Computer
Repair

Computer Repair &
Maintenance Service

Computer Repair
Service Fees

Remove Antivirus /
Trojan

Network /
Infrastructure

Network
Monitoring

Free
Software

Virus &
Hack Warnings

Contact Computer
Repair Centre

PC Repair Service Centre

Computer Repair Center would post the daily security alert below. Please check if your server, web server, email server and PC have below Vulnerabilities and fix it as soon as possible. You may also contact our IT expertises at 9145-7188.

 

Vulnerability Summary for the Week of April 20, 2026
Posted on Tuesday April 28, 2026

High Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
Thinkphp--ThinkPHP ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges. 2026-04-22 9.8 CVE-2018-25270 ExploitDB-45978
Official Product Homepage
Product Reference
VulnCheck Advisory: ThinkPHP 5.0.23 Remote Code Execution via invokefunction
 
Elba--ELBA5 ELBA5 5.8.0 contains a remote code execution vulnerability that allows attackers to obtain database credentials and execute arbitrary commands with SYSTEM level permissions. Attackers can connect to the database using default connector credentials, decrypt the DBA password, and execute commands via the xp_cmdshell stored procedure or add backdoor users to the BEDIENER table. 2026-04-22 9.8 CVE-2018-25272 ExploitDB-45905
Official Product Homepage
VulnCheck Advisory: ELBA5 5.8.0 Remote Code Execution via Database Access
 
Lizardsystems--Terminal Services Manager Terminal Services Manager 3.1 contains a stack-based buffer overflow vulnerability in the computer names field that allows local attackers to execute arbitrary code by triggering structured exception handling. Attackers can craft a malicious input file with shellcode and jump instructions that overwrite the SEH handler pointer to execute calc.exe or other payloads when imported through the add computers wizard. 2026-04-22 8.4 CVE-2018-25259 ExploitDB-46058
Official Product Homepage
VulnCheck Advisory: Terminal Services Manager 3.1 Buffer Overflow SEH
 
Magix--MAGIX Music Editor MAGIX Music Editor 3.1 contains a buffer overflow vulnerability in the FreeDB Proxy Options dialog that allows local attackers to execute arbitrary code by exploiting structured exception handling. Attackers can craft a malicious payload, paste it into the Server field via the CD menu's FreeDB Proxy Options, and trigger code execution when settings are accepted. 2026-04-22 8.4 CVE-2018-25260 ExploitDB-46056
Official Product Homepage
Product Reference
VulnCheck Advisory: MAGIX Music Editor 3.1 Buffer Overflow via SEH
 
Iperiusbackup--Iperius Backup Iperius Backup 5.8.1 contains a local buffer overflow vulnerability in the structured exception handling (SEH) mechanism that allows local attackers to execute arbitrary code by supplying a malicious file path. Attackers can create a backup job with a crafted payload in the external file location field that triggers a buffer overflow when the backup job executes, enabling code execution with application privileges. 2026-04-22 8.4 CVE-2018-25261 ExploitDB-46059
Official Product Homepage
VulnCheck Advisory: Iperius Backup 5.8.1 Local Buffer Overflow SEH
 
faleemi--Faleemi Desktop Software Faleemi Desktop Software 1.8.2 contains a local buffer overflow vulnerability in the Device alias field that allows local attackers to trigger a structured exception handler (SEH) overwrite. Attackers can craft a malicious payload and paste it into the Device alias field within the Managing Log interface to execute arbitrary code with calculator proof-of-concept execution. 2026-04-26 8.4 CVE-2018-25263 ExploitDB-45492
Product Reference
VulnCheck Advisory: Faleemi Desktop Software 1.8.2 Local Buffer Overflow SEH
 
Lizardsystems--LanSpy LanSpy 2.0.1.159 contains a local buffer overflow vulnerability in the scan section that allows local attackers to execute arbitrary code by exploiting structured exception handling mechanisms. Attackers can craft malicious payloads using egghunter techniques to locate and execute shellcode, triggering code execution through SEH chain manipulation and controlled jumps. 2026-04-22 8.4 CVE-2018-25265 ExploitDB-46018
Official Product Homepage
VulnCheck Advisory: LanSpy 2.0.1.159 Local Buffer Overflow
 
Lizardsystems--LanSpy LanSpy 2.0.1.159 contains a local buffer overflow vulnerability that allows attackers to overwrite the instruction pointer by supplying oversized input to the scan field. Attackers can craft a payload with 688 bytes of padding followed by 4 bytes of controlled data to crash the application or potentially achieve code execution. 2026-04-22 8.4 CVE-2018-25268 ExploitDB-45968
Official Product Homepage
VulnCheck Advisory: LanSpy 2.0.1.159 Local Buffer Overflow via Scan Field
 
Securimport--iSmartViewPro iSmartViewPro 1.5 contains a structured exception handling (SEH) buffer overflow vulnerability in the 'Save Path for Snapshot and Record file' field that allows local attackers to execute arbitrary code. Attackers can input a crafted payload exceeding 260 bytes through the System Setup interface to overwrite SEH records and execute shellcode with application privileges. 2026-04-26 8.4 CVE-2018-25283 ExploitDB-45349
Product Reference
VulnCheck Advisory: iSmartViewPro 1.5 Buffer Overflow via SavePath Parameter
 
Cewe-Photoworld--CEWE Photoshow CEWE Photoshow 6.3.4 contains a buffer overflow vulnerability in the login dialog that allows attackers to crash the application by submitting oversized input. Attackers can inject 4000 bytes of data into the email address and password fields to trigger a denial of service condition. 2026-04-26 7.5 CVE-2018-25294 ExploitDB-45211
Official Product Homepage
Product Reference
VulnCheck Advisory: CEWE Photoshow 6.3.4 Buffer Overflow Denial of Service
 
Fortra--GoAnywhere MFT The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force. 2026-04-21 7.3 CVE-2025-14362 https://fortra.com/security/advisories/product-security/FI-2026-002
 

Back to top

Medium Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
Angryip--Angry IP Scanner for Linux Angry IP Scanner for Linux 3.5.3 contains a denial of service vulnerability that allows local attackers to crash the application by supplying malformed input to the port selection field. Attackers can craft a malicious string containing buffer overflow patterns and paste it into the Preferences Ports tab to trigger an application crash. 2026-04-22 6.2 CVE-2018-25262 ExploitDB-46038
Official Product Homepage
VulnCheck Advisory: Angry IP Scanner for Linux 3.5.3 Denial of Service
 
Acutesystems--TransMac TransMac 12.2 contains a buffer overflow vulnerability in the license key input field that allows local attackers to crash the application by submitting an oversized string. Attackers can generate a payload file containing 4000 bytes of data, paste it into the License Key field, and trigger a denial of service condition. 2026-04-26 6.2 CVE-2018-25264 ExploitDB-45493
VulnCheck Advisory: TransMac 12.2 Denial of Service via License Key Field
 
Angryip--Angry IP Scanner Angry IP Scanner 3.5.3 contains a buffer overflow vulnerability in the preferences dialog that allows local attackers to crash the application by supplying an excessively large string. Attackers can generate a file containing a massive buffer of repeated characters and paste it into the unavailable value field in the display preferences to trigger a denial of service. 2026-04-22 6.2 CVE-2018-25266 ExploitDB-45993
Official Product Homepage
VulnCheck Advisory: Angry IP Scanner 3.5.3 Denial of Service via Preferences Buffer Overflow
 
Ultraiso--UltraISO UltraISO 9.7.1.3519 contains a local buffer overflow vulnerability in the Output FileName field of the Make CD/DVD Image dialog that allows attackers to overwrite SEH and SE handler records. Attackers can craft a malicious filename string with 304 bytes of data followed by SEH record overwrite values and paste it into the Output FileName field to trigger a denial of service crash. 2026-04-22 6.2 CVE-2018-25267 ExploitDB-45996
Official Product Homepage
VulnCheck Advisory: UltraISO 9.7.1.3519 Buffer Overflow via Output FileName
 
icewarp--ICEWARP Client ICEWARP 11.0.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML elements into emails by embedding base64-encoded payloads in object and embed tags. Attackers can craft emails containing data URIs with embedded scripts that execute in the client when the email is viewed, compromising user sessions and stealing sensitive information. 2026-04-22 6.1 CVE-2018-25269 ExploitDB-45974
Official Product Homepage
VulnCheck Advisory: ICEWARP 11.0.0.0 Cross-Site Scripting via Email HTML Injection
 
Textpad--Textpad Textpad 8.1.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long buffer string through the Run command interface. Attackers can paste a 5000-byte payload into the Command field via Tools > Run to trigger a buffer overflow that crashes the application. 2026-04-22 6.2 CVE-2018-25271 ExploitDB-45956
Official Product Homepage
Product Reference
VulnCheck Advisory: Textpad 8.1.2 Denial of Service via Run Command
 
Acutesystems--CrossFont CrossFont 7.5 contains a buffer overflow vulnerability that allows local attackers to crash the application by submitting an oversized payload in the License Key field. Attackers can generate a malicious file containing 4000 bytes of data, paste it into the License Key input field, and trigger an application crash when processing the input. 2026-04-26 6.2 CVE-2018-25273 ExploitDB-45494
VulnCheck Advisory: CrossFont 7.5 Denial of Service via License Key Field
 
infrarecorder--InfraRecorder InfraRecorder 0.53 contains a denial of service vulnerability that allows local attackers to crash the application by importing a maliciously crafted text file. Attackers can create a text file containing 6000 bytes of data and import it through the Edit menu's Import function to trigger an application crash. 2026-04-26 6.2 CVE-2018-25274 ExploitDB-45413
VulnCheck Advisory: InfraRecorder 0.53 Denial of Service via txt File Import
 
faleemi--Faleemi Plus Faleemi Plus 1.0.2 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying oversized input strings. Attackers can paste a 2000-byte payload into the Camera name and DID number fields during camera addition to trigger an application crash. 2026-04-26 6.2 CVE-2018-25275 ExploitDB-45414
Product Reference
VulnCheck Advisory: Faleemi Plus 1.0.2 Denial of Service via Buffer Overflow
 
Br-Software--PixGPS PixGPS 1.1.8 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized string to the folder path input field. Attackers can craft a payload exceeding 6000 bytes and paste it into the 'Folder with picture files' field to trigger a denial of service condition. 2026-04-26 6.2 CVE-2018-25277 ExploitDB-45381
Product Reference
VulnCheck Advisory: PixGPS 1.1.8 Buffer Overflow Denial of Service
 
Picajet--PicaJet FX PicaJet FX 2.6.5 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input to registration fields. Attackers can paste a 6000-byte buffer into the Registration Name and Registration Key fields via the Help menu's Register PicaJet dialog to trigger an application crash. 2026-04-26 6.2 CVE-2018-25278 ExploitDB-45383
VulnCheck Advisory: PicaJet FX 2.6.5 Denial of Service via Registration Fields
 
Convertimagetotext--jiNa OCR Image to Text jiNa OCR Image to Text 1.0 contains a denial of service vulnerability that allows local attackers to crash the application by processing a malformed PNG file. Attackers can create a specially crafted PNG file with an oversized buffer and trigger the crash when the application attempts to convert the file to PDF. 2026-04-26 6.2 CVE-2018-25279 ExploitDB-45380
Product Reference
VulnCheck Advisory: jiNa OCR Image to Text 1.0 Denial of Service via PNG
 
ZenMap--ZenMap Nmap 7.70 contains a denial of service vulnerability that allows local attackers to crash the application by processing malicious XML files with exponential entity expansion. Attackers can create a crafted XML file with nested entity definitions and open it through ZenMap's scan import functionality to cause the program to consume excessive system resources and crash. 2026-04-26 6.2 CVE-2018-25282 ExploitDB-45357
Product Reference
VulnCheck Advisory: Nmap 7.70 Denial of Service via XML Entity Expansion
 
Hdtune--HD Tune Pro HD Tune Pro 5.70 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the folder/file name field. Attackers can trigger a denial of service by entering a 6000-byte payload through the File > Options > Save dialog's folder/file name input field. 2026-04-26 6.2 CVE-2018-25284 ExploitDB-45298
Official Product Homepage
Product Reference
VulnCheck Advisory: HD Tune Pro 5.70 Denial of Service via Options Dialog
 
Hdtune--Easy PhotoResQ Easy PhotoResQ 1.0 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Folder/filename field. Attackers can input a 6000-byte payload through the File Options dialog to trigger a denial of service condition. 2026-04-26 6.2 CVE-2018-25286 ExploitDB-45300
Official Product Homepage
VulnCheck Advisory: Easy PhotoResQ 1.0 Buffer Overflow Denial of Service
 
Editorsoftware--StyleWriter StyleWriter 1.0 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string. Attackers can paste a 6000-byte payload into the Pattern to Find or Advice Message fields in the Add Pattern dialog to trigger a denial of service condition. 2026-04-26 6.2 CVE-2018-25288 ExploitDB-45250
Official Product Homepage
Product Reference
VulnCheck Advisory: StyleWriter 1.0 Denial of Service via Pattern Input
 
Ezbsystems--Softdisk Softdisk 3.0.3 contains a buffer overflow vulnerability in the registration code dialog that allows local attackers to crash the application by supplying an oversized string. Attackers can trigger the vulnerability by entering a 6000-byte payload in the Registration Name field through the Help menu's Enter Registration Code dialog to cause a denial of service. 2026-04-26 6.2 CVE-2018-25289 ExploitDB-45245
Official Product Homepage
Product Reference
VulnCheck Advisory: Softdisk 3.0.3 Buffer Overflow Denial of Service
 
Ezbsystems--Easyboot Easyboot 6.6.0 contains a buffer overflow vulnerability in the Replace Text function that allows local attackers to crash the application by supplying an oversized string. Attackers can trigger the vulnerability by accessing File > Tools > Replace Text and pasting a 7000-byte payload into the text fields to cause a denial of service. 2026-04-26 6.2 CVE-2018-25290 ExploitDB-45241
Official Product Homepage
VulnCheck Advisory: Easyboot 6.6.0 Buffer Overflow Denial of Service
 
Pj64-Emu--Project64 Project64 2.3.2 contains a buffer overflow vulnerability in the Plugin Directory settings field that allows local attackers to crash the application by supplying an excessively long string. Attackers can input a 6000-byte payload into the Plugin Directory field through the Options > Settings > Directories interface to trigger an application crash when settings are reopened. 2026-04-26 6.2 CVE-2018-25291 ExploitDB-45229
Official Product Homepage
VulnCheck Advisory: Project64 2.3.2 Denial of Service via Plugin Directory
 
Bome--Restorator Bome Restorator 1793 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can create a malicious payload exceeding 4000 bytes and paste it into the Name input field to trigger an application crash and denial of service. 2026-04-26 6.2 CVE-2018-25292 ExploitDB-45223
Official Product Homepage
Product Reference
VulnCheck Advisory: Bome Restorator 1793 Denial of Service via Buffer Overflow
 
Mersenne--Prime95 Prime95 29.4b7 contains a buffer overflow vulnerability in the PrimeNet connection dialog that allows local attackers to crash the application by supplying an excessively long string in the optional proxy password field. Attackers can trigger a denial of service by entering a 6000-byte payload into the proxy password parameter, causing the application to crash when processing the connection settings. 2026-04-26 6.2 CVE-2018-25293 ExploitDB-45226
Official Product Homepage
Product Reference
VulnCheck Advisory: Prime95 29.4b7 Denial of Service via Proxy Password Field
 
P10--ObserverIP Scan Tool ObserverIP Scan Tool 1.4.0.1 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string in the IP input field. Attackers can paste a 2000-byte buffer of repeated characters into the IP field and trigger a search operation to cause an application crash. 2026-04-26 6.2 CVE-2018-25295 ExploitDB-45204
Official Product Homepage
Product Reference
VulnCheck Advisory: ObserverIP Scan Tool 1.4.0.1 Denial of Service via IP Field
 
Wansview--Wansview Wansview 1.0.2 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying oversized input strings. Attackers can inject 2000-byte payloads into the Camera name and DID number fields during camera addition to trigger application crashes. 2026-04-26 6.2 CVE-2018-25297 ExploitDB-45194
VulnCheck Advisory: Wansview 1.0.2 Denial of Service via Buffer Overflow
 
94Cb--Carbon Forum Carbon Forum 5.9.0 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript code through the Forum Name field in dashboard settings. Attackers with admin privileges can store JavaScript payloads in the Forum Name field that execute in the browsers of all users visiting the forum, enabling session hijacking and data theft. 2026-04-22 6.4 CVE-2024-58344 ExploitDB-52043
Official Product Homepage
Product Reference
VulnCheck Advisory: Carbon Forum 5.9.0 Persistent XSS via Forum Name Field
 
GitLab--GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service under certain conditions by exhausting server resources by making crafted requests to a discussions endpoint. 2026-04-22 6.5 CVE-2025-0186 HackerOne Bug Bounty Report #2915694
https://gitlab.com/gitlab-org/gitlab/-/work_items/511312
https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/
 
GitLab--GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.4 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service by overwhelming system resources under certain conditions due to insufficient resource allocation limits in the GraphQL API. 2026-04-22 6.5 CVE-2025-3922 HackerOne Bug Bounty Report #3098035
https://gitlab.com/gitlab-org/gitlab/-/work_items/537422
https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/
 
Picajet--RoboImport RoboImport 1.2.0.72 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input to registration fields. Attackers can paste a 6000-byte buffer into the Registration Name and Registration Key fields and click Register to trigger an application crash. 2026-04-26 5.5 CVE-2018-25276 ExploitDB-45382
Product Reference
VulnCheck Advisory: RoboImport 1.2.0.72 Denial of Service via Registration Fields
 
Infiltration-Systems--Infiltrator Network Security Scanner Infiltrator Network Security Scanner 4.6 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized input string. Attackers can paste a 6000-byte payload into the Scan Target field and trigger a denial of service condition when the Scan button is clicked. 2026-04-26 5.5 CVE-2018-25280 ExploitDB-45390
Product Reference
VulnCheck Advisory: Infiltrator Network Security Scanner 4.6 Denial of Service
 
Maxprog--iCash iCash 7.6.5 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized payload through the Connect to Server dialog. Attackers can paste a 7000-byte string into the Host field and click Connect to trigger an application crash. 2026-04-26 5.5 CVE-2018-25281 ExploitDB-45388
VulnCheck Advisory: iCash 7.6.5 Denial of Service via Connect to Server
 
Fathom--Fathom Fathom 2.4 contains a buffer overflow vulnerability in the Authorization Code field that allows local attackers to crash the application by submitting an oversized input string. Attackers can paste a 6000-byte payload into the Authorization Code field and click Activate to trigger a denial of service condition. 2026-04-26 5.5 CVE-2018-25285 ExploitDB-45294
Official Product Homepage
Product Reference
VulnCheck Advisory: Fathom 2.4 Denial of Service via Authorization Code Buffer Overflow
 
Hdtune--Drive Power Manager Drive Power Manager 1.10 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can paste a 6000-byte payload into the Name field and click Register to trigger a denial of service condition. 2026-04-26 5.5 CVE-2018-25287 ExploitDB-45299
Official Product Homepage
VulnCheck Advisory: Drive Power Manager 1.10 Denial of Service via Name Field
 
P10--Central Management Software P10 Central Management Software 1.4.13 contains a buffer overflow vulnerability in the login password field that allows local attackers to crash the application by submitting an oversized input string. Attackers can paste a 2000-byte payload into the password field and click login to trigger an application crash and denial of service. 2026-04-26 5.5 CVE-2018-25296 ExploitDB-45207
Official Product Homepage
VulnCheck Advisory: P10 Central Management Software 1.4.13 Denial of Service
 
Fortra--GoAnywhere MFT Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV which allows admin users to brute-force decryption of data. 2026-04-21 5.8 CVE-2025-1241 https://fortra.com/security/advisories/product-security/FI-2026-001
 
OpenSC--OpenSC Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs 2026-04-23 5.7 CVE-2025-13763 https://access.redhat.com/security/cve/CVE-2025-13763
RHBZ#2417581
https://github.com/OpenSC/OpenSC/security/advisories/GHSA-2v44-fq35-98vv
https://github.com/OpenSC/OpenSC/wiki/CVE-2025-13763
 
HCLSoftware--BigFix Service Management (SM) HCL BigFix Service Management (SM) Discovery is vulnerable to unenforced encryption due to port 80 (HTTP) being open, allowing unencrypted access.  An attacker with access to the network traffic can sniff packets from the connection and uncover the data. 2026-04-21 5.3 CVE-2025-31981 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127605
 
IBM--Security Verify Directory (Container) IBM Security Verify Directory (Container) 10.0.0 through 10.0.0.3 IBM Security Verify Directory could be vulnerable to malicious file upload by not validating file type. A privileged user could upload malicious files into the system that can be sent to victims for performing further attacks against the system. 2026-04-22 5.5 CVE-2025-36074 https://www.ibm.com/support/pages/node/7268907
 
hubspotdev--HubSpot All-In-One Marketing Forms, Popups, Live Chat The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract a list of all installed plugins and their versions which can be leveraged for reconnaissance and further attacks. 2026-04-24 4.3 CVE-2025-11762 https://www.wordfence.com/threat-intel/vulnerabilities/id/2a8c62e6-f459-433a-b0c4-c79285ea7fe9?source=cve
https://research.cleantalk.org/CVE-2025-11762
https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.33/public/admin/class-adminconstants.php
 

Back to top

Low Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
HCLSoftware--BigFix Service Management (SM) HCL BigFix Service Management is susceptible to HTTP Request Smuggling.  HTTP request smuggling vulnerabilities arise when websites route HTTP requests through web servers with inconsistent HTTP parsing. HTTP Smuggling exploits inconsistencies in request parsing between front-end and back-end servers, allowing attackers to bypass security controls and perform attacks like cache poisoning or request hijacking. 2026-04-21 3.7 CVE-2025-31958 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124209
 

Back to top

Severity Not Yet Assigned

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
NWCLARK--Storable Storable versions before 3.05 for Perl has a stack overflow. The retrieve_hook function stored the length of the class name into a signed integer but in read operations treated the length as unsigned. This allowed an attacker to craft data that could trigger the overflow. 2026-04-21 not yet calculated CVE-2017-20230 https://github.com/Perl/perl5/issues/15831
https://github.com/Perl/perl5/commit/a258c17c6937f79529c8319a829310e09cdbd216.patch
https://metacpan.org/release/RURBAN/Storable-3.05/changes
https://www.nntp.perl.org/group/perl.perl5.porters/2017/01/msg242533.html
https://www.nntp.perl.org/group/perl.perl5.porters/2017/01/msg242703.html
 
Seeyon Internet Software--A8-V5 Collaborative Management Software Seeyon OA A8 contains an unauthenticated arbitrary file write vulnerability in the /seeyon/htmlofficeservlet endpoint that allows remote attackers to write arbitrary files to the web application root by sending specially crafted POST requests with custom base64-encoded payloads. Attackers can write JSP webshells to the web root and execute them through the web server to achieve arbitrary OS command execution with web server privileges. Exploitation evidence was first observed by the Shadowserver Foundation on 2021-03-26 (UTC). 2026-04-21 not yet calculated CVE-2019-25714 https://sourceforge.net/software/product/A8/
https://web.archive.org/web/20190821034711/http://wyb0.com/posts/2019/seeyon-htmlofficeservlet-getshell/
https://wiki.96.mk/Web%E5%AE%89%E5%85%A8/%E8%87%B4%E8%BF%9Coa/%E8%87%B4%E8%BF%9C%20OA%20A8%20htmlofficeservlet%20getshell%20%E6%BC%8F%E6%B4%9E/
https://static-aliyun-doc.oss-cn-hangzhou.aliyuncs.com/download/pdf/90916/Security_Notification_reseller_en-US.pdf
https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=31713
https://www.fortiguard.com/encyclopedia/ips/48874/seeyon-office-anywhere-htmlofficeservlet-arbitrary-file-upload
https://www.vulncheck.com/advisories/seeyon-office-anywhere-oa-a8-unauthenticated-arbitrary-file-write-via-htmlofficeservlet
 
Unknown--Email Encoder The Email Encoder WordPress plugin before 2.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). 2026-04-20 not yet calculated CVE-2024-7083 https://wpscan.com/vulnerability/7aeb6891-e159-4ed8-b1a9-a551140c9fcc/
 
Semantic MediaWiki--Semantic MediaWiki Cross-Site Scripting (XSS) vulnerability reflected in Semantic MediaWiki. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL using the '/index.php/Speciaal:GefacetteerdZoeken' endpoint parameter. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. 2026-04-21 not yet calculated CVE-2025-10354 https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-semantic-mediawiki
 
EfficientLab, LLC--Controlio EfficientLab Controlio before v1.3.95 contains a DLL hijacking vulnerability caused by weak folder permissions in the installation directory. A local attacker can place a specially crafted DLL in this directory and achieve arbitrary code execution with highest privileges, because the affected service runs as NT AUTHORITY\SYSTEM. 2026-04-23 not yet calculated CVE-2025-10549 https://r.sec-consult.com/controlio
https://kb.controlio.net/hc/en-us/articles/45777908471185-Client-Update-April-15-2026-ver-1-3-95
 
Fudo Security--Fudo Enterprise Fudo Enterprise in versions from 5.5.0 through 5.6.2 allows low privileged users to access certain administrator-only resources via improperly protected API endpoints. This includes sensitive information such as system logs and parts of system configuration settings. This vulnerability has been fixed in version 5.6.3 2026-04-20 not yet calculated CVE-2025-13480 https://www.fudosecurity.com/product/enterprise
https://cert.pl/en/posts/2026/04/CVE-2025-13480
https://download.fudosecurity.com/documentation/fudo/5_6/rn/RN_5.6.3.pdf
 
Zervit--portable HTTP/Web server Zervit's portable HTTP/web server is vulnerable to remote DoS attacks when a configuration reset request is made. The vulnerability is caused by inadequate validation of user-supplied input. An attacker can exploit this vulnerability by sending malicious requests. If the vulnerability is successfully exploited, the application can be made to stop responding, resulting in a DoS condition. It is possible to manually restart the application. 2026-04-21 not yet calculated CVE-2025-13826 https://www.incibe.es/en/incibe-cert/notices/aviso/incorrect-input-validation-zervit-portable-httpweb-server
 
ATRODO--Net:Dropbear Net:Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt. Net:Dropbear versions before 0.14 includes versions of Dropbear 2019.78 or earlier. These include versions of libtomcrypt v1.18.1 or earlier, which is affected by CVE-2016-6129 and CVE-2018-12437. 2026-04-21 not yet calculated CVE-2025-15638 https://www.cve.org/CVERecord?id=CVE-2016-6129
https://www.cve.org/CVERecord?id=CVE-2018-12437
https://metacpan.org/release/ATRODO/Net-Dropbear-0.14/source/dropbear/libtomcrypt/changes
 
PHP Point Of Sale--PHP Point Of Sale HTML injection vulnerability in PHP Point of Sale v19.4. This vulnerability allows an attacker to render HTML in the victim's browser due to a lack of proper validation of user input by sending a request to '/reports/generate/specific_customer', ussing 'start_date_formatted' y 'end_date_formatted' parameters. 2026-04-21 not yet calculated CVE-2025-41011 https://www.incibe.es/en/incibe-cert/notices/aviso/html-injection-php-point-sale-0
 
Zeon Global Tech--Zeon Academy Pro SQL injection vulnerability in Zeon Academy Pro by Zeon Global Tech. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a POST request using the parameter 'phonenumber' in '/private/continue-upload.php'. 2026-04-21 not yet calculated CVE-2025-41029 https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-zeon-academy-pro-zeon-global-tech
 

Back to top

Vulnerability Summary for the Week of April 13, 2026
Posted on Tuesday April 21, 2026

High Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
Grafana--Pyroscope Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS). If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyroscope API. To exploit this vulnerability, an attacker needs direct access to the Pyroscope API. We highly recommend limiting the public internet exposure of all our databases, such that they are only accessible by trusted users or internal systems. This vulnerability is fixed in versions: 1.15.x: 1.15.2 and above. 1.16.x: 1.16.1 and above. 1.17.x: 1.17.0 and above (i.e. all versions). Thanks to Théo Cusnir for reporting this vulnerability to us via our bug bounty program. 2026-04-15 9.1 CVE-2025-41118 https://grafana.com/security/security-advisories/cve-2025-41118
 
n/a--Grocery Store Management System v1.0 Improper input handling in /Grocery/search_products_itname.php, in anirudhkannan Grocery Store Management System 1.0, allows SQL injection via the sitem_name POST parameter. 2026-04-14 9.8 CVE-2025-63939 https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2025-63939
 
n/a--manikandan580 School-management-system v1.0 In manikandan580 School-management-system 1.0, a time-based blind SQL injection vulnerability exists in /studentms/admin/between-date-reprtsdetails.php through the fromdate POST parameter. 2026-04-14 9.8 CVE-2025-65135 https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2025-65135
 
Owen--WebStack The WebStack theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the io_img_upload() function in all versions up to, and including, 1.2024. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. 2026-04-15 9.8 CVE-2026-1555 https://www.wordfence.com/threat-intel/vulnerabilities/id/b97805de-1b47-4c9f-baae-2e37c1b78570?source=cve
https://github.com/owen0o0/WebStack/blob/master/inc/ajax.php#L5
https://github.com/owen0o0/WebStack/tree/master
 
Cisco--Cisco Identity Services Engine Software A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of this vulnerability could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored. 2026-04-15 9.9 CVE-2026-20147 cisco-sa-ise-rce-traversal-8bYndVrZ
 
Cisco--Cisco Identity Services Engine Software A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have at least Read Only Admin credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of these vulnerabilities could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored. 2026-04-15 9.9 CVE-2026-20180 cisco-sa-ise-rce-4fverepv
 
Cisco--Cisco Webex Meetings A vulnerability in the integration of single sign-on (SSO) with Control Hub in Cisco Webex Services could have allowed an unauthenticated, remote attacker to impersonate any user within the service. This vulnerability existed because of improper certificate validation. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by connecting to a service endpoint and supplying a crafted token. A successful exploit could have allowed the attacker to gain unauthorized access to legitimate Cisco Webex services. 2026-04-15 9.8 CVE-2026-20184 cisco-sa-webex-cui-cert-8jSZYhWL
 
Cisco--Cisco Identity Services Engine Software A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have at least Read Only Admin credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of these vulnerabilities could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored. 2026-04-15 9.9 CVE-2026-20186 cisco-sa-ise-rce-4fverepv
 
Ubiquiti Inc--UniFi Play PowerAmp A malicious actor with access to the UniFi Play network could exploit a Path Traversal vulnerability found in the device firmware to write files on the system that could be used for a remote code execution (RCE). Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier)
UniFi Play Audio Port  (Version 1.0.24 and earlier)
 Mitigation: Update UniFi Play PowerAmp to Version 1.0.38 or later
Update UniFi Play Audio Port  to Version 1.1.9 or later 2026-04-13 9.8 CVE-2026-22562 https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83
 
Ubiquiti Inc--UniFi Play PowerAmp A series of Improper Input Validation vulnerabilities could allow a Command Injection by a malicious actor with access to the UniFi Play network. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier)
 UniFi Play Audio Port  (Version 1.0.24 and earlier)
 Mitigation: Update UniFi Play PowerAmp to Version 1.0.38 or later
 Update UniFi Play Audio Port  to Version 1.1.9 or later 2026-04-13 9.8 CVE-2026-22563 https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83
 
Ubiquiti Inc--UniFi Play PowerAmp An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to enable SSH to make unauthorized changes to the system.
 Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier)
 UniFi Play Audio Port  (Version 1.0.24 and earlier)
 Mitigation: Update UniFi Play PowerAmp to Version 1.0.38 or later
 Update UniFi Play Audio Port  to Version 1.1.9 or later 2026-04-13 9.8 CVE-2026-22564 https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83
 
Festo--MSE6-C2M-5000-FB36-D-M-RG-BAR-M12L4-AGD In products of the MSE6 product-family by Festo a remote authenticated, low privileged attacker could use functions of undocumented test mode which could lead to a complete loss of confidentiality, integrity and availability. 2026-04-16 8.8 CVE-2023-3634 https://certvde.com/de/advisories/VDE-2023-020/
https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2023/fsa-202304.json
 
shahinurislam--Career Section The Career Section plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Path Traversal and Arbitrary File Deletion in all versions up to, and including, 1.6. This is due to missing nonce validation and insufficient file path validation on the delete action in the 'appform_options_page_html' function. This makes it possible for unauthenticated attackers to delete arbitrary files on the server via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. 2026-04-16 8.8 CVE-2025-14868 https://www.wordfence.com/threat-intel/vulnerabilities/id/84936b68-923a-4da1-ae67-1d63d025342e?source=cve
https://plugins.trac.wordpress.org/changeset/3474216/career-section
 
Nozomi Networks--Guardian An access control vulnerability was discovered in the Threat Intelligence functionality due to a specific access restriction not being properly enforced for users with view-only privileges. An authenticated user with view-only privileges for the Threat Intelligence functionality can perform administrative actions on it, altering the rules configuration, and/or affecting their availability. 2026-04-15 8.1 CVE-2025-40897 https://security.nozominetworks.com/NN-2026:1-01
 
Nozomi Networks--Guardian A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with custom fields privileges can define a malicious custom field containing a JavaScript payload. When the victim views the Assets or Nodes pages, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information. 2026-04-15 8.9 CVE-2025-40899 https://security.nozominetworks.com/NN-2026:2-01
 
livemesh--Livemesh Addons by Elementor The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which uses an inadequate `str_replace()` approach that can be bypassed using recursive directory traversal patterns. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the attacker to include and execute local files via the widget's template parameter granted they can trick an administrator into performing an action or install Elementor. 2026-04-16 8.8 CVE-2026-1620 https://www.wordfence.com/threat-intel/vulnerabilities/id/2483875a-84de-4a40-a69e-aee68da1ce3b?source=cve
https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/includes/helper-functions.php#L669
https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/includes/helper-functions.php#L669
https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/includes/helper-functions.php#L671
https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/includes/helper-functions.php#L671
 
Cloud Foundry--UUA Cloud Foundry UUA is vulnerable to a bypass that allows an attacker to obtain a token for any user and gain access to UAA-protected systems. This vulnerability exists when SAML 2.0 bearer assertions are enabled for a client, as the UAA accepts SAML 2.0 bearer assertions that are neither signed nor encrypted. This issue affects UUA from v77.30.0 to v78.7.0 (inclusive) and it affects CF Deployment from v48.7.0 to v54.14.0 (inclusive). 2026-04-16 8.6 CVE-2026-22734 https://www.cloudfoundry.org/blog/cve-2026-22734-uaa-saml-2-0-signature-bypass/
 
WSO2--WSO2 API Manager The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources. By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources. 2026-04-16 7.5 CVE-2024-2374 https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3255/
 
Bosch--BVMS Uncontrolled Resource Consumption in Bosch VMS Central Server in Bosch VMS 12.0.1 allows attackers to consume excessive amounts of disk space via network interface. 2026-04-15 7.5 CVE-2024-33618 https://psirt.bosch.com/security-advisories/BOSCH-SA-162032-BT.html
 
Dell--PowerProtect Data Domain BoostFS Dell PowerProtect Data Domain BoostFS for client of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain an insufficiently protected credentials vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to credential exposure. The attacker may be able to use the exposed credentials to access the system with privileges of the compromised account. 2026-04-17 7.8 CVE-2025-36568 https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities
 
WC Lovers--WCFM Marketplace Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WC Lovers WCFM Marketplace allows SQL Injection.This issue affects WCFM Marketplace: from n/a through 3.7.1. 2026-04-15 7.6 CVE-2025-63029 https://patchstack.com/database/wordpress/plugin/wc-multivendor-marketplace/vulnerability/wordpress-wcfm-marketplace-plugin-3-7-1-sql-injection-vulnerability?_s_id=cve
 
FirebirdSQL--firebird Firebird is an open-source relational database management system. In versions FB3 of the client library placed incorrect data length values into XSQLDA fields when communicating with FB4 or higher servers, resulting in an information leak. This issue is fixed by upgrading to the FB4 client or higher. 2026-04-17 7.9 CVE-2025-65104 https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-mfpr-9886-xjhg
https://github.com/FirebirdSQL/firebird/releases/tag/v4.0.0
 
Lenovo--Diagnostics During an internal security assessment, a potential vulnerability was discovered in Lenovo Diagnostics and the HardwareScanAddin used in Lenovo Vantage that, during installation or when using hardware scan, could allow a local authenticated user to perform an arbitrary file write with elevated privileges. 2026-04-15 7.1 CVE-2026-0827 https://support.lenovo.com/us/en/product_security/LEN-210693
 
Splunk--Splunk Enterprise In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory. 2026-04-15 7.1 CVE-2026-20204 https://advisory.splunk.com/advisories/SVD-2026-0403
 
Splunk--Splunk MCP Server In Splunk MCP Server app versions below 1.0.3 , a user who holds a role with access to the Splunk `_internal` index or possesses the high-privilege capability `mcp_tool_admin` could view users session and authorization tokens in clear text.<br><br>The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. <br><br>Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) and [Connecting to MCP Server and Admin settings](https://help.splunk.com/en/splunk-enterprise/mcp-server-for-splunk-platform/connecting-to-mcp-server-and-admin-settings) in the Splunk documentation for more information. 2026-04-15 7.2 CVE-2026-20205 https://advisory.splunk.com/advisories/SVD-2026-0407
 
Microsoft--Windows 10 Version 1809 Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. 2026-04-14 7.8 CVE-2026-20930 Windows Management Services Elevation of Privilege Vulnerability
 
Ubiquiti Inc--UniFi Play PowerAmp An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to obtain UniFi Play WiFi credentials.
 Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier)
 UniFi Play Audio Port  (Version 1.0.24 and earlier)
 Mitigation: Update UniFi Play PowerAmp to Version 1.0.38 or later
 Update UniFi Play Audio Port  to Version 1.1.9 or later 2026-04-13 7.5 CVE-2026-22566 https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83
 
Eaton--IPP software Eaton Intelligent Power Protector (IPP) is affected by insecure library loading in its executable, which could lead to arbitrary code execution by an attacker with access to the software package. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download center. 2026-04-16 7.8 CVE-2026-22619 https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf
 
easyappointments--Easy Appointments The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the `/wp-json/wp/v2/eablocks/ea_appointments/` REST API endpoint. This is due to the endpoint being registered with `'permission_callback' => '__return_true'`, which allows access without any authentication or authorization checks. This makes it possible for unauthenticated attackers to extract sensitive customer appointment data including full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information. 2026-04-17 7.5 CVE-2026-2262 https://www.wordfence.com/threat-intel/vulnerabilities/id/e681aa8e-522e-4092-aa1f-8ada3097c8d6?source=cve
https://plugins.trac.wordpress.org/browser/easy-appointments/tags/3.12.19/ea-blocks/ea-blocks.php#L190
https://plugins.trac.wordpress.org/browser/easy-appointments/trunk/ea-blocks/ea-blocks.php#L190
https://plugins.trac.wordpress.org/browser/easy-appointments/tags/3.12.19/ea-blocks/ea-blocks.php#L141
https://plugins.trac.wordpress.org/changeset/3485692/easy-appointments/trunk/ea-blocks/ea-blocks.php
https://plugins.trac.wordpress.org/changeset?old_path=%2Feasy-appointments/tags/3.12.21&new_path=%2Feasy-appointments/tags/3.12.22
 
Barracuda Networks--RMM Barracuda RMM versions prior to 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on the C:\Windows\Automation directory. Attackers can modify existing automation content or place attacker-controlled files in this directory, which are then executed under the NT AUTHORITY\SYSTEM account during routine automation cycles, typically succeeding within the next execution cycle. 2026-04-15 7.8 CVE-2026-22676 https://download.mw-rmm.barracudamsp.com/PDF/2025.2.2/RN_BRMM_2025.2.2_EN.pdf
https://www.vulncheck.com/advisories/barracuda-rmm-privilege-escalation-via-insecure-directory-permissions
 
Fortinet--FortiAnalyzer Cloud A heap-based buffer overflow vulnerability in Fortinet FortiAnalyzer Cloud 7.6.2 through 7.6.4, FortiManager Cloud 7.6.2 through 7.6.4 may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Successful exploitation would require a large amount of effort in preparation because of ASLR and network segmentation 2026-04-14 7.3 CVE-2026-22828 https://fortiguard.fortinet.com/psirt/FG-IR-26-121
 
Eclipse Foundation--Eclipse Jetty In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error. POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ... Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request. 2026-04-14 7.4 CVE-2026-2332 https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf
https://gitlab.eclipse.org/security/cve-assignment/-/issues/89
 

Back to top

Medium Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
WSO2--WSO2 API Manager The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input parameters, which are then executed by the victim's browser. Successful exploitation can enable an attacker to redirect the user's browser to a malicious website, modify the UI of the web page, or retrieve information from the browser. However, the impact is limited as session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking. 2026-04-16 6.1 CVE-2024-10242 https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3741/
 
WSO2--WSO2 Identity Server Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security consequence is that a locked user account can maintain access to protected resources through the use of existing, unexpired access tokens. This creates a security gap where access control policies are bypassed, potentially leading to unauthorized data access or actions until the tokens naturally expire. 2026-04-16 6 CVE-2025-12624 https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4684/
 
flippercode--WP Maps Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters The WP Maps - Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'put_wpgm' shortcode in all versions up to, and including, 4.8.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-04-16 6.4 CVE-2025-13364 https://www.wordfence.com/threat-intel/vulnerabilities/id/91d6cf21-cb65-40cb-ad19-5a8e7179fd98?source=cve
https://plugins.trac.wordpress.org/changeset?old_path=wp-google-map-plugin/tags/4.8.7/wp-google-map-plugin.php&new_path=wp-google-map-plugin/tags/4.8.8/wp-google-map-plugin.php
 
DesigningMedia--Eleganzo The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akd_required_plugin_callback function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary directories on the server, including the WordPress root directory. 2026-04-14 6.5 CVE-2025-15470 https://www.wordfence.com/threat-intel/vulnerabilities/id/7c5d7818-e548-4d8f-b847-396d528b58cd?source=cve
https://testwp.local/wp-content/themes/eleganzo/welcome.php#L96
 
Emarket-design--YouTube Showcase Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emarket-design YouTube Showcase allows Stored XSS.This issue affects YouTube Showcase: from n/a through 3.5.1. 2026-04-15 6.5 CVE-2025-15636 https://patchstack.com/database/wordpress/plugin/youtube-showcase/vulnerability/wordpress-youtube-showcase-plugin-3-5-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
HCLSoftware--Velocity Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit.  This vulnerability is fixed in 5.1.7. 2026-04-13 6.8 CVE-2025-31991 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130138
 
ABB--AC800M (System 800xA) A vulnerability exists in the command handling of the IEC 61850 communication stack included in the product revisions listed as affected in this CVE. An attacker with access to IEC 61850 networks could exploit the vulnera bility by using a specially crafted 61850 packet, forcing the communication interfaces of the PM 877, CI850 and CI868 modules into fault mode or causing unavailability of the S+ Operations 61850 connectivity, resulting in a denial-of-service situation.  The System 800xA IEC61850 Connect is not affected. Note: This vulnerability does not impact on the overall availability and functionality of the S+ Operations node, only the 61850 communication function.     This issue affects AC800M (System 800xA): from 6.0.0x through 6.0.0303.0, from 6.1.0x through 6.1.0031.0, from 6.1.1x through 6.1.1004.0, from 6.1.1x through 6.1.1202.0, from 6.2.0x through 6.2.0006.0; Symphony Plus SD Series: A_0, A_1, A_2.003, A_3.005, A_4.001, B_0.005; Symphony Plus MR (Melody Rack): from 3.10 through 3.52; S+ Operations: 2.1, 2.2, 2.3, 3.3. 2026-04-13 6.5 CVE-2025-3756 https://search.abb.com/library/Download.aspx?DocumentID=7PAA020125&LanguageCode=en&DocumentPartId=&Action=Launch
 
Dell--PowerScale OneFS Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an insertion of sensitive information into log file vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. 2026-04-16 6.6 CVE-2025-43937 https://www.dell.com/support/kbdoc/en-us/000376214/dsa-2025-347-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities
 
Dell--PowerProtect Data Domain Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain a session fixation vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access. 2026-04-17 6.2 CVE-2025-46605 https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities
 
Dell--PowerProtect Data Domain Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain an improper restriction of excessive authentication attempts vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access. 2026-04-17 6.2 CVE-2025-46606 https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities
 
Dell--PowerProtect Data Domain Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain an improper authentication vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access. 2026-04-17 6.6 CVE-2025-46607 https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities
 
Dell--PowerProtect Data Domain Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain an improper authentication vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access. 2026-04-17 6.6 CVE-2025-46641 https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities
 
Fortinet--FortiOS A missing authentication for critical function vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6.4 all versions, FortiOS 6.2.9 through 6.2.17 allows attacker to execute unauthorized code or commands via specially crafted packets. 2026-04-14 6.2 CVE-2025-53847 https://fortiguard.fortinet.com/psirt/FG-IR-26-125
 
WSO2--WSO2 API Manager The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, or the retrieval of information from the browser. However, session hijacking is not possible due to the httpOnly flag protecting session-related cookies. 2026-04-16 6.1 CVE-2025-6024 https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4251/
 
Fortinet--FortiManager An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.8, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.8, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.8, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.8, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow a privileged authenticated attacker to execute unauthorized code or commands via JSON RPC API 2026-04-14 6.8 CVE-2025-61848 https://fortiguard.fortinet.com/psirt/FG-IR-26-111
 
leaflet[.]com--Leaflet 1.9.4 Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes (e.g., <img src=x onerror="alert('XSS')">). When a victim views an affected map popup, the malicious script executes in the context of the victim's browser session. 2026-04-14 6.1 CVE-2025-69993 http://leaflet.com
https://github.com/PierfrancescoConti/leaflet-cve-2025-69993/blob/main/ADVISORY.md
 
Microsoft--Windows 10 Version 1607 Reliance on untrusted inputs in a security decision in Windows Boot Loader allows an authorized attacker to bypass a security feature locally. 2026-04-14 6.7 CVE-2026-0390 UEFI Secure Boot Security Feature Bypass Vulnerability
 
SAP_SE--SAP Supplier Relationship Management (SICF Handler in SRM Catalog) Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL, that if accessed by a victim, results in execution of malicious content within the victim's browser. This could allow the attacker to access and modify information, impacting the confidentiality and integrity of the application, while availability remains unaffected. 2026-04-14 6.1 CVE-2026-0512 https://me.sap.com/notes/3645228
https://url.sap/sapsecuritypatchday
 
turn2honey--EMC Easily Embed Calendly Scheduling The EMC - Easily Embed Calendly Scheduling Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's calendly shortcode in all versions up to, and including, 4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-04-19 6.4 CVE-2026-0868 https://www.wordfence.com/threat-intel/vulnerabilities/id/d5653ebe-7145-4b1c-94f8-ca87ed0dc4f5?source=cve
https://plugins.trac.wordpress.org/changeset/3466576/embed-calendly-scheduling
 
vanderwijk--Content Blocks (Custom Post Widget) The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's content_block shortcode in all versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping on user supplied values consumed from user-created content blocks. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-04-18 6.4 CVE-2026-0894 https://www.wordfence.com/threat-intel/vulnerabilities/id/246dee15-82e0-4630-8d95-d2419e9eaef8?source=cve
https://plugins.trac.wordpress.org/changeset/3447914/custom-post-widget
 
youzify--Youzify BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress The Youzify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'checkin_place_id' parameter in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-04-18 6.4 CVE-2026-1559 https://www.wordfence.com/threat-intel/vulnerabilities/id/6bd69711-8303-4086-87c3-eb2935a89aff?source=cve
https://plugins.trac.wordpress.org/browser/youzify/trunk/includes/public/core/wall/class-youzify-form.php#L506
https://plugins.trac.wordpress.org/browser/youzify/tags/1.3.6/includes/public/core/wall/class-youzify-form.php#L506
https://plugins.trac.wordpress.org/browser/youzify/trunk/includes/public/core/class-youzify-wall.php#L109
https://plugins.trac.wordpress.org/browser/youzify/tags/1.3.6/includes/public/core/class-youzify-wall.php#L109
https://plugins.trac.wordpress.org/changeset/3483281/youzify/trunk/includes/public/core/wall/class-youzify-form.php
https://plugins.trac.wordpress.org/changeset?old_path=%2Fyouzify/tags/1.3.6&new_path=%2Fyouzify/tags/1.3.7
 
livemesh--Livemesh Addons by Elementor The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 9.0. This is due to missing authorization checks on the AJAX handler `lae_admin_ajax()` and insufficient output escaping on multiple checkbox settings fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the plugin settings page that will execute whenever an administrator accesses the plugin settings page granted they can obtain a valid nonce, which can be leaked via the plugin's improper access control on settings pages. 2026-04-16 6.4 CVE-2026-1572 https://www.wordfence.com/threat-intel/vulnerabilities/id/24b9bf5a-19ac-4e99-b32d-1ab681356a1b?source=cve
https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/admin/admin-ajax.php#L28
https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/admin/admin-ajax.php#L64
https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/admin/admin-ajax.php#L64
https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/admin/admin-ajax.php#L28
https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/plugin.php#L207
https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/plugin.php#L207
https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/admin/views/settings.php#L707
https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/admin/views/settings.php#L707
 
surbma--Surbma | Booking.com Shortcode The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `surbma-bookingcom` shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-04-14 6.4 CVE-2026-1607 https://www.wordfence.com/threat-intel/vulnerabilities/id/01280afb-4745-4f36-823e-ed794bb3353a?source=cve
https://plugins.trac.wordpress.org/browser/surbma-bookingcom-shortcode/tags/2.0/surbma-bookingcom-shortcode.php#L34
 
Lenovo--Service Bridge A potential DLL hijacking vulnerability was reported in Lenovo Service Bridge that, under certain conditions, could allow a local authenticated user to execute code with elevated privileges. 2026-04-15 6.7 CVE-2026-1636 https://support.lenovo.com/us/en/product_security/LEN-211071
 
prasunsen--Hostel The Hostel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode_id' parameter in all versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2026-04-18 6.1 CVE-2026-1838 https://www.wordfence.com/threat-intel/vulnerabilities/id/2b9da491-771a-4100-b41a-7411981dd34b?source=cve
https://plugins.trac.wordpress.org/browser/hostel/trunk/hostel.php#L44
https://plugins.trac.wordpress.org/browser/hostel/tags/1.1.6/hostel.php#L44
https://plugins.trac.wordpress.org/browser/hostel/trunk/controllers/ajax.php#L28
https://plugins.trac.wordpress.org/browser/hostel/tags/1.1.6/controllers/ajax.php#L28
https://plugins.trac.wordpress.org/browser/hostel/trunk/views/partial/rooms-table.html.php#L29
https://plugins.trac.wordpress.org/browser/hostel/tags/1.1.6/views/partial/rooms-table.html.php#L29
https://plugins.trac.wordpress.org/changeset/3478265/hostel/trunk/hostel.php
https://plugins.trac.wordpress.org/changeset?old_path=%2Fhostel/tags/1.1.6&new_path=%2Fhostel/tags/1.1.7
 
woobeewoo--Product Pricing Table by WooBeWoo The Product Pricing Table by WooBeWoo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the updateLabel() and remove() functions. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages or delete pricing tables via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-04-15 6.1 CVE-2026-1852 https://www.wordfence.com/threat-intel/vulnerabilities/id/a3b459e0-4bd9-443e-96e4-91663a35c26e?source=cve
https://github.com/wpcodefactory/woo-product-pricing-tables/releases/tag/v1.1.1
 
Cisco--Cisco Unity Connection A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. 2026-04-15 6.1 CVE-2026-20059 cisco-sa-unity-vulns-n2EJSbbw
 
Cisco--Cisco Unity Connection Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker&nbsp;to download arbitrary files from an affected system. To exploit these vulnerabilities, the attacker must have valid administrative credentials.&nbsp; These vulnerabilities are due to improper sanitization of user input to the web-based management interface. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request. A successful exploit could allow the attacker to download arbitrary files from an affected system. 2026-04-15 6.5 CVE-2026-20078 cisco-sa-unity-file-download-RmKEVWPx
 
Cisco--Cisco Unity Connection Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker&nbsp;to download arbitrary files from an affected system. To exploit these vulnerabilities, the attacker must have valid administrative credentials.&nbsp; These vulnerabilities are due to improper sanitization of user input to the web-based management interface. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request. A successful exploit could allow the attacker to download arbitrary files from an affected system. 2026-04-15 6.5 CVE-2026-20081 cisco-sa-unity-file-download-RmKEVWPx
 
Cisco--Cisco Identity Services Engine Software A vulnerability in the&nbsp;CLI of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, local attacker with administrative privileges to perform a command injection attack on the underlying operating system and elevate privileges to root. This vulnerability is due to insufficient validation of user supplied input. An attacker could exploit this vulnerability by providing crafted input to a specific CLI command. A successful exploit could allow the attacker to elevate their privileges to root on the underlying operating system. 2026-04-15 6 CVE-2026-20136 cisco-sa-ise-cmd-inj-5WSJcYJB
 
Cisco--Cisco Webex Contact Center A vulnerability in the Desktop Agent functionality of Cisco Webex Contact Center could have allowed an unauthenticated, remote attacker to conduct cross-site scripting attacks. Cisco has addressed this vulnerability in the Cisco Webex Contact Center service, and no customer action is needed. This vulnerability existed because HTML and script content was not properly handled. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by persuading a user to follow a malicious link. A successful exploit could have allowed the attacker to steal sensitive information from the browser, including authentication and session information. 2026-04-15 6.1 CVE-2026-20170 cisco-sa-webexcc-xss-WEX5nUnA
 
Splunk--Splunk Enterprise In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user`could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation.<br><br>This could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users. 2026-04-15 6.6 CVE-2026-20202 https://advisory.splunk.com/advisories/SVD-2026-0401
 
Samsung Mobile--Samsung Mobile Devices Improper input validation in Retail Mode prior to SMR Apr-2026 Release 1 allows local attackers to trigger privileged functions. 2026-04-13 6.6 CVE-2026-21010 https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04
 
Adobe--Adobe Connect Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed. 2026-04-14 6.1 CVE-2026-21331 https://helpx.adobe.com/security/products/connect/apsb26-37.html
 
Fortinet--FortiSOAR on-premise A cleartext transmission of sensitive information vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow attacker to information disclosure via <insert attack vector here> 2026-04-14 6.2 CVE-2026-22155 https://fortiguard.fortinet.com/psirt/FG-IR-26-106
 
Fortinet--FortiSOAR on-premise An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5 all versions, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5 all versions, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to perform path traversal attack via File Content Extraction actions. 2026-04-14 6.2 CVE-2026-22573 https://fortiguard.fortinet.com/psirt/FG-IR-26-116
 
Eaton--IPP Software Due to improper input validation in one of the Eaton Intelligent Power Protector (IPP) XML, it is possible for an attacker with admin privileges and access to the local system to inject malicious code resulting in arbitrary command execution. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre. 2026-04-16 6 CVE-2026-22615 https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf
 
Eaton--IPP Software Eaton Intelligent Power Protector (IPP) software allows repeated authentication attempts against the web interface login page due to insufficient rate‑limiting controls. This security issue has been fixed in the latest version of Eaton IPP which is available on the Eaton download centre. 2026-04-16 6.5 CVE-2026-22616 https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf
 
Fortinet--FortiVoice An exposure of sensitive information to an unauthorized actor vulnerability in Fortinet FortiNDR 7.6.0, FortiNDR 7.4.0 through 7.4.8, FortiNDR 7.2 all versions, FortiNDR 7.1 all versions, FortiNDR 7.0 all versions, FortiVoice 7.0.0 through 7.0.1 may allow a remote authenticated attacker with at least read-only permission on system maintenance to access backup information via crafted HTTP requests 2026-04-14 5.4 CVE-2024-23104 https://fortiguard.fortinet.com/psirt/FG-IR-26-124
 
WSO2--WSO2 API Manager The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-site scripting vulnerability, a malicious actor can cause the browser to redirect to a malicious website, make changes to the UI of the web page, or retrieve information from the browser. However, session hijacking is not possible as all session-related sensitive cookies are protected by the httpOnly flag. 2026-04-16 5.4 CVE-2024-4867 https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3391/
 
cartasi--Nexi XPay The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed. 2026-04-14 5.3 CVE-2025-15565 https://www.wordfence.com/threat-intel/vulnerabilities/id/f420151b-c783-49b1-b0e9-e936a904278a?source=cve
https://plugins.trac.wordpress.org/browser/cartasi-x-pay/tags/8.2.0/src/classes/Nexi/WC_Gateway_XPay_Process_Completion.php#L268
 
Dell--Dell Pro 14 Essential PV14250 Dell Client Platform BIOS contains a Weak Password Recovery Mechanism vulnerability. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability, leading to unauthorized access. 2026-04-16 5.1 CVE-2025-36579 https://www.dell.com/support/kbdoc/en-us/000300450/dsa-2025-153
 
Fortinet--FortiOS An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [CWE-22] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiPAM 1.7.0, FortiPAM 1.6 all versions, FortiPAM 1.5 all versions, FortiPAM 1.4 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.11, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, FortiSwitchManager 7.2.0 through 7.2.7, FortiSwitchManager 7.0.0 through 7.0.6 may allow an authenticated attacker with admin profile and at least read-write permissions to write or delete arbitrary files via specific CLI commands. 2026-04-14 5.4 CVE-2025-61624 https://fortiguard.fortinet.com/psirt/FG-IR-26-122
 
Fortinet--FortiManager Cloud An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.7, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.7, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow a privileged attacker to delete files from the underlying filesystem via crafted CLI requests. 2026-04-14 5.4 CVE-2025-68649 https://fortiguard.fortinet.com/psirt/FG-IR-26-120
 
wpxpo--Post Grid Gutenberg Blocks for News, Magazines, Blog Websites PostX The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites - PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ultp_shareCount_callback() function in all versions up to, and including, 5.0.5. This makes it possible for unauthenticated attackers to modify the share_count post meta for any post, including private or draft posts. 2026-04-16 5.3 CVE-2026-0718 https://www.wordfence.com/threat-intel/vulnerabilities/id/c4b2cf3b-5d35-4ce6-9453-1538a6f7752f?source=cve
https://plugins.trac.wordpress.org/changeset?old_path=/ultimate-post/tags/5.0.5/classes/Blocks.php&new_path=/ultimate-post/tags/5.0.6/classes/Blocks.php
 
iberezansky--3D FlipBook PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery The 3D FlipBook - PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the send_post_pages_json() function in all versions up to, and including, 1.16.17. This makes it possible for unauthenticated attackers to retrieve flipbook page metadata for draft, private and password-protected flipbooks. 2026-04-14 5.3 CVE-2026-1314 https://www.wordfence.com/threat-intel/vulnerabilities/id/d7e41753-2dbf-4afa-b61e-e617be2c4dc2?source=cve
https://plugins.trac.wordpress.org/changeset/3467608/
 
themefusion--Avada (Fusion) Builder The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's `output_action_hook()` function accepting user-controlled input to trigger any registered WordPress action hook without proper authorization checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary WordPress action hooks via the Dynamic Data feature, potentially leading to privilege escalation, file inclusion, denial of service, or other security impacts depending on which action hooks are available in the WordPress installation. 2026-04-15 5.4 CVE-2026-1509 https://www.wordfence.com/threat-intel/vulnerabilities/id/fdc57b06-bae9-49a3-84dd-f593705330e9?source=cve
https://themeforest.net/item/avada-responsive-multipurpose-theme/2833226
https://avada.com/documentation/avada-changelog/
 
Wpmet--MetForm Pro The MetForm Pro plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 3.9.7 This is due to the payment integrations (Stripe/PayPal) trusting a user-submitted calculation field value without recomputing or validating it against the configured form price. This makes it possible for unauthenticated attackers to manipulate the payment amount via the 'mf-calculation' field in the form submission REST request granted there exists a specific form with this particular configuration. 2026-04-15 5.3 CVE-2026-1782 https://www.wordfence.com/threat-intel/vulnerabilities/id/a49dd64b-6ae8-49ed-9e8a-e5b73c2acf4b?source=cve
https://wpmet.com/plugin/metform/
 
Cisco--Cisco Secure Web Appliance A vulnerability in the authentication service feature of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to bypass authentication policy requirements. This vulnerability is due to improper validation of user-supplied authentication input in HTTP requests. An attacker could exploit this vulnerability by sending HTTP requests that contain specific authentication requests to an affected device. A successful exploit could allow the attacker to bypass policy enforcement on the device. There is no direct impact to the Cisco Secure Web Appliance. However, as a result of exploiting this vulnerability, an attacker could send HTTP requests that should be restricted through the device. 2026-04-15 5.3 CVE-2026-20152 cisco-sa-wsa-auth-bypass-6YZkTQhd
 
Cisco--Cisco ThousandEyes Enterprise Agent A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an authenticated, local attacker with low privileges to overwrite arbitrary files on the local system of an affected device. This vulnerability is due to improper access controls on files that are on the local file system&nbsp;of an affected device. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system. A successful exploit could allow the attacker to bypass file system permissions and overwrite arbitrary files on the affected device. 2026-04-15 5.5 CVE-2026-20161 cisco-sa-te-agentfilewrite-tqUw3SMU
 
Microsoft--Windows 10 Version 1809 Access of resource using incompatible type ('type confusion') in Windows COM allows an authorized attacker to disclose information locally. 2026-04-14 5.5 CVE-2026-20806 Windows COM Server Information Disclosure Vulnerability
 
Grafana--Loki The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace} Thanks to Prasanth Sundararajan for reporting this vulnerability. 2026-04-15 5.3 CVE-2026-21726 https://grafana.com/security/security-advisories/cve-2026-21726
 
Fortinet--FortiSOAR PaaS A cleartext transmission of sensitive information vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated attacker to view cleartext password in response for Secure Message Exchange and Radius queries, if configured 2026-04-14 5.4 CVE-2026-21742 https://fortiguard.fortinet.com/psirt/FG-IR-26-106
 
Eaton--IPP Software Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network‑based attacker to intercept the cookie and exploit it through a man‑in‑the‑middle attack. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre. 2026-04-16 5.7 CVE-2026-22617 https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf
 
Eaton--IPP software A security misconfiguration was identified in Eaton Intelligent Power Protector (IPP), where an HTTP response header was set with an insecure attribute, potentially exposing users to web‑based attacks. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre. 2026-04-16 5.9 CVE-2026-22618 https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf
 
Wago--Smart Designer In Wago Smart Designer in versions up to 2.33.1 a low privileged remote attacker may enumerate projects and usernames through iterative requests to an specific endpoint. 2026-04-16 4.3 CVE-2023-5872 https://certvde.com/de/advisories/VDE-2023-045
https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2023/vde-2023-045.json
 
Vision--Helpdesk Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id. 2026-04-16 4.3 CVE-2024-58343 https://github.com/websec/Vision-Helpdesk-Exploit
https://websec.net/blog/critical-vulnerability-in-vision-helpdesk-allows-unauthorized-session-access-67264646bde7fa99ea26446f
 
Zaytech--Smart Online Order for Clover Cross-Site Request Forgery (CSRF) vulnerability in Zaytech Smart Online Order for Clover allows Cross Site Request Forgery.This issue affects Smart Online Order for Clover: from n/a through 1.6.0. 2026-04-15 4.3 CVE-2025-15635 https://patchstack.com/database/wordpress/plugin/clover-online-orders/vulnerability/wordpress-smart-online-order-for-clover-plugin-1-6-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Dell--PowerScale OneFS Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper check for unusual or exceptional conditions vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service. 2026-04-16 4.1 CVE-2025-43883 https://www.dell.com/support/kbdoc/en-us/000376214/dsa-2025-347-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities
 
Dell--PowerScale OneFS Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper resource shutdown or release vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service. 2026-04-16 4.4 CVE-2025-43935 https://www.dell.com/support/kbdoc/en-us/000376214/dsa-2025-347-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities
 
DeluxeThemes--Userpro Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro allows Cross Site Request Forgery.This issue affects Userpro: from n/a before 5.1.11. 2026-04-15 4.3 CVE-2025-53444 https://patchstack.com/database/wordpress/plugin/userpro/vulnerability/wordpress-userpro-plugin-5-1-11-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Fortinet--FortiSOAR on-premise A server-side request forgery (ssrf) vulnerability [CWE-918] vulnerability in Fortinet FortiSOAR PaaS 7.6.4, FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.4, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated attacker to discover services running on local ports via crafted requests. 2026-04-14 4.1 CVE-2025-59809 https://fortiguard.fortinet.com/psirt/FG-IR-26-103
 
Fortinet--FortiSandbox PaaS An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.4, FortiSandbox PaaS 5.0.0 through 5.0.4 may allow an attacker to perform an XSS attack via crafted HTTP requests. 2026-04-14 4.9 CVE-2025-61886 https://fortiguard.fortinet.com/psirt/FG-IR-26-109
 
themefusion--Avada (Fusion) Builder The Avada (Fusion) Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to the plugin's `fusion_get_post_custom_field()` function failing to validate whether metadata keys are protected (underscore-prefixed). This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract protected post metadata fields that should not be publicly accessible via the Dynamic Data feature's `post_custom_field` parameter. 2026-04-15 4.3 CVE-2026-1541 https://www.wordfence.com/threat-intel/vulnerabilities/id/f1f69f93-80e3-434d-98a6-fc8757b4e6d1?source=cve
https://themeforest.net/item/avada-responsive-multipurpose-theme/2833226
 
Cisco--Cisco Unity Connection A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of HTTP request parameters. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious web page. 2026-04-15 4.7 CVE-2026-20060 cisco-sa-unity-vulns-n2EJSbbw
 
Cisco--Cisco Unity Connection A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to perform an SQL injection attack against an affected device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP(S) request to the web-based management interface of an affected device. A successful exploit could allow the attacker to view data on the affected device. 2026-04-15 4.3 CVE-2026-20061 cisco-sa-unity-vulns-n2EJSbbw
 
Cisco--Cisco Identity Services Engine Software Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker with administrative&nbsp;write privileges to conduct a stored cross-site scripting (XSS) attack or a reflected XSS attack against a user of the web-based management interface of an affected device. These vulnerabilities are due to insufficient sanitization of user-supplied data that is stored in the web page. An attacker could exploit these vulnerabilities by convincing a user of the interface to click a specific link or view an affected web page. The injected script code may be executed in the context of the web-based management interface or allow the attacker to access sensitive browser-based information. 2026-04-15 4.8 CVE-2026-20132 cisco-sa-isexss-BS8ctE7U
 
Cisco--Cisco Identity Services Engine Software A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to perform path traversal attacks on the underlying operating system and read arbitrary files. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system. A successful exploit could allow the attacker to access sensitive files on the affected system. 2026-04-15 4.9 CVE-2026-20148 cisco-sa-ise-rce-traversal-8bYndVrZ
 
Splunk--Splunk Enterprise In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles, has write permission on the app, and does not hold the high-privilege capability `accelerate_datamodel`, could turn on or off Data Model Acceleration due to improper access control. 2026-04-15 4.3 CVE-2026-20203 https://advisory.splunk.com/advisories/SVD-2026-0402
 
Microsoft--Windows 10 Version 1607 Improper removal of sensitive information before storage or transfer in Windows Recovery Environment Agent allows an unauthorized attacker to bypass a security feature with a physical attack. 2026-04-14 4.6 CVE-2026-20928 Windows Recovery Environment Security Feature Bypass Vulnerability
 
Microsoft--Microsoft SharePoint Enterprise Server 2016 Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. 2026-04-14 4.6 CVE-2026-20945 Microsoft SharePoint Server Spoofing Vulnerability
 
Fortinet--FortiSOAR PaaS An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to perform a stored cross site scripting (XSS) attack via crafted HTTP Requests. 2026-04-14 4.4 CVE-2026-22154 https://fortiguard.fortinet.com/psirt/FG-IR-26-117
 
Fortinet--FortiSOAR PaaS A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.4, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.4, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to retrieve Service account password via server address modification in LDAP configuration. 2026-04-14 4.1 CVE-2026-22574 https://fortiguard.fortinet.com/psirt/FG-IR-26-105
 
Fortinet--FortiSOAR PaaS A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.4, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.4, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to retrieve passwords for multiple installed connectors via server address modification in connector configuration. 2026-04-14 4.1 CVE-2026-22576 https://fortiguard.fortinet.com/psirt/FG-IR-26-104
 
octobercms--october October is a Content Management System (CMS) and web platform. Versions prior to 3.7.13 and versions 4.0.0 through 4.1.4 contain a sandbox bypass vulnerability in the optional Twig safe mode feature (CMS_SAFE_MODE). Certain methods on the collect() helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections. Exploitation requires authenticated backend access with CMS template editing permissions and only affects installations with CMS_SAFE_MODE enabled (disabled by default). This issue has been fixed in versions 3.7.13 and 4.1.5. To workaround this issue, users can disable CMS_SAFE_MODE if untrusted template editing is not required, and restrict CMS template editing permissions to fully trusted administrators only. 2026-04-14 4.9 CVE-2026-22692 https://github.com/octobercms/october/security/advisories/GHSA-m5qg-jc75-4jp6
 

Back to top

Low Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
WSO2--WSO2 API Manager The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references. By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product. 2026-04-16 3.5 CVE-2024-8010 https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3581/
 
1Panel-dev--MaxKB A vulnerability has been found in 1Panel-dev MaxKB up to 2.4.2. Impacted is an unknown function of the file ui/src/chat.ts of the component MdPreview. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.5.0 is recommended to address this issue. The name of the patch is 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. 2026-04-13 3.5 CVE-2025-15632 VDB-356967 | 1Panel-dev MaxKB MdPreview chat.ts cross site scripting
VDB-356967 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #782265 | 1Panel-dev MaxKB <= v2.6.1 Stored XSS
https://github.com/AnalogyC0de/public_exp/issues/28
https://github.com/1Panel-dev/MaxKB/pull/4578
https://github.com/1Panel-dev/MaxKB/commit/7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8
https://github.com/1Panel-dev/MaxKB/releases/tag/v2.5.0
https://github.com/1Panel-dev/MaxKB/
 
Siemens--Siemens Software Center A vulnerability has been identified in Siemens Software Center (All versions < V3.5.8.2), Simcenter 3D (All versions < V2506.6000), Simcenter Femap (All versions < V2506.0002), Simcenter STAR-CCM+ (All versions < V2602), Solid Edge SE2025 (All versions < V225.0 Update 13), Solid Edge SE2026 (All versions < V226.0 Update 04), Tecnomatix Plant Simulation (All versions < V2504.0008). Affected applications do not properly validate client certificates to connect to Analytics Service endpoint. This could allow an unauthenticated remote attacker to perform man in the middle attacks. 2026-04-14 3.7 CVE-2025-40745 https://cert-portal.siemens.com/productcert/html/ssa-981622.html
 
Grafana--Grafana Correlations --- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score: "3.3" cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" fixed_versions: - ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4" --- A cross-tenant isolation vulnerability was found in Grafana's Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4. Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability. 2026-04-15 3.3 CVE-2026-21727 https://grafana.com/security/security-advisories/cve-2026-21727
 
HCL--AION HCL AION is affected by a vulnerability where certain system behaviours may allow exploration of internal filesystem structures. Exposure of such information may provide insights into the underlying environment, which could potentially aid in further targeted actions or limited information disclosure. 2026-04-15 2.9 CVE-2025-52641 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130007
 
Fortinet--FortiNAC-F An URL Redirection to Untrusted Site ('Open Redirect') vulnerability [CWE-601] vulnerability in Fortinet FortiNAC-F 7.6.0 through 7.6.5, FortiNAC-F 7.4 all versions, FortiNAC-F 7.2 all versions may allow a remote privileged attacker with system administrator role to redirect users to an arbitrary website via crafted CSV file. 2026-04-14 2.2 CVE-2026-21741 https://fortiguard.fortinet.com/psirt/FG-IR-26-118
 

Back to top

Severity Not Yet Assigned

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
AMD--AMD EPYC 7003 Series Processors Insufficient checks of the RMP on host buffer access in IOMMU may allow an attacker with privileges and a compromised hypervisor to trigger an out of bounds condition without RMP checks, resulting in a potential loss of confidential guest integrity. 2026-04-16 not yet calculated CVE-2023-20585 https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3016.html
 
n/a--NietThijmen ShoppingCart 0.0.2 Command injection in the connect function in NietThijmen ShoppingCart 0.0.2 allows an attacker to execute arbitrary shell commands and achieve remote code execution via injection of malicious payloads into the Port field 2026-04-15 not yet calculated CVE-2024-53412 https://github.com/NietThijmen/ShoppingCart/issues/1
https://github.com/Buckdray/vulnerability-research/blob/main/CVE-2024-53412/README.md
 
Grafana--Grafana Alerting In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions "alert.notifications:write" or "alert.notifications.receivers:test" that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations. 2026-04-15 not yet calculated CVE-2025-12141 https://grafana.com/security/security-advisories/cve-2025-12141/
 
MCPHub--MCPHub MCPHub in versions below 0.11.0 is vulnerable to authentication bypass. Some endpoints are not protected by authentication middleware, allowing an unauthenticated attacker to perform actions in the name of other users and using their privileges. 2026-04-14 not yet calculated CVE-2025-13822 https://github.com/samanhappy/mcphub
https://cert.pl/en/posts/2026/04/CVE-2025-13822
 
Legion of the Bouncy Castle Inc.--BC-JAVA Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (core modules). This vulnerability is associated with program files G3413CTRBlockCipher. GOSTCTR implementation unable to process more than 255 blocks correctly. This issue affects BC-JAVA: from 1.59 before 1.84. 2026-04-15 not yet calculated CVE-2025-14813 https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%9014813
https://github.com/bcgit/bc-java/commit/b42574345414e4b7c8051b16fa1fafe01c29871f
https://github.com/bcgit/bc-java/commit/701686cb0184cd9ae103c801b3581fdf95c6d4f3
 
Unknown--Form Maker by 10Web The Form Maker by 10Web WordPress plugin before 1.15.38 does not properly prepare SQL queries when the "MySQL Mapping" feature is in use, which could make SQL Injection attacks possible in certain contexts. 2026-04-13 not yet calculated CVE-2025-15441 https://wpscan.com/vulnerability/41f69b0a-4d17-4a6b-b803-ea1c370e3cc0/
 
OpenText, Inc--RightFax Deserialization of untrusted data vulnerability in OpenText, Inc RightFax on Windows, 64 bit, 32 bit allows Object Injection.This issue affects RightFax: through 25.4. 2026-04-15 not yet calculated CVE-2025-15610 https://support.opentext.com/csm?id=ot_kb_unauthenticated&sysparm_article=KB0861863
 
Sparx Systems Pty Ltd.--Sparx Enterprise Architect Insufficiently Protected Credentials in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client does not verify the receiver of OAuth2 credentials during OpenID authentication 2026-04-16 not yet calculated CVE-2025-15621 https://sparxsystems.com/products/ea/17.1/history.html
 
Sparx Systems Pty Ltd.--Sparx Enterprise Architect Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client reveals plaintext OAuth2 client secretDesktop client decodes the secret and uses the plaintext secret to exchange it into an access and id tokens as part of the OpenID authentication flow. 2026-04-17 not yet calculated CVE-2025-15622 https://sparxsystems.com/products/ea/17.1/history.html
 
Sparx Systems Pty Ltd.--Sparx Pro Cloud Server Exposure of Private Personal Information to an Unauthorized Actor, : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server. Unauthenticated user can retrieve database password in plaintext in certain situations 2026-04-17 not yet calculated CVE-2025-15623 https://sparxsystems.com/products/procloudserver/6.1/history.html
 
Sparx Systems Pty Ltd.--Sparx Pro Cloud Server Plaintext Storage of a Password vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.  In a setup where OpenID is used as the primary method of authentication to authenticate to Sparx EA, Pro Cloud Server creates local passwords to the users and stores them in plaintext. 2026-04-17 not yet calculated CVE-2025-15624 https://sparxsystems.com/products/procloudserver/6.1/history.html
 
Sparx Systems Pty Ltd.--Sparx Pro Cloud Server Unauthenticated user is able to execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases. 2026-04-17 not yet calculated CVE-2025-15625 https://sparxsystems.com/products/procloudserver/6.1/history.html
 
n/a--Phpgurukul Online Course In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page. 2026-04-13 not yet calculated CVE-2025-51414 https://github.com/12T40910/CVE/issues/12
https://medium.com/@tanushkushtk01/cve-2025-51414-unrestricted-file-upload-in-online-course-registration-v3-1-bd8b839be1d7
 
AMD--AMD EPYC 9004 Series Processors Incorrect use of boot service in the AMD Platform Configuration Blob (APCB) SMM driver could allow a privileged attacker with local access (Ring 0) to achieve privilege escalation potentially resulting in arbitrary code execution. 2026-04-16 not yet calculated CVE-2025-54502 https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-7054.html
 
AMD--AMD EPYC 9004 Series Processors A missing lock verification in AMD Secure Processor (ASP) firmware may permit a locally authenticated attacker with administrative privileges to alter MMIO routing on some Zen 5-based products, potentially compromising guest system integrity. 2026-04-16 not yet calculated CVE-2025-54510 https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3034.html
 
Apache Software Foundation--Apache Airflow The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary execution of code on the worker. Since the UI users are already highly trusted, this is a Low severity vulnerability. It does not affect Airflow release - example_dags are not supposed to be enabled in production environment, however users following the example could replicate the bad pattern. Documentation of Airflow 3.2.0 contains version of the example with improved resiliance for that case. Users who followed that pattern are advised to adjust their implementations accordingly. 2026-04-15 not yet calculated CVE-2025-54550 https://lists.apache.org/thread/3mf4cfx070ofsnf9qy0s2v5gqb5sc2g1
https://github.com/apache/airflow/pull/63200
 
Openai[.]com-- Codex CLI v0.23.0 A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files. The attack is triggered when a user runs the codex command inside a malicious or compromised repository. Codex automatically loads project-local .env and .codex/config.toml files without requiring user confirmation, allowing attackers to embed arbitrary commands that execute immediately. 2026-04-14 not yet calculated CVE-2025-61260 http://openai.com
https://research.checkpoint.com/2025/openai-codex-cli-command-injection-vulnerability/
 
Snipe-it[.]com--Snipe-IT asset management v8.3.0 Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system v8.3.0 to up and including v8.3.1 allows authenticated attacker with lowest privileges sufficient only to log in, to inject arbitrary JavaScript code via "Name" and "Surname" fields. The JavaScript code is executed whenever "Activity Report" or modified profile is viewed directly by any user with sufficient permissions. Successful exploitation of this issue requires that the profile's "Display Name" is not set. The vulnerability is fixed in v8.3.2. 2026-04-13 not yet calculated CVE-2025-63743 http://grokability.com
http://snipe-it.com
https://github.com/grokability/snipe-it/commit/b6d397bcca4e8a05176b782de769d7160058bfc4#diff-7fe056d76c09808dac923c4639161d587c3fff281a01122f3e10c4a781674a65
https://github.com/mikust/CVEs/tree/main/CVE-2025-63743
 
n/a-- hotel-management-php version 1.0 alandsilva26 hotel-management-php 1.0 is vulnerable to Cross Site Scripting (XSS) in /public/admin/edit_room.php which allows an attacker to inject and execute arbitrary JavaScript via the room_id GET parameter. 2026-04-14 not yet calculated CVE-2025-65132 https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2025-65132/README.md
 
n/a--School Management System v1.0 A SQL injection vulnerability exists in the School Management System (version 1.0) by manikandan580. An unauthenticated or authenticated remote attacker can supply a crafted HTTP request to the affected endpoint to manipulate SQL query logic and extract sensitive database information. 2026-04-14 not yet calculated CVE-2025-65133 https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2025-65133/README.md
 
n/a--School Management System v1.0 In manikandan580 School-management-system 1.0, a reflected cross-site scripting (XSS) vulnerability exists in /studentms/admin/contact-us.php via the email POST parameter. 2026-04-14 not yet calculated CVE-2025-65134 https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2025-65134/README.md
 
n/a--School Management System v1.0 In manikandan580 School-management-system 1.0, a reflected XSS vulnerability exists in /studentms/admin/contact-us.php via the pagedes POST parameter. 2026-04-14 not yet calculated CVE-2025-65136 https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2025-65136/README.md
 
Apache Software Foundation--Apache Airflow Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. Some assumptions the Deployment Manager could make were not clear or explicit enough, even though Airflow's intentions and security model of Airflow did not suggest different assumptions. The overall security model [1], workload isolation [2], and JWT authentication details [3] are now described in more detail. Users concerned with role isolation and following the Airflow security model of Airflow are advised to upgrade to Airflow 3.2, where several security improvements have been implemented. They should also read and follow the relevant documents to make sure that their deployment is secure enough. It also clarifies that the Deployment Manager is ultimately responsible for securing your Airflow deployment. This had also been communicated via Airflow 3.2.0 Blog announcement [4]. [1] Security Model: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html [2] Workload isolation: https://airflow.apache.org/docs/apache-airflow/stable/security/workload.html [3] JWT Token authentication: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html [4] Airflow 3.2.0 Blog announcement: https://airflow.apache.org/blog/airflow-3.2.0/ Users are recommended to upgrade to version 3.2.0, which fixes this issue. 2026-04-13 not yet calculated CVE-2025-66236 https://github.com/apache/airflow/pull/58662
https://lists.apache.org/thread/g8fyy1tkmxkkfk7tx2v6h8mvwzpyykbo
 
gonitro[.]com-- Nitro PDF Pro v14.41.1.4 A NULL pointer dereference in Nitro PDF Pro for Windows v14.41.1.4 allows attackers to cause a Denial of Service (DoS) via a crafted XFA packet. 2026-04-13 not yet calculated CVE-2025-66769 https://www.gonitro.com/
https://jeroscope.com/advisories/2025/jero-2025-015/
 
nordicsemi[.]no--IronSide SE Nordic Semiconductor IronSide SE for nRF54H20 before 23.0.2+17 has an Algorithmic complexity issue. 2026-04-15 not yet calculated CVE-2025-67841 https://nordicsemi.no
https://docs.nordicsemi.com/bundle/SA/resource/SA-2025-447-v1.1.pdf
 
gonitro[.]com-- Nitro PDF Pro v14.41.1.4 Nitro PDF Pro for Windows 14.41.1.4 contains a NULL pointer dereference vulnerability in the JavaScript implementation of app.alert(). When app.alert() is called with more than one argument and the first argument evaluates to null (for example, app.alert(app.activeDocs, true) when app.activeDocs is null), the engine routes the call through a fallback path intended for non-string arguments. In this path, js_ValueToString() is invoked on the null value and returns an invalid string pointer, which is then passed to JS_GetStringChars() without validation. Dereferencing this pointer leads to an access violation and application crash when opening a crafted PDF. 2026-04-13 not yet calculated CVE-2025-69624 http://nitro.com
 
gonitro[.]com-- Nitro PDF Pro v14.41.1.4 Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc(). During execution, an internal XID object is allocated and then freed prematurely, after which the freed pointer is still passed into UI and logging helper functions. Because the freed memory region may contain unpredictable heap data or remnants of attacker-controlled JavaScript strings, downstream routines such as wcscmp() may process invalid or stale pointers. This can result in access violations and non-deterministic crashes. 2026-04-13 not yet calculated CVE-2025-69627 http://nitro.com
https://jeroscope.com/advisories/2025/jero-2025-016/
 
trezor[.]com--Trezor One v1.13.0 A side-channel vulnerability exists in the implementation of BIP-39 mnemonic processing, as observed in Trezor One v1.13.0 to v1.14.0, Trezor T v1.13.0 to v1.14.0, and Trezor Safe v1.13.0 to v1.14.0 hardware wallets. This originates from the BIP-39 standard guidelines, which induce non-constant time execution and specific branch patterns for word searching. An attacker with physical access during the initial setup phase can collect a single side-channel trace. By utilizing profiling-based Deep Learning Side-Channel Analysis (DL-SCA), the attacker can recover the mnemonic code and subsequently steal the assets. The issue was patched. 2026-04-14 not yet calculated CVE-2025-69893 http://trezor.com
https://trezor.io/vulnerability/fix-side-channel-in-bip-39-mnemonic-processing-when-unlocked
 
n/a-- transloadit uppy v0.25.6 An issue pertaining to CWE-843: Access of Resource Using Incompatible Type was discovered in transloadit uppy v0.25.6. 2026-04-14 not yet calculated CVE-2025-70023 https://github.com/transloadi
https://github.com/transloadit/uppy
https://gist.github.com/zcxlighthouse/27926a85371ac5d2291f44903254753e
 
Safetica Application suite-- STProcessMonitor 11.11.4.0  STProcessMonitor 11.11.4.0, part of the Safetica Application suite, allows an admin-privileged user to send crafted IOCTL requests to terminate processes that are protected through a third-party implementation. This is caused by insufficient caller validation in the driver's IOCTL handler, enabling unauthorized processes to perform those actions in kernel space. Successful exploitation can lead to denial of service by disrupting critical third-party services or applications. Unauthorized processes load the driver and send a crafted IOCTL request (0xB822200C) to terminate processes protected by a third-party implementation. This action exploits insufficient caller validation in the driver's IOCTL handler, allowing unauthorized processes to perform termination operations in kernel space. Successful exploitation can lead to denial of service by disrupting critical third-party services or applications. 2026-04-17 not yet calculated CVE-2025-70795 https://bbs.kafan.cn/thread-2287429-1-1.html
https://bbs.kafan.cn/thread-2287429-2-1.html
https://www.virustotal.com/gui/file/70bcec00c215fe52779700f74e9bd669ff836f594df92381cbfb7ee0568e7a8b
https://www.virustotal.com/gui/file/9ace6a1e4bee5834be38b4c2fd26780d1fcc18ea9d58224e31d6382c19e53296
https://www.virustotal.com/gui/file/fc3588482f596a067b65d5d64d21fe62463b38a138fc87d8d2350efa86d34284
https://github.com/magicsword-io/LOLDrivers/commit/eea8326bf891d810902203e9ac5cfdeaf5a17a1c
https://github.com/magicsword-io/LOLDrivers/issues/268
 
Vtiger[.]com-- Vtiger CRM 8.4.0 Vtiger CRM 8.4.0 contains a reflected cross-site scripting (XSS) vulnerability in the MailManager module. Improper handling of user-controlled input in the _folder parameter allows a specially crafted, double URL-encoded payload to be reflected and executed in the context of an authenticated user s session. 2026-04-13 not yet calculated CVE-2025-70936 https://www.vtiger.com/open-source-crm/
https://www.simonjuguna.com/cve-2025-70936-reflected-xss-vulnerability-in-vtiger-crm-v8-4-0/
 
Progress Software Corporation--OpenEdge A vulnerability in the AdminServer component of OpenEdge on all supported platforms grants its authenticated users OS-level access to the server through the adopted authority of the AdminServer process itself.  The delegated authority of the AdminServer could allow its users the ability to read arbitrary files on the host system through the misuse of the setFile() and openFile() methods exposed through the RMI interface.  Misuse was limited only by OS-level authority of the AdminServer's elevated privileges granted and the user's access to these methods enabled through RMI.  The exploitable methods have been removed thus eliminating their access through RMI or downstream of the RMI registry. 2026-04-14 not yet calculated CVE-2025-7389 https://community.progress.com/s/article/Important-Arbitrary-File-Ready-Security-Update-for-OpenEdge-AdminServer
 
Progress Software Corporation--OpenEdge The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform.  It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications.  OECH1 encodings should be considered exploitable and immediately replaced by any other supported prefix encoding, all of which are based on symmetric encryption. 2026-04-14 not yet calculated CVE-2025-8095 https://community.progress.com/s/article/Unintended-Use-of-OECH1-for-Password-Secrets-Protection
 
PureStorage--FlashBlade A vulnerability exists in FlashBlade whereby sensitive information may be logged under specific conditions. 2026-04-14 not yet calculated CVE-2026-0207 https://support.purestorage.com/bundle/m_security_bulletins/page/Pure_Security/topics/concept/c_security_bulletins.html
 
PureStorage--FlashArray Under certain administrative conditions, FlashArray Purity may apply snapshot retention policies earlier or later than configured. 2026-04-14 not yet calculated CVE-2026-0209 https://support.purestorage.com/bundle/m_security_bulletins/page/Pure_Security/topics/concept/c_security_bulletins.html
 
Palo Alto Networks--Cortex XDR Agent A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent. This issue may be leveraged by malware to perform malicious activity without detection. 2026-04-13 not yet calculated CVE-2026-0232 https://security.paloaltonetworks.com/CVE-2026-0232
 
Palo Alto Networks--Autonomous Digital Experience Manager A certificate validation vulnerability in Palo Alto Networks Autonomous Digital Experience Manager on Windows allows an unauthenticated attacker with adjacent network access to execute arbitrary code with NT AUTHORITY\SYSTEM privileges. 2026-04-13 not yet calculated CVE-2026-0233 https://security.paloaltonetworks.com/CVE-2026-0233
 
Palo Alto Networks--Cortex XSOAR Microsoft Teams Marketplace An improper verification of cryptographic signature vulnerability exists in Cortex XSOAR and Cortex XSIAM platforms during integration of Microsoft Teams that enables an unauthenticated user to access and modify protected resources. 2026-04-13 not yet calculated CVE-2026-0234 https://security.paloaltonetworks.com/CVE-2026-0234
 
Legion of the Bouncy Castle Inc.--BC-JAVA Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1.84. 2026-04-15 not yet calculated CVE-2026-0636 https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%900636
https://github.com/bcgit/bc-java/commit/d20cdb8430e09224114fec0179a71859929fcbde
 
keras-team--keras-team/keras A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `safe_mode=True`. This bypasses the security guarantees of `safe_mode` and enables arbitrary attacker-controlled code execution during model inference under the victim's privileges. The issue arises due to the unconditional loading of external SavedModels, serialization of attacker-controlled file paths, and the lack of validation in the `from_config()` method. 2026-04-13 not yet calculated CVE-2026-1462 https://huntr.com/bounties/7e78d6f1-6977-4300-b595-e81bdbda331c
https://github.com/keras-team/keras/commit/b6773d3decaef1b05d8e794458e148cb362f163f
 
Pegasystems--Pega Infinity Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role. 2026-04-15 not yet calculated CVE-2026-1564 https://support.pega.com/support-doc/pega-security-advisory-b26-vulnerability-remediation-note
 
Pegasystems--Pega Infinity Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role. 2026-04-15 not yet calculated CVE-2026-1711 https://support.pega.com/support-doc/pega-security-advisory-d26-vulnerability-remediation-note
 
ASUS--DriverHub An Incorrect Permission Assignment for Critical Resource vulnerability in the ASUS DriverHub update process allows privilege escalation due to improper protection of required execution resources during the validation phase, permitting a local user to make unprivileged modifications. This allows the altered resource to pass system checks and be executed with elevated privileges upon a user-initiated update. Refer to the 'Security Update for ASUS DriverHub' section on the ASUS Security Advisory for more information. 2026-04-16 not yet calculated CVE-2026-1880 https://www.asus.com/security-advisory
 
Samsung Mobile--Samsung Mobile Devices Improper input validation in data related to network restrictions prior to SMR Apr-2026 Release 1 allows physical attackers to bypass the restrictions. 2026-04-13 not yet calculated CVE-2026-21003 https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04
 
Samsung Mobile--Samsung Mobile Devices Improper access control in Samsung DeX prior to SMR Apr-2026 Release 1 allows physical attackers to access to hidden notification contents. 2026-04-13 not yet calculated CVE-2026-21006 https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04
 
Samsung Mobile--Samsung Mobile Devices Improper check for exceptional conditions in Device Care prior to SMR Apr-2026 Release 1 allows physical attackers to bypass Knox Guard. 2026-04-13 not yet calculated CVE-2026-21007 https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04
 
Samsung Mobile--Samsung Mobile Devices Exposure of sensitive information in S Share prior to SMR Apr-2026 Release 1 allows adjacent attacker to access sensitive information. 2026-04-13 not yet calculated CVE-2026-21008 https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04
 
Samsung Mobile--Samsung Mobile Devices Improper check for exceptional conditions in Recents prior to SMR Apr-2026 Release 1 allows physical attacker to bypass App Pinning. 2026-04-13 not yet calculated CVE-2026-21009 https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04
 
Samsung Mobile--Samsung Mobile Devices Incorrect privilege assignment in Bluetooth in Maintenance mode prior to SMR Apr-2026 Release 1 allows physical attackers to bypass Extend Unlock. 2026-04-13 not yet calculated CVE-2026-21011 https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04
 
Samsung Mobile--Samsung Mobile Devices External control of file name in AODManager prior to SMR Apr-2026 Release 1 allows privileged local attacker to create file with system privilege. 2026-04-13 not yet calculated CVE-2026-21012 https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04
 
Samsung Mobile--Galaxy Wearable Incorrect default permission in Galaxy Wearable prior to version 2.2.68.26 allows local attackers to access sensitive information. 2026-04-13 not yet calculated CVE-2026-21013 https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=04
 
Samsung Mobile--Samsung Camera Improper access control in Samsung Camera prior to version 16.5.00.28 allows local attacker to access location data. User interaction is required for triggering this vulnerability. 2026-04-13 not yet calculated CVE-2026-21014 https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=04
 
Veeam--Backup and Replication A vulnerability allowing a local attacker with administrator privileges to bypass Windows Driver Signature Enforcement. 2026-04-17 not yet calculated CVE-2026-21709 https://www.veeam.com/kb4830
https://www.veeam.com/kb4831
 
CubeCart Limited--CubeCart An OS command injection vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to execute an arbitrary OS command. 2026-04-17 not yet calculated CVE-2026-21719 https://community.cubecart.com/t/cubecart-6-6-0-released-the-biggest-update-in-years/62405
https://jvn.jp/en/jp/JVN78422311/
 
Imagination Technologies--Graphics DDK Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permission to read-only wrapped user-mode memory and files. This is caused by improper handling of GPU memory reservation protections. 2026-04-17 not yet calculated CVE-2026-21733 https://www.imaginationtech.com/gpu-driver-vulnerabilities/
 
Ubiquiti Inc--UniFi Play PowerAmp An Improper Input Validation vulnerability could allow a malicious actor with access to the UniFi Play network to cause the device to stop responding.
 Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier)
 UniFi Play Audio Port  (Version 1.0.24 and earlier)
 Mitigation: Update UniFi Play PowerAmp to Version 1.0.38 or later
 Update UniFi Play Audio Port  to Version 1.1.9 or later 2026-04-13 not yet calculated CVE-2026-22565 https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83
 
Microchip--IStaX A privilege escalation vulnerability in Microchip IStaX allows an authenticated low-privileged user to recover a shared per-device cookie secret from their own webstax_auth session cookie and forge a new cookie with administrative privileges.This issue affects IStaX before 2026.03. 2026-04-16 not yet calculated CVE-2026-2336 https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/istax-privilege-escalation-via-weak-cookie-authentication
 

Back to top

Vulnerability Summary for the Week of April 6, 2026
Posted on Tuesday April 14, 2026

High Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
nyariv--SandboxJS SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process. This vulnerability is fixed in 0.8.36. 2026-04-06 10 CVE-2026-34208 https://github.com/nyariv/SandboxJS/security/advisories/GHSA-2gg9-6p7w-6cpj
 
Davidtavarez--CF Image Hosting Script CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download and decode the application database by accessing the imgdb.db file in the upload/data directory. Attackers can extract delete IDs stored in plaintext from the deserialized database and use them to delete all pictures via the d parameter. 2026-04-12 9.8 CVE-2019-25709 ExploitDB-46094
Official Product Homepage
Product Reference
VulnCheck Advisory: CF Image Hosting Script 1.6.5 Unauthorized Database Access
 
Beijing Topsec Network Security Technology Co., Ltd.--Tianxin Internet Behavior Management System Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection. Attackers can exploit this vulnerability to write malicious PHP files into the web root and achieve remote code execution with the privileges of the web server process. This vulnerability has been fixed in version NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-01 (UTC). 2026-04-07 9.8 CVE-2021-4473 https://www.cnvd.org.cn/flaw/show/CNVD-2021-41972
https://www.cnvd.org.cn/patchInfo/show/280166
https://cn-sec.com/archives/4631959.html
https://avd.aliyun.com/detail?id=AVD-2021-890232
https://www.vulncheck.com/advisories/tianxin-internet-behavior-management-system-command-injection-via-toquery-php
 
Contemporary Controls--BASControl20 An attacker could use data obtained by sniffing the network traffic to forge packets in order to make arbitrary requests to Contemporary Controls BASC 20T. 2026-04-09 9.8 CVE-2025-13926 https://www.ccontrols.com/support/contacttech.htm
https://www.cisa.gov/news-events/ics-advisories/icsa-26-099-01
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-099-01.json
 
SaturdayDrive--Ninja Forms - File Uploads The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability was partially patched in version 3.3.25 and fully patched in version 3.3.27. 2026-04-07 9.8 CVE-2026-0740 https://www.wordfence.com/threat-intel/vulnerabilities/id/0b606ded-ab50-486a-9337-97ee9f452f12?source=cve
https://ninjaforms.com/extensions/file-uploads/
 
IBM--Verify Identity Access Container IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to escalate their privileges to root due to execution with unnecessary privileges than required. 2026-04-08 9.3 CVE-2026-1346 https://www.ibm.com/support/pages/node/7268253
 
davidfcarr--Quick Playground The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server. 2026-04-09 9.8 CVE-2026-1830 https://www.wordfence.com/threat-intel/vulnerabilities/id/308cd28a-a477-4bc6-a392-ad5a9eca1cb5?source=cve
https://plugins.trac.wordpress.org/browser/quick-playground/trunk/api.php#L39
https://plugins.trac.wordpress.org/browser/quick-playground/trunk/expro-api.php#L419
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3500839%40quick-playground&new=3500839%40quick-playground&sfp_email=&sfph_mail=
 
LibRaw--LibRaw A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. 2026-04-07 9.8 CVE-2026-20889 https://talosintelligence.com/vulnerability_reports/TALOS-2026-2358
 
LibRaw--LibRaw A heap-based buffer overflow vulnerability exists in the HuffTable::initval functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. 2026-04-07 9.8 CVE-2026-20911 https://talosintelligence.com/vulnerability_reports/TALOS-2026-2330
 
LibRaw--LibRaw A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. 2026-04-07 9.8 CVE-2026-21413 https://talosintelligence.com/vulnerability_reports/TALOS-2026-2331
 
Weaver Network Co., Ltd.--E-cology Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-03-31 (UTC). 2026-04-07 9.8 CVE-2026-22679 https://www.weaver.com.cn/cs/securityDownload.html#
https://h4cker.zip/post/d5d211/
https://ti.qianxin.com/vulnerability/notice-detail/1760
https://www.vulncheck.com/advisories/weaver-e-cology-unauthenticated-rce-via-dubboapi-debug-endpoint
 
prosolution--ProSolution WP Client The ProSolution WP Client plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'proSol_fileUploadProcess' function in all versions up to, and including, 1.9.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. 2026-04-08 9.8 CVE-2026-2942 https://www.wordfence.com/threat-intel/vulnerabilities/id/3852aef6-42e7-4b71-a1ba-dd41284fd07b?source=cve
https://plugins.trac.wordpress.org/browser/prosolution-wp-client/trunk/public/class-prosolwpclient-public.php?rev=3331282#L993
https://plugins.trac.wordpress.org/changeset/3484577/prosolution-wp-client
 
Rukovoditel--Rukovoditel CRM A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response without proper sanitization, output encoding, or content-type restrictions. The vulnerable code is: if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']); An unauthenticated attacker can exploit this issue by crafting a malicious URL containing JavaScript payloads. When a victim visits the link, the payload executes in the context of the application within the victim's browser, potentially leading to session hijacking, credential theft, phishing, or account takeover. The issue is fixed in version 3.7, which introduces proper input validation and output encoding to prevent script injection. 2026-04-11 9.3 CVE-2026-31845 https://forum.rukovoditel.net/viewtopic.php?p=22499#p22499
 
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php, the move_to POST parameter - which only passes through Security::remove_XSS() (an HTML-only filter) - is concatenated directly into shell commands such as exec("mv $source $target"). By default, Chamilo allows all authenticated users to create courses (allow_users_to_create_courses = true). Any user who is a teacher in a course (including self-created courses) can move documents, making this vulnerability exploitable by any authenticated user. The attacker must first place a directory with shell metacharacters in its name on the filesystem (achievable via Course Backup Import), then move a document into that directory to trigger arbitrary command execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. 2026-04-10 9.1 CVE-2026-32892 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-59cv-qh65-vvrr
https://github.com/chamilo/chamilo-lms/commit/3597b19b73d73d681e4fb503285e9bbfe71714bf
https://github.com/chamilo/chamilo-lms/commit/62671e5e268f235cddfba704edee90f35c234df1
 
wpeverest--Everest Forms Contact Form, Payment Form, Quiz, Survey & Custom Form Builder The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table. When an administrator views entries or views an individual entry, the unsafe unserialize() call processes the stored data without class restrictions. 2026-04-08 9.8 CVE-2026-3296 https://www.wordfence.com/threat-intel/vulnerabilities/id/2693ae37-790d-4b18-a9ec-054c8c27b8bc?source=cve
https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/admin/views/html-admin-page-entries-view.php#L133
https://plugins.trac.wordpress.org/browser/everest-forms/trunk/includes/admin/views/html-admin-page-entries-view.php#L133
https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/evf-core-functions.php#L5594
https://plugins.trac.wordpress.org/changeset/3489938/everest-forms/tags/3.4.4/readme.txt?old=3464753&old_path=everest-forms%2Ftags%2F3.4.3%2Freadme.txt
https://plugins.trac.wordpress.org/changeset?old_path=/everest-forms/tags/3.4.3&new_path=/everest-forms/tags/3.4.4
 
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, no expiration, and no rate limiting. An attacker who knows a user's email can compute the reset token and change the victim's password without authentication. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. 2026-04-10 9.4 CVE-2026-33707 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-f27g-66gq-g7v2
https://github.com/chamilo/chamilo-lms/commit/078d7e5b77679fa7ccfcd6783bd5cc683db0bda8
https://github.com/chamilo/chamilo-lms/commit/750a45312a0d5c3ad60dbfbd0d959ca40be4a18c
 
Juniper Networks--JSI LWC A Use of Default Password vulnerability in the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device. vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94. 2026-04-09 9.8 CVE-2026-33784 https://kb.juniper.net/JSA107871
 
Canonical--lxd Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote attacker with can_edit permission on a VM instance in a restricted project can inject an AppArmor rule and a QEMU chardev configuration that bridges the LXD Unix socket into the guest VM, enabling privilege escalation to LXD cluster administrator and subsequently to host root. 2026-04-09 9.1 CVE-2026-34177 VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf
lxd: Prevent use of raw.apparmor and raw.qemu.conf when low level options are blocked
 
Canonical--lxd In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive where backup.yaml carries restricted settings such as security.privileged=true or raw.lxc directives, bypassing all project restriction enforcement and allowing full host compromise. 2026-04-09 9.1 CVE-2026-34178 Importing a crafted backup leads to project restriction bypass
Import: Create backup config from index
 
Canonical--lxd In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin. 2026-04-09 9.1 CVE-2026-34179 Update of type field in restricted TLS certificate allows privilege escalation to cluster admin
Improve validation on certificate edit
 
Nextendweb--Smart Slider 3 Pro for WordPress Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system that allows unauthenticated attackers to execute arbitrary code and commands. Attackers can trigger pre-authentication remote shell execution via HTTP headers, establish authenticated backdoors accepting arbitrary PHP code or OS commands, create hidden administrator accounts, exfiltrate credentials and access keys, and maintain persistence through multiple injection points including must-use plugins and core file modifications. 2026-04-09 9.8 CVE-2026-34424 https://smartslider.helpscoutdocs.com/article/2144-wordpress-security-advisory-smart-slider-3-pro-3-5-1-35-compromise
https://smartslider.helpscoutdocs.com/article/2143-joomla-security-advisory-smart-slider-3-pro-3-5-1-35-compromise
https://patchstack.com/database/wordpress/plugin/nextend-smart-slider3-pro/vulnerability/wordpress-smart-slider-3-plugin-3-5-1-35-backdoor-vulnerability
https://patchstack.com/articles/critical-supply-chain-compromise-in-smart-slider-3-pro-full-malware-analysis/
https://mysites.guru/blog/smart-slider-3-pro-supply-chain-compromise/
 
usebruno--bruno Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted. Upgrade to 3.2.1 2026-04-06 9.8 CVE-2026-34841 https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g
https://github.com/axios/axios/issues/10604
https://github.com/usebruno/bruno/pull/7632
https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat
 
R-Project--RGui RGui 3.5.0 contains a local buffer overflow vulnerability in the GUI preferences dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can craft malicious input in the Language for menus and messages field to trigger a stack-based buffer overflow, execute a ROP chain for VirtualAlloc allocation, and achieve arbitrary code execution. 2026-04-12 8.4 CVE-2018-25258 ExploitDB-46107
Official Product Homepage
Product Reference
VulnCheck Advisory: RGui 3.5.0 Local Buffer Overflow SEH DEP Bypass
 
Html5Videoplayer--HTML5 Video Player HTML5 Video Player 1.2.5 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying an oversized key code string. Attackers can craft a malicious payload exceeding 997 bytes and paste it into the KEY CODE field in the Help Register dialog to trigger code execution and spawn a calculator process. 2026-04-12 8.4 CVE-2019-25689 ExploitDB-46279
Official Product Homepage
VulnCheck Advisory: HTML5 Video Player 1.2.5 Local Buffer Overflow Non-SEH
 
Faleemi--Faleemi Desktop Software Faleemi Desktop Software 1.8 contains a local buffer overflow vulnerability in the System Setup dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can inject a crafted payload into the Save Path for Snapshot and Record file field to trigger a buffer overflow and execute arbitrary code via ROP chain gadgets. 2026-04-12 8.4 CVE-2019-25691 ExploitDB-46269
Official Product Homepage
VulnCheck Advisory: Faleemi Desktop Software 1.8 Local Buffer Overflow SEH DEP Bypass
 
r-project--R R 3.4.4 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by injecting malicious input into the GUI Preferences language field. Attackers can craft a payload with a 292-byte offset and JMP ESP instruction to execute commands like calc.exe when the payload is pasted into the Language for menus and messages field. 2026-04-12 8.4 CVE-2019-25695 ExploitDB-46265
Official Product Homepage
VulnCheck Advisory: R 3.4.4 Local Buffer Overflow Windows XP SP3
 
VictorAlagwu--CMSsite CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Attackers can send GET requests to category.php with malicious cat_id values to extract sensitive database information including usernames and credentials. 2026-04-12 8.2 CVE-2019-25697 ExploitDB-46259
Product Reference
VulnCheck Advisory: CMSsite 1.0 SQL Injection via category.php
 
Divxtodvd--Easy Video to iPod Converter Easy Video to iPod Converter 1.6.20 contains a local buffer overflow vulnerability in the user registration field that allows local attackers to overwrite the structured exception handler. Attackers can input a crafted payload exceeding 996 bytes in the username field to trigger SEH overwrite and execute arbitrary code with user privileges. 2026-04-12 8.4 CVE-2019-25701 ExploitDB-46255
Official Product Homepage
Product Reference
VulnCheck Advisory: Easy Video to iPod Converter 1.6.20 Local Buffer Overflow SEH
 
Sourceforge--Echo Mirage Echo Mirage 3.1 contains a stack buffer overflow vulnerability that allows local attackers to crash the application or execute arbitrary code by supplying an oversized string in the Rules action field. Attackers can create a malicious text file with a crafted payload exceeding buffer boundaries and paste it into the action field through the Rules dialog to trigger the overflow and overwrite the return address. 2026-04-12 8.4 CVE-2019-25705 ExploitDB-46216
Official Product Homepage
Product Reference
VulnCheck Advisory: Echo Mirage 3.1 Stack Buffer Overflow via Rules Action Field
 
Dolibarr--Dolibarr ERP-CRM Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques. 2026-04-12 8.2 CVE-2019-25710 ExploitDB-46095
Official Product Homepage
Product Reference
VulnCheck Advisory: Dolibarr ERP-CRM 8.0.4 SQL Injection via rowid Parameter
 
Synology--Synology SSL VPN Client A plaintext storage of a password vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access or influence the user's PIN code due to insecure storage. This may lead to unauthorized VPN configuration and potential interception of subsequent VPN traffic when combined with user interaction. 2026-04-10 8.1 CVE-2021-47961 Synology-SA-26:05 Synology SSL VPN Client
 
Adivaha--WordPress adivaha Travel Plugin WordPress adivaha Travel Plugin 2.3 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pid' GET parameter. Attackers can send requests to the /mobile-app/v3/ endpoint with crafted 'pid' values using XOR-based payloads to extract sensitive database information or cause denial of service. 2026-04-09 8.2 CVE-2023-54359 ExploitDB-51655
Official Product Homepage
Product Reference
VulnCheck Advisory: WordPress adivaha Travel Plugin 2.3 SQL Injection via pid
 
Juniper Networks--Apstra A Key Exchange without Entity Authentication vulnerability in the SSH implementation of Juniper Networks Apstra allows a unauthenticated, MITM attacker to impersonate managed devices. Due to insufficient SSH host key validation an attacker can perform a machine-in-the-middle attack on the SSH connections from Apstra to managed devices, enabling an attacker to impersonate a managed device and capture user credentials. This issue affects all versions of Apstra before 6.1.1. 2026-04-09 8.7 CVE-2025-13914 https://kb.juniper.net/JSA107862
 
Qualcomm, Inc.--Snapdragon Memory corruption when decoding corrupted satellite data files with invalid signature offsets. 2026-04-06 8.8 CVE-2025-47392 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
CactusThemes--VideoPro Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CactusThemes VideoPro allows PHP Local File Inclusion.This issue affects VideoPro: from n/a through 2.3.8.1. 2026-04-10 8.1 CVE-2025-58913 https://patchstack.com/database/wordpress/theme/videopro/vulnerability/wordpress-videopro-theme-2-3-8-1-local-file-inclusion-vulnerability?_s_id=cve
 
Hitachi--JP1/IT Desktop Management 2 - Manager Remote Code Execution Vulnerability in JP1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management 2 - Operations Director on Windows, Job Management Partner 1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management - Manager on Windows, Job Management Partner 1/IT Desktop Management - Manager on Windows, JP1/NETM/DM Manager on Windows, JP1/NETM/DM Client on Windows, Job Management Partner 1/Software Distribution Manager on Windows, Job Management Partner 1/Software Distribution Client on Windows.This issue affects JP1/IT Desktop Management 2 - Manager: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; JP1/IT Desktop Management 2 - Operations Director: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; Job Management Partner 1/IT Desktop Management 2 - Manager: from 10-50 through 10-50-11; JP1/IT Desktop Management - Manager: from 09-50 through 10-10-16; Job Management Partner 1/IT Desktop Management - Manager: from 09-50 through 10-10-16; JP1/NETM/DM Manager: from 09-00 through 10-20-02; JP1/NETM/DM Client: from 09-00 through 10-20-02; Job Management Partner 1/Software Distribution Manager: from 09-00 through 09-51-13; Job Management Partner 1/Software Distribution Client: from 09-00 through 09-51-13. 2026-04-07 8.8 CVE-2025-65115 https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-118/index.html
 
IBM--Verify Identity Access Container IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to execute malicious scripts from outside of its control sphere. 2026-04-07 8.5 CVE-2026-1342 https://www.ibm.com/support/pages/node/7268253
 
LibRaw--LibRaw An integer overflow vulnerability exists in the deflate_dng_load_raw functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. 2026-04-07 8.1 CVE-2026-20884 https://talosintelligence.com/vulnerability_reports/TALOS-2026-2364
 
Windmill Labs--Windmill CE (Community Edition) Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0. 2026-04-07 8.8 CVE-2026-22683 https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/
https://github.com/Chocapikk/Windfall
https://github.com/windmill-labs/windmill/releases/tag/v1.615.0
https://github.com/windmill-labs/windmill/commit/c621a74804f4f6e8318819c01e3a23a17698588b
https://www.windmill.dev/
https://apps.nextcloud.com/apps/flow/releases
 
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file feletion. User input from $_REQUEST['test'] is concatenated directly into filesystem path without canonicalization or traversal checks. This vulnerability is fixed in 1.11.38. 2026-04-10 8.3 CVE-2026-31939 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-8q8c-v75x-q2hx
https://github.com/chamilo/chamilo-lms/commit/4dddcc19d36119da27b7c49eb84a035800abae78
https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.38
 
danbilabs--Advanced Members for ACF The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the create_crop function in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability was partially patched in version 1.2.5. 2026-04-08 8.8 CVE-2026-3243 https://www.wordfence.com/threat-intel/vulnerabilities/id/22b63369-c6ea-42e9-bea3-d15837da7732?source=cve
https://plugins.trac.wordpress.org/browser/advanced-members/tags/1.2.4/core/modules/class-avatar.php#L57
https://plugins.trac.wordpress.org/browser/advanced-members/tags/1.2.4/core/modules/class-avatar.php#L266
https://plugins.trac.wordpress.org/browser/advanced-members/trunk/core/modules/class-avatar.php#L710
https://plugins.trac.wordpress.org/changeset/3479725/
https://plugins.trac.wordpress.org/changeset/3492372/
 
Elastic--Logstash Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution. 2026-04-08 8.1 CVE-2026-33466 https://discuss.elastic.co/t/logstash-8-19-14-9-2-8-9-3-3-security-update-esa-2026-29/385816
 
homarr-labs--homarr Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter (callbackUrl), which is passed to redirect and router.push. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. This vulnerability is fixed in 1.57.0. 2026-04-06 8.8 CVE-2026-33510 https://github.com/homarr-labs/homarr/security/advisories/GHSA-79pg-554g-rw82
 
IBM--Langflow Desktop IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component. 2026-04-08 8.8 CVE-2026-3357 https://www.ibm.com/support/pages/node/7268428
 
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An attacker with admin access (obtainable via Advisory 1) can inject arbitrary PHP code into the settings, which is then executed when any user (including unauthenticated) requests /platform-config/list. This vulnerability is fixed in 2.0.0-RC.3. 2026-04-10 8.8 CVE-2026-33618 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-hp4w-jmwc-pg7w
https://github.com/chamilo/chamilo-lms/commit/f2c382c94a3f153a4d7e5ce5686c5a219fd09b3b
 
lexiforest--curl_cffi curl_cffi is the a Python binding for curl. Prior to 0.15.0, curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi's TLS impersonation feature can make these requests appear as legitimate browser traffic, which may bypass certain network controls. This vulnerability is fixed in 0.15.0. 2026-04-06 8.6 CVE-2026-33752 https://github.com/lexiforest/curl_cffi/security/advisories/GHSA-qw2m-4pqf-rmpp
 
Juniper Networks--Junos OS A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS on MX Series allows a local, authenticated user with low privileges to execute specific commands which will lead to a complete compromise of managed devices. Any user logged in, without requiring specific privileges, can issue 'request csds' CLI operational commands. These commands are only meant to be executed by high privileged or users designated for Juniper Device Manager (JDM) / Connected Security Distributed Services (CSDS) operations as they will impact all aspects of the devices managed via the respective MX. This issue affects Junos OS on MX Series: * 24.4 releases before 24.4R2-S3,  * 25.2 releases before 25.2R2. This issue does not affect Junos OS releases before 24.4. 2026-04-09 8.8 CVE-2026-33785 https://kb.juniper.net/JSA107872
 
podman-desktop--podman-desktop Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allows any network attacker to remotely trigger denial-of-service conditions and extract sensitive information. By abusing missing connection limits and timeouts, an attacker can exhaust file descriptors and kernel memory, leading to application crash or full host freeze. Additionally, verbose error responses disclose internal paths and system details (including usernames on Windows), aiding further exploitation. The issue requires no authentication or user interaction and is exploitable over the network. This vulnerability is fixed in 1.26.2. 2026-04-07 8.2 CVE-2026-34045 https://github.com/podman-desktop/podman-desktop/security/advisories/GHSA-2q88-39rh-gxvv
 
OpenClaw--OpenClaw OpenClaw before 2026.3.25 contains an improper access control vulnerability in the HTTP /sessions/:sessionKey/kill route that allows any bearer-authenticated user to invoke admin-level session termination functions without proper scope validation. Attackers can exploit this by sending authenticated requests to kill arbitrary subagent sessions via the killSubagentRunAdmin function, bypassing ownership and operator scope restrictions. 2026-04-09 8.1 CVE-2026-34512 GitHub Security Advisory (GHSA-9p93-7j67-5pc2)
Patch Commit
VulnCheck Advisory: OpenClaw < 2026.3.25 - Improper Access Control in /sessions/:sessionKey/kill Endpoint
 
opnsense--core OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape(). An unauthenticated attacker can inject LDAP filter metacharacters into the username field of the WebGUI login page to enumerate valid LDAP usernames in the configured directory. When the LDAP server configuration includes an Extended Query to restrict login to members of a specific group, the same injection can be used to bypass that group membership restriction and authenticate as any LDAP user whose password is known, regardless of group membership. This vulnerability is fixed in 26.1.6. 2026-04-09 8.2 CVE-2026-34578 https://github.com/opnsense/core/security/advisories/GHSA-jpm7-f59c-mp54
https://github.com/opnsense/core/commit/016f66cb4620cd48183fa97843f343bb71813c6e
 
Adobe--Acrobat Reader Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2026-04-11 8.6 CVE-2026-34621 https://helpx.adobe.com/security/products/acrobat/apsb26-43.html
 
MontFerret--ferret Ferret is a declarative system for working with web data. Prior to 2.0.0-alpha.4, a path traversal vulnerability in Ferret's IO::FS::WRITE standard library function allows a malicious website to write arbitrary files to the filesystem of the machine running Ferret. When an operator scrapes a website that returns filenames containing ../ sequences, and uses those filenames to construct output paths (a standard scraping pattern), the attacker controls both the destination path and the file content. This can lead to remote code execution via cron jobs, SSH authorized_keys, shell profiles, or web shells. This vulnerability is fixed in 2.0.0-alpha.4. 2026-04-06 8.1 CVE-2026-34783 https://github.com/MontFerret/ferret/security/advisories/GHSA-j6v5-g24h-vg4j
https://github.com/MontFerret/ferret/commit/160ebad6bd50f153453e120f6d909f5b83322917
 
David Lingren--Media LIbrary Assistant Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant allows SQL Injection.This issue affects Media LIbrary Assistant: from n/a through 3.34. 2026-04-06 8.5 CVE-2026-34885 https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-34-sql-injection-vulnerability?_s_id=cve
 
adianti--Adianti Framework Adianti Framework 5.5.0 and 5.6.0 contains an SQL injection vulnerability that allows authenticated users to manipulate database queries by injecting SQL code through the name field in SystemProfileForm. Attackers can submit crafted SQL statements in the profile edit endpoint to modify user credentials and gain administrative access. 2026-04-12 7.1 CVE-2018-25257 ExploitDB-46217
VulnCheck Advisory: Adianti Framework 5.5.0 and 5.6.0 SQL Injection via Profile
 
Resourcespace--ResourceSpace ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_edit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to extract sensitive database information including schema names, user credentials, and other confidential data. 2026-04-12 7.1 CVE-2019-25693 ExploitDB-46274
Official Product Homepage
Product Reference
VulnCheck Advisory: ResourceSpace 8.6 SQL Injection via collection_edit.php
 
Newsbull--Newsbull Haber Script Newsbull Haber Script 1.0.0 contains multiple SQL injection vulnerabilities in the search parameter that allow authenticated attackers to extract database information through time-based, blind, and boolean-based injection techniques. Attackers can inject malicious SQL code through the search parameter in endpoints like /admin/comment/records, /admin/category/records, /admin/news/records, and /admin/menu/childs to manipulate database queries and retrieve sensitive data. 2026-04-12 7.1 CVE-2019-25699 ExploitDB-46266
Official Product Homepage
Product Reference
VulnCheck Advisory: Newsbull Haber Script 1.0.0 Authenticated SQL Injection via search parameter
 
Impresscms--ImpressCMS ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL commands to extract sensitive database information. 2026-04-12 7.1 CVE-2019-25703 ExploitDB-46239
Official Product Homepage
Product Reference
VulnCheck Advisory: ImpressCMS 1.3.11 SQL Injection via bid Parameter
 
Across--DR-810 Across DR-810 contains an unauthenticated file disclosure vulnerability that allows remote attackers to download the rom-0 backup file containing sensitive information by sending a simple GET request. Attackers can access the rom-0 endpoint without authentication to retrieve and decompress the backup file, exposing router passwords and other sensitive configuration data. 2026-04-12 7.5 CVE-2019-25706 ExploitDB-46132
Official Product Homepage
VulnCheck Advisory: Across DR-810 ROM-0 Unauthenticated File Disclosure
 
Ebrigade--eBrigade ERP eBrigade ERP 4.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to pdf.php with crafted SQL payloads in the 'id' parameter to extract sensitive database information including table names and schema details. 2026-04-12 7.1 CVE-2019-25707 ExploitDB-46117
Official Product Homepage
Product Reference
VulnCheck Advisory: eBrigade ERP 4.5 SQL Injection via pdf.php
 
MyT--Project Management MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the Charge[group_total] parameter. Attackers can submit crafted POST requests to the /charge/admin endpoint with error-based, time-based blind, or stacked query payloads to extract sensitive database information or manipulate data. 2026-04-12 7.1 CVE-2019-25713 ExploitDB-46084
Official Product Homepage
Product Reference
VulnCheck Advisory: MyT-PM 1.5.1 SQL Injection via Charge[group_total] Parameter
 
Twitch--Twitch Studio Twitch Studio version 0.114.8 and prior contain a privilege escalation vulnerability in its privileged helper tool that allows local attackers to execute arbitrary code as root by exploiting an unprotected XPC service. Attackers can invoke the installFromPath:toPath:withReply: method to overwrite system files and privileged binaries, achieving full system compromise. Twitch Studio was discontinued in May 2024. 2026-04-06 7.8 CVE-2024-14032 https://www.iru.com/blog/twitch-privileged-helper
https://help.twitch.tv/s/topic/0TO3a000000kZfYGAU/twitch-studio
https://help.twitch.tv/s/article/recommended-software-for-broadcasting
https://www.vulncheck.com/advisories/twitch-studio-launcherhelper-xpc-missing-authorization-to-root-file-write
 
WAGO--CC100 (0751-9x01) An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC. If user-defined scripts are permitted, OpenVPN may allow the execution of arbitrary shell commands enabling the attacker to run arbitrary commands on the device. 2026-04-09 7.2 CVE-2024-1490 https://certvde.com/de/advisories/VDE-2024-008
https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2024-008.json
 
GitLab--GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries. 2026-04-08 7.5 CVE-2025-12664 HackerOne Bug Bounty Report #3377091
https://gitlab.com/gitlab-org/gitlab/-/work_items/579376
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
 
Red Hat--Red Hat Enterprise Linux 10 A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications via an insecure default configuration on Windows systems where the library automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users. 2026-04-07 7.8 CVE-2025-14821 https://access.redhat.com/security/cve/CVE-2025-14821
RHBZ#2423148
https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/
 
Qualcomm, Inc.--Snapdragon Memory corruption when buffer copy operation fails due to integer overflow during attestation report generation. 2026-04-06 7.8 CVE-2025-47389 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory corruption while preprocessing IOCTL request in JPEG driver. 2026-04-06 7.8 CVE-2025-47390 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory corruption while processing a frame request from user. 2026-04-06 7.8 CVE-2025-47391 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Cryptographic issue while copying data to a destination buffer without validating its size. 2026-04-06 7.1 CVE-2025-47400 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Case Themes--Case Theme User Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Case Themes Case Theme User allows PHP Local File Inclusion.This issue affects Case Theme User: from n/a before 1.0.4. 2026-04-10 7.5 CVE-2025-5804 https://patchstack.com/database/wordpress/plugin/case-theme-user/vulnerability/wordpress-case-theme-user-1-0-4-local-file-inclusion-vulnerability?_s_id=cve
 
Zootemplate--Cerato Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zootemplate Cerato allows Reflected XSS.This issue affects Cerato: from n/a through 2.2.18. 2026-04-10 7.1 CVE-2025-58920 https://patchstack.com/database/wordpress/theme/cerato/vulnerability/wordpress-cerato-theme-2-2-18-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
GitLab--GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service due to improper input validation of JSON payloads. 2026-04-08 7.5 CVE-2026-1092 HackerOne Bug Bounty Report #3487030
https://gitlab.com/gitlab-org/gitlab/-/work_items/586479
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
 
IBM--Verify Identity Access Container IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 allows an attacker to contact internal authentication endpoints which are protected by the Reverse Proxy. 2026-04-08 7.2 CVE-2026-1343 https://www.ibm.com/support/pages/node/7268253
 
Red Hat--Red Hat Enterprise Linux 10 A flaw was found in gnutls. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted ClientHello message with an invalid Pre-Shared Key (PSK) binder value during the TLS handshake. This can lead to a NULL pointer dereference, causing the server to crash and resulting in a remote Denial of Service (DoS) condition. 2026-04-09 7.5 CVE-2026-1584 https://access.redhat.com/security/cve/CVE-2026-1584
RHBZ#2435258
 
Qualcomm, Inc.--Snapdragon Transient DOS when processing nonstandard FILS Discovery Frames with out-of-range action sizes during initial scans. 2026-04-06 7.6 CVE-2026-21367 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory Corruption when retrieving output buffer with insufficient size validation. 2026-04-06 7.8 CVE-2026-21371 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory Corruption when sending IOCTL requests with invalid buffer sizes during memcpy operations. 2026-04-06 7.8 CVE-2026-21372 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory Corruption when accessing an output buffer without validating its size during IOCTL processing. 2026-04-06 7.8 CVE-2026-21373 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory Corruption when processing auxiliary sensor input/output control commands with insufficient buffer size validation. 2026-04-06 7.8 CVE-2026-21374 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory Corruption when accessing an output buffer without validating its size during IOCTL processing. 2026-04-06 7.8 CVE-2026-21375 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory Corruption when accessing an output buffer without validating its size during IOCTL processing in a camera sensor driver. 2026-04-06 7.8 CVE-2026-21376 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory Corruption when accessing an output buffer without validating its size during IOCTL processing in a camera sensor driver. 2026-04-06 7.8 CVE-2026-21378 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory Corruption when using deprecated DMABUF IOCTL calls to manage video memory. 2026-04-06 7.8 CVE-2026-21380 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Transient DOS when receiving a service data frame with excessive length during device matching over a neighborhood awareness network protocol connection. 2026-04-06 7.6 CVE-2026-21381 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory Corruption when handling power management requests with improperly sized input/output buffers. 2026-04-06 7.8 CVE-2026-21382 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Juniper Networks--Junos OS A UNIX Symbolic Link (Symlink) Following vulnerability in the CLI of Juniper Networks Junos OS allows a local, authenticated attacker with low privileges to escalate their privileges to root which will lead to a complete compromise of the system. When after a user has performed a specific 'file link ...' CLI operation, another user commits (unrelated configuration changes), the first user can login as root. This issue affects Junos OS: * all versions before 23.2R2-S7, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S3, * 24.4 versions before 24.4R2-S2, * 25.2 versions before 25.2R2. This issue does not affect versions 25.4R1 or later. 2026-04-09 7.3 CVE-2026-21916 https://kb.juniper.net/JSA107807
 
Dolibarr--Dolibarr ERP/CRM Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator privileges can inject malicious payloads through computed extrafields or other evaluation paths using PHP dynamic callable syntax to bypass validation and achieve arbitrary command execution via eval(). 2026-04-07 7.2 CVE-2026-22666 https://jivasecurity.com/writeups/dolibarr-remote-code-execution-cve-2026-22666
https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-vmvw-qq8w-wqhg
https://github.com/Dolibarr/dolibarr/commit/6f425521b3e6f9f27eca05228e02093dbaa40dea
https://github.com/Dolibarr/dolibarr/releases/tag/23.0.2
https://www.vulncheck.com/advisories/dolibarr-erp-crm-authenticated-rce-via-dol-eval-standard
 
HKUDS--OpenHarness OpenHarness prior to commit 166fcfe contains an improper access control vulnerability in built-in file tools due to inconsistent parameter handling in permission enforcement, allowing attackers who can influence agent tool execution to read arbitrary local files outside the intended repository scope. Attackers can exploit the path parameter not being passed to the PermissionChecker in read_file, write_file, edit_file, and notebook_edit tools to bypass deny rules and access sensitive files such as configuration files, credentials, and SSH material, or create and overwrite files in restricted host paths in full_auto mode. 2026-04-07 7.1 CVE-2026-22682 https://github.com/HKUDS/OpenHarness/pull/32
https://github.com/HKUDS/OpenHarness/commit/166fcfefb7614dbac51bd061f56542725b0298e9
https://www.vulncheck.com/advisories/openharness-improper-access-control-via-file-tools
 
VMware--Spring Cloud Gateway When configuring SSL bundles in Spring Cloud Gateway by using the configuration property spring.ssl.bundle, the configuration was silently ignored and the default SSL configuration was used instead. Note: The 4.2.x branch is no longer under open source support. If you are using Spring Cloud Gateway 4.2.0 and are not an enterprise customer, you can upgrade to any Spring Cloud Gateway 4.2.x release newer than 4.2.0  available on Maven Centeral https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-gateway/ . Ideally if you are not an enterprise customer, you should be upgrading to 5.0.2 or 5.1.1 which are the current supported open source releases. 2026-04-10 7.5 CVE-2026-22750 https://spring.io/security/cve-2026-22750
 
Dell--Elastic Cloud Storage Dell Elastic Cloud Storage, version 3.8.1.7 and prior, and Dell ObjectScale, versions prior to 4.1.0.3 and version 4.2.0.0, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to secret exposure. The attacker may be able to use the exposed secret to access the vulnerable system with privileges of the compromised account. 2026-04-08 7.8 CVE-2026-28261 https://www.dell.com/support/kbdoc/en-us/000449325/dsa-2026-143-security-update-for-dell-objectscale-prior-to-4-1-0-3-and-4-2-0-0-insertion-of-sensitive-information-into-log-file-vulnerability
 
CouchCMS--CouchCMS CouchCMS contains a privilege escalation vulnerability that allows authenticated Admin-level users to create SuperAdmin accounts by tampering with the f_k_levels_list parameter in user creation requests. Attackers can modify the parameter value from 4 to 10 in the HTTP request body to bypass authorization validation and gain full application control, circumventing restrictions on SuperAdmin account creation and privilege assignment. 2026-04-10 7.2 CVE-2026-29002 https://gist.github.com/thepiyushkumarshukla/477e2d2bbbe8cc3ec0d640c50f0cf9e1
https://www.couchcms.com/
https://www.vulncheck.com/advisories/couchcms-privilege-escalation-via-f-k-levels-list-parameter
 
glpi-project--glpi GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6. 2026-04-06 7.2 CVE-2026-29047 https://github.com/glpi-project/glpi/security/advisories/GHSA-3m49-qf92-vccr
 
open-telemetry--opentelemetry-go OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0. 2026-04-07 7.5 CVE-2026-29181 https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475
 
Tinyproxy Project--Tinyproxy Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against "chunked", even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass. 2026-04-07 7.5 CVE-2026-31842 Upstream issue report and reproduction details
Tinyproxy upstream project
RFC 7230: transfer-coding names are case-insensitive
 
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. 2026-04-10 7.5 CVE-2026-31940 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-4gp7-cfjh-77gv
https://github.com/chamilo/chamilo-lms/commit/ce0192c62e48c9d9474d915c541b3274844afbf9
https://github.com/chamilo/chamilo-lms/commit/e337b7cc74a0276a0b4f91f9282204d20cac1869
 
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains a Server-Side Request Forgery (SSRF) vulnerability in the Social Wall feature. The endpoint read_url_with_open_graph accepts a URL from the user via the social_wall_new_msg_main POST parameter and performs two server-side HTTP requests to that URL without validating whether the target is an internal or external resource. This allows an authenticated attacker to force the server to make arbitrary HTTP requests to internal services, scan internal ports, and access cloud instance metadata. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. 2026-04-10 7.7 CVE-2026-31941 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-q74c-mx8x-489h
https://github.com/chamilo/chamilo-lms/commit/e3790c5f0ff3b4dc547c2099fadf5c438c1bb265
https://github.com/chamilo/chamilo-lms/commit/ea6b7b7e90580c9b01dc4bcafe4ad737061e0ead
 
chartbrew--chartbrew Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls checkAccess(req, "updateAny", "chart") without awaiting the returned promise, and it does not verify that the supplied project_id belongs to req.params.team_id or to the caller's team. As a result, an authenticated attacker with valid template-generation permissions in their own team can request the template model for a project belonging to another team and receive victim project data. This vulnerability is fixed in 4.9.0. 2026-04-10 7.7 CVE-2026-32252 https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mw4f-cf22-qpcj
https://github.com/chartbrew/chartbrew/commit/bf5919043d3587fcbe76123aaabd9a0a9d1033f1
 
Red Hat--mirror registry for Red Hat OpenShift A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload. 2026-04-08 7.1 CVE-2026-32589 https://access.redhat.com/security/cve/CVE-2026-32589
RHBZ#2446963
 
Red Hat--mirror registry for Red Hat OpenShift A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server. 2026-04-08 7.1 CVE-2026-32590 https://access.redhat.com/security/cve/CVE-2026-32590
RHBZ#2446964
 
NI--LabVIEW There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVLIB file in NI LabVIEW.  This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted .lvlib file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions. 2026-04-07 7.8 CVE-2026-32860 https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-project-library-file-parsing-memory-corruption-vulnerability-in-ni-labview.html
 
NI--LabVIEW There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVCLASS file in NI LabVIEW.  This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted .lvclass file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions. 2026-04-07 7.8 CVE-2026-32861 https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-class-file-parsing-memory-corruption-vulnerability-in-ni-labview.html
 
NI--LabVIEW There is a memory corruption vulnerability due to an out-of-bounds write in ResFileFactory::InitResourceMgr() in NI LabVIEW.  This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions. 2026-04-07 7.8 CVE-2026-32862 https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html
 
NI--LabVIEW There is a memory corruption vulnerability due to an out-of-bounds read in sentry_transaction_context_set_operation() in NI LabVIEW.  This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions. 2026-04-07 7.8 CVE-2026-32863 https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html
 
NI--LabVIEW There is a memory corruption vulnerability due to an out-of-bounds read in mgcore_SH_25_3!aligned_free() in NI LabVIEW.  This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions. 2026-04-07 7.8 CVE-2026-32864 https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html
 
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. 2026-04-10 7.1 CVE-2026-32894 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98
https://github.com/chamilo/chamilo-lms/commit/3b03306d1a0301a81b9284e86893b27f518ab151
https://github.com/chamilo/chamilo-lms/commit/740f5a6e192a52a3adde3c3241c86401b1d2c519
 
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of evaluations belonging to any other course by manipulating the editeval GET parameter. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. 2026-04-10 7.1 CVE-2026-32930 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-9h22-wrg7-82q6
https://github.com/chamilo/chamilo-lms/commit/63e1e6d3d717bd537c7c61719416da35aaa658dd
https://github.com/chamilo/chamilo-lms/commit/f03f681df939db0429edc8414fb3ce4e4b80d79d
 
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its original .php extension and is placed in a web-accessible directory, enabling Remote Code Execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. 2026-04-10 7.5 CVE-2026-32931 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-863j-h6pf-3xhx
https://github.com/chamilo/chamilo-lms/commit/8cbe660de267f2b6ed625433bdfcf38dee8752b4
https://github.com/chamilo/chamilo-lms/commit/d5ef5153df3d1b2de112cbeb190cdd10bea457f3
 
aces--Loris LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, a SQL injection has been identified in some code sections for the MRI feedback popup window of the imaging browser. Attackers can use SQL ingestion to access/alter data on the server. This vulnerability is fixed in 27.0.3 and 28.0.1. 2026-04-08 7.5 CVE-2026-33350 https://github.com/aces/Loris/security/advisories/GHSA-9r29-6jgc-3ggh
 
Elastic--Kibana Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint composes its response by fetching full configuration objects and returning them directly, bypassing the authorization checks enforced by the dedicated settings APIs. 2026-04-08 7.7 CVE-2026-33461 https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-24/385812
 
distribution--distribution Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0. 2026-04-06 7.5 CVE-2026-33540 https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r
 
themeum--Tutor LMS eLearning and online course solution The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The function accepts an attacker-controlled `order_id` parameter and uses it to look up order data, then writes billing fields to the order owner's profile (`$order_data->user_id`) without verifying the requester's identity or ownership. Because the Tutor nonce (`_tutor_nonce`) is exposed on public frontend pages, this makes it possible for unauthenticated attackers to overwrite the billing profile (name, email, phone, address) of any user who has an incomplete manual order, by sending a crafted POST request with a guessed or enumerated `order_id`. 2026-04-10 7.5 CVE-2026-3360 https://www.wordfence.com/threat-intel/vulnerabilities/id/7f365519-dd0a-4f39-880d-7216ce2f7d1e?source=cve
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Tutor.php#L563
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L108
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L1059
https://plugins.trac.wordpress.org/browser/tutor/trunk/ecommerce/CheckoutController.php#L1059
https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/ecommerce/CheckoutController.php
 
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in the Learning Path progress saving endpoint. The file lp_ajax_save_item.php accepts a uid (user ID) parameter directly from $_REQUEST and uses it to load and modify another user's Learning Path progress - including score, status, completion, and time - without verifying that the requesting user matches the target user ID. Any authenticated user enrolled in a course can overwrite another user's Learning Path progress by simply changing the uid parameter in the request. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. 2026-04-10 7.1 CVE-2026-33702 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3rv7-9fhx-j654
https://github.com/chamilo/chamilo-lms/commit/6331d051b4468deb5830c01d1e047c5e5cf2c74f
https://github.com/chamilo/chamilo-lms/commit/bf3f6c6949b5c882b48a9914baa19910417e4551
 
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via the BigUpload endpoint. The key parameter controls the filename and the raw POST body becomes the file content. While .php extensions are filtered to .phps, the .pht extension passes through unmodified. On Apache configurations where .pht is handled as PHP, this leads to Remote Code Execution. This vulnerability is fixed in 1.11.38. 2026-04-10 7.1 CVE-2026-33704 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-phfx-pwwg-945v
https://github.com/chamilo/chamilo-lms/commit/9748f1ffbdb8b6dc84c0e0591c9d3c1d92e21c00
 
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via the update_user_from_username endpoint. A student (status=5) can change their status to Teacher/CourseManager (status=1), gaining course creation and management privileges. This vulnerability is fixed in 1.11.38. 2026-04-10 7.1 CVE-2026-33706 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3gqc-xr75-pcpw
https://github.com/chamilo/chamilo-lms/commit/0acf8a196307c66c049f97f5ff76cf21c4a08127
 
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). The rand(10000, 10000) call always returns exactly 10000 (min == max), making the formula effectively md5(timestamp + user_id*5 - 10000). An attacker who knows a username and approximate key creation time can brute-force the API key. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. 2026-04-10 7.5 CVE-2026-33710 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rpmg-j327-mr39
https://github.com/chamilo/chamilo-lms/commit/4448701bb8ec557e94ef02d19c72cbe9c49c2d09
https://github.com/chamilo/chamilo-lms/commit/e7400dd840586ae134b286d0a2374f3d269a9a9d
 
saleor--saleor Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by submitting multiple GraphQL operations in a single HTTP request as a JSON array but wasn't enforcing any upper limit on the number of operations. This allowed an unauthenticated attacker to send a single HTTP request many operations (bypassing the per query complexity limit) to exhaust resources. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. 2026-04-08 7.5 CVE-2026-33756 https://github.com/saleor/saleor/security/advisories/GHSA-24jw-f244-qfpp
https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64
https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8
https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a
https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa
https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464
 
Juniper Networks--CTP OS A Weak Password Requirements vulnerability in the password management function of Juniper Networks CTP OS might allow an unauthenticated, network-based attacker to exploit weak passwords of local accounts and potentially take full control of the device. The password management menu enables the administrator to set password complexity requirements, but these settings are not saved. The issue can be verified with the menu option "Show password requirements". Failure to enforce the intended requirements can lead to weak passwords being used, which significantly increases the likelihood that an attacker can guess these and subsequently attain unauthorized access. This issue affects CTP OS versions 9.2R1 and 9.2R2. 2026-04-09 7.4 CVE-2026-33771 https://kb.juniper.net/JSA107864
 
Juniper Networks--Junos OS An Improper Validation of Syntactic Correctness of Input vulnerability in the IPsec library used by kmd and iked of Juniper Networks Junos OS on SRX Series and MX Series allows an unauthenticated, network-based attacker to cause a complete Denial-of-Service (DoS). If an affected device receives a specifically malformed first ISAKMP packet from the initiator, the kmd/iked process will crash and restart, which momentarily prevents new security associations (SAs) for from being established. Repeated exploitation of this vulnerability causes a complete inability to establish new VPN connections. This issue affects Junos OS on SRX Series and MX Series: * all versions before 22.4R3-S9, * 23.2 version before 23.2R2-S6, * 23.4 version before 23.4R2-S7, * 24.2 versions before 24.2R2-S4, * 24.4 versions before 24.4R2-S3, * 25.2 versions before 25.2R1-S2, 25.2R2. 2026-04-09 7.5 CVE-2026-33778 https://kb.juniper.net/JSA107868
 
Juniper Networks--Junos OS Evolved A Missing Authentication for Critical Function vulnerability in the Flexible PIC Concentrators (FPCs) of Juniper Networks Junos OS Evolved on PTX Series allows a local, authenticated attacker with low privileges to gain direct access to FPCs installed in the device. A local user with low privileges can gain direct access to the installed FPCs as a high privileged user, which can potentially lead to a full compromise of the affected component. This issue affects Junos OS Evolved on PTX10004, PTX10008, PTX100016, with JNP10K-LC1201 or JNP10K-LC1202: * All versions before 21.2R3-S8-EVO, * 21.4-EVO versions before 21.4R3-S7-EVO, * 22.2-EVO versions before 22.2R3-S4-EVO, * 22.3-EVO versions before 22.3R3-S3-EVO, * 22.4-EVO versions before 22.4R3-S2-EVO, * 23.2-EVO versions before 23.2R2-EVO. 2026-04-09 7.8 CVE-2026-33788 https://kb.juniper.net/JSA107806
 
Juniper Networks--Junos OS An Improper Check for Unusual or Exceptional Conditions vulnerability in the flow daemon (flowd) of Juniper Networks Junos OS on SRX Series allows an attacker sending a specific, malformed ICMPv6 packet to cause the srxpfe process to crash and restart. Continued receipt and processing of these packets will repeatedly crash the srxpfe process and sustain the Denial of Service (DoS) condition. During NAT64 translation, receipt of a specific, malformed ICMPv6 packet destined to the device will cause the srxpfe process to crash and restart. This issue cannot be triggered using IPv4 nor other IPv6 traffic. This issue affects Junos OS on SRX Series: * all versions before 21.2R3-S10, * all versions of 21.3, * from 21.4 before 21.4R3-S12, * all versions of 22.1, * from 22.2 before 22.2R3-S8, * all versions of 22.4, * from 22.4 before 22.4R3-S9, * from 23.2 before 23.2R2-S6, * from 23.4 before 23.4R2-S7, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2-S3, * from 25.2 before 25.2R1-S2, 25.2R2. 2026-04-09 7.5 CVE-2026-33790 https://kb.juniper.net/JSA107874
 
Juniper Networks--Junos OS An Execution with Unnecessary Privileges vulnerability in the User Interface (UI) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker to gain root privileges, thus compromising the system. When a configuration that allows unsigned Python op scripts is present on the device, a non-root user is able to execute malicious op scripts as a root-equivalent user, leading to privilege escalation.  This issue affects Junos OS:  * All versions before 22.4R3-S7,  * from 23.2 before 23.2R2-S4,  * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R1-S2, 24.2R2,  * from 24.4 before 24.4R1-S2, 24.4R2;  Junos OS Evolved:  * All versions before 22.4R3-S7-EVO,  * from 23.2 before 23.2R2-S4-EVO,  * from 23.4 before 23.4R2-S6-EVO, * from 24.2 before 24.2R2-EVO,  * from 24.4 before 24.4R1-S1-EVO, 24.4R2-EVO. 2026-04-09 7.8 CVE-2026-33793 https://kb.juniper.net/JSA103142
 
Juniper Networks--Junos OS An Improper Input Validation vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker, sending a specific genuine BGP packet in an already established BGP session to reset only that session causing a Denial of Service (DoS). An attacker repeatedly sending the packet will sustain the Denial of Service (DoS).This issue affects Junos OS: * 25.2 versions before 25.2R2 This issue doesn't not affected Junos OS versions before 25.2R1. This issue affects Junos OS Evolved: * 25.2-EVO versions before 25.2R2-EVO This issue doesn't not affected Junos OS Evolved versions before 25.2R1-EVO. eBGP and iBGP are affected. IPv4 and IPv6 are affected. 2026-04-09 7.4 CVE-2026-33797 https://kb.juniper.net/JSA107850
 
shamimmoeen--WCAPF Ajax Product Filter for WooCommerce WCAPF - WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection via the 'post-author' parameter in all versions up to, and including, 4.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-04-08 7.5 CVE-2026-3396 https://www.wordfence.com/threat-intel/vulnerabilities/id/ee0a762e-9159-4dab-a7be-9cbe332effb1?source=cve
https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L739
https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L689
https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L81
https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L65
https://plugins.trac.wordpress.org/changeset/3484080/
 
@fedify--fedify Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1. 2026-04-06 7.5 CVE-2026-34148 https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp
https://github.com/fedify-dev/fedify/releases/tag/1.10.5
https://github.com/fedify-dev/fedify/releases/tag/1.9.6
https://github.com/fedify-dev/fedify/releases/tag/2.0.8
https://github.com/fedify-dev/fedify/releases/tag/2.1.1
 
AcademySoftwareFoundation--openexr OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a misaligned memory write vulnerability exists in LossyDctDecoder_execute() in src/lib/OpenEXRCore/internal_dwa_decoder.h:749. When decoding a DWA or DWAB-compressed EXR file containing a FLOAT-type channel, the decoder performs an in-place HALF→FLOAT conversion by casting an unaligned uint8_t * row pointer to float * and writing through it. Because the row buffer may not be 4-byte aligned, this constitutes undefined behavior under the C standard and crashes immediately on architectures that enforce alignment (ARM, RISC-V, etc.). On x86 it is silently tolerated at runtime but remains exploitable via compiler optimizations that assume aligned access. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9. 2026-04-06 7.1 CVE-2026-34379 https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-w88v-vqhq-5p24
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9
 
aces--Loris LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, a bug in the static file router can allow an attacker to traverse outside of the intended directory, allowing unintended files to be downloaded through the static, css, and js endpoints. This vulnerability is fixed in 27.0.3 and 28.0.1. 2026-04-08 7.5 CVE-2026-34392 https://github.com/aces/Loris/security/advisories/GHSA-rfj5-58hv-wc5f
 
go-vikunja--vikunja Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. This vulnerability is fixed in 2.3.0. 2026-04-10 7.4 CVE-2026-34727 https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8jvc-mcx6-r4cg
 
HDFGroup--hdf5 HDF5 is software for managing data. In 1.14.1-2 and earlier, a heap-use-after-free was found in the h5dump helper utility. An attacker who can supply a malicious h5 file can trigger a heap use-after-free. The freed object is referenced in a memmove call from H5T__conv_struct. The original object was allocated by H5D__typeinfo_init_phase3 and freed by H5D__typeinfo_term. 2026-04-09 7.8 CVE-2026-34734 https://github.com/HDFGroup/hdf5/security/advisories/GHSA-w7v2-9cmr-pwwj
 
Analytify--Under Construction, Coming Soon & Maintenance Mode Cross-Site Request Forgery (CSRF) vulnerability in Analytify Under Construction, Coming Soon & Maintenance Mode allows Cross Site Request Forgery.This issue affects Under Construction, Coming Soon & Maintenance Mode: from n/a through 2.1.1. 2026-04-07 7.5 CVE-2026-34896 https://patchstack.com/database/wordpress/plugin/under-construction-maintenance-mode/vulnerability/wordpress-under-construction-coming-soon-maintenance-mode-plugin-2-1-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Analytify--Simple Social Media Share Buttons Cross-Site Request Forgery (CSRF) vulnerability in Analytify Simple Social Media Share Buttons allows Cross Site Request Forgery.This issue affects Simple Social Media Share Buttons: from n/a through 6.2.0. 2026-04-07 7.5 CVE-2026-34904 https://patchstack.com/database/wordpress/plugin/simple-social-buttons/vulnerability/wordpress-simple-social-media-share-buttons-plugin-6-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 

Back to top

Medium Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
Dynalon--MDwiki MDwiki contains a cross-site scripting vulnerability that allows remote attackers to execute arbitrary JavaScript by injecting malicious code through the location hash parameter. Attackers can craft URLs with JavaScript payloads in the hash fragment that are parsed and rendered without sanitization, causing the injected scripts to execute in the victim's browser context. 2026-04-12 6.1 CVE-2017-20239 ExploitDB-46097
VulnCheck Advisory: MDwiki Cross-Site Scripting via Location Hash Parameter
 
NSauditor--SpotFTP Password Recover SpotFTP Password Recover 2.4.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized buffer in the Name field during registration. Attackers can generate a 256-byte payload, paste it into the Name input field, and trigger a crash when submitting the registration code. 2026-04-12 6.2 CVE-2019-25711 ExploitDB-46088
VulnCheck Advisory: SpotFTP Password Recover 2.4.2 Denial of Service via Name Field
 
NSauditor--BlueAuditor BlueAuditor 1.7.2.0 contains a buffer overflow vulnerability in the registration key field that allows local attackers to crash the application by submitting an oversized key value. Attackers can trigger a denial of service by entering a 256-byte buffer of repeated characters in the Key registration field, causing the application to crash during registration processing. 2026-04-12 6.2 CVE-2019-25712 ExploitDB-46087
VulnCheck Advisory: BlueAuditor 1.7.2.0 Buffer Overflow Denial of Service via Registration Key
 
Synology--Synology SSL VPN Client A files or directories accessible to external parties vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access files within the installation directory via a local HTTP server bound to the loopback interface. By leveraging user interaction with a crafted web page, attackers may retrieve sensitive files such as configuration files, certificates, and logs, leading to information disclosure. 2026-04-10 6.5 CVE-2021-47960 Synology-SA-26:05 Synology SSL VPN Client
 
Adivaha--WordPress adivaha Travel Plugin WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile GET parameter at the /mobile-app/v3/ endpoint to execute arbitrary code in victims' browsers and steal session tokens or credentials. 2026-04-09 6.1 CVE-2023-54358 ExploitDB-51663
Official Product Homepage
Product Reference
VulnCheck Advisory: WordPress adivaha Travel Plugin 2.3 Reflected XSS via isMobile
 
Jlexart--Joomla JLex Review Joomla JLex Review 6.0.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the review_id URL parameter. Attackers can craft malicious links containing JavaScript payloads that execute in victims' browsers when clicked, enabling session hijacking or credential theft. 2026-04-09 6.1 CVE-2023-54360 ExploitDB-51645
Official Product Homepage
Product Reference
VulnCheck Advisory: Joomla JLex Review 6.0.1 Reflected XSS via review_id Parameter
 
Thethinkery--Joomla iProperty Real Estate Joomla iProperty Real Estate 4.1.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the filter_keyword parameter. Attackers can craft URLs containing JavaScript payloads in the filter_keyword GET parameter of the all-properties-with-map endpoint to execute arbitrary code in victim browsers and steal session tokens or credentials. 2026-04-09 6.1 CVE-2023-54361 ExploitDB-51640
Official Product Homepage
Product Reference
VulnCheck Advisory: Joomla iProperty Real Estate 4.1.1 Reflected XSS via filter_keyword
 
Virtuemart--Cart Joomla VirtueMart Shopping-Cart 4.0.12 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the keyword parameter. Attackers can craft malicious URLs containing script payloads in the keyword parameter of the product-variants endpoint to execute arbitrary JavaScript in victim browsers and steal session tokens or credentials. 2026-04-09 6.1 CVE-2023-54362 ExploitDB-51631
Official Product Homepage
Product Reference
VulnCheck Advisory: Joomla VirtueMart Shopping-Cart 4.0.12 Reflected XSS via keyword
 
Solidres--Joomla Solidres Joomla Solidres 2.13.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating multiple GET parameters including show, reviews, type_id, distance, facilities, categories, prices, location, and Itemid. Attackers can craft malicious URLs containing JavaScript payloads in these parameters to steal session tokens, login credentials, or manipulate site content when victims visit the crafted links. 2026-04-09 6.1 CVE-2023-54363 ExploitDB-51638
Official Product Homepage
Product Reference
VulnCheck Advisory: Joomla Solidres 2.13.3 Reflected XSS via Multiple Parameters
 
Hikashop--Joomla HikaShop Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating GET parameters in the product filter endpoint. Attackers can craft malicious URLs containing XSS payloads in the from_option, from_ctrl, from_task, or from_itemid parameters to steal session tokens or login credentials when victims visit the link. 2026-04-09 6.1 CVE-2023-54364 ExploitDB-51629
Official Product Homepage
Product Reference
VulnCheck Advisory: Joomla HikaShop 4.7.4 Reflected XSS via Product Filter
 
IBM--Concert IBM Concert 1.0.0 through 2.2.0 creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack. 2026-04-07 6.2 CVE-2025-13044 https://www.ibm.com/support/pages/node/7268620
 
elemntor--Elementor Website Builder more than just a page builder The Elementor Website Builder - More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget parameters in all versions up to, and including, 3.35.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-04-08 6.4 CVE-2025-14732 https://www.wordfence.com/threat-intel/vulnerabilities/id/20232d70-72b2-47b7-ac7e-ad07892864ef?source=cve
https://plugins.trac.wordpress.org/browser/elementor/trunk/modules/wp-rest/classes/elementor-post-meta.php#L67
https://plugins.trac.wordpress.org/changeset?old_path=/elementor/tags/3.35.5&new_path=/elementor/tags/3.35.6
 
Juniper Networks--Junos OS A Missing Authentication for Critical Function vulnerability in command processing of Juniper Networks Junos OS allows a privileged local attacker to gain access to line cards running Junos OS Evolved as root. This issue affects systems running Junos OS using Linux-based line cards. Affected line cards include: * MPC7, MPC8, MPC9, MPC10, MPC11 * LC2101, LC2103 * LC480, LC4800, LC9600 * MX304 (built-in FPC) * MX-SPC3 * SRX5K-SPC3 * EX9200-40XS * FPC3-PTX-U2, FPC3-PTX-U3 * FPC3-SFF-PTX * LC1101, LC1102, LC1104, LC1105 This issue affects Junos OS:  * all versions before 22.4R3-S8,  * from 23.2 before 23.2R2-S6,  * from 23.4 before 23.4R2-S6,  * from 24.2 before 24.2R2-S3,  * from 24.4 before 24.4R2, * from 25.2 before 25.2R2. 2026-04-08 6.7 CVE-2025-30650 https://github.com/orangecertcc/security-research/security/advisories/GHSA-fwhc-gh5m-v8fq
https://kb.juniper.net/JSA107863
 
Qualcomm, Inc.--Snapdragon Memory Corruption when accessing freed memory due to concurrent fence deregistration and signal handling. 2026-04-06 6.5 CVE-2025-47374 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Siklu--EtherHaul 8010 Siklu EtherHaul 8010 siklu-uimage-nxp-enc-10_6_2-18707-ea552dc00b devices have a static root password. 2026-04-08 6.4 CVE-2025-57175 https://semaja2.net/2025/04/30/siklu-eh-firmware-decryption/
 
Red Hat--Red Hat Ansible Automation Platform 2 A container privilege escalation flaw was found in certain Ansible Automation Platform images. This issue arises from the /etc/passwd file being created with group-writable permissions during the build process. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This vulnerability allows an attacker to add a new user with any arbitrary UID, including UID 0, gaining full root privileges within the container. 2026-04-08 6.4 CVE-2025-57847 https://access.redhat.com/security/cve/CVE-2025-57847
RHBZ#2391092
 
Red Hat--Multicluster Engine for Kubernetes A container privilege escalation flaw was found in certain Multicluster Engine for Kubernetes images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. 2026-04-08 6.4 CVE-2025-57851 https://access.redhat.com/security/cve/CVE-2025-57851
RHBZ#2391104
 
Red Hat--Red Hat Web Terminal A container privilege escalation flaw was found in certain Web Terminal images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. 2026-04-08 6.4 CVE-2025-57853 https://access.redhat.com/security/cve/CVE-2025-57853
RHBZ#2391106
 
Red Hat--Red Hat OpenShift Update Service A container privilege escalation flaw was found in certain OpenShift Update Service (OSUS) images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. 2026-04-08 6.4 CVE-2025-57854 https://access.redhat.com/security/cve/CVE-2025-57854
RHBZ#2391107
 
Red Hat--Red Hat Process Automation 7 A container privilege escalation flaw was found in certain Red Hat Process Automation Manager images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. 2026-04-08 6.4 CVE-2025-58713 https://access.redhat.com/security/cve/CVE-2025-58713
RHBZ#2394419
 
Juniper Networks--Junos OS Evolved A Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the advanced forwarding toolkit (evo-aftmand/evo-pfemand) of Juniper Networks Junos OS Evolved on PTX Series or QFX5000 Series allows an unauthenticated, adjacent attacker to cause a Denial of Service (DoS).An attacker sending crafted multicast packets will cause line cards running evo-aftmand/evo-pfemand to crash and restart or non-line card devices to crash and restart. Continued receipt and processing of these packets will sustain the Denial of Service (DoS) condition. This issue affects Junos OS Evolved PTX Series: * All versions before 22.4R3-S8-EVO, * from 23.2 before 23.2R2-S5-EVO, * from 23.4 before 23.4R2-EVO, * from 24.2 before 24.2R2-EVO, * from 24.4 before 24.4R2-EVO. This issue affects Junos OS Evolved on QFX5000 Series: * 22.2-EVO version before 22.2R3-S7-EVO, * 22.4-EVO version before 22.4R3-S7-EVO, * 23.2-EVO versions before 23.2R2-S4-EVO, * 23.4-EVO versions before 23.4R2-S5-EVO, * 24.2-EVO versions before 24.2R2-S1-EVO, * 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO. This issue does not affect Junos OS Evolved on QFX5000 Series versions before: 21.2R2-S1-EVO, 21.2R3-EVO, 21.3R2-EVO, 21.4R1-EVO, and 22.1R1-EVO. 2026-04-09 6.5 CVE-2025-59969 https://kb.juniper.net/JSA103159
 
GitLab--GitLab GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to cause denial of service to the GitLab instance due to improper input validation in GraphQL queries. 2026-04-08 6.5 CVE-2026-1101 HackerOne Bug Bounty Report #3460228
https://gitlab.com/gitlab-org/gitlab/-/work_items/586488
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
 
usystemsgmbh--Webling The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.0 due to insufficient input sanitization, insufficient output escaping, and missing capabilities checks in the 'webling_admin_save_form' and 'webling_admin_save_memberlist' functions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject Webling forms and memberlists with arbitrary web scripts that will execute whenever an administrator views the related form or memberlist area of the WordPress admin. 2026-04-10 6.4 CVE-2026-1263 https://www.wordfence.com/threat-intel/vulnerabilities/id/bd8fbe0d-0709-4fa2-9294-393ddcd05b22?source=cve
https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/lists/Form_List.php#L122
https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/lists/Memberlist_List.php#L115
https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/actions/save_form.php#L2
https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/actions/save_memberlist.php#L2
https://plugins.trac.wordpress.org/changeset?old_path=%2Fwebling/tags/3.9.0&new_path=%2Fwebling/tags/3.9.1
 
magicplugins--Magic Conversation For Gravity Forms The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'magic-conversation' shortcode in all versions up to, and including, 3.0.97 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-04-08 6.4 CVE-2026-1396 https://www.wordfence.com/threat-intel/vulnerabilities/id/bc425c4a-cb4e-4f50-b85b-8c4c7778c073?source=cve
https://plugins.trac.wordpress.org/browser/magic-conversation-for-gravity-forms/trunk/main.php#L1627
https://plugins.trac.wordpress.org/browser/magic-conversation-for-gravity-forms/tags/3.0.96/main.php#L1627
https://plugins.trac.wordpress.org/changeset/3482359/magic-conversation-for-gravity-forms/trunk/main.php
 
realmag777--BEAR Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net The BEAR - Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_redraw_table_row() function. This makes it possible for unauthenticated attackers to update WooCommerce product data including prices, descriptions, and other product fields via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link. 2026-04-08 6.5 CVE-2026-1672 https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b5faa-1a29-4fa7-9146-d782adce0b1f?source=cve
https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/index.php#L782
https://plugins.trac.wordpress.org/changeset/3457263/
https://plugins.trac.wordpress.org/changeset/3465138/
 
wpeverest--User Registration & Membership Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder The User Registration & Membership - Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to SQL Injection via the 'membership_ids[]' parameter in all versions up to, and including, 5.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-04-08 6.5 CVE-2026-1865 https://www.wordfence.com/threat-intel/vulnerabilities/id/07c79459-66b8-4c93-a1cd-6e3ede95643f?source=cve
https://plugins.trac.wordpress.org/changeset/3469042/user-registration
 
n/a--Intel(R) Pentium(R) Processor Silver Series, Intel(R) Celeron(R) Processor J Series, Intel(R) Celeron(R) Processor N Series may allow an escalation of privilege. Hardware reverse engineer adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via physical access when attack requirements are present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (high) and availability (none) impacts. Use of Default Cryptographic Key in the hardware for some Intel(R) Pentium(R) Processor Silver Series, Intel(R) Celeron(R) Processor J Series, Intel(R) Celeron(R) Processor N Series may allow an escalation of privilege. Hardware reverse engineer adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via physical access when attack requirements are present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (high) and availability (none) impacts. 2026-04-08 6.6 CVE-2026-20709 https://intel.com/content/www/us/en/security-center/advisory/intel-sa-00609.html
 
Juniper Networks--Junos Space An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the list filter field that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator. This issue affects all versions of Junos Space before 24.1R5 Patch V3. 2026-04-09 6.1 CVE-2026-21904 https://kb.juniper.net/JSA106003
 
Juniper Networks--JSI LWC A Permissive List of Allowed Input vulnerability in the CLI of Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows a local, high privileged attacker to escalate their privileges to root. The CLI menu accepts input without carefully validating it, which allows for shell command injection. These shell commands are executed with root permissions and can be used to gain complete control of the system. This issue affects all JSI vLWC versions before 3.0.94. 2026-04-09 6.7 CVE-2026-21915 https://kb.juniper.net/JSA106016
 
Juniper Networks--Junos OS An Incorrect Synchronization vulnerability in the management daemon (mgd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker with low privileges to cause a complete Denial-of-Service (DoS) of the management plane. When NETCONF sessions are quickly established and disconnected, a locking issue causes mgd processes to hang in an unusable state. When the maximum number of mgd processes has been reached, no new logins are possible. This leads to the inability to manage the device and requires a power-cycle to recover. This issue can be monitored by checking for mgd processes in lockf state in the output of 'show system processes extensive': user@host> show system processes extensive | match mgd <pid> root       20   0 501M 4640K lockf   1 0:01 0.00% mgd If the system still can be accessed (either via the CLI or as root, which might still be possible as last resort as this won't invoke mgd), mgd processes in this state can be killed with 'request system process terminate <PID>' from the CLI or with 'kill -9 <PID>' from the shell.  This issue affects: Junos OS: * 23.4 versions before 23.4R2-S4, * 24.2 versions before 24.2R2-S1, * 24.4 versions before 24.4R1-S3, 24.4R2; This issue does not affect Junos OS versions before 23.4R1; Junos OS Evolved: * 23.4 versions before 23.4R2-S5-EVO, * 24.2 versions before 24.2R2-S1-EVO, * 24.4 versions before 24.4R1-S3-EVO, 24.4R2-EVO. This issue does not affect Junos OS Evolved versions before 23.4R1-EVO; 2026-04-09 6.5 CVE-2026-21919 https://kb.juniper.net/JSA106019
 
addfunc--AddFunc Head & Footer Code The AddFunc Head & Footer Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `aFhfc_head_code`, `aFhfc_body_code`, and `aFhfc_footer_code` post meta values in all versions up to, and including, 2.3. This is due to the plugin outputting these meta values without any sanitization or escaping. While the plugin restricts its own metabox and save handler to administrators via `current_user_can('manage_options')`, it does not use `register_meta()` with an `auth_callback` to protect these meta keys. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts via the WordPress Custom Fields interface that execute when an administrator previews or views the post. 2026-04-10 6.4 CVE-2026-2305 https://www.wordfence.com/threat-intel/vulnerabilities/id/2f2d1a67-1d9b-4b73-988e-085eaa7474c6?source=cve
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L63
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L74
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L85
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L63
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L74
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L85
https://plugins.trac.wordpress.org/changeset?old_path=%2Faddfunc-head-footer-code/tags/2.3&new_path=%2Faddfunc-head-footer-code/tags/2.4
 
blubrry--PowerPress Podcasting plugin by Blubrry The Blubrry PowerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'powerpress' and 'podcast' shortcodes in versions up to, and including, 11.15.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-04-08 6.4 CVE-2026-2988 https://www.wordfence.com/threat-intel/vulnerabilities/id/de25459d-9e19-4e3e-982f-0b34fa89dc30?source=cve
https://plugins.trac.wordpress.org/changeset/3473781/powerpress
 
fernandobt--List category posts The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode in all versions up to, and including, 0.94.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-04-09 6.4 CVE-2026-3005 https://www.wordfence.com/threat-intel/vulnerabilities/id/1a93ff8a-364f-4ec4-9c32-208c7a3e1fc1?source=cve
https://plugins.trac.wordpress.org/browser/list-category-posts/trunk/include/lcp-thumbnail.php#L95
https://plugins.trac.wordpress.org/changeset/3482733/
 
uniquecodergmailcom--Pinterest Site Verification plugin using Meta Tag The Pinterest Site Verification plugin using Meta Tag plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_var' parameter in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-04-08 6.4 CVE-2026-3142 https://www.wordfence.com/threat-intel/vulnerabilities/id/7ccb7534-b588-4bdd-9627-0e38c0ee5e8a?source=cve
https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L160
https://plugins.trac.wordpress.org/browser/pinterest-site-verification/trunk/PinterestMetaTagSiteVerification.php#L160
https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L172
https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L180
https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L92
https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L132
https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L214
 
wpchill--Strong Testimonials The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's testimonial_view shortcode in all versions up to, and including, 3.2.21 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-04-08 6.4 CVE-2026-3239 https://www.wordfence.com/threat-intel/vulnerabilities/id/88d769cd-bea8-42e4-80a8-a77c0699b50c?source=cve
https://plugins.trac.wordpress.org/changeset/3470120/strong-testimonials
 
posimyththemes--The Plus Addons for Elementor Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce The The Plus Addons for Elementor - Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Progress Bar shortcode in all versions up to, and including, 6.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-04-08 6.4 CVE-2026-3311 https://www.wordfence.com/threat-intel/vulnerabilities/id/6367c5fc-f664-4105-a1b7-a93fb0a2392b?source=cve
https://plugins.trac.wordpress.org/changeset/3473275/the-plus-addons-for-elementor-page-builder
 
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the REST API stats endpoint allows any authenticated user (including low-privilege students with ROLE_USER) to read any other user's learning progress, certificates, and gradebook scores for any course, without enrollment or supervisory relationship. This vulnerability is fixed in 2.0.0-RC.3. 2026-04-10 6.5 CVE-2026-33141 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-j2pr-2r5w-jrpj
https://github.com/chamilo/chamilo-lms/commit/792ba05953470ca971617fe2674ed14c1479fa80
 
pi-hole--web Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface by crafting a malicious URL. The file query parameter is interpolated into an innerHTML assignment without escaping. Because the Content-Security-Policy is missing the form-action directive, injected <form> elements can exfiltrate credentials to an external origin. This vulnerability is fixed in 6.5. 2026-04-06 6.1 CVE-2026-33403 https://github.com/pi-hole/web/security/advisories/GHSA-7xqw-r9pr-qv59
 
Elastic--Kibana Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data. 2026-04-08 6.8 CVE-2026-33458 https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815
 
Elastic--Kibana Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent concurrently, the backend services become unstable, resulting in service disruption and deployment unavailability for all users. 2026-04-08 6.5 CVE-2026-33459 https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-26/385814
 
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no authorization check. This vulnerability is fixed in 1.11.38. 2026-04-10 6.5 CVE-2026-33708 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-qwch-82q9-q999
https://github.com/chamilo/chamilo-lms/commit/4a119f93abbfba6fe833580f2463c8d4afa500c2
 
pi-hole--pi-hole Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct interactive-login issue. However, nologin does not prevent code from running as UID pihole if a Pi-hole component is compromised. In that realistic post-compromise scenario, attacker-controlled content in /etc/pihole/versions is sourced by root-run Pi-hole scripts, leading to root code execution. This vulnerability is fixed in 6.4.1. 2026-04-06 6.4 CVE-2026-33727 https://github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74
 
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user (including ROLE_STUDENT) can enumerate all platform users and access personal information (email, phone, roles) via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3. 2026-04-10 6.5 CVE-2026-33736 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-fp2p-fj6c-x3x9
https://github.com/chamilo/chamilo-lms/commit/1739371ce1c562c007c7f5d53e6d65b7a4ff4109
 
trailofbits--rfc3161-client rfc3161-client is a Python library implementing the Time-Stamp Protocol (TSP) described in RFC 3161. Prior to 1.0.6, an Authorization Bypass vulnerability in rfc3161-client's signature verification allows any attacker to impersonate a trusted TimeStamping Authority (TSA). By exploiting a logic flaw in how the library extracts the leaf certificate from an unordered PKCS#7 bag of certificates, an attacker can append a spoofed certificate matching the target common_name and Extended Key Usage (EKU) requirements. This tricks the library into verifying these authorization rules against the forged certificate while validating the cryptographic signature against an actual trusted TSA (such as FreeTSA), thereby bypassing the intended TSA authorization pinning entirely. This vulnerability is fixed in 1.0.6. 2026-04-08 6.2 CVE-2026-33753 https://github.com/trailofbits/rfc3161-client/security/advisories/GHSA-3xxc-pwj6-jgrj
 
Juniper Networks--Junos OS An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass the configured firewall filter and access the control-plane of the device. On MX platforms with MPC10, MPC11, LC4800 or LC9600 line cards, and MX304, firewall filters applied on a loopback interface lo0.n (where n is a non-0 number) don't get executed when lo0.n is in the global VRF / default routing-instance. An affected configuration would be: user@host# show configuration interfaces lo0 | display set set interfaces lo0 unit 1 family inet filter input <filter-name> where a firewall filter is applied to a non-0 loopback interface, but that loopback interface is not referred to in any routing-instance (RI) configuration, which implies that it's used in the default RI. The issue can be observed with the CLI command: user@device> show firewall counter filter <filter_name> not showing any matches. This issue affects Junos OS on MX Series: * all versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S7, * 24.2 versions before 24.2R2, * 24.4 versions before 24.4R2. 2026-04-09 6.5 CVE-2026-33774 https://kb.juniper.net/JSA107865
 
Juniper Networks--Junos OS A Missing Release of Memory after Effective Lifetime vulnerability in the BroadBand Edge subscriber management daemon (bbe-smgd) of Juniper Networks Junos OS on MX Series allows an adjacent, unauthenticated attacker to cause a Denial of Service (DoS). If the authentication packet-type option is configured and a received packet does not match that packet type, the memory leak occurs. When all memory available to bbe-smgd has been consumed, no new subscribers will be able to login. The memory utilization of bbe-smgd can be monitored with the following show command: user@host> show system processes extensive | match bbe-smgd The below log message can be observed when this limit has been reached: bbesmgd[<PID>]: %DAEMON-3-SMD_DPROF_RSMON_ERROR: Resource unavailability, Reason: Daemon Heap Memory exhaustion This issue affects Junos OS on MX Series: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2, * 25.2 versions before 25.2R2. 2026-04-09 6.5 CVE-2026-33775 https://kb.juniper.net/JSA107821
 
Juniper Networks--Junos OS An Improper Following of a Certificate's Chain of Trust vulnerability in J-Web of Juniper Networks Junos OS on SRX Series allows a PITM to intercept the communication of the device and get access to confidential information and potentially modify it. When an SRX device is provisioned to connect to Security Director (SD) cloud, it doesn't perform sufficient verification of the received server certificate. This allows a PITM to intercept the communication between the SRX and SD cloud and access credentials and other sensitive information. This issue affects Junos OS: * all versions before 22.4R3-S9, * 23.2 versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S7, * 24.2 versions before 24.2R2-S3, * 24.4 versions before 24.4R2-S2, * 25.2 versions before 25.2R1-S2, 25.2R2. 2026-04-09 6.5 CVE-2026-33779 https://kb.juniper.net/JSA107823
 
Juniper Networks--Junos OS A Missing Release of Memory after Effective Lifetime vulnerability in the Layer 2 Address Learning Daemon (l2ald) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker to cause a memory leak ultimately leading to a Denial of Service (DoS). In an EVPN-MPLS scenario, routes learned from remote multi-homed Provider Edge (PE) devices are programmed as ESI routes. Due to a logic issue in the l2ald memory management, memory allocated for these routes is not released when there is churn for these routes. As a result, memory leaks in the l2ald process which will ultimately lead to a crash and restart of l2ald. Use the following command to monitor the memory consumption by l2ald: user@device> show system process extensive | match "PID|l2ald" This issue affects: Junos OS: * all versions before 22.4R3-S5, * 23.2 versions before 23.2R2-S3, * 23.4 versions before 23.4R2-S4, * 24.2 versions before 24.2R2; Junos OS Evolved: * all versions before 22.4R3-S5-EVO, * 23.2 versions before 23.2R2-S3-EVO, * 23.4 versions before 23.4R2-S4-EVO, * 24.2 versions before 24.2R2-EVO. 2026-04-09 6.5 CVE-2026-33780 https://kb.juniper.net/JSA107819
 
Juniper Networks--Junos OS An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX and QFX Series devices allow an unauthenticated, adjacent attacker to cause a complete Denial of Service (DoS). On EX4k, and QFX5k platforms configured as service-provider edge devices, if L2PT is enabled on the UNI and VSTP is enabled on NNI in VXLAN scenarios, receiving VSTP BPDUs on UNI leads to packet buffer allocation failures, resulting in the device to not pass traffic anymore until it is manually recovered with a restart.This issue affects Junos OS: * 24.4 releases before 24.4R2, * 25.2 releases before 25.2R1-S1, 25.2R2. This issue does not affect Junos OS releases before 24.4R1. 2026-04-09 6.5 CVE-2026-33781 https://kb.juniper.net/JSA107869
 
Juniper Networks--Junos OS A Missing Release of Memory after Effective Lifetime vulnerability in the DHCP daemon (jdhcpd) of Juniper Networks Junos OS on MX Series, allows an adjacent, unauthenticated attacker to cause a memory leak, that will eventually cause a complete Denial-of-Service (DoS). In a DHCPv6 over PPPoE, or DHCPv6 over VLAN with Active lease query or Bulk lease query scenario, every subscriber logout will leak a small amount of memory. When all available memory has been exhausted, jdhcpd will crash and restart which causes a complete service impact until the process has recovered. The memory usage of jdhcpd can be monitored with: user@host> show system processes extensive | match jdhcpd This issue affects Junos OS: * all versions before 22.4R3-S1, * 23.2 versions before 23.2R2, * 23.4 versions before 23.4R2. 2026-04-09 6.5 CVE-2026-33782 https://kb.juniper.net/JSA107820
 
Juniper Networks--Junos OS Evolved A Function Call With Incorrect Argument Type vulnerability in the sensor interface of Juniper Networks Junos OS Evolved on PTX Series allows a network-based, authenticated attacker with low privileges to cause a complete Denial of Service (DoS). If colored SRTE policy tunnels are provisioned via PCEP, and gRPC is used to monitor traffic in these tunnels, evo-aftmand crashes and doesn't restart which leads to a complete and persistent service impact. The system has to be manually restarted to recover. The issue is seen only when the Originator ASN field in PCEP contains a value larger than 65,535 (32-bit ASN). The issue is not reproducible when SRTE policy tunnels are statically configured. This issue affects Junos OS Evolved on PTX Series:  * all versions before 22.4R3-S9-EVO, * 23.2 versions before 23.2R2-S6-EVO, * 23.4 versions before 23.4R2-S7-EVO, * 24.2 versions before 24.2R2-S4-EVO, * 24.4 versions before 24.4R2-S2-EVO, * 25.2 versions before 25.2R1-S2-EVO, 25.2R2-EVO. 2026-04-09 6.5 CVE-2026-33783 https://kb.juniper.net/JSA107870
 
Juniper Networks--Junos OS An OS Command Injection vulnerability in the CLI processing of Juniper Networks Junos OS and Junos OS Evolved allows a local, high-privileged attacker executing specific, crafted CLI commands to inject arbitrary shell commands as root, leading to a complete compromise of the system. Certain 'set system' commands, when executed with crafted arguments, are not properly sanitized, allowing for arbitrary shell injection. These shell commands are executed as root, potentially allowing for complete control of the vulnerable system. This issue affects: Junos OS:  * all versions before 22.4R3-S8,  * from 23.2 before 23.2R2-S5,  * from 23.4 before 23.4R2-S7,  * from 24.2 before 24.2R2-S2,  * from 24.4 before 24.4R2,  * from 25.2 before 25.2R2;  Junos OS Evolved:  * all versions before 22.4R3-S8-EVO,  * from 23.2 before 23.2R2-S5-EVO,  * from 23.4 before 23.4R2-S7-EVO,  * from 24.2 before 24.2R2-S2-EVO,  * from 24.4 before 24.4R2-EVO,  * from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO. 2026-04-09 6.7 CVE-2026-33791 https://kb.juniper.net/JSA107875
 
danny-avila--LibreChat LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the execute_code sandbox when persisting code-generated artifacts. On deployments using the default local file strategy, a malicious artifact filename containing traversal sequences (for example, ../../../../../app/client/dist/poc.txt) is concatenated into the server-side destination path and written with fs.writeFileSync() without sanitization. This gives any user who can trigger execute_code an arbitrary file write primitive as the LibreChat server user. This vulnerability is fixed in 0.8.4. 2026-04-07 6.3 CVE-2026-34371 https://github.com/danny-avila/LibreChat/security/advisories/GHSA-qrm5-r67f-6692
 
AcademySoftwareFoundation--openexr OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.4.0 to before 3.4.9, a missing bounds check on the dataWindow attribute in EXR file headers allows an attacker to trigger a signed integer overflow in generic_unpack(). By setting dataWindow.min.x to a large negative value, OpenEXRCore computes an enormous image width, which is later used in a signed integer multiplication that overflows, causing the process to terminate with SIGILL via UBSan. This vulnerability is fixed in 3.4.9. 2026-04-06 6.5 CVE-2026-34378 https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-v76p-4qvv-vh4g
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9
 
vllm-project--vllm vLLM is an inference and serving engine for large language models (LLMs). From 0.7.0 to before 0.19.0, the VideoMediaIO.load_base64() method at vllm/multimodal/media/video.py splits video/jpeg data URLs by comma to extract individual JPEG frames, but does not enforce a frame count limit. The num_frames parameter (default: 32), which is enforced by the load_bytes() code path, is completely bypassed in the video/jpeg base64 path. An attacker can send a single API request containing thousands of comma-separated base64-encoded JPEG frames, causing the server to decode all frames into memory and crash with OOM. This vulnerability is fixed in 0.19.0. 2026-04-06 6.5 CVE-2026-34755 https://github.com/vllm-project/vllm/security/advisories/GHSA-pq5c-rjhq-qp7p
 
vllm-project--vllm vLLM is an inference and serving engine for large language models (LLMs). From 0.1.0 to before 0.19.0, a Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionRequest Pydantic models, an unauthenticated attacker can send a single HTTP request with an astronomically large n value. This completely blocks the Python asyncio event loop and causes immediate Out-Of-Memory crashes by allocating millions of request object copies in the heap before the request even reaches the scheduling queue. This vulnerability is fixed in 0.19.0. 2026-04-06 6.5 CVE-2026-34756 https://github.com/vllm-project/vllm/security/advisories/GHSA-3mwp-wvh9-7528
https://github.com/vllm-project/vllm/pull/37952
https://github.com/vllm-project/vllm/commit/b111f8a61f100fdca08706f41f29ef3548de7380
 
electron--electron Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, when a renderer calls window.open() with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If that existing child was created with more permissive webPreferences (via setWindowOpenHandler's overrideBrowserWindowOptions), content loaded by the second renderer inherits those permissions. Apps are only affected if they open multiple top-level windows with differing trust levels and use setWindowOpenHandler to grant child windows elevated webPreferences such as a privileged preload script. Apps that do not elevate child window privileges, or that use a single top-level window, are not affected. Apps that additionally grant nodeIntegration: true or sandbox: false to child windows (contrary to the security recommendations) may be exposed to arbitrary code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5. 2026-04-07 6 CVE-2026-34765 https://github.com/electron/electron/security/advisories/GHSA-f3pv-wv63-48x8
 
burlingtonbytes--WP Blockade Visual Page Builder The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an admin_post action hook 'wp-blockade-shortcode-render' that maps to the render_shortcode_preview() function. This function lacks any capability check (current_user_can()) and nonce verification, allowing any authenticated user to execute arbitrary WordPress shortcodes. The function takes a user-supplied 'shortcode' parameter from $_GET, passes it through stripslashes(), and directly executes it via do_shortcode(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes, which could lead to information disclosure, privilege escalation, or other impacts depending on what shortcodes are registered on the site (e.g., shortcodes from other plugins that display sensitive data, perform actions, or include files). 2026-04-08 6.5 CVE-2026-3480 https://www.wordfence.com/threat-intel/vulnerabilities/id/3f159aac-092b-4655-9d97-a496ac01738c?source=cve
https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L393
https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L393
https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L361
https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L361
https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L112
https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L112
 
David Lingren--Media LIbrary Assistant Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David Lingren Media LIbrary Assistant allows Stored XSS.This issue affects Media LIbrary Assistant: from n/a through 3.34. 2026-04-06 6.5 CVE-2026-34897 https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-34-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Red Hat--mirror registry for Red Hat OpenShift A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation. 2026-04-08 5.3 CVE-2025-14243 https://access.redhat.com/security/cve/CVE-2025-14243
RHBZ#2419829
 
inisev--BackupBliss Backup & Migration with Free Cloud Storage The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin's JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion. 2026-04-07 5.3 CVE-2025-14944 https://www.wordfence.com/threat-intel/vulnerabilities/id/a2a41a15-0743-48cc-8c92-7cb839fa5847?source=cve
https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/offline.php#L29
https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/ajax_offline.php#L112
https://plugins.trac.wordpress.org/changeset?old=3386897&old_path=backup-backup%2Ftags%2F2.0.0%2Fincludes%2Foffline.php&new=3449635&new_path=backup-backup%2Ftags%2F2.1.0%2Fincludes%2Foffline.php
 
johanaarstein--AM LottiePlayer The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded SVG files in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-04-08 5.4 CVE-2025-1794 https://www.wordfence.com/threat-intel/vulnerabilities/id/ef2f1ad1-1e2e-4b56-b16c-d87956b142ad?source=cve
https://plugins.trac.wordpress.org/browser/am-lottieplayer/tags/3.5.0/includes/upload-thumbnail.php
 
Hitachi--JP1/IT Desktop Management 2 - Manager Buffer Overflow Vulnerability in JP1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management 2 - Operations Director on Windows, Job Management Partner 1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management - Manager on Windows, Job Management Partner 1/IT Desktop Management - Manager on Windows, JP1/NETM/DM Manager on Windows, JP1/NETM/DM Client on Windows, Job Management Partner 1/Software Distribution Manager on Windows, Job Management Partner 1/Software Distribution Client on Windows.This issue affects JP1/IT Desktop Management 2 - Manager: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; JP1/IT Desktop Management 2 - Operations Director: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; Job Management Partner 1/IT Desktop Management 2 - Manager: from 10-50 through 10-50-11; JP1/IT Desktop Management - Manager: from 09-50 through 10-10-16; Job Management Partner 1/IT Desktop Management - Manager: from 09-50 through 10-10-16; JP1/NETM/DM Manager: from 09-00 through 10-20-02; JP1/NETM/DM Client: from 09-00 through 10-20-02; Job Management Partner 1/Software Distribution Manager: from 09-00 through 09-51-13; Job Management Partner 1/Software Distribution Client: from 09-00 through 09-51-13. 2026-04-07 5.5 CVE-2025-65116 https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-118/index.html
 
vsourz1td--Advanced Contact form 7 DB The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the 'vsz_cf7_save_setting_callback' function. This makes it possible for unauthenticated attackers to delete form entry via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-04-08 5.4 CVE-2026-0811 https://www.wordfence.com/threat-intel/vulnerabilities/id/88097744-d2f5-4ae5-aa71-0f4a0decd911?source=cve
https://plugins.trac.wordpress.org/browser/advanced-cf7-db/tags/2.0.9/admin/class-advanced-cf7-db-admin.php#L885
https://plugins.trac.wordpress.org/changeset/3497481/advanced-cf7-db
 
GitLab--GitLab GitLab has remediated an issue in GitLab EE affecting all versions from 18.0.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that in Code Quality reports could have allowed an authenticated user to leak IP addresses of users viewing the report via specially crafted content. 2026-04-08 5.7 CVE-2026-1516 HackerOne Bug Bounty Report #3514461
https://gitlab.com/gitlab-org/gitlab/-/work_items/587893
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
 
wpmudev--Hustle Email Marketing, Lead Generation, Optins, Popups The Hustle - Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hustle_module_converted' AJAX action in all versions up to, and including, 7.8.10.2. This makes it possible for unauthenticated attackers to forge conversion tracking events for any Hustle module, including draft modules that are never displayed to users, thereby manipulating marketing analytics and conversion statistics. 2026-04-07 5.3 CVE-2026-2263 https://www.wordfence.com/threat-intel/vulnerabilities/id/2305462c-0a00-4423-8dc2-e32628c4864d?source=cve
https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L32
https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L1047
https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front.php#L311
https://plugins.trac.wordpress.org/changeset?old_path=/wordpress-popup/tags/7.8.10.2&new_path=/wordpress-popup/tags/7.8.11
 
OCS Inventory--OCS Inventory NG Server OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft requests with malicious User-Agent values that are stored without sanitation and rendered with insufficient encoding in the web console, leading to arbitrary JavaScript execution in the browsers of authenticated users viewing the statistics dashboard. 2026-04-06 5.4 CVE-2026-22675 https://github.com/OCSInventory-NG/OCSInventory-Server/pull/483
https://github.com/OCSInventory-NG/OCSInventory-Server/commit/78faf2ca8b897141ba4d337d75692ab8e405bd4e
https://www.vulncheck.com/advisories/ocs-inventory-ng-server-stored-xss-via-user-agent
 
Volcengine--OpenViking OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/{task_id} routes without authentication to expose task type, task status, resource identifiers, archive URIs, result payloads, and error information, potentially causing cross-tenant interference in multi-tenant deployments. 2026-04-07 5.3 CVE-2026-22680 https://github.com/volcengine/OpenViking/releases/tag/v0.3.3
https://github.com/volcengine/OpenViking/pull/1182
https://github.com/volcengine/OpenViking/commit/8c1c3f3608364ee0bb0e45f73478771a68aebdf5
https://www.vulncheck.com/advisories/openviking-missing-authorization-via-task-polling
 
HDFGroup--hdf5 HDF5 is software for managing data. In 1.14.1-2 and earlier, an attacker who can control an h5 file parsed by HDF5 can trigger a write-based heap buffer overflow condition in the H5T__ref_mem_setnull method. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the heap overflow against modern operating systems. 2026-04-10 5.5 CVE-2026-29043 https://github.com/HDFGroup/hdf5/security/advisories/GHSA-qm2m-5g5w-2277
 
smub--Charitable Donation Plugin for WordPress Fundraising with Recurring Donations & More The Charitable - Donation Plugin for WordPress - Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of incoming Stripe webhook events. This makes it possible for unauthenticated attackers to forge payment_intent.succeeded webhook payloads and mark pending donations as completed without a real payment. 2026-04-07 5.3 CVE-2026-3177 https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b2645-7b57-4884-99c5-e37dbd4a9600?source=cve
https://plugins.trac.wordpress.org/changeset/3485023/charitable
 
Red Hat--mirror registry for Red Hat OpenShift A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the specified registry hostname without verifying that it points to a legitimate external service. An attacker with organization administrator privileges could supply a crafted hostname to force the Quay server to make requests to internal network services, cloud infrastructure endpoints, or other resources that should not be accessible from the Quay application. 2026-04-08 5.2 CVE-2026-32591 https://access.redhat.com/security/cve/CVE-2026-32591
RHBZ#2446965
 
opensourcepos--opensourcepos Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false in the bootstrap-table column configuration, causing customer names to be rendered as raw HTML. An attacker with customer management permissions can inject arbitrary JavaScript into a customer's first_name or last_name field, which executes in the browser of any user viewing the Daily Sales page. This vulnerability is fixed in 3.4.3. 2026-04-07 5.4 CVE-2026-32712 https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hcfr-9hfv-mcwp
 
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary JavaScript in an authenticated teacher's browser. The pagination code merges all $_GET parameters via array_merge() and outputs the result via http_build_query() directly into HTML href attributes without htmlspecialchars() encoding. This vulnerability is fixed in 2.0.0-RC.3. 2026-04-10 5.4 CVE-2026-32893 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-37jh-g64j-88mc
https://github.com/chamilo/chamilo-lms/commit/72bc403f89b1ebb73a139f8f6cf0478857592276
 
Microsoft--Microsoft Edge for Android User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. 2026-04-10 5.4 CVE-2026-33119 Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability
 
pi-hole--web Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any config value breaks out of the attribute context. JavaScript execution is blocked by the server's CSP (script-src 'self'), but injected attributes can alter element styling for UI redressing. The primary attack vector is importing a malicious teleporter backup, which bypasses per-field server-side validation. This vulnerability is fixed in 6.5. 2026-04-06 5.4 CVE-2026-33406 https://github.com/pi-hole/web/security/advisories/GHSA-9rfm-c5g6-538p
 
themeum--Tutor LMS eLearning and online course solution The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the target course ID. The enrollment record is created in the database and the private course title and enrollment status are exposed in the subscriber's dashboard, though WordPress core access control prevents the subscriber from viewing the actual course content (returns 404). Enrollment in private courses should be restricted to users with the `read_private_posts` capability. 2026-04-11 5.4 CVE-2026-3358 https://www.wordfence.com/threat-intel/vulnerabilities/id/0c173356-7228-4253-bb28-2c2e11af76fd?source=cve
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2066
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L134
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2053
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2989
https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7&new_path=%2Ftutor/tags/3.9.8
https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/classes/Course.php
 
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure. This vulnerability is fixed in 1.11.38. 2026-04-10 5.3 CVE-2026-33705 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-5wjg-8x28-px57
https://github.com/chamilo/chamilo-lms/commit/4efb5ee8ed849ca147ca1fe7472ef7b98db17bff
 
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. 2026-04-10 5.3 CVE-2026-33737 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-c4ww-qgf2-v89j
https://github.com/chamilo/chamilo-lms/commit/22b1cb1c609b643765c88654155aba27070c927e
https://github.com/chamilo/chamilo-lms/commit/af6b7002af7c15825e98fc522e2ead0d00cacaa3
 
Juniper Networks--Junos OS An Incorrect Initialization of Resource vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX Series and QFX Series device allows an unauthenticated, network-based attacker to cause an integrity impact to downstream networks. When the same family inet or inet6 filter is applied on an IRB interface and on a physical interface as egress filter on EX4100, EX4400, EX4650 and QFX5120 devices, only one of the two filters will be applied, which can lead to traffic being sent out one of these interfaces which should have been blocked. This issue affects Junos OS on EX Series and QFX Series: * 23.4 version 23.4R2-S6, * 24.2 version 24.2R2-S3. No other Junos OS versions are affected. 2026-04-09 5.8 CVE-2026-33773 https://kb.juniper.net/JSA107815
 
Juniper Networks--Junos OS A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS and Junos OS Evolved allows a local user with low privileges to read sensitive information. A local user with low privileges can execute the CLI command 'show mgd' with specific arguments which will expose sensitive information. This issue affects Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S4, * 24.4 versions before 24.4R2-S1, * 25.2 version before 25.2R1-S2, 25.2R2; Junos OS Evolved: * all versions before 23.2R2-S6-EVO, * 23.4 version before 23.4R2-S6-EVO, * 24.2 version before 24.2R2-S4-EVO, * 24.4 versions before 24.4R2-S1-EVO, * 25.2 versions before 25.2R2-EVO. 2026-04-09 5.5 CVE-2026-33776 https://kb.juniper.net/JSA107866
 
Juniper Networks--Junos OS An Improper Check for Unusual or Exceptional Conditions vulnerability in the chassis control daemon (chassisd) of Juniper Networks Junos OS on SRX1600, SRX2300 and SRX4300 allows a local attacker with low privileges to cause a complete Denial of Service (DoS). When a specific 'show chassis' CLI command is executed, chassisd crashes and restarts which causes a momentary impact to all traffic until all modules are online again. This issue affects Junos OS on SRX1600, SRX2300 and SRX4300: * 24.4 versions before 24.4R1-S3, 24.4R2. This issue does not affect Junos OS versions before 24.4R1. 2026-04-09 5.5 CVE-2026-33786 https://kb.juniper.net/JSA107810
 
Juniper Networks--Junos OS An Improper Check for Unusual or Exceptional Conditions vulnerability in the chassis control daemon (chassisd) of Juniper Networks Junos OS on SRX1500, SRX4100, SRX4200 and SRX4600 allows a local attacker with low privileges to cause a complete Denial of Service (DoS). When a specific 'show chassis' CLI command is executed, chassisd crashes and restarts which causes a momentary impact to all traffic until all modules are online again. This issue affects Junos OS on SRX1500, SRX4100, SRX4200 and SRX4600:  * 23.2 versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S7 * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2, * 25.2 versions before 25.2R1-S1, 25.2R2. 2026-04-09 5.5 CVE-2026-33787 https://kb.juniper.net/JSA107873
 
AcademySoftwareFoundation--openexr OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a signed integer overflow exists in undo_pxr24_impl() in src/lib/OpenEXRCore/internal_pxr24.c at line 377. The expression (uint64_t)(w * 3) computes w * 3 as a signed 32-bit integer before casting to uint64_t. When w is large, this multiplication constitutes undefined behavior under the C standard. On tested builds (clang/gcc without sanitizers), two's-complement wraparound commonly occurs, and for specific values of w the wrapped result is a small positive integer, which may allow the subsequent bounds check to pass incorrectly. If the check is bypassed, the decoding loop proceeds to write pixel data through dout, potentially extending far beyond the allocated output buffer. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9. 2026-04-06 5.9 CVE-2026-34380 https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-q3v8-hw4m-59w5
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9
 
vllm-project--vllm vLLM is an inference and serving engine for large language models (LLMs). From 0.16.0 to before 0.19.0, a server-side request forgery (SSRF) vulnerability in download_bytes_from_url allows any actor who can control batch input JSON to make the vLLM batch runner issue arbitrary HTTP/HTTPS requests from the server, without any URL validation or domain restrictions. This can be used to target internal services (e.g. cloud metadata endpoints or internal HTTP APIs) reachable from the vLLM host. This vulnerability is fixed in 0.19.0. 2026-04-06 5.4 CVE-2026-34753 https://github.com/vllm-project/vllm/security/advisories/GHSA-pf3h-qjgv-vcpr
 
pnggroup--libpng LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57. 2026-04-09 5.1 CVE-2026-34757 https://github.com/pnggroup/libpng/security/advisories/GHSA-6fr7-g8h7-v645
https://github.com/pnggroup/libpng/issues/836
https://github.com/pnggroup/libpng/issues/837
https://github.com/pnggroup/libpng/commit/398cbe3df03f4e11bb031e07f416dfdde3684e8a
https://github.com/pnggroup/libpng/commit/55d20aaa322c9274491cda82c5cd4f99b48c6bcc
 
projectzealous01--PZ Frontend Manager The PZ Frontend Manager plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.6. The pzfm_user_request_action_callback() function, registered via the wp_ajax_pzfm_user_request_action action hook, lacks both capability checks and nonce verification. This function handles user activation, deactivation, and deletion operations. When the 'dataType' parameter is set to 'delete', the function calls wp_delete_user() on all provided user IDs without verifying that the current user has the appropriate permissions. Notably, the similar pzfm_remove_item_callback() function does check pzfm_can_delete_user() before performing deletions, indicating this was an oversight. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary WordPress users (including administrators) by sending a crafted request to the AJAX endpoint. 2026-04-08 5.3 CVE-2026-3477 https://www.wordfence.com/threat-intel/vulnerabilities/id/90d8e345-b549-493b-a84b-abe56ab42a04?source=cve
https://plugins.trac.wordpress.org/browser/pz-frontend-manager/trunk/admin/includes/ajax-hooks.php#L331
https://plugins.trac.wordpress.org/browser/pz-frontend-manager/tags/1.0.6/admin/includes/ajax-hooks.php#L331
https://plugins.trac.wordpress.org/browser/pz-frontend-manager/trunk/admin/includes/ajax-hooks.php#L292
https://plugins.trac.wordpress.org/browser/pz-frontend-manager/tags/1.0.6/admin/includes/ajax-hooks.php#L292
https://plugins.trac.wordpress.org/browser/pz-frontend-manager/trunk/admin/includes/ajax-hooks.php#L290
https://plugins.trac.wordpress.org/browser/pz-frontend-manager/tags/1.0.6/admin/includes/ajax-hooks.php#L290
 
Eniture technology--LTL Freight Quotes Worldwide Express Edition Missing Authorization vulnerability in Eniture technology LTL Freight Quotes - Worldwide Express Edition allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LTL Freight Quotes - Worldwide Express Edition: from n/a through 5.2.1. 2026-04-07 5.3 CVE-2026-34899 https://patchstack.com/database/wordpress/plugin/ltl-freight-quotes-worldwide-express-edition/vulnerability/wordpress-ltl-freight-quotes-worldwide-express-edition-plugin-5-2-1-broken-access-control-vulnerability?_s_id=cve
 
OceanWP--Ocean Extra Missing Authorization vulnerability in OceanWP Ocean Extra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ocean Extra: from n/a through 2.5.3. 2026-04-07 5.4 CVE-2026-34903 https://patchstack.com/database/wordpress/plugin/ocean-extra/vulnerability/wordpress-ocean-extra-plugin-2-5-3-broken-access-control-vulnerability?_s_id=cve
 
Heatmiser--Heatmiser Wifi Thermostat Heatmiser Wifi Thermostat 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting the networkSetup.htm endpoint with parameters usnm, usps, and cfps to modify the admin username and password without user consent. 2026-04-12 4.3 CVE-2019-25708 ExploitDB-46100
VulnCheck Advisory: Heatmiser Wifi Thermostat 1.7 Cross-Site Request Forgery
 
GitLab--GitLab GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user to have access to other users' email addresses via certain GraphQL queries. 2026-04-08 4.3 CVE-2025-9484 GitLab Issue #565363
HackerOne Bug Bounty Report #3303810
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
 
vsourz1td--Advanced Contact form 7 DB The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in all versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export form submissions to excel file. 2026-04-08 4.3 CVE-2026-0814 https://www.wordfence.com/threat-intel/vulnerabilities/id/5e3de1a4-a534-475b-9138-2337755b0288?source=cve
https://plugins.trac.wordpress.org/browser/advanced-cf7-db/tags/2.0.9/admin/class-advanced-cf7-db-admin.php#L1507
https://plugins.trac.wordpress.org/changeset/3497481/advanced-cf7-db
 
realmag777--BEAR Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net The BEAR - Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_delete_tax_term() function. This makes it possible for unauthenticated attackers to delete WooCommerce taxonomy terms (categories, tags, etc.) via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link. 2026-04-08 4.3 CVE-2026-1673 https://www.wordfence.com/threat-intel/vulnerabilities/id/1e4e8960-b0c1-4dbb-ba97-e45b88fb06c0?source=cve
https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/index.php#L1474
https://plugins.trac.wordpress.org/changeset/3457263/
https://plugins.trac.wordpress.org/changeset/3465138/
 
GitLab--GitLab GitLab has remediated an issue in GitLab EE affecting all versions from 11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with developer-role permissions to modify protected environment settings due to improper authorization checks in the API. 2026-04-08 4.3 CVE-2026-1752 HackerOne Bug Bounty Report #3533545
https://gitlab.com/gitlab-org/gitlab/-/work_items/588413
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
 
arubadev--Aruba HiSpeed Cache The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing nonce verification on the `ahsc_ajax_reset_options()` function. This makes it possible for unauthenticated attackers to reset all plugin settings to their default values via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-04-10 4.3 CVE-2026-1924 https://www.wordfence.com/threat-intel/vulnerabilities/id/d2230151-fde2-43d6-8bff-0d2ffd559ab3?source=cve
https://plugins.trac.wordpress.org/browser/aruba-hispeed-cache/tags/3.0.4/aruba-hispeed-cache.php#L632
https://plugins.trac.wordpress.org/browser/aruba-hispeed-cache/tags/3.0.4/aruba-hispeed-cache.php#L631
https://plugins.trac.wordpress.org/changeset?old_path=%2Faruba-hispeed-cache/tags/3.0.4&new_path=%2Faruba-hispeed-cache/tags/3.0.5
 
GitLab--GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to access confidential issues assigned to other users via CSV export due to insufficient authorization checks. 2026-04-08 4.3 CVE-2026-2104 HackerOne Bug Bounty Report #3541476
https://gitlab.com/gitlab-org/gitlab/-/work_items/589021
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
 
idealwebdesignlk--Whole Enquiry Cart for WooCommerce The Whole Enquiry Cart for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'woowhole_success_msg' parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-04-08 4.4 CVE-2026-2838 https://www.wordfence.com/threat-intel/vulnerabilities/id/ddc14a98-1df8-480b-bae3-5ec057b498af?source=cve
https://plugins.trac.wordpress.org/browser/whole-cart-enquiry/trunk/admin.php#L53
 
homarr-labs--homarr Homarr is an open-source dashboard. Prior to 1.57.0, the user registration endpoint (/api/trpc/user.register) is vulnerable to a race condition that allows an attacker to create multiple user accounts from a single-use invite token. The registration flow performs three sequential database operations without a transaction: CHECK, CREATE, and DELETE. Because these operations are not atomic, concurrent requests can all pass the validation step (1) before any of them reaches the deletion step (3). This allows multiple accounts to be registered using a single invite token that was intended to be single-use. This vulnerability is fixed in 1.57.0. 2026-04-06 4.2 CVE-2026-32602 https://github.com/homarr-labs/homarr/security/advisories/GHSA-vfw3-53q9-2hp8
 
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Open Redirect vulnerability in the session course edit page allows an attacker to redirect an authenticated administrator to an arbitrary external URL after saving coach assignment changes. The redirect also leaks the id_session parameter to the attacker's server. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. 2026-04-10 4.7 CVE-2026-32932 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-q2cp-3qj3-wx8q
https://github.com/chamilo/chamilo-lms/commit/b005b3d3e76cf6eafc03e15ac445ceff089551c0
https://github.com/chamilo/chamilo-lms/commit/fbd8d7eb37d05ec974293f05b6ffaaf9102ebd2b
 
Microsoft--Microsoft Edge (Chromium-based) Microsoft Edge (Chromium-based) Spoofing Vulnerability 2026-04-10 4.3 CVE-2026-33118 Microsoft Edge (Chromium-based) Spoofing Vulnerability
 
Elastic--Kibana Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not authorized to access. 2026-04-08 4.3 CVE-2026-33460 https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-25/385813
 
themeum--Tutor LMS eLearning and online course solution The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by the `tutor_update_course_content_order` AJAX handler. While the handler's `content_parent` branch includes a `can_user_manage()` check, the `save_course_content_order()` call processes attacker-supplied `tutor_topics_lessons_sorting` JSON without any ownership or capability verification. This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content, and reassign lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request with manipulated topic and lesson IDs. 2026-04-11 4.3 CVE-2026-3371 https://www.wordfence.com/threat-intel/vulnerabilities/id/f9cf0430-8577-449a-aefe-d7bf606fe2de?source=cve
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1687
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1755
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L252
https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7&new_path=%2Ftutor/tags/3.9.8
 

Back to top

Low Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
Mattermost--Mattermost Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610 2026-04-09 3.7 CVE-2026-21388 MMSA-2026-00610
 
Dell--PowerProtect Agent Dell PowerProtect Agent Service, version(s) prior to 20.1, contain(s) an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. 2026-04-08 3.3 CVE-2026-28264 https://www.dell.com/support/kbdoc/en-us/000447277/dsa-2026-158-security-update-dell-powerprotect-data-manager-for-multiple-security-vulnerabilities
 
pi-hole--web Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping - an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5. 2026-04-06 3.4 CVE-2026-33404 https://github.com/pi-hole/web/security/advisories/GHSA-px6w-85wp-ww9v
 
pi-hole--web Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo() function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a query row in the Query Log, enabling stored HTML injection. JavaScript execution is blocked by the server's CSP (script-src 'self'). The same fields are properly escaped in the table view (rowCallback), confirming the omission was an oversight. This vulnerability is fixed in 6.5. 2026-04-06 3.1 CVE-2026-33405 https://github.com/pi-hole/web/security/advisories/GHSA-jx8x-mj2r-62vq
 
OpenStack--Keystone An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected. 2026-04-10 3.5 CVE-2026-33551 https://bugs.launchpad.net/keystone/+bug/2142138
https://security.openstack.org/ossa/OSSA-2026-005.html
 
harttle--liquidjs LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, the replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to the memory limiter, but the actual output from str.split(pattern).join(replacement) can be quadratically larger when the pattern occurs many times in the input string. This allows an attacker who controls template content to bypass the memoryLimit DoS protection with approximately 2,500x amplification, potentially causing out-of-memory conditions. This vulnerability is fixed in 10.25.3. 2026-04-08 3.7 CVE-2026-34166 https://github.com/harttle/liquidjs/security/advisories/GHSA-mmg9-6m6j-jqqx
https://github.com/harttle/liquidjs/commit/abc058be0f33d6372cd2216f4945183167abeb25
https://github.com/harttle/liquidjs/releases/tag/v10.25.3
 
electron--electron Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From 33.0.0-alpha.1 to before 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain conditions, the release() callback provided on a paint event texture can outlive its backing native state, and invoking it after that point dereferences freed memory in the main process, which may lead to a crash or memory corruption. Apps are only affected if they use offscreen rendering with webPreferences.offscreen: { useSharedTexture: true }. Apps that do not enable shared-texture offscreen rendering are not affected. To mitigate this issue, ensure texture.release() is called promptly after the texture has been consumed, before the texture object becomes unreachable. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5. 2026-04-06 2.3 CVE-2026-34764 https://github.com/electron/electron/security/advisories/GHSA-8x5q-pvf5-64mp
 
electron--electron Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that call clipboard.readImage() may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process. Apps are only affected if they call clipboard.readImage(). Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5. 2026-04-07 2.8 CVE-2026-34781 https://github.com/electron/electron/security/advisories/GHSA-f37v-82c4-4x64
 

Back to top

Severity Not Yet Assigned

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
chamilo--chamilo-lms Chamilo LMS is a learning management system. From 1.11.0 to 2.0-beta.1, anyone can trigger a malicious redirect through the use of the redirect parameter to /login. This vulnerability is fixed in 2.0-beta.2. 2026-04-10 not yet calculated CVE-2025-66447 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-m82x-prv3-rwwv
https://github.com/chamilo/chamilo-lms/commit/73ae6293adaa6098374bc22625342dbae5cbc446
 
n/a--Stakeholder-Specific Vulnerability Categorization (SSVC) QD 20230821 is vulnerable to Server-side request forgery (SSRF) via a crafted request 2026-04-08 not yet calculated CVE-2023-46945 https://qd-today.github.io/qd/
https://gist.github.com/kurokoleung/5b36b2013a54adadcce79967d3e4f056
 
n/a--Koha 23.05.10 Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line "qx/unzip $filename -d $dirname/;" in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data can be controlled by an attacker and is directly included in a system command, i.e., an attack can occur via malicious filenames after uploading a .zip file and clicking Process Images. 2026-04-07 not yet calculated CVE-2024-36057 https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md
https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md
https://github.com/hacklantic/Research/tree/main/CVE-2024-36057
https://koha-community.org/koha-22-05-22-released/
 
n/a--Koha 23.05.10 The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injection because it fails to sanitize the POST parameter bib_list in /cgi-bin/koha/opac-sendbasket.pl, allowing library users to read arbitrary data from the database. 2026-04-07 not yet calculated CVE-2024-36058 https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md
https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md
https://koha-community.org/koha-22-05-22-released/
https://github.com/hacklantic/Research/tree/main/CVE-2024-36058
 
Unknown--YML for Yandex Market The YML for Yandex Market WordPress plugin before 5.0.26 is vulnerable to Remote Code Execution via the feed generation process. 2026-04-10 not yet calculated CVE-2025-14545 https://wpscan.com/vulnerability/9bb1a4ca-976c-461d-82de-8a3b04a56fbc/
 
Canonical--Ubuntu In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, Subiquity could include certain user credentials, such as the user's plaintext Wi-Fi password, in the attached logs. 2026-04-09 not yet calculated CVE-2025-14551 noble backport - stop logging network config and identity data
Stop logging identity data and network secrets
 
Mitsubishi Electric Corporation--GENESIS64 Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric AnalytiX versions 10.97.3 and prior, Mitsubishi Electric GENESIS versions 11.02 and prior, Mitsubishi Electric MC Works64 all versions, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions AnalytiX versions 10.97.3 and prior, and Mitsubishi Electric Iconics Digital Solutions GENESIS versions 11.02 and prior allows a local attacker to disclose the SQL Server credentials stored in plaintext within the local SQLite file by exploiting this vulnerability, when the local caching feature using SQLite is enabled and SQL authentication is used for the SQL Server authentication. As a result, the unauthorized attacker could access the SQL Server and disclose, tamper with, or destroy data on the server, potentially cause a denial-of-service (DoS) condition on the system. 2026-04-08 not yet calculated CVE-2025-14815 https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-023_en.pdf
https://jvn.jp/vu/JVNVU90646130/
https://www.cisa.gov/news-events/ics-advisories/icsa-26-097-01
 
Mitsubishi Electric Corporation--GENESIS64 Cleartext Storage of Sensitive Information in GUI vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric AnalytiX versions 10.97.3 and prior, Mitsubishi Electric GENESIS versions 11.02 and prior, Mitsubishi Electric MC Works64 all versions, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions AnalytiX versions 10.97.3 and prior, and Mitsubishi Electric Iconics Digital Solutions GENESIS versions 11.02 and prior allows a local attacker to disclose the SQL Server credentials displayed in plain text in the GUI of the Hyper Historian Splitter feature by exploiting this vulnerability, when SQL authentication is used for the SQL Server authentication. As a result, the unauthorized attacker could access the SQL Server and disclose, tamper with, or destroy data on the server, potentially cause a denial-of-service (DoS) condition on the system. 2026-04-08 not yet calculated CVE-2025-14816 https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-023_en.pdf
https://www.cisa.gov/news-events/ics-advisories/icsa-26-097-01
https://jvn.jp/vu/JVNVU90646130/
 
Semtech--LR1110 An improper access control vulnerability exists in Semtech LoRa LR11xxx transceivers running early versions of firmware where the memory write command accessible via the physical SPI interface fails to enforce write protection on the program call stack. An attacker with physical access to the SPI interface can overwrite stack memory to hijack program control flow and achieve limited arbitrary code execution. However, the impact is limited to the active attack session: the device's secure boot mechanism prevents persistent firmware modification, the crypto engine isolates cryptographic keys from direct firmware access, and all modifications are lost upon device reboot or loss of physical access. 2026-04-07 not yet calculated CVE-2025-14857 https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001
 
Semtech--LR1110 The Semtech LR11xx LoRa transceivers running early versions of firmware contains an information disclosure vulnerability in its firmware validation functionality. When a host issues a firmware validity check command via the SPI interface, the device decrypts the provided encrypted firmware package block-by-block to validate its integrity. However, the last decrypted firmware block remains uncleared in memory after the validation process completes. An attacker with access to the SPI interface can subsequently issue memory read commands to retrieve the decrypted firmware contents from this residual memory, effectively bypassing the firmware encryption protection mechanism. The attack requires physical access to the device's SPI interface. 2026-04-07 not yet calculated CVE-2025-14858 https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001
 
Semtech--LR1110 The Semtech LR11xx LoRa transceivers implement secure boot functionality using digital signatures to authenticate firmware. However, the implementation uses a non-standard cryptographic hashing algorithm that is vulnerable to second preimage attacks. An attacker with physical access to the device can exploit this weakness to generate a malicious firmware image with a hash collision, bypassing the secure boot verification mechanism and installing arbitrary unauthorized firmware on the device. 2026-04-07 not yet calculated CVE-2025-14859 https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001
 
Canonical--Ubuntu In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user's password hash in the attached logs. 2026-04-09 not yet calculated CVE-2025-15480 feat: don't log identity data (noble backport)
feat: don't log identity data
 
Unknown--Popup Box The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups with arbitrary JavaScript that executes in the admin panel and frontend. 2026-04-07 not yet calculated CVE-2025-15611 https://wpscan.com/vulnerability/089ea763-2421-4089-a220-251421f7f226/
 
Ping Identity--PingIDM An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity's security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode. 2026-04-07 not yet calculated CVE-2025-20628 https://backstage.forgerock.com/knowledge/advisories/article/a14305629?rev=_newest
https://backstage.pingidentity.com/downloads/browse/idm/featured
 
Nokia--MantaRay NM Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Symptom Collector application. 2026-04-07 not yet calculated CVE-2025-24817 https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24817/
 
Nokia--MantaRay NM Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Log Search application. 2026-04-07 not yet calculated CVE-2025-24818 https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24818/
 
Nokia--MantaRay NM Nokia MantaRay NM is vulnerable to a Relative Path Traversal vulnerability due to improper validation of input parameter on the file system in Software Manager application. 2026-04-07 not yet calculated CVE-2025-24819 https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24819/
 
Checkmk GmbH--Checkmk Local privilege escalation in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows a site user to escalate their privileges to root, by manipulating files in the site context that are processed when the `omd` administrative command is run by root. 2026-04-07 not yet calculated CVE-2025-39666 https://checkmk.com/werk/18891
 
n/a--OwnTone - open source (audio) media server  owntone-server 2ca10d9 is vulnerable to Buffer Overflow due to lack of recursive checking. 2026-04-10 not yet calculated CVE-2025-44560 https://github.com/owntone/owntone-server/issues/1873
https://gist.github.com/wenwenyuyu/517851c3fe38c4f97b2d1940597da2d3
 
D-Link[.]com -- D-Link DI-8300 D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the ip parameter in the ip_position_asp function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-04-08 not yet calculated CVE-2025-45057 https://www.dlink.com/en/security-bulletin/
https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DI-8300
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8300 D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the fx parameter in the jingx_asp function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-04-08 not yet calculated CVE-2025-45058 https://www.dlink.com/en/security-bulletin/
https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DI-8300
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8300 D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the fn parameter in the tgfile_htm function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-04-08 not yet calculated CVE-2025-45059 https://www.dlink.com/en/security-bulletin/
https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DI-8300
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
www[.]rrweb[.]io/ -- rrwebplayer A cross-site scripting (XSS) vulnerability in rrweb-snapshot before v2.0.0-alpha.18 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. 2026-04-09 not yet calculated CVE-2025-45806 https://github.com/rrweb-io/rrweb
https://github.com/rrweb-io/rrweb/tree/master/packages/rrweb-snapshot
https://github.com/rrweb-io/rrweb/issues/1817
 
Google--Android In importWrappedKey of KMKeymasterApplet.java, there is a possible way access keys that should be restricted due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. 2026-04-06 not yet calculated CVE-2025-48651 https://source.android.com/docs/security/bulletin/2026/2026-04-01
 
n/a--n/a Jizhicms v2.5.4 is vulnerable to Server-Side Request Forgery (SSRF) in User Evaluation, Message, and Comment modules. 2026-04-09 not yet calculated CVE-2025-50228 https://github.com/Cherry-toto/jizhicms
https://www.jizhicms.cn
https://github.com/Cherry-toto/jizhicms/issues/104
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper validation of user input in the qj.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50644 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A vulnerability has been discovered in D-Link DI-8003 16.07.26A1, which can lead to a buffer overflow when the s parameter in the pppoe_list_opt.asp endpoint is manipulated. By sending a crafted request with an excessively large value for the s parameter, an attacker can trigger a buffer overflow condition. 2026-04-08 not yet calculated CVE-2025-50645 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to insufficient input validation on the name parameter in the /qos_type_asp.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50646 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1, specifically in the handling of the wans parameter in the qos.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50647 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to inadequate input validation in the /tggl.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50648 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper input validation in the vlan_name parameter in the /shut_set.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50649 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to inadequate validation of input size in the routes_static parameter in the /router.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50650 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 An issue in D-Link DI-8003 16.07.26A1 related to improper handling of the id parameter in the /saveparm_usb.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50652 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name and mem parameters in the /time_group.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50653 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper validation of the id parameter in the /thd_member.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50654 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name parameter in the /thd_group.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50655 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the pid parameter in the /trace.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50657 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the custom_error parameter in the /user.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50659 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name parameter in the /url_member.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50660 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of multiple parameters in the /url_rule.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request with parameters name, en, ips, u, time, act, rpri, and log. 2026-04-08 not yet calculated CVE-2025-50661 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name parameter in the /url_group.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50662 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name parameter in the /usb_paswd.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50663 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in the /user_group.asp endpoint. The attacker can exploit this vulnerability by sending a crafted HTTP GET request with parameters name, mem, pri, and attr. 2026-04-08 not yet calculated CVE-2025-50664 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of input parameters in the /web_keyword.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request via the name, en, time, mem_gb2312, and mem_utf8 parameters. 2026-04-08 not yet calculated CVE-2025-50665 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of multiple parameters in the /web_post.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request in parameters such as name, en, user_id, log, and time. 2026-04-08 not yet calculated CVE-2025-50666 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the iface parameter in the /wan_line_detection.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50667 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the s parameter in the /web_list_opt.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50668 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 and DI-8003G 19.12.10A1 due to improper handling of the wan_ping parameter in the /wan_ping.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50669 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in the /xwgl_bwr.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request in the name, qq, and time parameters. 2026-04-08 not yet calculated CVE-2025-50670 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in the /xwgl_ref.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request with excessively long strings in parameters name, en, user_id, shibie_name, time, act, log, and rpri. 2026-04-08 not yet calculated CVE-2025-50671 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in the /yyxz_dlink.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50672 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the http_lanport parameter in the /webgl.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50673 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
Tendacn[.]com -- AC6 WiFi Router Tenda AC6 15.03.05.16_multi is vulnerable to Buffer Overflow in the formSetCfm function via the funcname, funcpara1, and funcpara2 parameters. 2026-04-08 not yet calculated CVE-2025-52221 https://github.com/faqiadegege/IoTVuln/blob/main/tendaAc6_formSetCfm_funcname_overflow/detail.md
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com -- D-Link DI-8003  D-Link DI-8003 v16.07.26A1, DI-8500 v16.07.26A1; DI-8003G v17.12.21A1, DI-8200G v17.12.20A1, DI-8200 v16.07.26A1, DI-8400 v16.07.26A1, DI-8004w v16.07.26A1, DI-8100 v16.07.26A1, and DI-8100G v17.12.20A1 were discovered to contain a buffer overflow via the rd_en, rd_auth, rd_acct, http_hadmin, http_hadminpwd, rd_key, and rd_ip parameters in the radius_asp function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. 2026-04-08 not yet calculated CVE-2025-52222 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Incorrect Handling of the NL80211 vendor command leads to a buffer overflow via a certain ioctl message, issue 1 of 2. 2026-04-07 not yet calculated CVE-2025-52908 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52908/
 
Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Incorrect Handling of the NL80211 vendor command leads to a buffer overflow via a certain ioctl message, issue 2 of 2. 2026-04-07 not yet calculated CVE-2025-52909 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52909/
 
Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos An issue was discovered in NAS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Incorrect Handling of a DL NAS Transport packet leads to a Denial of Service. 2026-04-06 not yet calculated CVE-2025-54324 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54324/
 
Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos An issue was discovered in SMS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. A Stack-based Buffer Overflow occurs while parsing SMS RP-DATA messages. 2026-04-06 not yet calculated CVE-2025-54328 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54328/
 
Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor amd Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Improper synchronization on a global variable leads to a double free. An attacker can trigger a race condition by invoking an ioctl function concurrently from multiple threads. 2026-04-06 not yet calculated CVE-2025-54601 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54601/
 
Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Improper synchronization on a global variable leads to a use-after-free. An attacker can trigger a race condition by invoking an ioctl function concurrently from multiple threads. 2026-04-06 not yet calculated CVE-2025-54602 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54602/
 
n/a--GenieACS In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint. 2026-04-07 not yet calculated CVE-2025-56015 https://github.com/genieacs/genieacs/
https://github.com/e1st/CVE-2025-56015
 
Apache Software Foundation--Apache Airflow When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario and possibility of intercepting the tokens, should upgrade to Airflow 3.2+ Users are recommended to upgrade to version 3.2.0, which fixes this issue. 2026-04-09 not yet calculated CVE-2025-57735 https://github.com/apache/airflow/pull/61339
https://github.com/apache/airflow/pull/56633
https://lists.apache.org/thread/ovn8mpd8zkc604hojt7x3wsw3kc60x98
 
Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem (Exynos 980, 850, 990, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 1680, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400, and Modem 5410). The absence of proper input validation leads to a Denial of Service. 2026-04-06 not yet calculated CVE-2025-57834 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54328/
 
Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos An issue was discovered in RRC in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Improper memory initialization results in an illegal memory access, causing a system crash via a malformed RRCReconfiguration message. 2026-04-06 not yet calculated CVE-2025-57835 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-57835/
 
Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Incorrect handling of LTE MAC packets containing many MAC Control Elements (CEs) leads to baseband crashes. 2026-04-06 not yet calculated CVE-2025-58349 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58349/
 
Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos An issue was discovered in USIM in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Improper handling of SIM card proactive commands leads to a Denial of Service. 2026-04-06 not yet calculated CVE-2025-59440 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-59440/
 
n/a--n/a An open redirect in Ascertia SigningHub User v10.0 allows attackers to redirect users to a malicious site via a crafted URL. 2026-04-06 not yet calculated CVE-2025-61166 https://linkedin.com/in/thakur-nikhil
https://medium.com/@rajput.thakur/malicious-open-redirection-cve-2025-61166-bf5d708cd241
 
Apache Software Foundation--Apache DolphinScheduler An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler. This vulnerability may allow unauthorized actors to access sensitive information, including database credentials. This issue affects Apache DolphinScheduler versions 3.1.*. Users are recommended to upgrade to: * version ≥ 3.2.0 if using 3.1.x As a temporary workaround, users who cannot upgrade immediately may restrict the exposed management endpoints by setting the following environment variable: ``` MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus ``` Alternatively, add the following configuration to the application.yaml file: ``` management:    endpoints:      web:         exposure:           include: health,metrics,prometheus ``` This issue has been reported as CVE-2023-48796: https://cveprocess.apache.org/cve5/CVE-2023-48796 2026-04-09 not yet calculated CVE-2025-62188 https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo
https://www.cve.org/CVERecord?id=CVE-2023-48796
 
axios--axios Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0. 2026-04-09 not yet calculated CVE-2025-62718 https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5
https://github.com/axios/axios/pull/10661
https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df
https://datatracker.ietf.org/doc/html/rfc1034#section-3.1
https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2
https://github.com/axios/axios/releases/tag/v1.15.0
 
Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. An out-of-bounds write occurs due to a mismatch between the TP-UDHI and UDL values when processing an SMS TP-UD packet. 2026-04-07 not yet calculated CVE-2025-62818 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-62818/
 
n/a--LimeSurvey A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of gid parameter in getInstance() function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged in user. 2026-04-09 not yet calculated CVE-2025-63238 https://github.com/LimeSurvey/LimeSurvey/commit/80769a677dc82ddb1fcced4af19bd959d583208d
https://gist.github.com/masquerad3r/f913ab479e8de2ad71987ef98a088fb5
 
n/a--n/a An issue in JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to force the infotainment system into accepting falsified GPS signals as legitimate, resulting in the device reporting an incorrect or static location. 2026-04-07 not yet calculated CVE-2025-69515 http://jxl.com
https://github.com/thorat-shubham/JXL_Infotainment_CVE-2025-69515/blob/main/README.md
 
n/a--n/a An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server. 2026-04-09 not yet calculated CVE-2025-70364 http://kiamo.com
https://github.com/hackvens/blog.hackvens.fr/blob/main/_posts/advisories/2025-12-23-CVE-2025-70364-Kiamo.md
 
Kiamo[.]com -- Kiamo A stored cross-site scripting (XSS) vulnerability exists in Kiamo before 8.4 due to improper output encoding of user-supplied input in administrative interfaces. An authenticated administrative user can inject arbitrary JavaScript code that is executed in the browser of users viewing the affected pages. 2026-04-09 not yet calculated CVE-2025-70365 http://kiamo.com
https://github.com/hackvens/blog.hackvens.fr/blob/main/_posts/advisories/2025-12-23-CVE-2025-70365-Kiamo.md
 
n/a-- Limesurvey Cross Site Scripting vulnerability in Limesurvey v.6.15.20+251021 allows a remote attacker to execute arbitrary code via the Box[title] and box[url] parameters. 2026-04-09 not yet calculated CVE-2025-70797 https://gist.github.com/masquerad3r/772ddbfbd9fd95754f4873bcb202146d
https://github.com/LimeSurvey/LimeSurvey/pull/4356
 
n/a--n/a Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism 2026-04-09 not yet calculated CVE-2025-70810 https://github.com/ariefibis
https://www.linkedin.com/in/mohammed-a-6a2548112/
https://gist.github.com/ariefibis/80e306765c23d6fac1584dbb76822e30
 
n/a--n/a Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality. 2026-04-09 not yet calculated CVE-2025-70811 https://github.com/ariefibis
https://www.linkedin.com/in/mohammed-a-6a2548112/
https://github.com/ariefibis/PHPBB/security/advisories/GHSA-56pv-xg3w-6822
 
n/a--Yaffa  yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript into the "Add Account Group" function on the account-group page, allowing execution of arbitrary script in the context of users who view the affected page. 2026-04-07 not yet calculated CVE-2025-70844 https://github.com/kantorge/yaffa
https://github.com/J4cky1028/vulnerability-research/tree/main/CVE-2025-70844
 
n/a--n/a Dual DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses without validating that the response originates from a legitimate configured upstream DNS server. The implementation matches responses primarily by TXID and inserts results into the cache, enabling a remote attacker to inject forged responses and poison the DNS cache, potentially redirecting victims to attacker-controlled destinations. 2026-04-07 not yet calculated CVE-2025-71058 https://sourceforge.net/projects/dhcp-dns-server/
https://github.com/FPokerFace/Security-Advisory/tree/main/CVE-2025-71058
 
Google--Android In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. 2026-04-06 not yet calculated CVE-2026-0049 https://source.android.com/docs/security/bulletin/2026/2026-04-01
 
Pegasystems--Pega Robot Studio An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge. A bad actor could create a website that includes malicious code. The vulnerability could occur if a Robot Runtime user navigates to the malicious website. 2026-04-07 not yet calculated CVE-2026-1078 https://support.pega.com/support-doc/pega-security-advisory-a26-vulnerability-remediation-note
 
Pegasystems--Pega Browser Extension (PBE) A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension. A bad actor could create a website that contains malicious code that targets PBE. The vulnerability could occur if a user navigates to this website. The malicious website could then present an unexpected message box. 2026-04-07 not yet calculated CVE-2026-1079 https://support.pega.com/support-doc/pega-security-advisory-a26-vulnerability-remediation-note
 
parisneo--parisneo/lollms In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalate privileges, impersonate the administrator, and gain access to restricted endpoints. The issue is resolved in version 2.2.0. 2026-04-07 not yet calculated CVE-2026-1114 https://huntr.com/bounties/608b2a3b-2225-438e-9e61-ffbfdec2ed89
https://github.com/parisneo/lollms/commit/a3b2b82b84d537a9da63e63a370a6a8ad55fed34
 
parisneo--parisneo/lollms A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content is directly assigned to the `DBPost` model without sanitization. This allows attackers to inject and store malicious JavaScript, which is executed in the browsers of users viewing the Home Feed, including administrators. This can lead to account takeover, session hijacking, and wormable attacks. The issue is resolved in version 2.2.0. 2026-04-10 not yet calculated CVE-2026-1115 https://huntr.com/bounties/099aa4fe-7165-4337-889c-3fb4f1aa71aa
https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a
 
parisneo--parisneo/lollms A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` method of the `AppLollmsMessage` class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the `content` field when deserializing user-provided data. This allows an attacker to inject malicious HTML or JavaScript payloads, which can be executed in the context of another user's browser. Exploitation of this vulnerability can lead to account takeover, session hijacking, or wormable attacks. 2026-04-12 not yet calculated CVE-2026-1116 https://huntr.com/bounties/d3d076a7-2a51-4e07-8d0e-91e28e76788e
https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a
 
parisneo--parisneo/lollms An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password. 2026-04-08 not yet calculated CVE-2026-1163 https://huntr.com/bounties/abe2d1c4-c21c-4608-8a8e-274565246a8b
 
Python Software Foundation--CPython CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host. 2026-04-10 not yet calculated CVE-2026-1502 https://github.com/python/cpython/pull/146212
https://github.com/python/cpython/issues/146211
https://mail.python.org/archives/list/security-announce@python.org/thread/2IVPAEQWUJBCTQZEJEVTYCIKSMQPGRZ3/
https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69
 
huggingface--huggingface/transformers A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch>=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3. 2026-04-07 not yet calculated CVE-2026-1839 https://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485
https://github.com/huggingface/transformers/commit/03c8082ba4594c9b8d6fe190ca9bed0e5f8ca396
 
Unknown--Link Whisper Free The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates. 2026-04-07 not yet calculated CVE-2026-1900 https://wpscan.com/vulnerability/dc10b627-7981-4c53-bc9d-e87418f3fcfc/
 
MediaTek, Inc.--MediaTek chipset In Modem, there is a possible system crash due to a logic error. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01106496; Issue ID: MSV-4467. 2026-04-07 not yet calculated CVE-2026-20431 https://corp.mediatek.com/product-security-bulletin/April-2026
 
MediaTek, Inc.--MediaTek chipset In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01406170; Issue ID: MSV-4461. 2026-04-07 not yet calculated CVE-2026-20432 https://corp.mediatek.com/product-security-bulletin/April-2026
 
MediaTek, Inc.--MediaTek chipset In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01088681; Issue ID: MSV-4460. 2026-04-07 not yet calculated CVE-2026-20433 https://corp.mediatek.com/product-security-bulletin/April-2026
 
MediaTek, Inc.--MediaTek chipset In sec boot, there is a possible out of bounds write due to an integer overflow. This could lead to local denial of service, if an attacker has physical access to the device, with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09963054; Issue ID: MSV-3899. 2026-04-07 not yet calculated CVE-2026-20446 https://corp.mediatek.com/product-security-bulletin/April-2026
 
Rocket.Chat--Rocket.Chat An open redirect vulnerability in Rocket.Chat versions prior to 8.4.0 allows users to be redirected to arbitrary URLs by manipulating parameters within a SAML endpoint. 2026-04-10 not yet calculated CVE-2026-22560 https://hackerone.com/reports/3418031
https://github.com/RocketChat/Rocket.Chat/pull/38994
 
The Wikimedia Foundation--Mediawiki - Wikilove Extension Improper neutralization of alternate XSS syntax vulnerability in The Wikimedia Foundation Mediawiki - Wikilove Extension allows Cross-Site Scripting (XSS).The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45. 2026-04-07 not yet calculated CVE-2026-22711 https://phabricator.wikimedia.org/T416502
https://gerrit.wikimedia.org/r/q/Iab86209478a044504f5a6aea0d8c3d14f21c48b3
 
OpenPLC_V3--OpenPLC_V3 OpenPLC_V3 is vulnerable to an Initialization of a Resource with an Insecure Default vulnerability which could allow an attacker to gain access to the system by bypassing authentication via an API. 2026-04-09 not yet calculated CVE-2026-28205 https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10
 
OpenSSL--OpenSSL Issue summary: Applications using AES-CFB128 encryption or decryption on systems with AVX-512 and VAES support can trigger an out-of-bounds read of up to 15 bytes when processing partial cipher blocks. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not written to output. The vulnerable code path is only reached when processing partial blocks (when a previous call left an incomplete block and the current call provides fewer bytes than needed to complete it). Additionally, the input buffer must be positioned at a page boundary with the following page unmapped. CFB mode is not used in TLS/DTLS protocols, which use CBC, GCM, CCM, or ChaCha20-Poly1305 instead. For these reasons the issue was assessed as Low severity according to our Security Policy. Only x86-64 systems with AVX-512 and VAES instruction support are affected. Other architectures and systems without VAES support use different code paths that are not affected. OpenSSL FIPS module in 3.6 version is affected by this issue. 2026-04-07 not yet calculated CVE-2026-28386 OpenSSL Advisory
3.6.2 git commit
 
OpenSSL--OpenSSL Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary. 2026-04-07 not yet calculated CVE-2026-28387 OpenSSL Advisory
3.6.2 git commit
3.5.6 git commit
3.4.5 git commit
3.3.7 git commit
3.0.20 git commit
 
OpenSSL--OpenSSL Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application. When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference. Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. 2026-04-07 not yet calculated CVE-2026-28388 OpenSSL Advisory
3.6.2 git commit
3.5.6 git commit
3.4.5 git commit
3.3.7 git commit
3.0.20 git commit
 
OpenSSL--OpenSSL Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. 2026-04-07 not yet calculated CVE-2026-28389 OpenSSL Advisory
3.6.2 git commit
3.5.6 git commit
3.4.5 git commit
3.3.7 git commit
3.0.20 git commit
 
OpenSSL--OpenSSL Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. 2026-04-07 not yet calculated CVE-2026-28390 OpenSSL Advisory
3.6.2 git commit
3.5.6 git commit
3.4.5 git commit
3.3.7 git commit
3.0.20 git commit
 
Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)--Emocheck Emocheck insecurely loads Dynamic Link Libraries (DLLs). If a crafted DLL file is placed to the same directory, an arbitrary code may be executed with the privilege of the user invoking EmoCheck. 2026-04-10 not yet calculated CVE-2026-28704 https://www.jpcert.or.jp/press/2026/PR20260410.html
https://github.com/JPCERTCC/EmoCheck/
https://jvn.jp/en/jp/JVN00263243/
 
Erlang--OTP Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6. 2026-04-07 not yet calculated CVE-2026-28808 https://github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f
https://cna.erlef.org/cves/CVE-2026-28808.html
https://osv.dev/vulnerability/EEF-CVE-2026-28808
https://www.erlang.org/doc/system/versions.html#order-of-versions
https://github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688
https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c
 
Erlang--OTP Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning. The built-in DNS resolver (inet_res) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. This conflicts with RFC 5452 recommendations for mitigating forged DNS answers. inet_res is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where spoofed DNS responses are possible. This vulnerability is associated with program files lib/kernel/src/inet_db.erl and lib/kernel/src/inet_res.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to kernel from 3.0 until 10.6.2, 10.2.7.4 and 9.2.4.11. 2026-04-07 not yet calculated CVE-2026-28810 https://github.com/erlang/otp/security/advisories/GHSA-v884-5jg5-whj8
https://cna.erlef.org/cves/CVE-2026-28810.html
https://osv.dev/vulnerability/EEF-CVE-2026-28810
https://www.erlang.org/doc/system/versions.html#order-of-versions
https://github.com/erlang/otp/commit/36f23c9d2cc54afe83671dd7343596d7972839a5
https://github.com/erlang/otp/commit/dd15e8eb03548c5e55e9915f0e91389ec6bad9fd
https://github.com/erlang/otp/commit/b057a9d995017b1be50d6dc02edd52382f3231b8
 
Apache Software Foundation--Apache Tomcat Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue. 2026-04-09 not yet calculated CVE-2026-29129 https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprolsosho3f
 
Apache Software Foundation--Apache Tomcat CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue. 2026-04-09 not yet calculated CVE-2026-29145 https://lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz
 
Apache Software Foundation--Apache Tomcat Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue. 2026-04-09 not yet calculated CVE-2026-29146 https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w
 
n/a--n/a PHP-MYSQL-User-Login-System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at login.php. 2026-04-10 not yet calculated CVE-2026-29861 https://github.com/amanyadav78/CVE-2026-29861
 
Entechtaiwan[.]com – PowerStrip The pstrip64.sys driver in EnTech Taiwan PowerStrip <=3.90.736 allows local users to escalate privileges to SYSTEM via a crafted IOCTL request enabling unprivileged users to map arbitrary physical memory into their address space and modify critical kernel structures. 2026-04-09 not yet calculated CVE-2026-29923 https://entechtaiwan.com/util/ps.shtm
https://packetstorm.news/files/id/218394/
 
n/a-- OpenAirInterface OpenAirInterface Version 2.2.0 has a Buffer Overflow vulnerability in processing UplinkNASTransport containing Authentication Response containing a NAS PDU with oversize response (For example 100 byte). The response is decoded by AMF and passed to the AUSF component for verification. AUSF crashes on receiving this oversize response. This can prohibit users from further registration and verification and can cause Denial of Services (DoS). 2026-04-08 not yet calculated CVE-2026-30075 https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-ausf/-/issues?show=eyJpaWQiOiI2IiwiZnVsbF9wYXRoIjoib2FpL2NuNWcvb2FpLWNuNWctYXVzZiIsImlkIjo1NDE5fQ%3D%3D
https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-ausf/-/issues/6
 
n/a-- OpenAirInterface OpenAirInterface V2.2.0 AMF crashes when it receives an NGAP message with invalid procedure code or invalid PDU-type. For example when the message specification requires InitiatingMessage but sent with successfulOutcome. 2026-04-06 not yet calculated CVE-2026-30078 https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/74
https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/merge_requests/414
 
n/a-- OpenAirInterface In OpenAirInterface V2.2.0 AMF, Out of sequence messages causes incorrect state transition during UE registration procedure. This allows authentication to be bypassed completely. If a SecurityModeComplete message is sent after InitialUERegistration, a registration reject is received followed by a registration accept! This leads the UE to be registered without proper authentication. 2026-04-07 not yet calculated CVE-2026-30079 https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/77
 
n/a-- OpenAirInterface OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. Configuration has supported integrity NIA1 and NIA2. But if an UE sends initial registration request with only security capability IA0, OpenAirInterface accepts and proceeds. This downgrade security context can lead to the possibility of replay attack. 2026-04-08 not yet calculated CVE-2026-30080 https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/78
 
chartbrew--chartbrew Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any IP address validation, enabling Server-Side Request Forgery attacks against internal networks and cloud metadata endpoints. This vulnerability is fixed in 4.8.5. 2026-04-10 not yet calculated CVE-2026-30232 https://github.com/chartbrew/chartbrew/security/advisories/GHSA-p4rg-967r-w4cv
https://github.com/chartbrew/chartbrew/commit/9c4a7e2b02acb25f0782bd4ac1f16407d59c2df1
 
n/a-- Daylight Studio FuelCMS Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module. 2026-04-07 not yet calculated CVE-2026-30460 https://github.com/daylightstudio/FUEL-CMS/
http://daylight.com
http://fuelcms.com
https://pentest-tools.com/PTT-2025-027-Improper-Authorization.pdf
 
Ms4w[.]com -- GatewayGeo Mapserver  A Dynamic-link Library Injection vulnerability in GatewayGeo MapServer for Windows version 5 allows attackers to escalate privileges via a crafted executable. 2026-04-09 not yet calculated CVE-2026-30478 https://ms4w.com
https://github.com/penjaminTester/Research/tree/main/CVE-2026-30478
 
Ms4w[.]com -- GatewayGeo Mapserver  A Dynamic-link Library Injection vulnerability in OSGeo Project MapServer before v8.0 allows attackers to execute arbitrary code via a crafted executable. 2026-04-09 not yet calculated CVE-2026-30479 https://mapserver.org/index.html
https://github.com/penjaminTester/Research/tree/main/CVE-2026-30479
 
Aziot[.]life -- AZIOT 1 Node Smart Switch An information disclosure vulnerability exists in AZIOT 1 Node Smart Switch (16amp)- WiFi/Bluetooth Enabled Software Version: 1.1.9 due to improper access control on the UART debug interface. An attacker with physical access can connect to the UART interface and obtain sensitive information from the serial console without authentication. 2026-04-06 not yet calculated CVE-2026-30613 http://aziot.com
https://github.com/dumbermore/tuya/blob/main/README.md
 
TP-Link Systems Inc.--AX53 v1.0 A stack-based buffer overflow in the tmpServer module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to trigger a segmentation fault and potentially execute arbitrary code via a specially crafted configuration file. Successful exploitation may cause a crash and could allow arbitrary code execution, enabling modification of device state, exposure of sensitive data, or further compromise of device integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213. 2026-04-08 not yet calculated CVE-2026-30814 https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware
https://talosintelligence.com/vulnerability_reports/
https://www.tp-link.com/us/support/faq/5055/
 
TP-Link Systems Inc.--AX53 v1.0 An OS command injection vulnerability in the OpenVPN module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute system commands when a specially crafted configuration file is processed due to insufficient input validation. Successful exploitation may allow modification of configuration files, disclosure of sensitive information, or further compromise of device integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213. 2026-04-08 not yet calculated CVE-2026-30815 https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware
https://talosintelligence.com/vulnerability_reports/
https://www.tp-link.com/us/support/faq/5055/
 
TP-Link Systems Inc.--AX53 v1.0 An external control of configuration vulnerability in the OpenVPN module of TP-Link AX53 v1.0 allows an authenticated adjacent attacker to read arbitrary file when a malicious configuration file is processed.  Successful exploitation may allow unauthorized access to arbitrary files on the device, potentially exposing sensitive information.This issue affects AX53 v1.0: before 1.7.1 Build 20260213. 2026-04-08 not yet calculated CVE-2026-30816 https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware
https://talosintelligence.com/vulnerability_reports/
https://www.tp-link.com/us/support/faq/5055/
 
TP-Link Systems Inc.--AX53 v1.0 An external configuration control vulnerability in the OpenVPN module of TP-Link AX53 v1.0 allows an authenticated adjacent attacker to read arbitrary files when a malicious configuration file is processed. Successful exploitation may allow unauthorized access to arbitrary files on the device, potentially exposing sensitive information.This issue affects AX53 v1.0: before 1.7.1 Build 20260213. 2026-04-08 not yet calculated CVE-2026-30817 https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware
https://talosintelligence.com/vulnerability_reports/
https://www.tp-link.com/us/support/faq/5055/
 
TP-Link Systems Inc.--AX53 v1.0 An OS command injection vulnerability in the dnsmasq module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute arbitrary code when a specially crafted configuration file is processed due to insufficient input validation. Successful exploitation may allow the attacker to modify device configuration, access sensitive information, or further compromise system integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213. 2026-04-08 not yet calculated CVE-2026-30818 https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware
https://talosintelligence.com/vulnerability_reports/
https://www.tp-link.com/us/support/faq/5055/
 
n/a--n/a A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as <iframe> that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this behavior to force the server to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to sensitive information disclosure. 2026-04-08 not yet calculated CVE-2026-31017 http://frappe.com
https://github.com/PhDg1410/CVE/tree/main/CVE-2026-31017
 
n/a--n/a A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution. 2026-04-08 not yet calculated CVE-2026-31040 https://github.com/SepineTam/stata-mcp/issues/20
https://github.com/SepineTam/stata-mcp/pull/21
https://github.com/SepineTam/stata-mcp/commit/52413ce
https://github.com/SepineTam/stata-mcp/releases/tag/v1.13.0
 
n/a--n/a A double free vulnerability exists in librz/bin/format/le/le.c in the function le_load_fixup_record(). When processing malformed or circular LE fixup chains, relocation entries may be freed multiple times during error handling. A specially crafted LE binary can trigger heap corruption and cause the application to crash, resulting in a denial-of-service condition. An attacker with a crafted binary could cause a denial of service when the tool is integrated on a service pipeline. 2026-04-06 not yet calculated CVE-2026-31053 https://github.com/rizinorg/rizin/issues/5753
https://github.com/rizinorg/rizin/pull/5795
 
n/a-- Aggressive HiPER Router 1200GW UTT Aggressive HiPER 1200GW v2.5.3-170306 was discovered to contain a buffer overflow in the timeRangeName parameter of the formConfigDnsFilterGlobal function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-04-06 not yet calculated CVE-2026-31058 https://github.com/zxq0408/Vul202601/blob/main/2.md
 
n/a-- Aggressive HiPER Router 520W A remote command execution (RCE) vulnerability in the /goform/formDia component of UTT Aggressive HiPER 520W v3v1.7.7-180627 allows attackers to execute arbitrary commands via a crafted string. 2026-04-06 not yet calculated CVE-2026-31059 https://github.com/zxq0408/Vul202601/blob/main/9.md
 
n/a-- Aggressive HiPER Router 810G UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer overflow in the notes parameter of the formGroupConfig function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-04-06 not yet calculated CVE-2026-31060 https://github.com/zxq0408/Vul202601/blob/main/5.md
 
n/a-- Aggressive HiPER Router 810G UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer overflow in the timestart parameter of the ConfigAdvideo function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-04-06 not yet calculated CVE-2026-31061 https://github.com/zxq0408/Vul202601/blob/main/1.md
 
n/a-- Aggressive HiPER Router 510W UTT Aggressive 520W v3v1.7.7-180627 was discovered to contain a buffer overflow in the filename parameter of the formFtpServerDirConfig function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-04-06 not yet calculated CVE-2026-31062 https://github.com/zxq0408/Vul202601/blob/main/7.md
 
n/a-- Aggressive HiPER Router 1200GW UTT Aggressive HiPER 1200GW v2.5.3-170306 was discovered to contain a buffer overflow in the pools parameter of the formArpBindConfig function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-04-06 not yet calculated CVE-2026-31063 https://github.com/zxq0408/Vul202601/blob/main/4.md
 
n/a-- Aggressive HiPER Router 520W UTT Aggressive 520W v3v1.7.7-180627 was discovered to contain a buffer overflow in the addCommand parameter of the formConfigCliForEngineerOnly function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-04-06 not yet calculated CVE-2026-31065 https://github.com/zxq0408/Vul202601/blob/main/8.md
 
n/a-- Aggressive HiPER Router 810G UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer overflow in the selDateType parameter of the formTaskEdit function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-04-06 not yet calculated CVE-2026-31066 https://github.com/zxq0408/Vul202601/blob/main/6.md
 
n/a-- UTT Aggressive 520W A remote command execution (RCE) vulnerability in the /goform/formReleaseConnect component of UTT Aggressive 520W v3v1.7.7-180627 allows attackers to execute arbitrary commands via a crafted string. 2026-04-06 not yet calculated CVE-2026-31067 https://github.com/zxq0408/Vul202601/blob/main/10.md
 
n/a-- Kaleris YMS Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated attackers with only the shipping/receiving role to view the truck's dashboard resources. 2026-04-06 not yet calculated CVE-2026-31150 https://kaleris.com/solutions/yard-management/
https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31150
 
n/a-- Kaleris YMS An issue in the login mechanism of Kaleris YMS v7.2.2.1 allows attackers to bypass login verification to access the application 's resources. 2026-04-06 not yet calculated CVE-2026-31151 https://kaleris.com/solutions/yard-management/
https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31151
 
Bynder[.]com -- Bynder v0.1.394 A stored cross-site scripting (XSS) vulnerability in Bynder v0.1.394 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. 2026-04-06 not yet calculated CVE-2026-31153 https://www.bynder.com/en/
https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31153
 
Totolink[.]net -- A3300R router An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-pass parameter to /cgi-bin/cstecgi.cgi. 2026-04-09 not yet calculated CVE-2026-31170 https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-pass-cmd-injection
 
Altenar[.]com -- Sportsbook Software Platform SB2 v.2.0 Cross Site Scripting vulnerability in Altenar Sportsbook Software Platform (SB2) v.2.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the URL parameter 2026-04-10 not yet calculated CVE-2026-31262 https://github.com/nikolas-ch/CVEs/tree/main/Altenar_SportsBook_Platform_SB2/ORtoXSS
https://github.com/nikolas-ch/CVEs/blob/main/Altenar_SportsBook_Platform_SB2/ORtoXSS/ORtoXSS.txt
 
n/a--n/a megagao production_ssm v1.0 contains an authorization bypass vulnerability in the user addition functionality. The insert() method in UserController.java lacks authentication checks, allowing unauthenticated attackers to create super administrator accounts by directly accessing the /user/insert endpoint. This leads to complete system compromise. 2026-04-07 not yet calculated CVE-2026-31271 https://github.com/clockw1se0v0/Vul/blob/main/production_ssm/Unauthorized.md
 
n/a--n/a MRCMS 3.1.2 contains an access control vulnerability. The save() method in src/main/java/org/marker/mushroom/controller/UserController.java lacks proper authorization validation, enabling direct addition of super administrator accounts without authentication. 2026-04-07 not yet calculated CVE-2026-31272 https://github.com/clockw1se0v0/Vul/blob/main/MRCMS/Unauthorized.md
 
n/a-- Feehi CMS An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Content field. 2026-04-06 not yet calculated CVE-2026-31313 http://feehi.com
https://github.com/liufee/cms/issues/80
 
n/a-- Feehi CMS An authenticated stored cross-site scripting (XSS) vulnerability in Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Page Sign parameter. 2026-04-06 not yet calculated CVE-2026-31350 https://github.com/liufee/cms
https://github.com/liufee/cms/issues/82
 
n/a-- Feehi CMS An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter. 2026-04-06 not yet calculated CVE-2026-31351 https://github.com/liufee/cms
https://github.com/liufee/cms/issues/81
 
n/a-- Feehi CMS An authenticated stored cross-site scripting (XSS) vulnerability in the Role Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Role Name parameter. 2026-04-06 not yet calculated CVE-2026-31352 https://github.com/liufee/cms
https://github.com/liufee/cms/issues/83
 
n/a-- Feehi CMS An authenticated stored cross-site scripting (XSS) vulnerability in the Category module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter. 2026-04-06 not yet calculated CVE-2026-31353 https://github.com/liufee/cms
https://github.com/liufee/cms/issues/84
 
n/a-- Feehi CMS Multiple authenticated stored cross-site scripting (XSS) vulnerabilities in the Permissions module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Group, Category or Description parameters. 2026-04-06 not yet calculated CVE-2026-31354 https://github.com/liufee/cms
https://github.com/liufee/cms/issues/85
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: dvb-net: fix OOB access in ULE extension header tables The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables in handle_one_ule_extension() are declared with 255 elements (valid indices 0-254), but the index htype is derived from network-controlled data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When htype equals 255, an out-of-bounds read occurs on the function pointer table, and the OOB value may be called as a function pointer. Add a bounds check on htype against the array size before either table is accessed. Out-of-range values now cause the SNDU to be discarded. 2026-04-06 not yet calculated CVE-2026-31405 https://git.kernel.org/stable/c/29ef43ceb121d67b87f4cbb08439e4e9e732eff8
https://git.kernel.org/stable/c/1a6da3dbb9985d00743073a1cc1f96e59f5abc30
https://git.kernel.org/stable/c/145e50c2c700fa52b840df7bab206043997dd18e
https://git.kernel.org/stable/c/8bde543d2a5f935ba2a6a6325a2e02f8a9256fbe
https://git.kernel.org/stable/c/f2b65dcb78c8990e4c68a906627433be1fe38a92
https://git.kernel.org/stable/c/24d87712727a5017ad142d63940589a36cd25647
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini() After cancel_delayed_work_sync() is called from xfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining states via __xfrm_state_delete(), which calls xfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work. The following is a simple race scenario: cpu0 cpu1 cleanup_net() [Round 1] ops_undo_list() xfrm_net_exit() xfrm_nat_keepalive_net_fini() cancel_delayed_work_sync(nat_keepalive_work); xfrm_state_fini() xfrm_state_flush() xfrm_state_delete(x) __xfrm_state_delete(x) xfrm_nat_keepalive_state_updated(x) schedule_delayed_work(nat_keepalive_work); rcu_barrier(); net_complete_free(); net_passive_dec(net); llist_add(&net->defer_free_list, &defer_free_list); cleanup_net() [Round 2] rcu_barrier(); net_complete_free() kmem_cache_free(net_cachep, net); nat_keepalive_work() // on freed net To prevent this, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync(). 2026-04-06 not yet calculated CVE-2026-31406 https://git.kernel.org/stable/c/32d0f44c2f14d60fe8e920e69a28c11051543ec1
https://git.kernel.org/stable/c/2255ed6adbc3100d2c4a83abd9d0396d04b87792
https://git.kernel.org/stable/c/21f2fc49ca6faa393c31da33b8a4e6c41fc84c13
https://git.kernel.org/stable/c/daf8e3b253aa760ff9e96c7768a464bc1d6b3c90
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: add missing netlink policy validations Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink. These attributes are used by the kernel without any validation. Extend the netlink policies accordingly. Quoting the reporter: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range. [..] and: ... with exp->dir = 100, the access at ct->master->tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by UBSAN. 2026-04-06 not yet calculated CVE-2026-31407 https://git.kernel.org/stable/c/0fbae1e74493d5a160a70c51aeba035d8266ea7d
https://git.kernel.org/stable/c/f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free. Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hold() to safely hold a reference under the lock. Fix by using sco_sock_hold() to take a reference before releasing the lock, and adding sock_put() on all exit paths. 2026-04-06 not yet calculated CVE-2026-31408 https://git.kernel.org/stable/c/b0a7da0e3f7442545f071499beb36374714bb9de
https://git.kernel.org/stable/c/45aaca995e4a7a05b272a58e7ab2fff4f611b8f1
https://git.kernel.org/stable/c/108b81514d8f2535eb16651495cefb2250528db3
https://git.kernel.org/stable/c/7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e
https://git.kernel.org/stable/c/e76e8f0581ef555eacc11dbb095e602fb30a5361
https://git.kernel.org/stable/c/598dbba9919c5e36c54fe1709b557d64120cb94b
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset conn->binding on failed binding request When a multichannel SMB2_SESSION_SETUP request with SMB2_SESSION_REQ_FLAG_BINDING fails ksmbd sets conn->binding = true but never clears it on the error path. This leaves the connection in a binding state where all subsequent ksmbd_session_lookup_all() calls fall back to the global sessions table. This fix it by clearing conn->binding = false in the error path. 2026-04-06 not yet calculated CVE-2026-31409 https://git.kernel.org/stable/c/d073870dab8f6dadced81d13d273ff0b21cb7f4e
https://git.kernel.org/stable/c/6ebef4a220a1ebe345de899ebb9ae394206fe921
https://git.kernel.org/stable/c/89afe5e2dbea6e9d8e5f11324149d06fa3a4efca
https://git.kernel.org/stable/c/9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772
https://git.kernel.org/stable/c/6260fc85ed1298a71d24a75d01f8b2e56d489a60
https://git.kernel.org/stable/c/282343cf8a4a5a3603b1cb0e17a7083e4a593b03
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ksmbd: use volume UUID in FS_OBJECT_ID_INFORMATION Use sb->s_uuid for a proper volume identifier as the primary choice. For filesystems that do not provide a UUID, fall back to stfs.f_fsid obtained from vfs_statfs(). 2026-04-06 not yet calculated CVE-2026-31410 https://git.kernel.org/stable/c/ce00616bc1df675bfdacc968f2bf7c51f4669227
https://git.kernel.org/stable/c/3d80ebe6d1b7bc9ad20fd9b0c1a0c56d804f8a0a
https://git.kernel.org/stable/c/c283a6ffe6d5d6e5594d991286b9ce15951572e1
https://git.kernel.org/stable/c/3a64125730cabc34fccfbc230c2667c2e14f7308
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: atm: fix crash due to unvalidated vcc pointer in sigd_send() Reproducer available at [1]. The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged: int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0); ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon struct msghdr msg = { .msg_iov = &iov, ... }; *(unsigned long *)(buf + 4) = 0xdeadbeef; // fake vcc pointer sendmsg(fd, &msg, 0); // kernel dereferences 0xdeadbeef In normal operation, the kernel sends the vcc pointer to the signaling daemon via sigd_enq() when processing operations like connect(), bind(), or listen(). The daemon is expected to return the same pointer when responding. However, a malicious daemon can send arbitrary pointer values. Fix this by introducing find_get_vcc() which validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs), and acquires a reference via sock_hold() if found. Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime. Therefore using sock_hold/sock_put is sufficient to keep the vcc alive while it is being used. Note that there may be a race with sigd_close() which could mark the vcc with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns. However, sock_hold() guarantees the memory remains valid, so this race only affects the logical state, not memory safety. [1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3 2026-04-08 not yet calculated CVE-2026-31411 https://git.kernel.org/stable/c/c96549d07dfdd51aadf0722cfb40711574424840
https://git.kernel.org/stable/c/1c8bda3df028d5e54134077dcd09f46ca8cfceb5
https://git.kernel.org/stable/c/3e1a8b00095246a9a2b46b57f6d471c6d3c00ed2
https://git.kernel.org/stable/c/e3f80666c2739296c3b69a127300455c43aa1067
https://git.kernel.org/stable/c/21c303fec138c002f90ed33bce60e807d53072bb
https://git.kernel.org/stable/c/69d3f9ee5489e6e8b66defcfa226e91d82393297
https://git.kernel.org/stable/c/440c9a5fc477a8ee259d8bf669531250b8398651
https://git.kernel.org/stable/c/ae88a5d2f29b69819dc7b04086734439d074a643
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() The `check_command_size_in_blocks()` function calculates the data size in bytes by left shifting `common->data_size_from_cmnd` by the block size (`common->curlun->blkbits`). However, it does not validate whether this shift operation will cause an integer overflow. Initially, the block size is set up in `fsg_lun_open()` , and the `common->data_size_from_cmnd` is set up in `do_scsi_command()`. During initialization, there is no integer overflow check for the interaction between two variables. So if a malicious USB host sends a SCSI READ or WRITE command requesting a large amount of data (`common->data_size_from_cmnd`), the left shift operation can wrap around. This results in a truncated data size, which can bypass boundary checks and potentially lead to memory corruption or out-of-bounds accesses. Fix this by using the check_shl_overflow() macro to safely perform the shift and catch any overflows. 2026-04-10 not yet calculated CVE-2026-31412 https://git.kernel.org/stable/c/91817ad5452defe69bc7bc0e355f0ed5d01125cc
https://git.kernel.org/stable/c/ce0caaed5940162780c5c223b8ae54968a5f059b
https://git.kernel.org/stable/c/228b37936376143f4b60cc6828663f6eaceb81b5
https://git.kernel.org/stable/c/3428dc5520c811e66622b2f5fa43341bf9a1f8b3
https://git.kernel.org/stable/c/387ebb0453b99d71491419a5dc4ab4bee0cacbac
https://git.kernel.org/stable/c/8479891d1f04a8ce55366fe4ca361ccdb96f02e1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR maybe_fork_scalars() is called for both BPF_AND and BPF_OR when the source operand is a constant. When dst has signed range [-1, 0], it forks the verifier state: the pushed path gets dst = 0, the current path gets dst = -1. For BPF_AND this is correct: 0 & K == 0. For BPF_OR this is wrong: 0 | K == K, not 0. The pushed path therefore tracks dst as 0 when the runtime value is K, producing an exploitable verifier/runtime divergence that allows out-of-bounds map access. Fix this by passing env->insn_idx (instead of env->insn_idx + 1) to push_stack(), so the pushed path re-executes the ALU instruction with dst = 0 and naturally computes the correct result for any opcode. 2026-04-12 not yet calculated CVE-2026-31413 https://git.kernel.org/stable/c/342aa1ee995ef5bbf876096dc3a5e51218d76fa4
https://git.kernel.org/stable/c/58bd87d0e69204dbd739e4387a1edb0c4b1644e7
https://git.kernel.org/stable/c/d13281ae7ea8902b21d99d10a2c8caf0bdec0455
https://git.kernel.org/stable/c/c845894ebd6fb43226b3118d6b017942550910c5
 
OpenSSL--OpenSSL Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow. Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. 2026-04-07 not yet calculated CVE-2026-31789 OpenSSL Advisory
3.6.2 git commit
3.5.6 git commit
3.4.5 git commit
3.3.7 git commit
3.0.20 git commit
 
OpenSSL--OpenSSL Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker. RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced. If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext. As a workaround calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue. The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue. 2026-04-07 not yet calculated CVE-2026-31790 OpenSSL Advisory
3.6.2 git commit
3.5.6 git commit
3.4.5 git commit
3.3.7 git commit
3.0.20 git commit
 
Sonatype--Nexus Repository A vulnerability in the task management component of Sonatype Nexus Repository versions 3.22.1 through 3.90.2 allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing the nexus.scripts.allowCreation security control. 2026-04-08 not yet calculated CVE-2026-3199 https://help.sonatype.com/en/sonatype-nexus-repository-3-91-0-release-notes.html
https://support.sonatype.com/hc/en-us/articles/50615414548499
 
Erlang--OTP Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification. The OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate's issuer name matches the CA's subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid. This affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context. This vulnerability is associated with program files lib/public_key/src/pubkey_ocsp.erl and program routines pubkey_ocsp:is_authorized_responder/3. This issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7. 2026-04-07 not yet calculated CVE-2026-32144 https://github.com/erlang/otp/security/advisories/GHSA-gxrm-pf64-99xm
https://cna.erlef.org/cves/CVE-2026-32144.html
https://osv.dev/vulnerability/EEF-CVE-2026-32144
https://www.erlang.org/doc/system/versions.html#order-of-versions
https://github.com/erlang/otp/commit/ac7ff528be857c5d35eb29c7f24106e3a16d4891
https://github.com/erlang/otp/commit/49033a6d93a5be0ee0dce04e1fb8b4ae7de1e0c0
 
Gleam--Gleam Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended dependency directory, allowing attacker-controlled paths (via relative traversal such as ../ or absolute paths) to target filesystem locations outside that directory. When resolving git dependencies (e.g. via gleam deps download), the computed path is used for filesystem operations including directory deletion and creation. This vulnerability occurs during the dependency resolution and download phase, which is generally expected to be limited to fetching and preparing dependencies within a confined directory. A malicious direct or transitive git dependency can exploit this issue to delete and overwrite arbitrary directories outside the intended dependency directory, including attacker-chosen absolute paths, potentially causing data loss. In some environments, this may be further leveraged to achieve code execution, for example by overwriting git hooks or shell configuration files. This issue affects Gleam from 1.9.0-rc1 until 1.15.3 and 1.16.0-rc1. 2026-04-11 not yet calculated CVE-2026-32146 https://github.com/gleam-lang/gleam/security/advisories/GHSA-vq5j-55vx-wq8j
https://cna.erlef.org/cves/CVE-2026-32146.html
https://osv.dev/vulnerability/EEF-CVE-2026-32146
https://github.com/gleam-lang/gleam/commit/1aa5d8e594b0aa240bb213fce6ee19c65e6d5bcf
https://github.com/gleam-lang/gleam/commit/55bb36e6d7febfbbc48c4d001e0ae13eb0312d78
 
Go standard library--crypto/x509 During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls. 2026-04-08 not yet calculated CVE-2026-32280 https://go.dev/cl/758320
https://go.dev/issue/78282
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
https://pkg.go.dev/vuln/GO-2026-4947
 
Go standard library--crypto/x509 Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool. 2026-04-08 not yet calculated CVE-2026-32281 https://go.dev/cl/758061
https://go.dev/issue/78281
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
https://pkg.go.dev/vuln/GO-2026-4946
 
Go standard library--internal/syscall/unix On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation. 2026-04-08 not yet calculated CVE-2026-32282 https://go.dev/cl/763761
https://go.dev/issue/78293
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
https://pkg.go.dev/vuln/GO-2026-4864
 
Go standard library--crypto/tls If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. 2026-04-08 not yet calculated CVE-2026-32283 https://go.dev/cl/763767
https://go.dev/issue/78334
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
https://pkg.go.dev/vuln/GO-2026-4870
 
Go standard library--archive/tar tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format. 2026-04-08 not yet calculated CVE-2026-32288 https://go.dev/cl/763766
https://go.dev/issue/78301
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
https://pkg.go.dev/vuln/GO-2026-4869
 
Go standard library--html/template Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities. 2026-04-08 not yet calculated CVE-2026-32289 https://go.dev/cl/763762
https://go.dev/issue/78331
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
https://pkg.go.dev/vuln/GO-2026-4865
 
Apache Software Foundation--Apache Cassandra Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes. Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue. 2026-04-07 not yet calculated CVE-2026-32588 https://lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc
 
Apache Software Foundation--Apache Tomcat Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue. 2026-04-09 not yet calculated CVE-2026-32990 https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7
 
Apache Software Foundation--Apache OpenMeetings Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings. Any registered user can query web service with their credentials and get files/sub-folders of any folder by ID (metadata only NOT contents). Metadata includes id, type, name and some other field. Full list of fields get be checked at FileItemDTO object. This issue affects Apache OpenMeetings: from 3.10 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue. 2026-04-09 not yet calculated CVE-2026-33005 https://openmeetings.apache.org/openmeetings-db/apidocs/org.apache.openmeetings.db/org/apache/openmeetings/db/dto/file/FileItemDTO.html
https://lists.apache.org/thread/pttoprd628g3xr6lpp3bm1z8m3z8t4p7
 
djangoproject--Django An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. 2026-04-07 not yet calculated CVE-2026-33033 Django security archive
Django releases announcements
Django security releases issued: 6.0.4, 5.2.13, and 4.2.30
 
djangoproject--Django An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue. 2026-04-07 not yet calculated CVE-2026-33034 Django security archive
Django releases announcements
Django security releases issued: 6.0.4, 5.2.13, and 4.2.30
 
Six Apart Ltd.--Movable Type Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability which may allow an attacker to execute an arbitrary SQL statement. 2026-04-08 not yet calculated CVE-2026-33088 https://movabletype.org/news/2026/04/mt-907-released.html
https://www.sixapart.jp/movabletype/news/2026/04/08-1100.html
https://jvn.jp/en/jp/JVN66473735/
 
Acronis--Acronis True Image OEM Local privilege escalation due to improper handling of environment variables. The following products are affected: Acronis True Image OEM (macOS) before build 42571, Acronis True Image (macOS) before build 42902. 2026-04-10 not yet calculated CVE-2026-33092 SEC-9407
 
Apache Software Foundation--Apache ActiveMQ Client Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ. In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided "key" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit. This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3. 2026-04-07 not yet calculated CVE-2026-33227 https://activemq.apache.org/security-advisories.data/CVE-2026-33227-announcement.txt
 
xwiki--xwiki-platform XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1. 2026-04-08 not yet calculated CVE-2026-33229 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9
https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63
https://jira.xwiki.org/browse/XWIKI-23698
https://jira.xwiki.org/browse/XWIKI-23702
 
Apache Software Foundation--Apache OpenMeetings Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials. This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue. 2026-04-09 not yet calculated CVE-2026-33266 https://lists.apache.org/thread/b05jnp9563v49zq494lox9kjbhhf2w66
 
ICZ Corporation--MATCHA INVOICE Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be created by an administrator of the product. As a result, arbitrary code may be executed on the server. 2026-04-08 not yet calculated CVE-2026-33273 https://oss.icz.co.jp/news/?p=1386
https://jvn.jp/en/jp/JVN33581068/
 
OpenIdentityPlatform--OpenAM Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains <jato:form> tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6. 2026-04-07 not yet calculated CVE-2026-33439 https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-2cqq-rpvq-g5qj
 
Checkmk GmbH--Checkmk Livestatus injection in the monitoring quicksearch in Checkmk <2.5.0b4 allows an authenticated attacker to inject livestatus commands via the search query due to insufficient input sanitization in search filter plugins. 2026-04-10 not yet calculated CVE-2026-33455 https://checkmk.com/werk/17988
 
Checkmk GmbH--Checkmk Livestatus injection in the notification test mode in Checkmk <2.5.0b4 and <2.4.0p26 allows an authenticated user with access to the notification test page to inject arbitrary Livestatus commands via a crafted service description. 2026-04-10 not yet calculated CVE-2026-33456 https://checkmk.com/werk/17989
 
Checkmk GmbH--Checkmk Livestatus injection in the prediction graph page in Checkmk <2.5.0b4, <2.4.0p26, and <2.3.0p47 allows an authenticated user to inject arbitrary Livestatus commands via a crafted service name parameter due to insufficient sanitization of the service description value. 2026-04-10 not yet calculated CVE-2026-33457 https://checkmk.com/werk/17990
 
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack can enable otherwise-blocked PHP code from the main/install/ directory and allow an unauthenticated attacker to modify existing files or create new files where allowed by system permissions. This only affects portals with the main/install/ directory still present and read-accessible. This vulnerability is fixed in 1.11.38. 2026-04-10 not yet calculated CVE-2026-33698 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-557g-2w66-gpmf
https://github.com/chamilo/chamilo-lms/commit/d3355d7873c7e5b907c5fa84cbd5d9b62ed33e51
 
chamilo--chamilo-lms Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by modifying the userId parameter. This results in mass disclosure of sensitive user information and credentials, enabling a full platform data breach. This vulnerability is fixed in 2.0.0-RC.3. 2026-04-10 not yet calculated CVE-2026-33703 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-27x6-c5c7-gpf5
 
Go standard library--crypto/x509 When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool. 2026-04-08 not yet calculated CVE-2026-33810 https://go.dev/cl/763763
https://go.dev/issue/78332
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
https://pkg.go.dev/vuln/GO-2026-4866
 
github.com/jackc/pgx/v5--github.com/jackc/pgx/v5/pgproto3 Memory-safety vulnerability in github.com/jackc/pgx/v5. 2026-04-07 not yet calculated CVE-2026-33815 https://pkg.go.dev/vuln/GO-2026-4771
 
github.com/jackc/pgx/v5--github.com/jackc/pgx/v5/pgproto3 Memory-safety vulnerability in github.com/jackc/pgx/v5. 2026-04-07 not yet calculated CVE-2026-33816 https://pkg.go.dev/vuln/GO-2026-4772
 
Mlflow--Mlflow MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim. This issue affects MLflow version through 3.10.1 2026-04-07 not yet calculated CVE-2026-33865 https://github.com/mlflow/mlflow/pull/21435
https://cert.pl/en/posts/2026/04/CVE-2026-33865/
https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors
 
Mlflow--Mlflow MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access. This issue affects MLflow version through 3.10.1 2026-04-07 not yet calculated CVE-2026-33866 https://github.com/mlflow/mlflow/pull/21708
https://cert.pl/en/posts/2026/04/CVE-2026-33865/
https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors
 
Apache Software Foundation--Apache OpenMeetings Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings. The REST login endpoint uses HTTP GET method with username and password passed as query parameters. Please check references regarding possible impact This issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue. 2026-04-09 not yet calculated CVE-2026-34020 https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url
https://lists.apache.org/thread/2h3h9do5tp17xldr0nps1yjmkx4vs3db
 
flatpak--flatpak Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4. 2026-04-07 not yet calculated CVE-2026-34078 https://github.com/flatpak/flatpak/security/advisories/GHSA-cc2q-qc34-jprg
 
flatpak--flatpak Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4. 2026-04-07 not yet calculated CVE-2026-34079 https://github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp
 
flatpak--xdg-dbus-proxy xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy parser vulnerability allows bypassing eavesdrop restrictions. The proxy checks for eavesdrop=true in policy rules but fails to handle eavesdrop ='true' (with a space before the equals sign) and similar cases. Clients can intercept D-Bus messages they should not have access to. This vulnerability is fixed in 0.1.7. 2026-04-07 not yet calculated CVE-2026-34080 https://github.com/flatpak/xdg-dbus-proxy/security/advisories/GHSA-vjp5-hjfm-7677
 
Hydrosystem--Control System Hydrosystem Control System does not enforce authorization for some directories. This allows an unauthorized attacker to read all files in these directories and even execute some of them. Critically the attacker could run PHP scripts directly on the connected database.This issue was fixed in Hydrosystem Control System version 9.8.5 2026-04-09 not yet calculated CVE-2026-34184 https://cert.pl/posts/2026/04/CVE-2026-4901/
https://www.hydrosystem.poznan.pl/
 
Hydrosystem--Control System Hydrosystem Control System is vulnerable to SQL Injection across most scripts and input parameters. Because no protections are in place, an authenticated attacker can inject arbitrary SQL commands, potentially gaining full control over the database.This issue was fixed in Hydrosystem Control System version 9.8.5 2026-04-09 not yet calculated CVE-2026-34185 https://cert.pl/posts/2026/04/CVE-2026-4901/
https://www.hydrosystem.poznan.pl/
 
Apache Software Foundation--Apache ActiveMQ Broker Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue 2026-04-07 not yet calculated CVE-2026-34197 https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt
 
nyariv--SandboxJS SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, the @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions (e.g., ~2000 nested parentheses), causing a RangeError: Maximum call stack size exceeded that terminates the process. This vulnerability is fixed in 0.8.36. 2026-04-06 not yet calculated CVE-2026-34211 https://github.com/nyariv/SandboxJS/security/advisories/GHSA-8pfc-jjgw-6g26
 
nyariv--SandboxJS SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, a scope modification vulnerability exists in @nyariv/sandboxjs. The vulnerability allows untrusted sandboxed code to leak internal interpreter objects through the new operator, exposing sandbox scope objects in the scope hierarchy to untrusted code; an unexpected and undesired exploit. While this could allow modifying scopes inside the sandbox, code evaluation remains sandboxed and prototypes remain protected throughout the execution. This vulnerability is fixed in 0.8.36. 2026-04-06 not yet calculated CVE-2026-34217 https://github.com/nyariv/SandboxJS/security/advisories/GHSA-hg73-4w7g-q96w
 
zammad--zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, customers in shared organizations (means they can see each other's tickets) could see fields which are not intended for customers - including fields not intended for them at all (e.g. priority, custom ticket attributes for internal purposes). This was the case when a customer opened a ticket from another user of the same shared organization. They are not able to modify these field. This vulnerability is fixed in 7.0.1. 2026-04-08 not yet calculated CVE-2026-34248 https://github.com/zammad/zammad/security/advisories/GHSA-prww-84vh-w978
 
Sonatype--Nexus Repository A reflected cross-site scripting vulnerability exists in Sonatype Nexus Repository versions 3.0.0 through 3.90.2 that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted URL. Exploitation requires user interaction. 2026-04-08 not yet calculated CVE-2026-3438 https://help.sonatype.com/en/sonatype-nexus-repository-3-91-0-release-notes.html
https://support.sonatype.com/hc/en-us/articles/50609137161363
 
scoder--lupa Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution. 2026-04-06 not yet calculated CVE-2026-34444 https://github.com/scoder/lupa/security/advisories/GHSA-69v7-xpr6-6gjm
 
Python Software Foundation--CPython When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use "validate=True" to enable stricter processing of base64 data. 2026-04-10 not yet calculated CVE-2026-3446 https://github.com/python/cpython/pull/145267
https://github.com/python/cpython/issues/145264
https://mail.python.org/archives/list/security-announce@python.org/thread/F5ZT5ICGJ6CKXVUJ34YBVY7WOZ5SHG53/
https://github.com/python/cpython/commit/1f9958f909c1b41a4ffc0b613ef8ec8fa5e7c474
https://github.com/python/cpython/commit/4561f6418a691b3e89aef0901f53fe0dfb7f7c0e
https://github.com/python/cpython/commit/e31c55121620189a0d1a07b689762d8ca9c1b7fa
 
Apache Software Foundation--Apache Log4j Core The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property, but not when configured through the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName attribute of the <Ssl> element. Although the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value. A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met: * An SMTP, Socket, or Syslog appender is in use. * TLS is configured via a nested <Ssl> element. * The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured. This issue does not affect users of the HTTP appender, which uses a separate verifyHostname https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName attribute that was not subject to this bug and verifies host names by default. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue. 2026-04-10 not yet calculated CVE-2026-34477 https://github.com/apache/logging-log4j2/pull/4075
https://logging.apache.org/security.html#CVE-2026-34477
https://logging.apache.org/cyclonedx/vdr.xml
https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName
https://lists.apache.org/thread/lkx8cl46t2bvkcwfcb2pd43ygc097lq4
 
Apache Software Foundation--Apache Log4j Core Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly: * The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output. * The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping. Users of the SyslogAppender are not affected, as its configuration attributes were not modified. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue. 2026-04-10 not yet calculated CVE-2026-34478 https://github.com/apache/logging-log4j2/pull/4074
https://logging.apache.org/security.html#CVE-2026-34478
https://logging.apache.org/cyclonedx/vdr.xml
https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout
https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt
 
Apache Software Foundation--Apache Log4j 1 to Log4j 2 bridge The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records. Two groups of users are affected: * Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file. * Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class. Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue. Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge. 2026-04-10 not yet calculated CVE-2026-34479 https://github.com/apache/logging-log4j2/pull/4078
https://logging.apache.org/security.html#CVE-2026-34479
https://logging.apache.org/cyclonedx/vdr.xml
https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html
https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on
 
Apache Software Foundation--Apache Log4j Core Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whenever a log message or MDC value contains such characters. The impact depends on the StAX implementation in use: * JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records. * Alternative StAX implementations (e.g., Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output. 2026-04-10 not yet calculated CVE-2026-34480 https://github.com/apache/logging-log4j2/pull/4077
https://logging.apache.org/security.html#CVE-2026-34480
https://logging.apache.org/cyclonedx/vdr.xml
https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout
https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb
 
Apache Software Foundation--Apache Log4j JSON Template Layout Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met: * The application uses JsonTemplateLayout. * The application logs a MapMessage containing an attacker-controlled floating-point value. Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue. 2026-04-10 not yet calculated CVE-2026-34481 https://github.com/apache/logging-log4j2/pull/4080
https://logging.apache.org/security.html#CVE-2026-34481
https://logging.apache.org/cyclonedx/vdr.xml
https://logging.apache.org/log4j/2.x/manual/json-template-layout.html
https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv
 
Apache Software Foundation--Apache Tomcat Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue. 2026-04-09 not yet calculated CVE-2026-34483 https://lists.apache.org/thread/j1w7304yonlr8vo1tkb5nfs7od1y228b
 
Apache Software Foundation--Apache Tomcat Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue. 2026-04-09 not yet calculated CVE-2026-34486 https://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly
 
Apache Software Foundation--Apache Tomcat Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue. 2026-04-09 not yet calculated CVE-2026-34487 https://lists.apache.org/thread/4xpkwolpkrj8v5xzp5nyovtlqp3y850h
 
Apache Software Foundation--Apache Tomcat CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue. 2026-04-09 not yet calculated CVE-2026-34500 https://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2
 
Apache Software Foundation--Apache Airflow Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security model documentation that defines the Viewer role as read-only. Airflow uses the FAB Auth Manager to manage access control on a per-resource basis. The Viewer role is intended to be read-only by default, and the security model documentation defines Viewer users as those who can inspect DAGs without accessing sensitive execution results. Users are recommended to upgrade to Apache Airflow 3.2.0 which resolves this issue. 2026-04-09 not yet calculated CVE-2026-34538 https://github.com/apache/airflow/pull/64415
https://lists.apache.org/thread/9mq3msqhmgjwdzbr6bgthj4brb3oz9fl
 
randombit--botan Botan is a C++ cryptography library. In 3.11.0, the function Certificate_Store::certificate_known had a misleading name; it would return true if any certificate in the store had a DN (and subject key identifier, if set) matching that of the argument. It did not check that the cert it found and the cert it was passed were actually the same certificate. In 3.11.0 an extension of path validation logic was made which assumed that certificate_known only returned true if the certificates were in fact identical. The impact is that if an end entity certificate is presented, and its DN (and subject key identifier, if set) match that of any trusted root, the end entity certificate is accepted immediately as if it itself were a trusted root. , This vulnerability is fixed in 3.11.1. 2026-04-07 not yet calculated CVE-2026-34580 https://github.com/randombit/botan/security/advisories/GHSA-v782-6fq4-q827
 
randombit--botan Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can by bypassed by a client which entirely omits Certificate, CertificateVerify, and the Finished message and instead sends application data records. This vulnerability is fixed in 3.11.1. 2026-04-07 not yet calculated CVE-2026-34582 https://github.com/randombit/botan/security/advisories/GHSA-pxcj-9ppx-g86g
 
AcademySoftwareFoundation--openexr OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9. 2026-04-06 not yet calculated CVE-2026-34588 https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-588r-cr5c-w6hf
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9
 
AcademySoftwareFoundation--openexr OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated rowBlock backing store. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9. 2026-04-06 not yet calculated CVE-2026-34589 https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-p8xc-w3q4-h64x
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9
 
Checkmk GmbH--Checkmk Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks by tricking a victim into clicking a crafted dashlet title link on a shared dashboard. 2026-04-07 not yet calculated CVE-2026-3466 https://checkmk.com/werk/19033
https://www.vulncheck.com/advisories/checkmk-stored-cross-site-scripting-in-dashlet-title
 
zammad--zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the HTML sanitizer for ticket articles was missing proper sanitization of data: ... URI schemes, resulting in storing such malicious content in the database of the Zammad instance. The Zammad GUI is rendering this content, due to applied CSP rules no harm was done by e.g., clicking such a link. This vulnerability is fixed in 7.0.1 and 6.5.4. 2026-04-08 not yet calculated CVE-2026-34718 https://github.com/zammad/zammad/security/advisories/GHSA-c2cf-9fc7-jhf3
 
zammad--zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the webhook model was missing a proper validation for loop back addresses, or link-local addresses - only the URL scheme (HTTP/HTTPS) as well as the hostname was checked. This could end up in retrieving confidential metadata of cloud/hosting providers. The existing check is now extended and is applied when configuring webhooks as well as triggering webhook jobs. This vulnerability is fixed in 7.0.1 and 6.5.4. 2026-04-08 not yet calculated CVE-2026-34719 https://github.com/zammad/zammad/security/advisories/GHSA-2vgc-vfh2-rw75
 
zammad--zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the SSO mechanism in Zammad was not verifying the header originates from a trusted SSO proxy/gateway before applying further actions on it. This vulnerability is fixed in 7.0.1 and 6.5.4. 2026-04-08 not yet calculated CVE-2026-34720 https://github.com/zammad/zammad/security/advisories/GHSA-hcv6-w4h9-p2p7
 
zammad--zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4. 2026-04-08 not yet calculated CVE-2026-34721 https://github.com/zammad/zammad/security/advisories/GHSA-mfwp-hx66-626c
 
zammad--zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the used endpoint for ticket creation was missing authorization if the related parameter for adding links is used. This vulnerability is fixed in 7.0.1 and 6.5.4. 2026-04-08 not yet calculated CVE-2026-34722 https://github.com/zammad/zammad/security/advisories/GHSA-28m3-wwgv-ppw8
 
zammad--zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, unauthenticated remote attackers were able to access the getting started endpoint to get access to sensitive internal entity data, even after the system setup was completed. This vulnerability is fixed in 7.0.1 and 6.5.4. 2026-04-08 not yet calculated CVE-2026-34723 https://github.com/zammad/zammad/security/advisories/GHSA-hcm9-ch62-5727
 
zammad--zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, a server-side template injection vulnerability which leads to RCE via AI Agent exists. Impact is limited to environments where an attacker can control or influence type_enrichment_data (typically high-privilege administrative configuration). This vulnerability is fixed in 7.0.1. 2026-04-08 not yet calculated CVE-2026-34724 https://github.com/zammad/zammad/security/advisories/GHSA-fg9w-jg8f-4j94
 
zammad--zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the REST endpoint POST /api/v1/ai_assistance/text_tools/:id was not checking if a user is privileged to use the text tool, resulting in being able to use it in all situations. This vulnerability is fixed in 7.0.1 and 6.5.4. 2026-04-08 not yet calculated CVE-2026-34782 https://github.com/zammad/zammad/security/advisories/GHSA-96r7-29c8-2j7q
 
zammad--zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, he REST endpoint POST /api/v1/ai_assistance/text_tools/:id contains an authorization failure. Context data (e.g., a group or organization) supplied to be used in the AI prompt were not checked if they are accessible for the current user. This leads to having data present in the AI prompt that were not authorized before being used. A user needs to have ticket.agent permission to be able to use the provided context data. This vulnerability is fixed in 7.0.1. 2026-04-08 not yet calculated CVE-2026-34837 https://github.com/zammad/zammad/security/advisories/GHSA-89vv-6639-wcv8
 

Back to top

n/a

Vulnerability Summary for the Week of February 2, 2026
Posted on Monday February 09, 2026

High Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
Insaat--Fikir Odalari AdminPando A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26. The username and password parameters are vulnerable to SQL injection, allowing unauthenticated attackers to bypass authentication completely. Successful exploitation grants full administrative access to the application, including the ability to manipulate the public-facing website content (HTML/DOM manipulation). 2026-02-03 10 CVE-2025-10878 https://onurcangenc.com.tr/posts/cve-2025-10878-sql-authentication-bypass-in-fikir-odalar%C4%B1-adminpando/
https://github.com/onurcangnc/CVE-2025-10878-AdminPandov1.0.1-SQLi
 
Zenitel--TCIS-3+ This vulnerability allows authenticated attackers to execute arbitrary commands on the underlying system using the file name of an uploaded file. 2026-02-04 10 CVE-2025-59818 Zenitel Release Notes Turbine
Zenitel Security Advisory
Zenitel Release Notes Fortitude8
Zenitel Release Notes ZIPS
Zenitel Release Notes Fortitude6
Zenitel Release Notes Display Series
 
n/a--Docan[.]co Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key (APP_KEY), database credentials, SMTP/SendGrid API credentials, and internal configuration parameters, enabling complete system compromise including authentication bypass via session token forgery, direct database access to all tenant data, and email infrastructure takeover. Due to the multi-tenancy architecture, this vulnerability affects all tenants in the system. 2026-02-03 10 CVE-2025-70841 https://codecanyon.net/item/dokans-multitenancy-based-ecommerce-platform-saas/31122915
https://github.com/cod3rLucas/security-advisories/blob/main/CVE-2025-70841.md
 
Synectix--LAN 232 TRIO The Synectix LAN 232 TRIO 3-Port serial to ethernet adapter exposes its web management interface without requiring authentication, allowing unauthenticated users to modify critical device settings or factory reset the device. 2026-02-03 10 CVE-2026-1633 https://www.cisa.gov/news-events/ics-advisories/icsa-26-034-04
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-034-04.json
 
SignalK--signalk-server Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. This vulnerability is fixed in 1.5.0. 2026-02-02 10 CVE-2026-23515 https://github.com/SignalK/signalk-server/security/advisories/GHSA-p8gp-2w28-mhwg
https://github.com/SignalK/set-system-time/commit/75b11eae2de528bf89ede3fb1f7ed057ddbb4d24
 
nyariv--SandboxJS SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution. This vulnerability is fixed in 0.8.27. 2026-02-02 10 CVE-2026-25142 https://github.com/nyariv/SandboxJS/security/advisories/GHSA-9p4w-fq8m-2hp7
https://github.com/nyariv/SandboxJS/commit/75c8009db32e6829b0ad92ca13bf458178442bd3
https://github.com/nyariv/SandboxJS/blob/f212a38fb5a6d4bc2bc2e2466c0c011ce8d41072/src/executor.ts#L368-L398
 
ci4-cms-erp--ci4ms CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE) by leveraging the file creation and save endpoints, an attacker can upload and execute arbitrary PHP code on the server. This issue has been patched in version 0.28.5.0. 2026-02-03 10 CVE-2026-25510 https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gp56-f67f-m4px
https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653
 
nyariv--SandboxJS SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped. Object.values/Object.entries can be used to get an Array containing the host's Function constructor, by using Array.prototype.at you can obtain the hosts Function constructor, which can be used to execute arbitrary code outside of the sandbox. This vulnerability is fixed in 0.8.29. 2026-02-06 10 CVE-2026-25520 https://github.com/nyariv/SandboxJS/security/advisories/GHSA-58jh-xv4v-pcx4
https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3
 
nyariv--SandboxJS SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty on a sandbox object, which disables prototype whitelist enforcement in the property-access path. This permits direct access to __proto__ and other blocked prototype properties, enabling host Object.prototype pollution and persistent cross-sandbox impact. This vulnerability is fixed in 0.8.29. 2026-02-06 10 CVE-2026-25586 https://github.com/nyariv/SandboxJS/security/advisories/GHSA-jjpw-65fv-8g48
https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3
 
nyariv--SandboxJS SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, as Map is in SAFE_PROTOYPES, it's prototype can be obtained via Map.prototype. By overwriting Map.prototype.has the sandbox can be escaped. This vulnerability is fixed in 0.8.29. 2026-02-06 10 CVE-2026-25587 https://github.com/nyariv/SandboxJS/security/advisories/GHSA-66h4-qj4x-38xp
https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3
 
microsoft--semantic-kernel Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.70.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.70.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync  or UploadFileAsync and ensures the provided localFilePath is allow listed. 2026-02-06 10 CVE-2026-25592 https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4
https://github.com/microsoft/semantic-kernel/pull/13478/changes#diff-88d3cacba2bfa84eef8f2aa171b34f9940338cbb784a3ffc49f5fe3af1b8943d
https://github.com/microsoft/semantic-kernel/blob/main/dotnet/samples/Demos/CodeInterpreterPlugin/Program.cs#L61-L64
 
WaterFutures--EPyT-Flow EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EPyT-Flow's REST API parses attacker-controlled JSON request bodies using a custom deserializer (my_load_from_json) that supports a type field. When type is present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with attacker-supplied arguments. This allows invoking dangerous classes such as subprocess.Popen, which can lead to OS command execution during JSON parsing. This also affects the loading of JSON files. This vulnerability is fixed in 0.16.1. 2026-02-06 10 CVE-2026-25632 https://github.com/WaterFutures/EPyT-Flow/security/advisories/GHSA-74vm-8frp-7w68
https://github.com/WaterFutures/EPyT-Flow/commit/3fff9151494c7dbc72073830b734f0a7e550e385
https://github.com/WaterFutures/EPyT-Flow/releases/tag/v0.16.1
 
nyariv--SandboxJS SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbox escape vulnerability due to a mismatch between the key on which the validation is performed and the key used for accessing properties. Even though the key used in property accesses is annotated as string, this is never enforced. So, attackers can pass malicious objects that coerce to different string values when used, e.g., one for the time the key is sanitized using hasOwnProperty(key) and a different one for when the key is used for the actual property access. This vulnerability is fixed in 0.8.29. 2026-02-06 10 CVE-2026-25641 https://github.com/nyariv/SandboxJS/security/advisories/GHSA-7x3h-rm86-3342
https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3
https://github.com/nyariv/SandboxJS/blob/6103d7147c4666fe48cfda58a4d5f37005b43754/src/executor.ts#L304-L304
 
StreamRipper--StreamRipper32 StreamRipper32 version 2.6 contains a buffer overflow vulnerability in the Station/Song Section that allows attackers to overwrite memory by manipulating the SongPattern input. Attackers can craft a malicious payload exceeding 256 bytes to potentially execute arbitrary code and compromise the application. 2026-02-03 9.8 CVE-2020-37065 ExploitDB-48517
StreamRipper Vendor Homepage
VulnCheck Advisory: StreamRipper32 2.6 - Buffer Overflow
 
GoldWave--GoldWave GoldWave 5.70 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by crafting malicious input in the File Open URL dialog. Attackers can generate a specially crafted text file with Unicode-encoded shellcode to trigger a stack-based overflow and execute commands when the file is opened. 2026-02-03 9.8 CVE-2020-37066 ExploitDB-48510
Official Vendor Homepage
VulnCheck Advisory: GoldWave 5.70 – Buffer Overflow (SEH Unicode)
 
Utillyty--Filetto Filetto 1.0 FTP server contains a denial of service vulnerability in the FEAT command processing that allows attackers to crash the service. Attackers can send an oversized FEAT command with 11,008 bytes of repeated characters to trigger a buffer overflow and terminate the FTP service. 2026-02-03 9.8 CVE-2020-37067 ExploitDB-48503
Vendor Homepage
Software Project Repository
VulnCheck Advisory: Filetto 1.0 - 'FEAT' Denial of Service
 
Konica Minolta--FTP Utility Konica Minolta FTP Utility 1.0 contains a buffer overflow vulnerability in the LIST command that allows attackers to overwrite system registers. Attackers can send an oversized buffer of 1500 'A' characters to crash the FTP server and potentially execute unauthorized code. 2026-02-03 9.8 CVE-2020-37068 ExploitDB-48501
Konica Minolta FTP Utility Download Page
Konica Minolta Vendor Homepage
VulnCheck Advisory: Konica Minolta FTP Utility 1.0 - 'LIST' Denial of Service
 
Konica Minolta--FTP Utility Konica Minolta FTP Utility 1.0 contains a buffer overflow vulnerability in the NLST command that allows attackers to overwrite system registers. Attackers can send an oversized buffer of 1500 'A' characters to crash the FTP server and potentially execute unauthorized code. 2026-02-03 9.8 CVE-2020-37069 ExploitDB-48502
Konica Minolta FTP Utility Download Page
Konica Minolta Vendor Homepage
VulnCheck Advisory: Konica Minolta FTP Utility 1.0 - 'NLST' Denial of Service
 
CloudMe--CloudMe CloudMe 1.11.2 contains a buffer overflow vulnerability that allows remote attackers to execute arbitrary code through crafted network packets. Attackers can exploit the vulnerability by sending a specially crafted payload to the CloudMe service running on port 8888, enabling remote code execution. 2026-02-03 9.8 CVE-2020-37070 ExploitDB-48499
CloudMe Official Homepage
VulnCheck Advisory: CloudMe 1.11.2 - Buffer Overflow (SEH,DEP,ASLR)
 
CraftCMS--CraftCMS CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin's vCard download functionality with a specially crafted request. 2026-02-03 9.8 CVE-2020-37071 ExploitDB-48492
Official CraftCMS Vendor Homepage
CraftCMS vCard Plugin Page
Researcher Exploit Disclosure
VulnCheck Advisory: CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution
 
LizardSystems--Remote Desktop Audit Remote Desktop Audit 2.3.0.157 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code during the Add Computers Wizard file import process. Attackers can craft a malicious payload file to trigger a structured exception handler (SEH) bypass and execute shellcode when importing computer lists. 2026-02-03 9.8 CVE-2020-37074 ExploitDB-48465
Remote Desktop Audit Product Webpage
VulnCheck Advisory: Remote Desktop Audit 2.3.0.157 - Buffer Overflow (SEH)
 
LizardSystems--LanSend LanSend 3.2 contains a buffer overflow vulnerability in the Add Computers Wizard file import functionality that allows remote attackers to execute arbitrary code. Attackers can craft a malicious payload file to trigger a structured exception handler (SEH) overwrite and execute shellcode when importing computers from a file. 2026-02-03 9.8 CVE-2020-37075 ExploitDB-48461
LanSend Product Webpage
VulnCheck Advisory: LanSend 3.2 - Buffer Overflow (SEH)
 
luiswang--webTareas webTareas 2.0.p8 contains a file deletion vulnerability in the print_layout.php administration component that allows authenticated attackers to delete arbitrary files. Attackers can exploit the vulnerability by manipulating the 'atttmp1' parameter to specify and delete files on the server through an unauthenticated file deletion mechanism. 2026-02-03 9.8 CVE-2020-37080 ExploitDB-48430
webTareas Project Homepage
VulnCheck Advisory: webTareas 2.0.p8 - Arbitrary File Deletion
 
Weberp--webERP webERP 4.15.1 contains an unauthenticated file access vulnerability that allows remote attackers to download database backup files without authentication. Attackers can directly access generated backup files in the companies/weberp/ directory by requesting the Backup_[timestamp].sql.gz file. 2026-02-03 9.8 CVE-2020-37082 ExploitDB-48420
Official webERP Vendor Homepage
webERP SourceForge Project Page
VulnCheck Advisory: webERP 4.15.1 - Unauthenticated Backup File Access
 
Arox--School ERP Pro School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts through the message attachment feature, enabling remote code execution on the server. 2026-02-03 9.8 CVE-2020-37090 ExploitDB-48392
Archived Vendor Homepage
Archived SourceForge Product Page
VulnCheck Advisory: School ERP Pro 1.0 - Remote Code Execution
 
EspoCRM--EspoCRM EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authorization headers. Attackers can decode and modify Basic Authorization and Espo-Authorization tokens to gain unauthorized access to administrative user information and privileges. 2026-02-03 9.8 CVE-2020-37094 ExploitDB-48376
EspoCRM Official Vendor Homepage
VulnCheck Advisory: EspoCRM 5.8.5 - Privilege Escalation
 
Cyberoam--Cyberoam Authentication Client Cyberoam Authentication Client 2.1.2.7 contains a buffer overflow vulnerability that allows remote attackers to execute arbitrary code by overwriting Structured Exception Handler (SEH) memory. Attackers can craft a malicious input in the 'Cyberoam Server Address' field to trigger a bind TCP shell on port 1337 with system-level access. 2026-02-06 9.8 CVE-2020-37095 ExploitDB-48148
Archived Cyberoam Authentication Client Software
VulnCheck Advisory: Cyberoam Authentication Client 2.1.2.7 - Buffer Overflow (SEH)
 
Nsasoft--Nsauditor Nsauditor 3.0.28 and 3.2.1.0 contains a buffer overflow vulnerability in the DNS Lookup tool that allows attackers to execute arbitrary code by overwriting memory. Attackers can craft a malicious DNS query payload to trigger a three-byte overwrite, bypass ASLR, and execute shellcode through a carefully constructed exploit. 2026-02-05 9.8 CVE-2020-37119 ExploitDB-48350
Nsauditor Homepage
VulnCheck Advisory: Nsauditor 3.2.1.0 - Buffer Overflow (SEH+ASLR bypass (3 bytes overwrite))
 
Rubo Medical Imaging--Rubo DICOM Viewer Rubo DICOM Viewer 2.0 contains a buffer overflow vulnerability in the DICOM server name input field that allows attackers to overwrite Structured Exception Handler (SEH). Attackers can craft a malicious text file with carefully constructed payload to execute arbitrary code by overwriting SEH and triggering remote code execution. 2026-02-05 9.8 CVE-2020-37120 ExploitDB-48351
Archived Rubo DICOM Viewer Product Page
VulnCheck Advisory: Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH)
 
wcchandler--Pinger Pinger 1.0 contains a remote code execution vulnerability that allows attackers to inject shell commands through the ping and socket parameters. Attackers can exploit the unsanitized input in ping.php to write arbitrary PHP files and execute system commands by appending shell metacharacters. 2026-02-05 9.8 CVE-2020-37123 ExploitDB-48323
Pinger GitHub Repository
VulnCheck Advisory: Pinger 1.0 - Remote Code Execution
 
4Mhz--B64dec B64dec 1.1.2 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting Structured Exception Handler (SEH) with crafted input. Attackers can leverage an egg hunter technique and carefully constructed payload to inject and execute malicious code during base64 decoding process. 2026-02-05 9.8 CVE-2020-37124 ExploitDB-48317
Product Webpage
VulnCheck Advisory: B64dec 1.1.2 - Buffer Overflow (SEH Overflow + Egg Hunter)
 
EDIMAX Technology--EW-7438RPn Mini Edimax EW-7438RPn-v3 Mini 1.27 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands through the /goform/mp endpoint. Attackers can exploit the vulnerability by sending crafted POST requests with command injection payloads to download and execute malicious scripts on the device. 2026-02-05 9.8 CVE-2020-37125 ExploitDB-48318
Edimax EW-7438RPn Mini Product Page
VulnCheck Advisory: Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution
 
Drive Software Company--Free Desktop Clock Free Desktop Clock 3.0 contains a stack overflow vulnerability in the Time Zones display name input that allows attackers to overwrite Structured Exception Handler (SEH) registers. Attackers can exploit the vulnerability by crafting a malicious Unicode input that triggers an access violation and potentially execute arbitrary code. 2026-02-05 9.8 CVE-2020-37126 ExploitDB-48314
Vendor Homepage
VulnCheck Advisory: Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)
 
Microvirt--Memu Play Memu Play 7.1.3 contains an insecure folder permissions vulnerability that allows low-privileged users to modify the MemuService.exe executable. Attackers can replace the service executable with a malicious file during system restart to gain SYSTEM-level privileges by exploiting unrestricted file modification permissions. 2026-02-05 9.8 CVE-2020-37129 ExploitDB-48283
Memu Play Official Homepage
VulnCheck Advisory: Memu Play 7.1.3 - Insecure Folder Permissions
 
10-Strike Software--Network Inventory Explorer 10-Strike Network Inventory Explorer 9.03 contains a buffer overflow vulnerability in the file import functionality that allows remote attackers to execute arbitrary code. Attackers can craft a malicious text file with carefully constructed payload to trigger a stack-based buffer overflow and bypass data execution prevention through a ROP chain. 2026-02-05 9.8 CVE-2020-37138 ExploitDB-48264
10-Strike Software Homepage
10-Strike Network Inventory Explorer Product Page
VulnCheck Advisory: 10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP)
 
Parallaxis--Cuckoo Clock Parallaxis Cuckoo Clock 5.0 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting memory registers in the alarm scheduling feature. Attackers can craft a malicious payload exceeding 260 bytes to overwrite EIP and EBP, enabling shellcode execution with potential remote code execution. 2026-02-06 9.8 CVE-2020-37159 ExploitDB-48087
Vendor Homepage
VulnCheck Advisory: Cuckoo Clock 5.0 - Buffer Overflow
 
Wedding Slideshow Studio--Wedding Slideshow Studio Wedding Slideshow Studio 1.36 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting the registration name field with malicious payload. Attackers can craft a specially designed payload to trigger remote code execution, demonstrating the ability to run system commands like launching the calculator. 2026-02-06 9.8 CVE-2020-37161 ExploitDB-48050
Wedding Slideshow Studio Official Homepage
VulnCheck Advisory: Wedding Slideshow Studio 1.36 - 'Name' Buffer Overflow
 
Wedding Slideshow Studio--Wedding Slideshow Studio Wedding Slideshow Studio 1.36 contains a buffer overflow vulnerability in the registration key input that allows attackers to execute arbitrary code by overwriting memory. Attackers can craft a malicious payload of 1608 bytes to trigger a stack-based buffer overflow and execute commands through the registration key field. 2026-02-06 9.8 CVE-2020-37162 ExploitDB-48028
Archived Wedding Slideshow Studio Webpage
VulnCheck Advisory: Wedding Slideshow Studio 1.36 - 'Key' Buffer Overflow
 
Innomic--VibroLine VLX1 HD 5.0 An unauthenticated remote attacker can gain full access on the affected devices as they are shipped without a password by default and setting one is not enforced. 2026-02-02 9.8 CVE-2022-50981 https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html
https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json
 
IBM--Common Cryptographic Architecture IBM Common Cryptographic Architecture (CCA) 7.5.52 and 8.4.82 could allow an unauthenticated user to execute arbitrary commands with elevated privileges on the system. 2026-02-04 9.8 CVE-2025-13375 https://www.ibm.com/support/pages/node/7259625
 
jayarsiech--JAY Login & Register The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the 'jay_login_register_ajax_create_final_user' function. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator. 2026-02-08 9.8 CVE-2025-15027 https://www.wordfence.com/threat-intel/vulnerabilities/id/b08198a6-10e8-44ca-a1c5-8d987d85c469?source=cve
https://plugins.trac.wordpress.org/browser/jay-login-register/tags/2.5.01/includes/jay-login-register-ajax-handler.php#L788
 
Emit Informatics and Communication Technologies Industry and Trade Ltd. Co.--DIGITA Efficiency Management System Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Emit Informatics and Communication Technologies Industry and Trade Ltd. Co. DIGITA Efficiency Management System allows SQL Injection. This issue affects DIGITA Efficiency Management System: through 03022026.  NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-03 9.8 CVE-2025-5319 https://www.usom.gov.tr/bildirim/tr-26-0016
 
Martcode Software Inc.--Delta Course Automation Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Martcode Software Inc. Delta Course Automation allows SQL Injection. This issue affects Delta Course Automation: through 04022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-04 9.8 CVE-2025-5329 https://www.usom.gov.tr/bildirim/tr-26-0018
 
Unstructured-IO--unstructured The unstructured library provides open-source components for ingesting and pre-processing images and text documents, such as PDFs, HTML, Word docs, and many more. Prior to version 0.18.18, a path traversal vulnerability in the partition_msg function allows an attacker to write or overwrite arbitrary files on the filesystem when processing malicious MSG files with attachments. This issue has been patched in version 0.18.18. 2026-02-04 9.8 CVE-2025-64712 https://github.com/Unstructured-IO/unstructured/security/advisories/GHSA-gm8q-m8mv-jj5m
https://github.com/Unstructured-IO/unstructured/commit/b01d35b2373fd087d2e15162b9c021663c97155d
 
wildfirechat--im-server Wildfire IM is an instant messaging and real-time audio/video solution. Prior to 1.4.3, a critical vulnerability exists in the im-server component related to the file upload functionality found in com.xiaoleilu.loServer.action.UploadFileAction. The application exposes an endpoint (/fs) that handles multipart file uploads but fails to properly sanitize the filename provided by the user. Specifically, the writeFileUploadData method directly concatenates the configured storage directory with the filename extracted from the upload request without stripping directory traversal sequences (e.g., ../../). This vulnerability allows an attacker to write arbitrary files to any location on the server's filesystem where the application process has write permissions. By uploading malicious files (such as scripts, executables, or overwriting configuration files like authorized_keys or cron jobs), an attacker can achieve Remote Code Execution (RCE) and completely compromise the server. This vulnerability is fixed in 1.4.3. 2026-02-02 9.8 CVE-2025-66480 https://github.com/wildfirechat/im-server/security/advisories/GHSA-74hq-jhx2-fq6c
https://github.com/wildfirechat/im-server/commit/2f9c4e028c01c64913cab32e7248bcca183a5230
https://github.com/wildfirechat/im-server/releases/tag/1.4.3
 
revmakx--WP Duplicate WordPress Migration Plugin The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the `process_add_site()` AJAX action combined with path traversal in the file upload functionality. This makes it possible for authenticated (subscriber-level) attackers to set the internal `prod_key_random_id` option, which can then be used by an unauthenticated attacker to bypass authentication checks and write arbitrary files to the server via the `handle_upload_single_big_file()` function, ultimately leading to remote code execution. 2026-02-06 9.8 CVE-2026-1499 https://www.wordfence.com/threat-intel/vulnerabilities/id/11bb7190-023b-45e1-99a5-7313c489ef45?source=cve
https://cwe.mitre.org/data/definitions/862.html
https://plugins.trac.wordpress.org/browser/local-sync/trunk/admin/class-local-sync-admin.php#L422
https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/admin/class-local-sync-admin.php#L422
https://plugins.trac.wordpress.org/browser/local-sync/trunk/includes/class-local-sync-handle-server-requests.php#L389
https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/includes/class-local-sync-handle-server-requests.php#L389
https://plugins.trac.wordpress.org/browser/local-sync/trunk/admin/class-local-sync-files-op.php#L843
https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/admin/class-local-sync-files-op.php#L843
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3452904%40local-sync&old=3400317%40local-sync&sfp_email=&sfph_mail=
 
Rapid7--Vulnerability Management Rapid7 InsightVM versions before 8.34.0 contain a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint that could allow an attacker to gain unauthorized access to InsightVM accounts setup via "Security Console" installations, resulting in full account takeover. The issue occurs due to the application processing these unsigned assertions and issuing session cookies that granted access to the targeted user accounts. This has been fixed in version 8.34.0 of InsightVM. 2026-02-03 9.6 CVE-2026-1568 https://docs.rapid7.com/insight/command-platform-release-notes/
 
RISS SRL--MOMA Seismic Station MOMA Seismic Station Version v2.4.2520 and prior exposes its web management interface without requiring authentication, which could allow an unauthenticated attacker to modify configuration settings, acquire device data or remotely reset the device. 2026-02-03 9.1 CVE-2026-1632 https://www.cisa.gov/news-events/ics-advisories/icsa-26-034-03
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-034-03.json
 
Red Hat--Red Hat Enterprise Linux 10 A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, by connecting without presenting a client certificate. 2026-02-06 9.4 CVE-2026-1709 RHSA-2026:2224
RHSA-2026:2225
RHSA-2026:2298
https://access.redhat.com/security/cve/CVE-2026-1709
RHBZ#2435514
 
IP-COM--W30AP A vulnerability was detected in IP-COM W30AP up to 1.0.0.11(1340). Affected by this issue is the function R7WebsSecurityHandler of the file /goform/wx3auth of the component POST Request Handler. The manipulation of the argument data results in stack-based buffer overflow. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-06 9.8 CVE-2026-2017 VDB-344599 | IP-COM W30AP POST Request wx3auth R7WebsSecurityHandler stack-based overflow
VDB-344599 | CTI Indicators (IOB, IOC, IOA)
Submit #744062 | IP-COM W30APv4.0 <= v1.0.0.11(1340) Stack-based Buffer Overflow
Submit #744063 | IP-COM W30APv4.0 <= v1.0.0.11(1340) Stack-based Buffer Overflow (Duplicate)
https://gitee.com/GXB0_0/iot-vul/blob/master/IP-COM/W30AP/wx3auth-sprintf.md
https://gitee.com/GXB0_0/iot-vul/blob/master/IP-COM/W30AP/wx3auth-sprintf.md#poc
 
Fortinet--FortiClientEMS An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. 2026-02-06 9.1 CVE-2026-21643 https://fortiguard.fortinet.com/psirt/FG-IR-25-1142
 
vllm-project--vllm vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1. 2026-02-02 9.8 CVE-2026-22778 https://github.com/vllm-project/vllm/security/advisories/GHSA-4r2x-xpjr-7cvv
https://github.com/vllm-project/vllm/pull/31987
https://github.com/vllm-project/vllm/pull/32319
https://github.com/vllm-project/vllm/releases/tag/v0.14.1
 
Microsoft--Azure Front Door Azure Front Door Elevation of Privilege Vulnerability 2026-02-05 9.8 CVE-2026-24300 Azure Front Door Elevation of Privilege Vulnerability
 
NixOS--nixpkgs The NixOs Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoos file store. Unauthorized access is evident from http requests. If kept, searching access logs and/or Odoos log for requests to /web/database can give indicators, if this has been actively exploited. The database manager is a featured intended for development and not meant to be publicly reachable. On other setups, a master password acts as 2nd line of defence. However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and thus unable to persist the auto-generated password. This also applies when manually setting a master password in the web-UI. This means, the password is lost when restarting Odoo. When no password is set, the user is prompted to set one directly via the database manager. This requires no authentication or action by any authorized user or the system administrator. Thus, the database is effectively world readable by anyone able to reach Odoo. This vulnerability is fixed in 25.11 and 26.05. 2026-02-02 9.1 CVE-2026-25137 https://github.com/NixOS/nixpkgs/security/advisories/GHSA-cwmq-6wv5-f3px
https://github.com/NixOS/nixpkgs/pull/485310
https://github.com/NixOS/nixpkgs/pull/485454
 
QwikDev--qwik Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names like __proto__, constructor, and prototype. This allows unauthenticated attackers to pollute Object.prototype by sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service. This issue has been patched in version 1.19.0. 2026-02-03 9.3 CVE-2026-25150 https://github.com/QwikDev/qwik/security/advisories/GHSA-xqg6-98cw-gxhq
https://github.com/QwikDev/qwik/commit/5f65bae2bc33e6ca0c21e4cfcf9eae05077716f7
 
AlistGo--alist Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application disables TLS certificate verification by default for all outgoing storage driver communications, making the system vulnerable to Man-in-the-Middle (MitM) attacks. This enables the complete decryption, theft, and manipulation of all data transmitted during storage operations, severely compromising the confidentiality and integrity of user data. This issue has been patched in version 3.57.0. 2026-02-04 9.1 CVE-2026-25160 https://github.com/AlistGo/alist/security/advisories/GHSA-8jmm-3xwx-w974
https://github.com/AlistGo/alist/commit/69629ca76a8f2c8c973ede3b616f93aa26ff23fb
 
Samsung Electronics--MagicINFO 9 Server A vulnerability in MagicInfo9 Server allows authorized users to upload HTML files without authentication, leading to Stored XSS, which can result in account takeover This issue affects MagicINFO 9 Server: less than 21.1090.1. 2026-02-02 9.8 CVE-2026-25200 https://security.samsungtv.com/securityUpdates
 
Samsung Electronics--MagicINFO 9 Server The database account and password are hardcoded, allowing login with the account to manipulate the database in MagicInfo9 Server. This issue affects MagicINFO 9 Server: less than 21.1090.1. 2026-02-02 9.8 CVE-2026-25202 https://security.samsungtv.com/securityUpdates
 
maziggy--bambuddy Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7. 2026-02-04 9.8 CVE-2026-25505 https://github.com/maziggy/bambuddy/security/advisories/GHSA-gc24-px2r-5qmf
https://github.com/maziggy/bambuddy/pull/225
https://github.com/maziggy/bambuddy/commit/a82f9278d2d587b7042a0858aab79fd8b6e3add9
https://github.com/maziggy/bambuddy/commit/c31f2968889c855f1ffacb700c2c9970deb2a6fb
https://github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py#L28
https://github.com/maziggy/bambuddy/blob/main/CHANGELOG.md
https://github.com/maziggy/bambuddy/releases/tag/v0.1.7
 
HubSpot--jinjava JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3. 2026-02-04 9.8 CVE-2026-25526 https://github.com/HubSpot/jinjava/security/advisories/GHSA-gjx9-j8f8-7j74
https://github.com/HubSpot/jinjava/commit/3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998
https://github.com/HubSpot/jinjava/commit/c7328dce6030ac718f88974196035edafef24441
https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.7.6
https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.3
 
siyuan-note--siyuan SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files. This issue has been patched in version 3.5.5. 2026-02-04 9.1 CVE-2026-25539 https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c4jr-5q7w-f6r9
https://github.com/siyuan-note/siyuan/commit/d7f790755edf8c78d2b4176171e5a0cdcd720feb
 
payloadcms--payload Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking. This vulnerability is fixed in 3.73.0. 2026-02-06 9.8 CVE-2026-25544 https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8
 
blakeblackshear--frigate Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator or users who have exposed their Frigate install to the open internet with no authentication which allows anyone full administrative control. This vulnerability is fixed in 0.16.4. 2026-02-06 9.1 CVE-2026-25643 https://github.com/blakeblackshear/frigate/security/advisories/GHSA-4c97-5jmr-8f6x
https://github.com/blakeblackshear/frigate/releases/tag/v0.16.4
 
denpiligrim--3dp-manager 3DP-MANAGER is an inbound generator for 3x-ui. In version 2.0.1 and prior, the application automatically creates an administrative account with known default credentials (admin/admin) upon the first initialization. Attackers with network access to the application's login interface can gain full administrative control, managing VPN tunnels and system settings. This issue will be patched in version 2.0.2. 2026-02-06 9.8 CVE-2026-25803 https://github.com/denpiligrim/3dp-manager/security/advisories/GHSA-5x57-h7cw-9jmw
https://github.com/denpiligrim/3dp-manager/commit/f568de41de97dd1b70a963708a1ee18e52b9d248
 
OXID-eSales--OXID eShop OXID eShop versions 6.x prior to 6.3.4 contains a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execute arbitrary code through crafted URLs. 2026-02-03 8.2 CVE-2019-25260 ExploitDB-48527
Official OXID eShop Vendor Homepage
OXID eShop Community Edition GitHub Repository
Archived Researcher Disclosure
Archived RIPSTech Security Blog
OXID eShop Bug Tracking Entry
VulnCheck Advisory: OXID eShop 6.3.4 - 'sorting' SQL Injection
 
VictorAlagwu--CMSsite Victor CMS 1.0 contains an authenticated file upload vulnerability that allows administrators to upload PHP files with arbitrary content through the user_image parameter. Attackers can upload a malicious PHP shell to the /img/ directory and execute system commands by accessing the uploaded file with a 'cmd' parameter. 2026-02-03 8.8 CVE-2020-37073 ExploitDB-48490
Victor CMS Project Repository
VulnCheck Advisory: Victor CMS 1.0 - Authenticated Arbitrary File Upload
 
VictorAlagwu--CMSsite Victor CMS version 1.0 contains a SQL injection vulnerability in the 'post' parameter on post.php that allows remote attackers to manipulate database queries. Attackers can exploit this vulnerability by sending crafted UNION SELECT payloads to extract database information through boolean-based, error-based, and time-based injection techniques. 2026-02-03 8.2 CVE-2020-37076 ExploitDB-48451
Victor CMS GitHub Repository
VulnCheck Advisory: Victor CMS 1.0 - 'post' SQL Injection
 
i-doit GmbH--i-doit Open Source CMDB i-doit Open Source CMDB 1.14.1 contains a file deletion vulnerability in the import module that allows authenticated attackers to delete arbitrary files by manipulating the delete_import parameter. Attackers can send a POST request to the import module with a crafted filename to remove files from the server's filesystem. 2026-02-03 8.8 CVE-2020-37078 ExploitDB-48427
Official Vendor Homepage
i-doit SourceForge Project
VulnCheck Advisory: i-doit Open Source CMDB 1.14.1 - Arbitrary File Deletion
 
chatelao--PHP Address Book PHP AddressBook 9.0.0.1 contains a time-based blind SQL injection vulnerability that allows remote attackers to manipulate database queries through the 'id' parameter. Attackers can inject crafted SQL statements with time delays to extract information by observing response times in the photo.php endpoint. 2026-02-03 8.2 CVE-2020-37083 ExploitDB-48416
SourceForge Product Page
VulnCheck Advisory: addressbook 9.0.0.1 - 'id' SQL Injection
 
Arox--School ERP Pro School ERP Pro 1.0 contains a SQL injection vulnerability in the 'es_messagesid' parameter that allows attackers to manipulate database queries through GET requests. Attackers can exploit the vulnerable parameter by injecting crafted SQL statements to potentially extract, modify, or delete database information. 2026-02-03 8.2 CVE-2020-37089 ExploitDB-48390
Archived Vendor Homepage
Archived SourceForge Product Page
VulnCheck Advisory: School ERP Pro 1.0 - 'es_messagesid' SQL Injection
 
Davidvg--60CycleCMS 60CycleCMS 2.5.2 contains an SQL injection vulnerability in news.php and common/lib.php that allows attackers to manipulate database queries through unvalidated user input. Attackers can exploit vulnerable query parameters like 'title' to inject malicious SQL code and potentially extract or modify database contents. This issue does not involve cross-site scripting. 2026-02-03 8.2 CVE-2020-37110 ExploitDB-48177
Software Download Link
VulnCheck Advisory: 60CycleCMS 2.5.2 - 'news.php' SQL Injection Vulnerability
 
Openeclass--GUnet OpenEclass GUnet OpenEclass 1.7.3 allows authenticated users to bypass file extension restrictions when uploading files. By renaming a PHP file to .php3 or .PhP, an attacker can upload a web shell and execute arbitrary code on the server. This vulnerability enables remote code execution by bypassing the intended file type checks in the exercise submission feature. 2026-02-03 8.8 CVE-2020-37113 ExploitDB-48163
Official Vendor Homepage
Changelog
VulnCheck Advisory: GUnet OpenEclass 1.7.3 E-learning platform - File Upload Extension Bypass
 
Openeclass--GUnet OpenEclass GUnet OpenEclass 1.7.3 includes phpMyAdmin 2.10.0.2 by default, which allows remote logins. Attackers with access to the platform can remotely access phpMyAdmin and, after uploading a shell, view the config.php file to obtain the MySQL password, leading to full database compromise. 2026-02-03 8.8 CVE-2020-37116 ExploitDB-48163
Official Vendor Homepage
Changelog
VulnCheck Advisory: GUnet OpenEclass 1.7.3 E-learning platform - phpMyAdmin Remote Access
 
jizhiCMS--jizhiCMS jizhiCMS 1.6.7 contains a file download vulnerability in the admin plugins update endpoint that allows authenticated administrators to download arbitrary files. Attackers can exploit the vulnerability by sending crafted POST requests with malicious filepath and download_url parameters to trigger unauthorized file downloads. 2026-02-05 8.8 CVE-2020-37117 ExploitDB-48361
Official Vendor Homepage
VulnCheck Advisory: jizhiCMS 1.6.7 - Arbitrary File Download
 
Odin-Secure-Ftp-Expert--Odin Secure FTP Expert Odin Secure FTP Expert 7.6.3 contains a local denial of service vulnerability that allows attackers to crash the application by manipulating site information fields. Attackers can generate a buffer overflow by pasting 108 bytes of repeated characters into connection fields, causing the application to crash. 2026-02-05 8.4 CVE-2020-37139 ExploitDB-48262
Archived Software Download
VulnCheck Advisory: Odin Secure FTP Expert 7.6.3 - 'Site Info' Denial of Service
 
AMSS++--AMSS++ AMSS++ version 4.31 contains a SQL injection vulnerability in the mail module's maildetail.php script through the 'id' parameter. Attackers can manipulate the 'id' parameter in /modules/mail/main/maildetail.php to inject malicious SQL queries and potentially access or modify database contents. 2026-02-06 8.2 CVE-2020-37141 ExploitDB-48109
VulnCheck Advisory: AMSS++ v 4.31 - 'id' SQL Injection
 
10-Strike Software--Network Inventory Explorer 10-Strike Network Inventory Explorer 8.54 contains a structured exception handler buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting SEH records. Attackers can craft a malicious payload targeting the 'Computer' parameter during the 'Add' function to trigger remote code execution. 2026-02-05 8.4 CVE-2020-37142 ExploitDB-48253
10-Strike Software Homepage
Archived Researcher Blog
VulnCheck Advisory: 10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)
 
EDIMAX Technology--EW-7438RPn Mini Edimax EW-7438RPn-v3 Mini 1.27 is vulnerable to cross-site request forgery (CSRF) that can lead to command execution. An attacker can trick an authenticated user into submitting a crafted form to the /goform/mp endpoint, resulting in arbitrary command execution on the device with the user's privileges. 2026-02-05 8.1 CVE-2020-37149 ExploitDB-48318
Edimax EW-7438RPn Mini Product Page
VulnCheck Advisory: Edimax Technology EW-7438RPn-v3 Mini 1.27 - Cross-Site Request Forgery (CSRF) to Command Execution
 
Ciprianmp--phpMyChat Plus phpMyChat Plus 1.98 contains a SQL injection vulnerability in the deluser.php page through the pmc_username parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, and time-based blind SQL injection techniques to extract sensitive database information by crafting malicious payloads in the username field. 2026-02-05 8.2 CVE-2020-37151 ExploitDB-48066
Vendor Homepage
VulnCheck Advisory: phpMyChat Plus 1.98 'deluser.php' SQL Injection
 
QuickDate--QuickDate QuickDate 1.3.2 contains a SQL injection vulnerability that allows remote attackers to manipulate database queries through the '_located' parameter in the find_matches endpoint. Attackers can inject UNION-based SQL statements to extract database information including user credentials, database name, and system version. 2026-02-06 8.2 CVE-2020-37163 ExploitDB-48022
Archived QuickDate Script Webpage
VulnCheck Advisory: QuickDate 1.3.2 - SQL Injection
 
Innomic--VibroLine VLX1 HD 5.0 An unauthenticated remote attacker is able to use an existing session id of a logged in user and gain full access to the device if configuration via ethernet is enabled. 2026-02-02 8.8 CVE-2022-50975 https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html
https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json
 
Mitsubishi Electric Corporation--FREQSHIP-mini for Windows Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation FREQSHIP-mini for Windows versions 8.0.0 to 8.0.2 allows a local attacker to execute arbitrary code with system privileges by replacing service executable files (EXE) or DLLs in the installation directory with specially crafted files. As a result, the attacker may be able to disclose, tamper with, delete, or destroy information stored on the PC where the affected product is installed, or cause a Denial of Service (DoS) condition on the affected system. 2026-02-05 8.8 CVE-2025-10314 https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-019_en.pdf
https://jvn.jp/jp/JVN64883963/
https://www.cisa.gov/news-events/ics-advisories/icsa-26-034-01
 
roxnor--Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to generic SQL Injection via the multiple REST API endpoints in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Vulnerability was patched in version 2.2.1 for unauthenticated users, and fully patched in version 2.2.3 for Administrator+ level users. 2026-02-04 8.2 CVE-2025-13192 https://www.wordfence.com/threat-intel/vulnerabilities/id/9db1dfde-0cba-41b2-ab7a-a1640e5fd96b?source=cve
https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Popup.php#L50
https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Popup.php#L133
https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Helpers/DataBase.php#L382
https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Helpers/DataBase.php#L413
https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Subscribers.php#L99
https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Subscribers.php#L133
 
IBM--Aspera Console IBM Aspera Console 3.4.0 through 3.4.8 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. 2026-02-05 8.6 CVE-2025-13379 https://www.ibm.com/support/pages/node/7259448
 
jayarsiech--JAY Login & Register The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the 'jay_panel_ajax_update_profile' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator. 2026-02-08 8.8 CVE-2025-15100 https://www.wordfence.com/threat-intel/vulnerabilities/id/fb900810-23a2-4920-a5e8-4388c4474de0?source=cve
https://plugins.trac.wordpress.org/browser/jay-login-register/tags/2.6.01/includes/user-panel/jay-login-register-ajax-handler-user-panel.php#L624
 
Tanium--Deploy Tanium addressed an improper input validation vulnerability in Deploy. 2026-02-05 8.8 CVE-2025-15330 TAN-2025-012
 
themeboy--SportsPress Sports Club & League Manager The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via shortcodes 'template_name' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. 2026-02-04 8.8 CVE-2025-15368 https://www.wordfence.com/threat-intel/vulnerabilities/id/27e40af7-5697-4482-a96d-9216886c363b?source=cve
https://plugins.trac.wordpress.org/browser/sportspress/tags/2.7.26/includes/class-sp-shortcodes.php#L32
https://plugins.trac.wordpress.org/browser/sportspress/tags/2.7.26/includes/class-sp-shortcodes.php#L182
https://plugins.trac.wordpress.org/browser/sportspress/tags/2.7.26/includes/sp-core-functions.php#L68
 
Kubernetes--ingress-nginx A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) 2026-02-06 8.8 CVE-2025-15566 https://github.com/kubernetes/kubernetes/issues/136789
 
Ankara Hosting Website Design--Website Software Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ankara Hosting Website Design Website Software allows Reflected XSS. This issue affects Website Software: through 03022026.  NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-03 8.6 CVE-2025-6397 https://www.usom.gov.tr/bildirim/tr-26-0014
 
n/a--n/a An arbitrary file upload vulnerability in the AddFont() function of FPDF v1.86 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file. 2026-02-03 8.8 CVE-2025-65875 http://www.fpdf.org
https://github.com/Setasign/FPDF
https://advisories.gitlab.com/pkg/composer/tecnickcom/tc-lib-pdf-font/CVE-2024-56520/
 
N/A--Moodle[.]org A flaw was found in Moodle. This authentication bypass vulnerability allows suspended users to authenticate through the Learning Tools Interoperability (LTI) Provider. The issue arises from the LTI authentication handlers failing to enforce the user's suspension status, enabling unauthorized access to the system. This can lead to information disclosure or other unauthorized actions by users who should be restricted. 2026-02-03 8.1 CVE-2025-67848 https://access.redhat.com/security/cve/CVE-2025-67848
RHBZ#2423831
https://moodle.org/mod/forum/discuss.php?d=471298
 
AKCE Software Technology R&D Industry and Trade Inc.--SKSPro Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows SQL Injection. This issue affects SKSPro: through 07012026. 2026-02-02 8.6 CVE-2025-8587 https://www.usom.gov.tr/bildirim/tr-26-0011
 
themeum--Tutor LMS eLearning and online course solution The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests. 2026-02-03 8.1 CVE-2026-1375 https://www.wordfence.com/threat-intel/vulnerabilities/id/4e95b32b-c050-41eb-8fce-461257420eb6?source=cve
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L289
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L437
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L463
https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/classes/Course_List.php?contextall=1&old=3339576&old_path=%2Ftutor%2Ftrunk%2Fclasses%2FCourse_List.php
 
Red Hat--Red Hat Satellite 6 A flaw was found in fog-kubevirt. This vulnerability allows a remote attacker to perform a Man-in-the-Middle (MITM) attack due to disabled certificate validation. This enables the attacker to intercept and potentially alter sensitive communications between Satellite and OpenShift, resulting in information disclosure and data integrity compromise. 2026-02-02 8.1 CVE-2026-1530 https://access.redhat.com/security/cve/CVE-2026-1530
RHBZ#2433784
 
Red Hat--Red Hat Satellite 6 A flaw was found in foreman_kubevirt. When configuring the connection to OpenShift, the system disables SSL verification if a Certificate Authority (CA) certificate is not explicitly set. This insecure default allows a remote attacker, capable of intercepting network traffic between Satellite and OpenShift, to perform a Man-in-the-Middle (MITM) attack. Such an attack could lead to the disclosure or alteration of sensitive information. 2026-02-02 8.1 CVE-2026-1531 https://access.redhat.com/security/cve/CVE-2026-1531
RHBZ#2433786
 
Kubernetes--ingress-nginx A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) 2026-02-03 8.8 CVE-2026-1580 https://github.com/kubernetes/kubernetes/issues/136677
 
skirridsystems--OS DataHub Maps The OS DataHub Maps plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'OS_DataHub_Maps_Admin::add_file_and_ext' function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. 2026-02-03 8.8 CVE-2026-1730 https://www.wordfence.com/threat-intel/vulnerabilities/id/c32ba2a0-a9a7-4f17-8169-912cecc40b7b?source=cve
https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/include/osmap-admin.php?rev=3449192#L67
https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/include/osmap-admin.php?rev=3449192#L51
https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/os-datahub-maps.php?rev=3449192#L87
https://plugins.trac.wordpress.org/changeset/3452323/os-datahub-maps
 
seezee--WP FOFT Loader The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WP_FOFT_Loader_Mimes::file_and_ext' function in all versions up to, and including, 2.1.39. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. 2026-02-04 8.8 CVE-2026-1756 https://www.wordfence.com/threat-intel/vulnerabilities/id/cede8ff5-f739-4eb3-9672-5adb5d2ae0a9?source=cve
https://plugins.trac.wordpress.org/browser/wp-foft-loader/trunk/includes/class-wp-foft-loader-mimes.php?rev=3449144#L45
https://plugins.trac.wordpress.org/browser/wp-foft-loader/trunk/includes/class-wp-foft-loader-mimes.php?rev=3449144#L31
https://plugins.trac.wordpress.org/changeset/3453101/wp-foft-loader/trunk/includes/class-wp-foft-loader-mimes.php
 
Red Hat--Red Hat Enterprise Linux 10 A flaw was found in libsoup. This stack-based buffer overflow vulnerability occurs during the parsing of multipart HTTP responses due to an incorrect length calculation. A remote attacker can exploit this by sending a specially crafted multipart HTTP response, which can lead to memory corruption. This issue may result in application crashes or arbitrary code execution in applications that process untrusted server responses, and it does not require authentication or user interaction. 2026-02-02 8.6 CVE-2026-1761 RHSA-2026:1948
RHSA-2026:2005
RHSA-2026:2006
RHSA-2026:2007
RHSA-2026:2008
RHSA-2026:2049
RHSA-2026:2182
RHSA-2026:2214
RHSA-2026:2215
RHSA-2026:2216
https://access.redhat.com/security/cve/CVE-2026-1761
RHBZ#2435961
 
Ziroom--ZHOME A0101 A weakness has been identified in Ziroom ZHOME A0101 1.0.1.0. Impacted is an unknown function of the component Dropbear SSH Service. This manipulation causes use of default credentials. Remote exploitation of the attack is possible. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-03 8.1 CVE-2026-1803 VDB-343976 | Ziroom ZHOME A0101 Dropbear SSH Service default credentials
VDB-343976 | CTI Indicators (IOB, IOC)
Submit #745497 | Ziroom Smart Ziroom Smart Gateway (ZH-A0101) ZH-A0101 1.0.1.0 Backdoor
Submit #745529 | Ziroom Smart Smart Gateway ZH-A0101 ZH-A0101 1.0.1.0 Credentials Management (Duplicate)
https://github.com/Blackhole23-Lab/-/blob/main/vulns/ssh-backdoor.md
https://github.com/Blackhole23-Lab/-/blob/main/vulns/ssh-backdoor.md#proof-of-concept
 
Karel Electronics Industry and Trade Inc.--ViPort Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Karel Electronics Industry and Trade Inc. ViPort allows Stored XSS. This issue affects ViPort: through 23012026. 2026-02-04 8.8 CVE-2026-1819 https://www.usom.gov.tr/bildirim/tr-26-0017
 
Cisco--Cisco Meeting Management A vulnerability in the Certificate Management feature of Cisco Meeting Management could allow an authenticated, remote attacker to upload arbitrary files, execute arbitrary commands, and elevate privileges to root on an affected system. This vulnerability is due to improper input validation in certain sections of the web-based management interface. An attacker could exploit this vulnerability&nbsp;by sending a crafted HTTP request to an affected system. A successful exploit could allow the attacker to upload arbitrary files to the affected system. The malicious files could overwrite system files that are processed by the&nbsp;root system account and allow arbitrary command execution with&nbsp;root privileges. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of video operator. 2026-02-04 8.8 CVE-2026-20098 cisco-sa-cmm-file-up-kY47n8kK
 
UTT-- 520W A weakness has been identified in UTT 进取 520W 1.7.7-180627. This affects the function strcpy of the file /goform/formIpGroupConfig. Executing a manipulation of the argument groupName can lead to buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-06 8.8 CVE-2026-2066 VDB-344633 | UTT 进取 520W formIpGroupConfig strcpy buffer overflow
VDB-344633 | CTI Indicators (IOB, IOC, IOA)
Submit #745260 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow
https://github.com/cymiao1978/cve/blob/main/new/36.md
https://github.com/cymiao1978/cve/blob/main/new/36.md#poc
 
UTT-- 520W A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. This vulnerability affects the function strcpy of the file /goform/formTimeGroupConfig. The manipulation of the argument year1 leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-06 8.8 CVE-2026-2067 VDB-344634 | UTT 进取 520W formTimeGroupConfig strcpy buffer overflow
VDB-344634 | CTI Indicators (IOB, IOC, IOA)
Submit #745261 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow
https://github.com/cymiao1978/cve/blob/main/new/37.md
https://github.com/cymiao1978/cve/blob/main/new/37.md#poc
 
UTT-- 520W A vulnerability was detected in UTT 进取 520W 1.7.7-180627. This issue affects the function strcpy of the file /goform/formSyslogConf. The manipulation of the argument ServerIp results in buffer overflow. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-06 8.8 CVE-2026-2068 VDB-344635 | UTT 进取 520W formSyslogConf strcpy buffer overflow
VDB-344635 | CTI Indicators (IOB, IOC, IOA)
Submit #745262 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow
https://github.com/cymiao1978/cve/blob/main/new/38.md
https://github.com/cymiao1978/cve/blob/main/new/38.md#poc
 
UTT-- 520W A vulnerability has been found in UTT 进取 520W 1.7.7-180627. The affected element is the function strcpy of the file /goform/formPolicyRouteConf. Such manipulation of the argument GroupName leads to buffer overflow. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-06 8.8 CVE-2026-2070 VDB-344637 | UTT 进取 520W formPolicyRouteConf strcpy buffer overflow
VDB-344637 | CTI Indicators (IOB, IOC, IOA)
Submit #745264 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow
https://github.com/cymiao1978/cve/blob/main/new/39.md
 
UTT-- 520W A vulnerability was found in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formP2PLimitConfig. Performing a manipulation of the argument except results in buffer overflow. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-07 8.8 CVE-2026-2071 VDB-344638 | UTT 进取 520W formP2PLimitConfig strcpy buffer overflow
VDB-344638 | CTI Indicators (IOB, IOC, IOA)
Submit #745265 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow
https://github.com/cymiao1978/cve/blob/main/new/40.md
 
UTT--HiPER 810G A vulnerability was detected in UTT HiPER 810G up to 1.7.7-171114. Affected by this vulnerability is the function strcpy of the file /goform/formFireWall of the component Management Interface. The manipulation of the argument GroupName results in buffer overflow. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-07 8.8 CVE-2026-2086 VDB-344653 | UTT HiPER 810G Management formFireWall strcpy buffer overflow
VDB-344653 | CTI Indicators (IOB, IOC, IOA)
Submit #746502 | UTT (AiTai) HiPER 810G <= v3v1.7.7-171114 Buffer Overflow
https://github.com/alc9700jmo/CVE/issues/22
https://github.com/alc9700jmo/CVE/issues/22#issue-3851242657
 
Tenda--TX3 A vulnerability has been found in Tenda TX3 up to 16.03.13.11_multi. This impacts an unknown function of the file /goform/SetIpMacBind. The manipulation of the argument list leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. 2026-02-08 8.8 CVE-2026-2137 VDB-344772 | Tenda TX3 SetIpMacBind buffer overflow
VDB-344772 | CTI Indicators (IOB, IOC, IOA)
Submit #747239 | Tenda TX3 V16.03.13.11_multi Buffer Overflow
https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx3/fromSetIpMacBind.md
https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx3/fromSetIpMacBind.md#poc
https://www.tenda.com.cn/
 
Tenda--TX9 A vulnerability was found in Tenda TX9 up to 22.03.02.10_multi. Affected is the function sub_42D03C of the file /goform/SetStaticRouteCfg. The manipulation of the argument list results in buffer overflow. The attack can be launched remotely. The exploit has been made public and could be used. 2026-02-08 8.8 CVE-2026-2138 VDB-344773 | Tenda TX9 SetStaticRouteCfg sub_42D03C buffer overflow
VDB-344773 | CTI Indicators (IOB, IOC, IOA)
Submit #747249 | Tenda TX9 V22.03.02.10_multi Buffer Overflow
https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/SetStaticRouteCfg.md
https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/SetStaticRouteCfg.md#poc
https://www.tenda.com.cn/
 
Tenda--TX9 A vulnerability was determined in Tenda TX9 up to 22.03.02.10_multi. Affected by this vulnerability is the function sub_432580 of the file /goform/fast_setting_wifi_set. This manipulation of the argument ssid causes buffer overflow. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. 2026-02-08 8.8 CVE-2026-2139 VDB-344774 | Tenda TX9 fast_setting_wifi_set sub_432580 buffer overflow
VDB-344774 | CTI Indicators (IOB, IOC, IOA)
Submit #747250 | Tenda TX9 V22.03.02.10_multi Buffer Overflow
https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/fast_setting_wifi_set.md
https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/fast_setting_wifi_set.md#poc
https://www.tenda.com.cn/
 
Tenda--TX9 A vulnerability was identified in Tenda TX9 up to 22.03.02.10_multi. Affected by this issue is the function sub_4223E0 of the file /goform/setMacFilterCfg. Such manipulation of the argument deviceList leads to buffer overflow. The attack may be launched remotely. The exploit is publicly available and might be used. 2026-02-08 8.8 CVE-2026-2140 VDB-344775 | Tenda TX9 setMacFilterCfg sub_4223E0 buffer overflow
VDB-344775 | CTI Indicators (IOB, IOC, IOA)
Submit #747251 | Tenda TX9 V22.03.02.10_multi Buffer Overflow
Submit #749747 | Tenda TX9 V22.03.02.18 Stack-based Buffer Overflow (Duplicate)
https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/setMacFilterCfg.md
https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/setMacFilterCfg.md#poc
https://www.tenda.com.cn/
 
Microsoft--Azure Functions Azure Function Information Disclosure Vulnerability 2026-02-05 8.2 CVE-2026-21532 Azure Function Information Disclosure Vulnerability
 
Tenda--RX3 A vulnerability was identified in Tenda RX3 16.03.13.11. Affected is an unknown function of the file /goform/fast_setting_wifi_set. Such manipulation of the argument ssid_5g leads to stack-based buffer overflow. The attack can be launched remotely. The exploit is publicly available and might be used. 2026-02-08 8.8 CVE-2026-2180 VDB-344883 | Tenda RX3 fast_setting_wifi_set stack-based overflow
VDB-344883 | CTI Indicators (IOB, IOC, IOA)
Submit #749703 | Tenda RX3 V16.03.13.11 Stack-based Buffer Overflow
https://github.com/LX-66-LX/cve-new/issues/4
https://www.tenda.com.cn/
 
Tenda--RX3 A security flaw has been discovered in Tenda RX3 16.03.13.11. Affected by this vulnerability is an unknown functionality of the file /goform/openSchedWifi. Performing a manipulation of the argument schedStartTime/schedEndTime results in stack-based buffer overflow. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. 2026-02-08 8.8 CVE-2026-2181 VDB-344884 | Tenda RX3 openSchedWifi stack-based overflow
VDB-344884 | CTI Indicators (IOB, IOC, IOA)
Submit #749710 | Tenda RX3 V16.03.13.11 Stack-based Buffer Overflow
https://github.com/LX-66-LX/cve-new/issues/5
https://www.tenda.com.cn/
 
Tenda--RX3 A flaw has been found in Tenda RX3 16.03.13.11. This issue affects the function set_device_name of the file /goform/setBlackRule of the component MAC Filtering Configuration Endpoint. This manipulation of the argument devName/mac causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. 2026-02-08 8.8 CVE-2026-2185 VDB-344888 | Tenda RX3 MAC Filtering Configuration Endpoint setBlackRule set_device_name stack-based overflow
VDB-344888 | CTI Indicators (IOB, IOC, IOA)
Submit #749715 | Tenda RX3 V16.03.13.11 Stack-based Buffer Overflow
https://github.com/LX-66-LX/cve-new/issues/6
https://www.tenda.com.cn/
 
Tenda--RX3 A vulnerability has been found in Tenda RX3 16.03.13.11. Impacted is the function fromSetIpMacBind of the file /goform/SetIpMacBind. Such manipulation of the argument list leads to stack-based buffer overflow. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. 2026-02-08 8.8 CVE-2026-2186 VDB-344889 | Tenda RX3 SetIpMacBind fromSetIpMacBind stack-based overflow
VDB-344889 | CTI Indicators (IOB, IOC, IOA)
Submit #749718 | Tenda RX3 V16.03.13.11 Stack-based Buffer Overflow
https://github.com/LX-66-LX/cve-new/issues/7
https://www.tenda.com.cn/
 
Tenda--RX3 A vulnerability was found in Tenda RX3 16.03.13.11. The affected element is the function set_qosMib_list of the file /goform/formSetQosBand. Performing a manipulation of the argument list results in stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made public and could be used. 2026-02-08 8.8 CVE-2026-2187 VDB-344890 | Tenda RX3 formSetQosBand set_qosMib_list stack-based overflow
VDB-344890 | CTI Indicators (IOB, IOC, IOA)
Submit #749721 | Tenda RX3 V16.03.13.11 Stack-based Buffer Overflow
https://github.com/LX-66-LX/cve-new/issues/8
https://www.tenda.com.cn/
 
Significant-Gravitas--AutoGPT AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.46, the AutoGPT platform's Stagehand integration blocks log API keys and authentication secrets in plaintext using logger.info() statements. This occurs in three separate block implementations (StagehandObserveBlock, StagehandActBlock, and StagehandExtractBlock) where the code explicitly calls api_key.get_secret_value() and logs the result. This issue has been patched in autogpt-platform-beta-v0.6.46. 2026-02-04 8.1 CVE-2026-22038 https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-rc89-6g7g-v5v7
https://github.com/Significant-Gravitas/AutoGPT/commit/1eabc604842fa876c09d69af43d2d1e8fb9b8eb9
 
opencloud-eu--reva REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this via the the "archiver" service this can be leveraged to create an archive (zip or tar-file) containing all resources that this creator of the public link has access to. This vulnerability is fixed in 2.42.3 and 2.40.3. 2026-02-06 8.2 CVE-2026-23989 https://github.com/opencloud-eu/reva/security/advisories/GHSA-9j2f-3rj3-wgpg
https://github.com/opencloud-eu/reva/commit/95aa2bc5d980eaf6cc134d75782b4f5ac7b36ae1
 
NeoRazorX--facturascripts FacturaScripts is open-source enterprise resource planning and accounting software. In 2025.71 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of viewing the history by administrators. 2026-02-02 8 CVE-2026-23997 https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-4v7v-7v7r-3r5h
 
Microsoft--Azure ARC Azure Arc Elevation of Privilege Vulnerability 2026-02-05 8.6 CVE-2026-24302 Azure Arc Elevation of Privilege Vulnerability
 
Kubernetes--ingress-nginx A security issue was discovered in ingress-nginx cthe `rules.http.paths.path` Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) 2026-02-03 8.8 CVE-2026-24512 https://github.com/kubernetes/kubernetes/issues/136678
 
gunet--openeclass The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into uploaded assignment files, which is executed when instructors view the submission. This issue has been patched in version 4.2. 2026-02-03 8.7 CVE-2026-24665 https://github.com/gunet/openeclass/security/advisories/GHSA-2qgm-m7fm-m888
 
parallax--jsPDF jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState. The vulnerability has been fixed in jsPDF@4.1.0. 2026-02-02 8.1 CVE-2026-24737 https://github.com/parallax/jsPDF/security/advisories/GHSA-pqxr-3g65-p328
https://github.com/parallax/jsPDF/commit/da291a5f01b96282545c9391996702cdb8879f79
https://github.com/parallax/jsPDF/releases/tag/v4.1.0
 
clawdbot--clawdbot OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw's Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the container context. This vulnerability is fixed in 2026.1.29. 2026-02-02 8.8 CVE-2026-24763 https://github.com/openclaw/openclaw/security/advisories/GHSA-mc68-q9jw-2h3v
https://github.com/openclaw/openclaw/commit/771f23d36b95ec2204cc9a0054045f5d8439ea75
https://github.com/openclaw/openclaw/releases/tag/v2026.1.29
 
chainguard-dev--melange melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries without validating that paths stay within the workspace, allowing path traversal via ../ sequences. This issue has been patched in version 0.40.3. 2026-02-04 8.2 CVE-2026-24843 https://github.com/chainguard-dev/melange/security/advisories/GHSA-qxx2-7h4c-83f4
https://github.com/chainguard-dev/melange/commit/6e243d0d46699f837d7c392397a694d2bcc7612b
 
node-modules--compressing Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can cause subsequent file entries to be written to arbitrary locations on the host file system. Depending on the extractor's handling of existing files, this behavior may allow overwriting sensitive files or creating new files in security-critical locations. This issue has been patched in versions 1.10.4 and 2.0.1. 2026-02-04 8.4 CVE-2026-24884 https://github.com/node-modules/compressing/security/advisories/GHSA-cc8f-xg8v-72m3
https://github.com/node-modules/compressing/commit/8d16c196c7f1888fc1af957d9ff36117247cea6c
https://github.com/node-modules/compressing/commit/ce1c0131c401c071c77d5a1425bf8c88cfc16361
 
Huawei--HarmonyOS Out-of-bounds write vulnerability in the camera module. Impact: Successful exploitation of this vulnerability may affect availability. 2026-02-06 8.4 CVE-2026-24926 https://consumer.huawei.com/en/support/bulletin/2026/2/
https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/
 
Huawei--HarmonyOS UAF concurrency vulnerability in the graphics module. Impact: Successful exploitation of this vulnerability may affect availability. 2026-02-06 8.4 CVE-2026-24930 https://consumer.huawei.com/en/support/bulletin/2026/2/
https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/
 
OpenListTeam--OpenList OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, the application contains path traversal vulnerability in multiple file operation handlers in server/handles/fsmanage.go. Filename components in req.Names are directly concatenated with validated directories using stdpath.Join. This allows ".." sequences to bypass path restrictions, enabling users to access other users' files within the same storage mount and perform unauthorized actions such as deletion, renaming, or copying of files. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal and copying across user boundaries within the same storage mount. This vulnerability is fixed in 4.1.10. 2026-02-02 8.8 CVE-2026-25059 https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-qmj2-8r24-xxcq
https://github.com/OpenListTeam/OpenList/commit/7b78fed106382430c69ef351d43f5d09928fff14
https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10
 
OpenListTeam--OpenList OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, certificate verification is disabled by default for all storage driver communications. The TlsInsecureSkipVerify setting is default to true in the DefaultConfig() function in internal/conf/config.go. This vulnerability enables Man-in-the-Middle (MitM) attacks by disabling TLS certificate verification, allowing attackers to intercept and manipulate all storage communications. Attackers can exploit this through network-level attacks like ARP spoofing, rogue Wi-Fi access points, or compromised internal network equipment to redirect traffic to malicious endpoints. Since certificate validation is skipped, the system will unknowingly establish encrypted connections with attacker-controlled servers, enabling full decryption, data theft, and manipulation of all storage operations without triggering any security warnings. This vulnerability is fixed in 4.1.10. 2026-02-02 8.1 CVE-2026-25060 https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-wf93-3ghh-h389
https://github.com/OpenListTeam/OpenList/commit/e3c664f81d0584fbbdb86ffe6644be16259371c1
https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10
 
AlistGo--alist Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application contains path traversal vulnerability in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal, movement and copying across user boundaries within the same storage mount. This issue has been patched in version 3.57.0. 2026-02-04 8.8 CVE-2026-25161 https://github.com/AlistGo/alist/security/advisories/GHSA-x4q4-7phh-42j9
https://github.com/AlistGo/alist/commit/b188288525b9a35c76535139311e7c036dab057e
 
Samsung Electronics--MagicINFO 9 Server An unauthenticated user can upload arbitrary files to execute remote code, leading to privilege escalation in MagicInfo9 Server. This issue affects MagicINFO 9 Server: less than 21.1090.1. 2026-02-02 8.8 CVE-2026-25201 https://security.samsungtv.com/securityUpdates
 
OpenSlides--OpenSlides OpenSlides is a free, web based presentation and assembly system for managing and projecting agenda, motions and elections of an assembly. Prior to version 4.2.29, OpenSlides supports local logins with username and password or an optionally configurable single sign on with SAML via an external IDP. For users synced to OpenSlides via an external IDP, there is an incorrect access control regarding the local login of these users. Users can successfully login using the local login form and the OpenSlides username of a SAML user and a trivial password. This password is valid for all SAML users. This issue has been patched in version 4.2.29. 2026-02-04 8.1 CVE-2026-25519 https://github.com/OpenSlides/OpenSlides/security/advisories/GHSA-vv4h-8wfc-pf8c
https://github.com/OpenSlides/openslides-auth-service/pull/889
https://github.com/OpenSlides/openslides-auth-service/commit/70c1aa9f5e1db59ec120ecce98d1c1169350a4ee
https://github.com/OpenSlides/OpenSlides/releases/tag/4.2.29
 
pydantic--pydantic-ai Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, aServer-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials. This vulnerability only affects applications that accept message history from external users. This vulnerability is fixed in 1.56.0. 2026-02-06 8.6 CVE-2026-25580 https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3
https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301
 
openclaw--openclaw OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. This vulnerability is fixed in 2026.1.20. 2026-02-06 8.4 CVE-2026-25593 https://github.com/openclaw/openclaw/security/advisories/GHSA-g55j-c2v4-pjcg
 
qdrant--qdrant Qdrant is a vector similarity search engine and vector database. From 1.9.3 to before 1.16.0, it is possible to append to arbitrary files via /logger endpoint using an attacker-controlled on_disk.log_file path. Minimal privileges are required (read-only access). This vulnerability is fixed in 1.16.0. 2026-02-06 8.6 CVE-2026-25628 https://github.com/qdrant/qdrant/security/advisories/GHSA-f632-vm87-2m2f
https://github.com/qdrant/qdrant/commit/32b7fdfb7f542624ecd1f7c8d3e2b13c4e36a2c1
https://github.com/qdrant/qdrant/blob/48203e414e4e7f639a6d394fb6e4df695f808e51/src/actix/api/service_api.rs#L195
 
kovidgoyal--calibre calibre is an e-book manager. Prior to 9.2.0, Calibre's CHM reader contains a path traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows (haven't tested on other OS's), this can lead to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. This vulnerability is fixed in 9.2.0. 2026-02-06 8.6 CVE-2026-25635 https://github.com/kovidgoyal/calibre/security/advisories/GHSA-32vh-whvh-9fxr
https://github.com/kovidgoyal/calibre/commit/9739232fcb029ac15dfe52ccd4fdb4a07ebb6ce9
 
kovidgoyal--calibre calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0. 2026-02-06 8.2 CVE-2026-25636 https://github.com/kovidgoyal/calibre/security/advisories/GHSA-8r26-m7j5-hm29
https://github.com/kovidgoyal/calibre/commit/9484ea82c6ab226c18e6ca5aa000fa16de598726
 
Anydesk--AnyDesk AnyDesk 5.4.0 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially inject malicious executables. Attackers can exploit the unquoted binary path to place malicious files in service executable locations, potentially gaining elevated system privileges. 2026-02-03 7.8 CVE-2019-25261 ExploitDB-47883
Official Vendor Homepage
VulnCheck Advisory: AnyDesk 5.4.0 - Unquoted Service Path
 
Wondershare--Wondershare Application Framework Service Wondershare Application Framework Service 2.4.3.231 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted service path by placing malicious executables in specific directory locations to hijack the service's execution context. 2026-02-06 7.8 CVE-2019-25266 ExploitDB-47617
Vendor Homepage
Software Product Page
VulnCheck Advisory: Wondershare Application Framework Service 2.4.3.231 - 'WsAppService' Unquote Service Path
 
Wftpserver--Wing FTP Server Wing FTP Server 6.0.7 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions. 2026-02-04 7.8 CVE-2019-25267 ExploitDB-47818
Wing FTP Server Official Homepage
VulnCheck Advisory: Wing FTP Server 6.0.7 - Unquoted Service Path
 
Netgate--Amiti Antivirus Amiti Antivirus 25.0.640 contains an unquoted service path vulnerability in its Windows service configurations. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges by placing executable files in specific directory locations. 2026-02-04 7.8 CVE-2019-25269 ExploitDB-47747
Vendor Homepage
VulnCheck Advisory: Amiti Antivirus 25.0.640 - Unquoted Service Path Vulnerability
 
NETGATE--Data Backup NETGATE Data Backup 3.0.620 contains an unquoted service path vulnerability in its NGDatBckpSrv Windows service configuration. Attackers can exploit the unquoted path to inject and execute malicious code with LocalSystem privileges by placing executable files in specific directory locations. 2026-02-04 7.8 CVE-2019-25271 ExploitDB-47746
Vendor Homepage
VulnCheck Advisory: NETGATE Data Backup 3.0.620 - 'NGDatBckpSrv' Unquoted Service Path
 
Tenaxsoft--TexasSoft CyberPlanet TexasSoft CyberPlanet 6.4.131 contains an unquoted service path vulnerability in the CCSrvProxy service that allows local attackers to execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\TenaxSoft\CyberPlanet\SrvProxy.exe' to inject malicious executables and gain elevated system privileges. 2026-02-04 7.8 CVE-2019-25272 ExploitDB-47724
Vendor Homepage
VulnCheck Advisory: TexasSoft CyberPlanet 6.4.131 - 'CCSrvProxy' Unquoted Service Path
 
Easy-Hide-Ip--IP Easy-Hide-IP 5.0.0.3 contains an unquoted service path vulnerability in the EasyRedirect service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe' to inject malicious executables and escalate privileges. 2026-02-04 7.8 CVE-2019-25273 ExploitDB-47712
Vendor Homepage
VulnCheck Advisory: Easy-Hide-IP 5.0.0.3 - 'EasyRedirect' Unquoted Service Path
 
Photodex--ProShow Producer ProShow Producer 9.0.3797 contains an unquoted service path vulnerability in the ScsiAccess service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges during service startup. 2026-02-04 7.8 CVE-2019-25274 ExploitDB-47705
Vendor Homepage
VulnCheck Advisory: ProShow Producer 9.0.3797 - Unquoted Service Path
 
FileHorse--BartVPN BartVPN 1.2.2 contains an unquoted service path vulnerability in the BartVPNService that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific file system locations to hijack the service's execution context. 2026-02-04 7.8 CVE-2019-25275 ExploitDB-47675
Vendor Homepage
VulnCheck Advisory: BartVPN 1.2.2 - 'BartVPNService' Unquoted Service Path
 
Rockwellautomation--Studio Studio 5000 Logix Designer 30.01.00 contains an unquoted service path vulnerability in the FactoryTalk Activation Service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\ to inject malicious code that would execute with LocalSystem permissions. 2026-02-04 7.8 CVE-2019-25276 ExploitDB-47676
Rockwell Automation Homepage
VulnCheck Advisory: Studio 5000 Logix Designer 30.01.00 - 'FactoryTalk Activation Service' Unquoted Service Path
 
ncp-e--NCP_Secure_Entry_Client NCP Secure Entry Client 9.2 contains an unquoted service path vulnerability in multiple Windows services that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted paths in services like ncprwsnt, rwsrsu, ncpclcfg, and NcpSec to inject malicious code that would execute with LocalSystem privileges during service startup. 2026-02-04 7.8 CVE-2019-25281 ExploitDB-47668
NCP Software Vendor Homepage
VulnCheck Advisory: NCP_Secure_Entry_Client 9.2 - Unquoted Service Paths
 
shrew--Shrew Soft VPN Client Shrew Soft VPN Client 2.2.2 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can place malicious executables in the unquoted service path to gain elevated access during service startup or system reboot. 2026-02-04 7.8 CVE-2019-25283 ExploitDB-47660
Vendor Homepage
VulnCheck Advisory: Shrew Soft VPN Client 2.2.2 - 'iked' Unquoted Service Path
 
Alps--device Controller Alps Pointing-device Controller 8.1202.1711.04 contains an unquoted service path vulnerability in the ApHidMonitorService that allows local attackers to execute code with elevated privileges. Attackers can place a malicious executable in the service path and gain system-level access when the service restarts or the system reboots. 2026-02-04 7.8 CVE-2019-25285 ExploitDB-47637
Official Alps Homepage
VulnCheck Advisory: Alps Pointing-device Controller 8.1202.1711.04 - 'ApHidMonitorService' Unquoted Service Path
 
Gcafe--_GCaf GCafé 3.0 contains an unquoted service path vulnerability in the gbClientService that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be run with LocalSystem permissions. 2026-02-04 7.8 CVE-2019-25286 ExploitDB-47604
GCafé Official Vendor Homepage
VulnCheck Advisory: _GCafé 3.0 - 'gbClienService' Unquoted Service Path
 
Webcompanion--Adaware Web Companion version Adaware Web Companion version 4.8.2078.3950 contains an unquoted service path vulnerability in the WCAssistantService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Lavasoft\Web Companion\Application\ to inject malicious code that would execute with LocalSystem privileges during service startup. 2026-02-04 7.8 CVE-2019-25287 ExploitDB-47597
Adaware Web Companion Official Website
VulnCheck Advisory: Adaware Web Companion version 4.8.2078.3950 - 'WCAssistantService' Unquoted Service Path
 
Wacom--Wacom WTabletService Wacom WTabletService 6.6.7-3 contains an unquoted service path vulnerability that allows local attackers to execute malicious code with elevated privileges. Attackers can insert an executable file in the service path to run unauthorized code when the service restarts or the system reboots. 2026-02-04 7.8 CVE-2019-25288 ExploitDB-47593
Wacom Official Homepage
VulnCheck Advisory: Wacom WTabletService 6.6.7-3 - 'WTabletServicePro' Unquoted Service Path
 
Alps--Alps HID Monitor Service Alps HID Monitor Service 8.1.0.10 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files\Apoint2K\HidMonitorSvc.exe to inject malicious executables and gain system-level access. 2026-02-06 7.8 CVE-2019-25292 ExploitDB-47605
Official Product Homepage
VulnCheck Advisory: Alps HID Monitor Service 8.1.0.10 - 'ApHidMonitorService' Unquote Service Path
 
bluestacks--Blue Stacks App Player BlueStacks App Player 2.4.44.62.57 contains an unquoted service path vulnerability in the BstHdLogRotatorSvc service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exe to inject malicious executables and escalate privileges. 2026-02-06 7.8 CVE-2019-25293 ExploitDB-47582
Official Product Homepage
VulnCheck Advisory: Blue Stacks App Player 2.4.44.62.57 - "BstHdLogRotatorSvc" Unquote Service Path
 
lolypop55--html5_snmp html5_snmp 1.11 contains multiple SQL injection vulnerabilities that allow attackers to manipulate database queries through Router_ID and Router_IP parameters. Attackers can exploit error-based, time-based, and union-based injection techniques to potentially extract or modify database information by sending crafted payloads. 2026-02-06 7.1 CVE-2019-25298 ExploitDB-47588
Vendor Homepage
VulnCheck Advisory: html5_snmp 1.11 - 'Router_ID' SQL Injection
 
rimbalinux--AhadPOS RimbaLinux AhadPOS 1.11 contains a SQL injection vulnerability in the 'alamatCustomer' parameter that allows attackers to manipulate database queries through crafted POST requests. Attackers can exploit time-based and boolean-based blind SQL injection techniques to extract information or potentially interact with the underlying database. 2026-02-06 7.1 CVE-2019-25299 ExploitDB-47585
Vendor Homepage
VulnCheck Advisory: rimbalinux AhadPOS 1.11 - 'alamatCustomer' SQL Injection
 
thejshen--Globitek CMS thejshen Globitek CMS 1.4 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'id' GET parameter. Attackers can exploit boolean-based, time-based, and UNION-based SQL injection techniques to potentially extract or modify database information. 2026-02-06 7.1 CVE-2019-25300 ExploitDB-47581
Vendor Homepage
VulnCheck Advisory: thejshen Globitek CMS 1.4 - 'id' SQL Injection
 
Acer--Launch Manager Acer Launch Manager 6.1.7600.16385 contains an unquoted service path vulnerability in the DsiWMIService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Launch Manager\dsiwmis.exe to insert malicious code that would execute with system-level permissions during service startup. 2026-02-06 7.8 CVE-2019-25302 ExploitDB-47577
Acer Official Website
VulnCheck Advisory: Acer Launch Manager 6.1.7600.16385 - 'DsiWMIService' Unquoted Service Path
 
thejshen--contentManagementSystem TheJshen ContentManagementSystem 1.04 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'id' GET parameter. Attackers can exploit boolean-based, time-based, and UNION-based SQL injection techniques to extract or manipulate database information by crafting malicious query payloads. 2026-02-06 7.1 CVE-2019-25303 ExploitDB-47569
Vendor Homepage
VulnCheck Advisory: TheJshen contentManagementSystem 1.04 - 'id' SQL Injection
 
Issivs--Intelligent Security System SecurOS Enterprise SecurOS Enterprise 10.2 contains an unquoted service path vulnerability in the SecurosCtrlService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\ISS\SecurOS\ to insert malicious code that would execute with system-level permissions during service startup. 2026-02-06 7.8 CVE-2019-25304 ExploitDB-47556
Vendor Product Homepage
Company Website
VulnCheck Advisory: Intelligent Security System SecurOS Enterprise 10.2 - 'SecurosCtrlService' Unquoted Service Path
 
Inforprograma--JumpStart JumpStart 0.6.0.0 contains an unquoted service path vulnerability in the jswpbapi service running with LocalSystem privileges. Attackers can exploit the unquoted path containing spaces to inject and execute malicious code with elevated system permissions. 2026-02-06 7.8 CVE-2019-25305 ExploitDB-47549
Official Product Homepage
VulnCheck Advisory: JumpStart 0.6.0.0 - 'jswpbapi' Unquoted Service Path
 
VictorAlagwu--CMSsite Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'comment_author' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript payloads through the comment submission form to execute arbitrary code in victim browsers. 2026-02-03 7.2 CVE-2020-37072 ExploitDB-48484
Victor CMS Project Repository
VulnCheck Advisory: Victor CMS 1.0 - 'comment_author' Persistent Cross-Site Scripting
 
Fishing Reservation System--Fishing Reservation System Fishing Reservation System 7.5 contains multiple remote SQL injection vulnerabilities in admin.php, cart.php, and calendar.php that allow attackers to inject malicious SQL commands. Attackers can exploit vulnerable parameters like uid, pid, type, m, y, and code to compromise the database management system and web application without user interaction. 2026-02-03 7.1 CVE-2020-37081 ExploitDB-48417
Vulnerability-Lab Researcher Disclosure
Fishing Reservation System Homepage
VulnCheck Advisory: Fishing Reservation System 7.5 - 'uid' SQL Injection
 
SunnySideSoft--VirtualTablet Server VirtualTablet Server 3.0.2 contains a denial of service vulnerability that allows attackers to crash the service by sending oversized string payloads through the Thrift protocol. Attackers can exploit the vulnerability by sending a long string to the send_say() method, causing the server to become unresponsive. 2026-02-03 7.5 CVE-2020-37085 ExploitDB-48402
Official Product Homepage
VulnCheck Advisory: VirtualTablet Server 3.0.2 - Denial of Service (PoC)
 
Arox--School ERP Pro School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the 'document' parameter in download.php. Attackers can access sensitive configuration files by supplying directory traversal paths to retrieve system credentials and configuration information. 2026-02-03 7.5 CVE-2020-37088 ExploitDB-48394
Archived Vendor Homepage
Archived SourceForge Product Page
VulnCheck Advisory: School ERP Pro 1.0 - Arbitrary File Read
 
Netis Systems Co., Ltd.--Netis E1+ Netis E1+ version 1.2.32533 contains a hardcoded root account vulnerability that allows unauthenticated attackers to access the device with predefined credentials. Attackers can leverage the embedded root account with a crackable password to gain full administrative access to the network device. 2026-02-03 7.5 CVE-2020-37092 ExploitDB-48382
Netis Systems Official Homepage
VulnCheck Advisory: Netis E1+ 1.2.32533 - Backdoor Account (root)
 
Netis Systems Co., Ltd.--Netis E1+ Netis E1+ 1.2.32533 contains an information disclosure vulnerability that allows unauthenticated attackers to retrieve WiFi passwords through the netcore_get.cgi endpoint. Attackers can send a GET request to the endpoint to extract sensitive network credentials including SSID and WiFi passwords in plain text. 2026-02-03 7.5 CVE-2020-37093 ExploitDB-48384
Netis Systems Official Homepage
VulnCheck Advisory: Netis E1+ 1.2.32533 - Unauthenticated WiFi Password Leak
 
EDIMAX Technology Co., Ltd.--EW-7438RPn Mini Edimax EW-7438RPn 1.13 contains an information disclosure vulnerability that exposes WiFi network configuration details through the wlencrypt_wiz.asp file. Attackers can access the script to retrieve sensitive information including WiFi network name and plaintext password stored in device configuration variables. 2026-02-03 7.5 CVE-2020-37097 ExploitDB-48365
Edimax EW-7438RPn Product Homepage
VulnCheck Advisory: Edimax EW-7438RPn 1.13 - Information Disclosure (WiFi Password)
 
DiskSorter--Disk Sorter Enterprise Disk Sorter Enterprise 12.4.16 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions. 2026-02-03 7.8 CVE-2020-37098 ExploitDB-48048
Vendor Homepage
VulnCheck Advisory: Disk Sorter Enterprise 12.4.16 - Unquoted Service Path
 
DiskSavvy--Disk Savvy Enterprise Disk Savvy Enterprise 12.3.18 contains an unquoted service path vulnerability in its service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Savvy Enterprise\bin\disksvs.exe' to inject malicious executables and escalate privileges. 2026-02-03 7.8 CVE-2020-37099 ExploitDB-48049
Vendor Homepage
VulnCheck Advisory: Disk Savvy Enterprise 12.3.18 - 'disksvs.exe' Unquoted Service Path
 
SyncBreeze--Sync Breeze Enterprise Sync Breeze Enterprise 12.4.18 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific file system locations to hijack the service startup process. 2026-02-03 7.8 CVE-2020-37100 ExploitDB-48045
Vendor Homepage
VulnCheck Advisory: Sync Breeze Enterprise 12.4.18 - Unquoted Service Path
 
Vpnunlimitedapp--VPN unlimited VPN Unlimited 6.1 contains an unquoted service path vulnerability that allows local attackers to inject malicious executables into the service binary path. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\VPN Unlimited\' to replace the service executable and gain elevated system privileges. 2026-02-03 7.8 CVE-2020-37101 ExploitDB-47916
VPN Unlimited Official Homepage
VulnCheck Advisory: VPN unlimited 6.1 - Unquoted Service Path
 
Lavasoft--Web Companion Adaware Web Companion 4.9.2159 contains an unquoted service path vulnerability in the WCAssistantService that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges during service startup. 2026-02-03 7.8 CVE-2020-37102 ExploitDB-47852
Vendor Homepage
Software Download Link
VulnCheck Advisory: Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path
 
redmine--PMB PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the 'logid' parameter. Attackers can leverage this vulnerability by sending crafted requests to the /admin/sauvegarde/download.php endpoint with manipulated logid values to interact with the database. 2026-02-03 7.1 CVE-2020-37105 ExploitDB-48356
Vendor Homepage
Software Download Repository
VulnCheck Advisory: PMB 5.6 - 'logid' SQL Injection
 
Core FTP--Core FTP LE Core FTP LE 2.2 contains a denial of service vulnerability that allows attackers to crash the application by overwriting the account field with a large buffer. Attackers can create a text file with 20,000 repeated characters and paste it into the account field to cause the application to become unresponsive and require reinstallation. 2026-02-06 7.5 CVE-2020-37107 ExploitDB-48137
Core FTP Vendor Homepage
Core FTP Download Page
VulnCheck Advisory: Core FTP LE 2.2 - Denial of Service
 
AllHandsMarketing--PhpIX 2012 Professional PhpIX 2012 Professional contains a SQL injection vulnerability in the 'id' parameter of product_detail.php that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the 'id' parameter to potentially extract or modify database information. 2026-02-03 7.1 CVE-2020-37108 ExploitDB-48138
Vendor Homepage
Demonstration Website
VulnCheck Advisory: PhpIX 2012 Professional - 'id' SQL Injection
 
asc Applied Software Consultants--aSc TimeTables aSc TimeTables 2020.11.4 contains a denial of service vulnerability that allows attackers to crash the application by overwriting the Subject title field with a large buffer. Attackers can generate a 1000-character buffer and paste it into the Subject title to trigger an application crash and potential instability. 2026-02-06 7.5 CVE-2020-37109 ExploitDB-48133
Vendor Homepage
VulnCheck Advisory: aSc TimeTables 2020.11.4 - Denial of Service
 
Openeclass--GUnet OpenEclass GUnet OpenEclass 1.7.3 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through unvalidated parameters. Attackers can exploit the 'month' parameter in the agenda module and other endpoints to extract sensitive database information using error-based or time-based injection techniques. 2026-02-03 7.1 CVE-2020-37112 ExploitDB-48163
Official Vendor Homepage
Changelog
VulnCheck Advisory: GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection
 
Nsauditor--FTP Password Recover SpotFTP-FTP Password Recover 2.4.8 contains a denial of service vulnerability that allows attackers to crash the application by generating a large buffer overflow. Attackers can create a text file with 1000 'Z' characters and input it as a registration code to trigger the application crash. 2026-02-06 7.5 CVE-2020-37122 ExploitDB-48132
Vendor Homepage
Software Download Page
VulnCheck Advisory: SpotFTP-FTP Password Recover 2.4.8 - Denial of Service
 
Nsauditor--Nsauditor Nsauditor 3.2.0.0 contains a denial of service vulnerability in the registration name input field that allows attackers to crash the application. Attackers can create a malicious payload of 1000 bytes of repeated characters to trigger an application crash when pasted into the registration name field. 2026-02-05 7.5 CVE-2020-37130 ExploitDB-48286
Vendor Homepage
VulnCheck Advisory: Nsauditor 3.2.0.0 - 'Name' Denial of Service
 
UltraVNC Team--UltraVNC Launcher UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in the Repeater Host configuration field that allows attackers to crash the application. Attackers can paste an overly long string of 300 characters into the Repeater Host property to trigger an application crash. 2026-02-05 7.5 CVE-2020-37133 ExploitDB-48288
UltraVNC Official Homepage
VulnCheck Advisory: UltraVNC Launcher 1.2.4.0 - 'RepeaterHost' Denial of Service
 
UltraVNC Team--UltraVNC Viewer UltraVNC Viewer 1.2.4.0 contains a denial of service vulnerability that allows attackers to crash the application by manipulating VNC Server input. Attackers can generate a malformed 256-byte payload and paste it into the VNC Server connection dialog to trigger an application crash. 2026-02-05 7.5 CVE-2020-37134 ExploitDB-48291
UltraVNC Official Homepage
VulnCheck Advisory: UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service
 
Amssplus--AMSS++ AMSS++ 4.7 contains an authentication bypass vulnerability that allows attackers to access administrative accounts using hardcoded credentials. Attackers can log in with the default admin username and password '1234' to gain unauthorized administrative access to the system. 2026-02-06 7.5 CVE-2020-37135 ExploitDB-48114
VulnCheck Advisory: AMSS++ 4.7 - Backdoor Admin Account
 
EmTec--ZOC Terminal ZOC Terminal 7.25.5 contains a denial of service vulnerability in the private key file input field that allows attackers to crash the application. Attackers can overwrite the private key file input with a 2000-byte buffer, causing the application to become unresponsive when attempting to create SSH key files. 2026-02-05 7.5 CVE-2020-37136 ExploitDB-48292
Vendor Homepage
VulnCheck Advisory: ZOC Terminal v7.25.5 - 'Private key file' Denial of Service
 
GE Intelligent Platforms, Inc.--ProficySCADA for iOS ProficySCADA for iOS 5.0.25920 contains a denial of service vulnerability that allows attackers to crash the application by manipulating the password input field. Attackers can overwrite the password field with 257 bytes of repeated characters to trigger an application crash and prevent successful authentication. 2026-02-05 7.5 CVE-2020-37143 ExploitDB-48236
Archived App Software
VulnCheck Advisory: ProficySCADA for iOS 5.0.25920 - 'Password' Denial of Service
 
ACE SECURITY--Aptina AR0130 960P 1.3MP Camera ACE Security WiP-90113 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration files. Attackers can access the camera's configuration backup by sending a GET request to the /config_backup.bin endpoint, exposing credentials and system settings. 2026-02-06 7.5 CVE-2020-37146 ExploitDB-48127
Vendor Homepage
Product Support Page
VulnCheck Advisory: Aptina AR0130 960P 1.3MP Camera - Remote Configuration Disclosure
 
Atutor--ATutor ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'id' parameter of the admin_delete.php script to potentially extract or modify database information. 2026-02-06 7.1 CVE-2020-37147 ExploitDB-48117
ATutor Official Homepage
VulnCheck Advisory: ATutor 2.2.4 - 'id' SQL Injection
 
EDIMAX Technology--EW-7438RPn Mini Edimax EW-7438RPn-v3 Mini 1.27 allows unauthenticated attackers to access the /wizard_reboot.asp page in unsetup mode, which discloses the Wi-Fi SSID and security key. Attackers can retrieve the wireless password by sending a GET request to this endpoint, exposing sensitive information without authentication. 2026-02-05 7.5 CVE-2020-37150 ExploitDB-48318
Edimax EW-7438RPn Mini Product Page
VulnCheck Advisory: Edimax Technology EW-7438RPn-v3 Mini 1.27 - Unauthorized Access: Wi-Fi Password Disclosure
 
Tripath Project--eLection eLection 2.0 contains an authenticated SQL injection vulnerability in the candidate management endpoint that allows attackers to manipulate database queries through the 'id' parameter. Attackers can leverage SQLMap to exploit the vulnerability, potentially gaining remote code execution by uploading backdoor files to the web application directory. 2026-02-06 7.1 CVE-2020-37154 ExploitDB-48122
eLection Project Vendor Homepage
Researcher Exploit Disclosure
VulnCheck Advisory: eLection 2.0 - 'id' SQL Injection
 
Core FTP--Core FTP Lite Core FTP Lite 1.3 contains a buffer overflow vulnerability in the username input field that allows attackers to crash the application by supplying oversized input. Attackers can generate a 7000-byte payload of repeated 'A' characters to trigger an application crash without requiring additional interaction. 2026-02-06 7.5 CVE-2020-37155 ExploitDB-48100
Core FTP Official Homepage
VulnCheck Advisory: Core FTP Lite 1.3 - Denial of Service (PoC)
 
DBPower--DBPower C300 HD Camera DBPower C300 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive credentials through an unprotected configuration backup endpoint. Attackers can download the configuration file and extract hardcoded username and password by accessing the /tmpfs/config_backup.bin resource. 2026-02-06 7.5 CVE-2020-37157 ExploitDB-48095
Archived Researcher Blog
VulnCheck Advisory: DBPower C300 HD Camera - Remote Configuration Disclosure
 
Innomic--VibroLine Configurator 5.0 A local attacker could cause a full device reset by resetting the device passwords using an invalid reset file via USB. 2026-02-02 7.7 CVE-2022-50976 https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html
https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json
 
Innomic--VibroLine VLX1 HD 5.0 An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via HTTP. 2026-02-02 7.5 CVE-2022-50977 https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html
https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json
 
Innomic--VibroLine VLX1 HD 5.0 An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (TCP). 2026-02-02 7.5 CVE-2022-50978 https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html
https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json
 
Talemy--Spirit Framework Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Talemy Spirit Framework allows PHP Local File Inclusion. This issue affects Spirit Framework: from n/a through 1.2.13. 2026-02-02 7.5 CVE-2024-54263 https://patchstack.com/database/wordpress/plugin/spirit-framework/vulnerability/wordpress-spirit-framework-plugin-1-2-13-local-file-inclusion-vulnerability?_s_id=cve
 
Zyxel--ATP series firmware A post‑authentication command injection vulnerability in the Dynamic DNS (DDNS) configuration CLI command in Zyxel ATP series firmware versions from V5.35 through V5.41, USG FLEX series firmware versions from V5.35 through V5.41, USG FLEX 50(W) series firmware versions from V5.35 through V5.41, and USG20(W)-VPN series firmware versions from V5.35 through V5.41 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device by supplying a specially crafted string as an argument to the CLI command. 2026-02-05 7.2 CVE-2025-11730 https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-the-ddns-configuration-cli-command-of-zld-firewalls-02-05-2026
 
IBM--Business Automation Workflow containers IBM Business Automation Workflow containers V25.0.0 through V25.0.0-IF007, V24.0.1 - V24.0.1-IF007, V24.0.0 - V24.0.0-IF007 and IBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. 2026-02-02 7.1 CVE-2025-13096 https://www.ibm.com/support/pages/node/7259321
 
Mattermost--Mattermost Confluence Plugin Mattermost Confluence plugin version <1.7.0 fails to properly escape user-controlled display names in HTML template rendering which allows authenticated Confluence users with malicious display names to execute arbitrary JavaScript in victim browsers via sending a specially crafted OAuth2 connection link that, when visited, renders the attacker's display name without proper sanitization. Mattermost Advisory ID: MMSA-2025-00557 2026-02-06 7.7 CVE-2025-13523 MMSA-2025-00557
 
IBM--WebSphere Application Server Liberty IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1 could allow a privileged user to upload a zip archive containing path traversal sequences resulting in an overwrite of files leading to arbitrary code execution. 2026-02-02 7.6 CVE-2025-14914 https://www.ibm.com/support/pages/node/7258224
 
infility--Infility Global The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append - with certain server configurations - additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-02-04 7.5 CVE-2025-15268 https://www.wordfence.com/threat-intel/vulnerabilities/id/648941b8-d1ab-4587-bd87-f23008ac9a00?source=cve
https://plugins.trac.wordpress.org/browser/infility-global/trunk/include/class/db.class.php?marks=41#L41
https://plugins.trac.wordpress.org/browser/infility-global/trunk/infility_global.php?marks=626#L626
https://plugins.trac.wordpress.org/browser/infility-global/trunk/include/class/str.class.php?marks=21#L21
 
lupsonline--SEO Flow by LupsOnline The SEO Flow by LupsOnline plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the checkBlogAuthentication() and checkCategoryAuthentication() functions in all versions up to, and including, 2.2.1. These authorization functions only implement basic API key authentication but fail to implement WordPress capability checks. This makes it possible for unauthenticated attackers to create, modify, and delete blog posts and categories. 2026-02-04 7.5 CVE-2025-15285 https://www.wordfence.com/threat-intel/vulnerabilities/id/526837cc-ed1d-4d3d-8f75-a2098445dd1d?source=cve
https://plugins.trac.wordpress.org/browser/lupsonline-link-netwerk/tags/2.2.1/includes/class-linknetwerk-api.php?marks=83-99,101-117#L83
 
Tanium--Tanium Appliance Tanium addressed an unauthorized code execution vulnerability in Tanium Appliance. 2026-02-05 7.8 CVE-2025-15311 TAN-2025-002
 
n/a--Open5GS A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function hss_ogs_diam_cx_mar_cb of the file src/hss/hss-cx-path.c of the component VoLTE Cx-Test. The manipulation of the argument OGS_KEY_LEN results in stack-based buffer overflow. The attack may be launched remotely. The patch is identified as 54dda041211098730221d0ae20a2f9f9173e7a21. A patch should be applied to remediate this issue. 2026-02-04 7.3 CVE-2025-15555 VDB-343795 | Open5GS VoLTE Cx-Test hss-cx-path.c hss_ogs_diam_cx_mar_cb stack-based overflow
VDB-343795 | CTI Indicators (IOB, IOC, IOA)
Submit #741901 | Open5GS v2.7.6 Buffer Over-read
https://github.com/open5gs/open5gs/issues/4177
https://github.com/open5gs/open5gs/issues/4177#event-21256395700
https://github.com/open5gs/open5gs/commit/54dda041211098730221d0ae20a2f9f9173e7a21
https://github.com/open5gs/open5gs/
 
Qualcomm, Inc.--Snapdragon Memory Corruption when user space address is modified and passed to mem_free API, causing kernel memory to be freed inadvertently. 2026-02-02 7.8 CVE-2025-47358 https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory Corruption when multiple threads simultaneously access a memory free API. 2026-02-02 7.8 CVE-2025-47359 https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Cryptographic issue when a Trusted Zone with outdated code is triggered by a HLOS providing incorrect input. 2026-02-02 7.1 CVE-2025-47366 https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory Corruption when initiating GPU memory mapping using scatter-gather lists due to unchecked IOMMU mapping errors. 2026-02-02 7.8 CVE-2025-47397 https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory Corruption while deallocating graphics processing unit memory buffers due to improper handling of memory pointers. 2026-02-02 7.8 CVE-2025-47398 https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory Corruption while processing IOCTL call to update sensor property settings with invalid input parameters. 2026-02-02 7.8 CVE-2025-47399 https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html
 
n8n-io--n8n n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the same Node.js process (for example, data from prior requests, tasks, secrets, or tokens), resulting in potential information disclosure. This issue has been patched in version 1.114.3. 2026-02-04 7.7 CVE-2025-61917 https://github.com/n8n-io/n8n/security/advisories/GHSA-49mx-fj45-q3p6
https://github.com/n8n-io/n8n/commit/2c4c2953199733c791f739a40879ae31ca129aba
 
N/A--Moodle[.]org A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. When other users view these compromised pages, their sessions could be stolen, or the user interface could be manipulated. 2026-02-03 7.3 CVE-2025-67849 https://access.redhat.com/security/cve/CVE-2025-67849
RHBZ#2423835
 
N/A--Moodle[.]org A flaw was found in moodle. This vulnerability, known as Cross-Site Scripting (XSS), occurs due to insufficient checks on user-provided data in the formula editor's arithmetic expression fields. A remote attacker could inject malicious code into these fields. When other users view these expressions, the malicious code would execute in their web browsers, potentially compromising their data or leading to unauthorized actions. 2026-02-03 7.3 CVE-2025-67850 https://access.redhat.com/security/cve/CVE-2025-67850
RHBZ#2423838
 
N/A--Moodle[.]org A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess user credentials, facilitating brute-force attacks against user accounts. 2026-02-03 7.5 CVE-2025-67853 https://access.redhat.com/security/cve/CVE-2025-67853
RHBZ#2423847
 
TriliumNext--Trilium Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. Prior to 0.101.0, a critical timing attack vulnerability in Trilium's sync authentication endpoint allows unauthenticated remote attackers to recover HMAC authentication hashes byte-by-byte through statistical timing analysis. This enables complete authentication bypass without password knowledge, granting full read/write access to victim's knowledge base. This vulnerability is fixed in 0.101.0. 2026-02-06 7.4 CVE-2025-68621 https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hxf6-58cx-qq3x
https://github.com/TriliumNext/Trilium/pull/8129
 
Ofisimo Web-Based Software Technologies--Association Web Package Flora Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ofisimo Web-Based Software Technologies Association Web Package Flora allows XSS Through HTTP Headers. This issue affects Association Web Package Flora: from v3.0 through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-03 7.6 CVE-2025-7760 https://www.usom.gov.tr/bildirim/tr-26-0015
 
Kod8 Software Technologies Trade Ltd. Co.--Kod8 Individual and SME Website Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kod8 Software Technologies Trade Ltd. Co. Kod8 Individual and SME Website allows Reflected XSS. This issue affects Kod8 Individual and SME Website: through 03022026.  NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-03 7.6 CVE-2025-8456 https://www.usom.gov.tr/bildirim/tr-26-0012
 
Seres Software--syWEB Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Seres Software syWEB allows Reflected XSS. This issue affects syWEB: through 03022026.  NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-03 7.6 CVE-2025-8461 https://www.usom.gov.tr/bildirim/tr-26-0013
 
AKCE Software Technology R&D Industry and Trade Inc.--SKSPro Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Reflected XSS. This issue affects SKSPro: through 07012026. 2026-02-03 7.6 CVE-2025-8589 https://www.usom.gov.tr/bildirim/tr-26-0011
 
AKCE Software Technology R&D Industry and Trade Inc.--SKSPro Exposure of Sensitive Information to an Unauthorized Actor vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Directory Indexing. This issue affects SKSPro: through 07012026. 2026-02-03 7.5 CVE-2025-8590 https://www.usom.gov.tr/bildirim/tr-26-0011
 
Autodesk--3ds Max A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can cause a Stack-Based Buffer Overflow vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. 2026-02-04 7.8 CVE-2026-0536 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002
 
Autodesk--3ds Max A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. 2026-02-04 7.8 CVE-2026-0537 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002
 
Autodesk--3ds Max A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. 2026-02-04 7.8 CVE-2026-0538 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002
 
latepoint--LatePoint Calendar Booking Plugin for Appointments and Events The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the customer's activity history. 2026-02-03 7.2 CVE-2026-0617 https://www.wordfence.com/threat-intel/vulnerabilities/id/22bcfd36-ecf9-4d2c-ac94-94ffa0340c4c?source=cve
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/views/activities/view.php#L27
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/controllers/activities_controller.php
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/models/activity_model.php
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3449263%40latepoint%2Ftrunk&old=3408660%40latepoint%2Ftrunk&sfp_email=&sfph_mail=
 
Autodesk--USD for Arnold A maliciously crafted USD file, when loaded or imported into Autodesk Arnold or Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. 2026-02-04 7.8 CVE-2026-0659 https://www.autodesk.com/products/autodesk-access/overview
https://github.com/Autodesk/arnold-usd
https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0003
 
Autodesk--3ds Max A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can cause a Stack-Based Buffer Overflow vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. 2026-02-04 7.8 CVE-2026-0660 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002
 
Autodesk--3ds Max A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. 2026-02-04 7.8 CVE-2026-0661 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002
 
Autodesk--3ds Max A maliciously crafted project directory, when opening a max file in Autodesk 3ds Max, could lead to execution of arbitrary code in the context of the current process due to an Untrusted Search Path being utilized. 2026-02-04 7.8 CVE-2026-0662 https://www.autodesk.com/products/autodesk-access/overview
https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002
 
10web--Form Maker by 10Web Mobile-Friendly Drag & Drop Contact Form Builder The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions list. 2026-02-03 7.1 CVE-2026-1058 https://www.wordfence.com/threat-intel/vulnerabilities/id/e0ec0027-2792-4069-b413-8fdd951f5fe7?source=cve
https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/admin/views/Submissions_fm.php#L759
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3447011%40form-maker%2Ftrunk&old=3440395%40form-maker%2Ftrunk&sfp_email=&sfph_mail=
 
10web--Form Maker by 10Web Mobile-Friendly Drag & Drop Contact Form Builder The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms. 2026-02-03 7.2 CVE-2026-1065 https://www.wordfence.com/threat-intel/vulnerabilities/id/8230d5f8-01d9-465a-8a43-e9852248bb3d?source=cve
https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/js/add_field.js#L2364
https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/frontend/models/form_maker.php#L1744
https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/frontend/models/form_maker.php#L1855
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3447011%40form-maker%2Ftrunk&old=3440395%40form-maker%2Ftrunk&sfp_email=&sfph_mail=
 
bplugins--All In One Image Viewer Block Gutenberg block to create image viewer with hyperlink The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. 2026-02-05 7.2 CVE-2026-1294 https://www.wordfence.com/threat-intel/vulnerabilities/id/7c3f7108-eb32-425a-a705-4f032e7da6b0?source=cve
https://plugins.trac.wordpress.org/browser/image-viewer/tags/1.0.2/image-viewer-block.php#L10
https://plugins.trac.wordpress.org/changeset/3449642/image-viewer/tags/1.0.3/image-viewer-block.php?old=3405983&old_path=image-viewer%2Ftags%2F1.0.2%2Fimage-viewer-block.php
 
pgadmin.org--pgAdmin 4 pgAdmin versions 9.11 are affected by a Restore restriction bypass via key disclosure vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. An attacker with access to the pgAdmin web interface can observe an active restore operation, extract the `\restrict` key in real time, and race the restore process by overwriting the restore script with a payload that re-enables meta-commands using `\unrestrict <key>`. This results in reliable command execution on the pgAdmin host during the restore operation. 2026-02-05 7.4 CVE-2026-1707 https://github.com/pgadmin-org/pgadmin4/issues/9518
 
EFM--ipTIME A8004T A vulnerability was found in EFM ipTIME A8004T 14.18.2. This impacts the function httpcon_check_session_url of the file /cgi/timepro.cgi of the component Hidden Hiddenloginsetup Interface. The manipulation results in improper authentication. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-02 7.3 CVE-2026-1740 VDB-343639 | EFM ipTIME A8004T Hidden Hiddenloginsetup timepro.cgi httpcon_check_session_url improper authentication
VDB-343639 | CTI Indicators (IOB, IOC, IOA)
Submit #741422 | IPTIME A8004T 14.18.2 Authentication Bypass & Arbitrary Password Reset
https://github.com/LX-LX88/cve/issues/27
 
AWS--SageMaker Python SDK The Amazon SageMaker Python SDK before v3.2.0 and v2.256.0 includes the ModelBuilder HMAC signing key in the cleartext response elements of the DescribeTrainingJob function. A third party with permissions to both call this API and permissions to modify objects in the Training Jobs S3 output location may have the ability to upload arbitrary artifacts which are executed the next time the Training Job is invoked. 2026-02-02 7.2 CVE-2026-1777 https://aws.amazon.com/security/security-bulletins/2026-004-AWS/
https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-rjrp-m2jw-pv9c
https://github.com/aws/sagemaker-python-sdk/releases/tag/v3.2.0
https://github.com/aws/sagemaker-python-sdk/releases/tag/v2.256.0
 
Ziroom--ZHOME A0101 A security flaw has been discovered in Ziroom ZHOME A0101 1.0.1.0. This issue affects the function macAddrClone of the file luci\controller\api\zrMacClone.lua. The manipulation of the argument macType results in command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-03 7.3 CVE-2026-1802 VDB-343975 | Ziroom ZHOME A0101 zrMacClone.lua macAddrClone command injection
VDB-343975 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #741842 | https://sh.ziroom.com/ ZHOME A0101 Command Injection
https://github.com/jinhao118/cve/blob/main/ziru_router_command_injection.md
 
itsourcecode--Student Management System A vulnerability was found in itsourcecode Student Management System 1.0. The affected element is an unknown function of the file /ramonsys/enrollment/controller.php. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. 2026-02-06 7.3 CVE-2026-2011 VDB-344593 | itsourcecode Student Management System controller.php sql injection
VDB-344593 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #743498 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/tianrenu/CVE-Discoveries/issues/1
https://itsourcecode.com/
 
Cisco--Cisco RoomOS Software A vulnerability in the text rendering subsystem of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of input received by an affected device. An attacker could exploit this vulnerability by getting the affected device to render crafted text, for example, a crafted meeting invitation. As indicated in the CVSS score, no user interaction is required, such as accepting the meeting invitation. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. 2026-02-04 7.5 CVE-2026-20119 cisco-sa-tce-roomos-dos-9V9jrC2q
 
itsourcecode--Student Management System A vulnerability was determined in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /ramonsys/facultyloading/index.php. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. 2026-02-06 7.3 CVE-2026-2012 VDB-344594 | itsourcecode Student Management System index.php sql injection
VDB-344594 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #743499 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/tianrenu/CVE-Discoveries/issues/2
https://itsourcecode.com/
 
itsourcecode--Student Management System A vulnerability was identified in itsourcecode Student Management System 1.0. This affects an unknown function of the file /ramonsys/soa/index.php. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. 2026-02-06 7.3 CVE-2026-2013 VDB-344595 | itsourcecode Student Management System index.php sql injection
VDB-344595 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #743500 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/tianrenu/CVE-Discoveries/issues/3
https://itsourcecode.com/
 
itsourcecode--Student Management System A security flaw has been discovered in itsourcecode Student Management System 1.0. This impacts an unknown function of the file /ramonsys/billing/index.php. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. 2026-02-06 7.3 CVE-2026-2014 VDB-344596 | itsourcecode Student Management System index.php sql injection
VDB-344596 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #744048 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/ltranquility/CVE/issues/35
https://itsourcecode.com/
 
itsourcecode--School Management System A flaw has been found in itsourcecode School Management System 1.0. This affects an unknown part of the file /ramonsys/settings/controller.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. 2026-02-06 7.3 CVE-2026-2018 VDB-344600 | itsourcecode School Management System controller.php sql injection
VDB-344600 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #744075 | itsourcecode School Management System V1.0 SQL Injection
https://github.com/ltranquility/CVE/issues/36
https://itsourcecode.com/
 
SourceCodester--Medical Center Portal Management System A vulnerability was detected in SourceCodester Medical Center Portal Management System 1.0. This affects an unknown function of the file /login.php. The manipulation of the argument User results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. 2026-02-06 7.3 CVE-2026-2057 VDB-344617 | SourceCodester Medical Center Portal Management System login.php sql injection
VDB-344617 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #744233 | SourceCodester Medical Center Portal Management System 1.0 SQL Injection
https://github.com/Roger-Adventures/CVE/issues/1
https://www.sourcecodester.com/
 
mathurvishal--CloudClassroom-PHP-Project A flaw has been found in mathurvishal CloudClassroom-PHP-Project up to 5dadec098bfbbf3300d60c3494db3fb95b66e7be. This impacts an unknown function of the file /postquerypublic.php of the component Post Query Details Page. This manipulation of the argument gnamex causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-06 7.3 CVE-2026-2058 VDB-344618 | mathurvishal CloudClassroom-PHP-Project Post Query Details postquerypublic.php sql injection
VDB-344618 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #744236 | https://github.com/mathurvishal/CloudClassroom-PHP-Project CloudClassroom PHP Project 1.0 SQL Injection
https://github.com/carlosalbertotuma/CLOUD-CLASSROOMS-php-1.0
https://github.com/carlosalbertotuma/CLOUD-CLASSROOMS-php-1.0#impact
 
SourceCodester--Medical Center Portal Management System A vulnerability has been found in SourceCodester Medical Center Portal Management System 1.0. Affected is an unknown function of the file /emp_edit1.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. 2026-02-06 7.3 CVE-2026-2059 VDB-344619 | SourceCodester Medical Center Portal Management System emp_edit1.php sql injection
VDB-344619 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #744261 | SourceCodester Medical Center Portal Management System 1.0 SQL Injection
https://github.com/Roger-Adventures/CVE/issues/2
https://www.sourcecodester.com/
 
code-projects--Simple Blood Donor Management System A vulnerability was found in code-projects Simple Blood Donor Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /simpleblooddonor/editcampaignform.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. 2026-02-06 7.3 CVE-2026-2060 VDB-344620 | code-projects Simple Blood Donor Management System editcampaignform.php sql injection
VDB-344620 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #744262 | code-projects Simple Blood Donor Management System V1.0 SQL Injection
https://github.com/kyxh001/CVE/issues/1
https://code-projects.org/
 
itsourcecode--School Management System A vulnerability was determined in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/user/index.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. 2026-02-07 7.3 CVE-2026-2073 VDB-344639 | itsourcecode School Management System index.php sql injection
VDB-344639 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #745482 | itsourcecode School Management System V1.0 SQL Injection
https://github.com/Sherlocksbs/CVE/issues/1
https://itsourcecode.com/
 
UTT--HiPER 810 A vulnerability has been found in UTT HiPER 810 1.7.4-141218. This issue affects the function setSysAdm of the file /goform/formUser. The manipulation of the argument passwd1 leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-07 7.2 CVE-2026-2080 VDB-344646 | UTT HiPER 810 formUser setSysAdm command injection
VDB-344646 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #745521 | UTT HiPER 810 / nv810v4 nv810v4v1.7.4-141218 Command Injection
https://github.com/cha0yang1/UTT810CVE/blob/main/README.md
https://github.com/cha0yang1/UTT810CVE/blob/main/README.md#reproduction-steps
 
code-projects--Social Networking Site A security flaw has been discovered in code-projects Social Networking Site 1.0. This affects an unknown function of the file /delete_post.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. 2026-02-07 7.3 CVE-2026-2083 VDB-344650 | code-projects Social Networking Site delete_post.php sql injection
VDB-344650 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #745937 | code-projects Social Networking Site V1.0 SQL Injection
https://github.com/6Justdododo6/CVE/issues/1
https://code-projects.org/
 
D-Link--DIR-823X A weakness has been identified in D-Link DIR-823X 250416. This impacts an unknown function of the file /goform/set_language. Executing a manipulation of the argument langSelection can lead to os command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. 2026-02-07 7.2 CVE-2026-2084 VDB-344651 | D-Link DIR-823X set_language os command injection
VDB-344651 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #746379 | D-Link DIR 250416 OS Command Injection
Submit #746380 | D-Link DIR-823X 250416 OS Command Injection (Duplicate)
https://github.com/master-abc/cve/issues/24
https://www.dlink.com/
 
D-Link--DWR-M921 A security vulnerability has been detected in D-Link DWR-M921 1.1.50. Affected is the function sub_419F20 of the file /boafrm/formUSSDSetup of the component USSD Configuration Endpoint. The manipulation of the argument ussdValue leads to command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. 2026-02-07 7.2 CVE-2026-2085 VDB-344652 | D-Link DWR-M921 USSD Configuration Endpoint formUSSDSetup sub_419F20 command injection
VDB-344652 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #746400 | D-Link DWR-M921 V1.1.50 Command Injection
https://github.com/LX-66-LX/cve-new/issues/1
https://github.com/LX-66-LX/cve-new/issues/1#issue-3851345029
https://www.dlink.com/
 
SourceCodester--Online Class Record System A flaw has been found in SourceCodester Online Class Record System 1.0. Affected by this issue is some unknown functionality of the file /admin/login.php. This manipulation of the argument user_email causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. 2026-02-07 7.3 CVE-2026-2087 VDB-344654 | SourceCodester Online Class Record System login.php sql injection
VDB-344654 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #746510 | SourceCodester Online Class Record System 1.0 SQL Injection
https://github.com/xiaoccm07/cve/issues/1
https://www.sourcecodester.com/
 
PHPGurukul--Beauty Parlour Management System A vulnerability has been found in PHPGurukul Beauty Parlour Management System 1.1. This affects an unknown part of the file /admin/accepted-appointment.php. Such manipulation of the argument delid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. 2026-02-07 7.3 CVE-2026-2088 VDB-344655 | PHPGurukul Beauty Parlour Management System accepted-appointment.php sql injection
VDB-344655 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #746520 | PHPgurukul Beauty Parlour Management System V1.1 SQL Injection
https://github.com/Shaon-Xis/cve/issues/1
https://phpgurukul.com/
 
SourceCodester--Online Class Record System A vulnerability was found in SourceCodester Online Class Record System 1.0. This vulnerability affects unknown code of the file /admin/subject/controller.php. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. 2026-02-07 7.3 CVE-2026-2089 VDB-344656 | SourceCodester Online Class Record System controller.php sql injection
VDB-344656 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #746550 | SourceCodester Online Class Record System 1.0 SQL Injection
https://github.com/xiaoccm07/cve/issues/2
https://www.sourcecodester.com/
 
SourceCodester--Online Class Record System A vulnerability was determined in SourceCodester Online Class Record System 1.0. This issue affects some unknown processing of the file /admin/message/search.php. Executing a manipulation of the argument term can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. 2026-02-07 7.3 CVE-2026-2090 VDB-344657 | SourceCodester Online Class Record System search.php sql injection
VDB-344657 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #746551 | SourceCodester Online Class Record System 1.0 SQL Injection
https://github.com/xiaoccm07/cve/issues/3
https://www.sourcecodester.com/
 
Infor--SyteLine ERP Infor SyteLine ERP uses hard-coded static cryptographic keys to encrypt stored credentials, including user passwords, database connection strings, and API keys. The encryption keys are identical across all installations. An attacker with access to the application binary and database can decrypt all stored credentials. 2026-02-06 7.1 CVE-2026-2103 https://blog.blacklanternsecurity.com/p/cve-2026-2103-infor-syteline-erp
 
yuan1994--tpadmin A security vulnerability has been detected in yuan1994 tpadmin up to 1.3.12. This affects an unknown part in the library /public/static/admin/lib/webuploader/0.1.5/server/preview.php of the component WebUploader. The manipulation leads to deserialization. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer. 2026-02-07 7.3 CVE-2026-2113 VDB-344688 | yuan1994 tpadmin WebUploader preview.php deserialization
VDB-344688 | CTI Indicators (IOB, IOC, IOA)
Submit #746795 | https://github.com/yuan1994/tpadmin cms v1.3 RCE
https://github.com/sTy1H/CVE-Report/blob/main/Remote%20Code%20Execution%20Vulnerability%20in%20Tpadmin%20System.md
 
itsourcecode--Society Management System A vulnerability was detected in itsourcecode Society Management System 1.0. This vulnerability affects unknown code of the file /admin/edit_admin.php. The manipulation of the argument admin_id results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. 2026-02-07 7.3 CVE-2026-2114 VDB-344689 | itsourcecode Society Management System edit_admin.php sql injection
VDB-344689 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #746796 | itsourcecode Society Management System V1.0 SQL injection
https://github.com/zpf7029/oblong/issues/3
https://itsourcecode.com/
 
itsourcecode--Society Management System A flaw has been found in itsourcecode Society Management System 1.0. This issue affects some unknown processing of the file /admin/delete_expenses.php. This manipulation of the argument expenses_id causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. 2026-02-07 7.3 CVE-2026-2115 VDB-344690 | itsourcecode Society Management System delete_expenses.php sql injection
VDB-344690 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #746797 | itsourcecode Society Management System V1.0 SQL injection
https://github.com/zpf7029/oblong/issues/2
https://itsourcecode.com/
 
itsourcecode--Society Management System A vulnerability has been found in itsourcecode Society Management System 1.0. Impacted is an unknown function of the file /admin/edit_expenses.php. Such manipulation of the argument expenses_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. 2026-02-07 7.3 CVE-2026-2116 VDB-344691 | itsourcecode Society Management System edit_expenses.php sql injection
VDB-344691 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #746798 | itsourcecode Society Management System V1.0 SQL injection
https://github.com/zpf7029/oblong/issues/1
https://itsourcecode.com/
 
itsourcecode--Society Management System A vulnerability was found in itsourcecode Society Management System 1.0. The affected element is an unknown function of the file /admin/edit_activity.php. Performing a manipulation of the argument activity_id results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. 2026-02-07 7.3 CVE-2026-2117 VDB-344692 | itsourcecode Society Management System edit_activity.php sql injection
VDB-344692 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #746884 | itsourcecode Society Management System V1.0 SQL injection
https://github.com/ZooNJarway/CVE/issues/4
https://itsourcecode.com/
 
UTT--HiPER 810 A vulnerability was determined in UTT HiPER 810 1.7.4-141218. The impacted element is the function sub_4407D4 of the file /goform/formReleaseConnect of the component rehttpd. Executing a manipulation of the argument Isp_Name can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. 2026-02-08 7.2 CVE-2026-2118 VDB-344693 | UTT HiPER 810 rehttpd formReleaseConnect sub_4407D4 command injection
VDB-344693 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #746802 | UTT (艾泰) HiPER 810 nv810v4v1.7.4-141218 Command Injection
https://github.com/cha0yang1/UTT810CVE/blob/main/CVEreadme1.md
https://github.com/cha0yang1/UTT810CVE/blob/main/CVEreadme1.md#poc
 
D-Link--DIR-823X A vulnerability was identified in D-Link DIR-823X 250416. This affects an unknown function of the file /goform/set_server_settings of the component Configuration Parameter Handler. The manipulation of the argument terminal_addr/server_ip/server_port leads to os command injection. The attack may be initiated remotely. The exploit is publicly available and might be used. 2026-02-08 7.2 CVE-2026-2120 VDB-344694 | D-Link DIR-823X Configuration Parameter set_server_settings os command injection
VDB-344694 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #746916 | D-Link DIR-823X 250416 OS Command Injection
https://github.com/master-abc/cve/issues/26
https://www.dlink.com/
 
D-Link--DIR-823X A vulnerability was found in D-Link DIR-823X 250416. Affected by this issue is some unknown functionality of the file /goform/set_ac_status. Performing a manipulation of the argument ac_ipaddr/ac_ipstatus/ap_randtime results in os command injection. The attack may be initiated remotely. The exploit has been made public and could be used. 2026-02-08 7.2 CVE-2026-2129 VDB-344764 | D-Link DIR-823X set_ac_status os command injection
VDB-344764 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #746935 | D-Link DIR-823X 250416 OS Command Injection
https://github.com/master-abc/cve/issues/23
https://www.dlink.com/
 
code-projects--Online Music Site A security flaw has been discovered in code-projects Online Music Site 1.0. This issue affects some unknown processing of the file /Administrator/PHP/AdminUpdateCategory.php. The manipulation of the argument txtcat results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. 2026-02-08 7.3 CVE-2026-2132 VDB-344767 | code-projects Online Music Site AdminUpdateCategory.php sql injection
VDB-344767 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #747210 | code-projects ONLINE MUSIC SITE V1.0 SQL Injection
https://github.com/Volije/AdminUpdateCategory/issues/1
https://code-projects.org/
 
code-projects--Online Music Site A weakness has been identified in code-projects Online Music Site 1.0. Impacted is an unknown function of the file /Administrator/PHP/AdminUpdateCategory.php. This manipulation of the argument txtimage causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. 2026-02-08 7.3 CVE-2026-2133 VDB-344768 | code-projects Online Music Site AdminUpdateCategory.php unrestricted upload
VDB-344768 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #747213 | code-projects ONLINE MUSIC SITE V1.0 Arbitrary file upload vulnerability
https://github.com/Volije/cve2/issues/1
https://code-projects.org/
 
projectworlds--Online Food Ordering System A flaw has been found in projectworlds Online Food Ordering System 1.0. This affects an unknown function of the file /view-ticket.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. 2026-02-08 7.3 CVE-2026-2136 VDB-344771 | projectworlds Online Food Ordering System view-ticket.php sql injection
VDB-344771 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #747230 | projectworlds Online Food Ordering System Project in PHP V1.0 SQL Injection
https://github.com/hater-us/CVE/issues/4
 
D-Link--DIR-823X A weakness has been identified in D-Link DIR-823X 250416. This vulnerability affects the function sub_420688 of the file /goform/set_qos. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. 2026-02-08 7.2 CVE-2026-2142 VDB-344777 | D-Link DIR-823X set_qos sub_420688 os command injection
VDB-344777 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #747428 | D-Link DIR-823X 250416 OS Command Injection
https://github.com/master-abc/cve/issues/29
https://www.dlink.com/
 
D-Link--DIR-823X A security vulnerability has been detected in D-Link DIR-823X 250416. This issue affects some unknown processing of the file /goform/set_ddns of the component DDNS Service. The manipulation of the argument ddnsType/ddnsDomainName/ddnsUserName/ddnsPwd leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. 2026-02-08 7.2 CVE-2026-2143 VDB-344778 | D-Link DIR-823X DDNS Service set_ddns os command injection
VDB-344778 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #747492 | D-Link DIR-823X 250416 OS Command Injection
https://github.com/master-abc/cve/issues/25
https://www.dlink.com/
 
D-Link--DIR-615 A vulnerability has been found in D-Link DIR-615 4.10. This affects an unknown part of the file adv_firewall.php of the component DMZ Host Feature. Such manipulation of the argument dmz_ipaddr  leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. 2026-02-08 7.2 CVE-2026-2151 VDB-344853 | D-Link DIR-615 DMZ Host Feature adv_firewall.php os command injection
VDB-344853 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #748031 | Dlink DIR-615 v4.10 OS Command Injection
https://pentagonal-time-3a7.notion.site/DIR-615-OS-Command-Injection-2f6e5dd4c5a58053b2b4f166c2a503ba
https://www.dlink.com/
 
D-Link--DIR-615 A vulnerability was found in D-Link DIR-615 4.10. This vulnerability affects unknown code of the file adv_routing.php of the component Web Configuration Interface. Performing a manipulation of the argument dest_ip/ submask/ gw results in os command injection. The attack may be initiated remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. 2026-02-08 7.2 CVE-2026-2152 VDB-344854 | D-Link DIR-615 Web Configuration adv_routing.php os command injection
VDB-344854 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #748032 | Dlink DIR-615 v4.10 OS Command Injection
https://pentagonal-time-3a7.notion.site/DIR-615-routing-command-injection-2f6e5dd4c5a580089587f5e78a1bbf70?pvs=74
https://www.dlink.com/
 
D-Link--DIR-823X A security flaw has been discovered in D-Link DIR-823X 250416. The affected element is the function sub_4208A0 of the file /goform/set_dmz of the component Configuration Handler. The manipulation of the argument dmz_host/dmz_enable results in os command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. 2026-02-08 7.2 CVE-2026-2155 VDB-344857 | D-Link DIR-823X Configuration set_dmz sub_4208A0 os command injection
VDB-344857 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #748236 | D-Link DIR-823X 250416 OS Command Injection
Submit #750038 | D-Link DIR-823X 250416 OS Command Injection (Duplicate)
https://github.com/master-abc/cve/issues/32
https://www.dlink.com/
 
D-Link--DIR-823X A security vulnerability has been detected in D-Link DIR-823X 250416. This affects the function sub_4175CC of the file /goform/set_static_route_table. Such manipulation of the argument interface/destip/netmask/gateway/metric leads to os command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. 2026-02-08 7.2 CVE-2026-2157 VDB-344859 | D-Link DIR-823X set_static_route_table sub_4175CC os command injection
VDB-344859 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #748376 | D-Link DIR-823X 250416 OS Command Injection
https://github.com/master-abc/cve/issues/28
https://www.dlink.com/
 
code-projects--Student Web Portal A vulnerability was detected in code-projects Student Web Portal 1.0. This impacts an unknown function of the file /check_user.php. Performing a manipulation of the argument Username results in sql injection. It is possible to initiate the attack remotely. 2026-02-08 7.3 CVE-2026-2158 VDB-344860 | code-projects Student Web Portal check_user.php sql injection
VDB-344860 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #748816 | code-projects.org STUDENT WEB PORTAL IN PHP WITH SOURCE CODE 1.0 SQL Injection
https://github.com/Qing-420/cve/blob/main/sql.md
https://code-projects.org/
 
itsourcecode--Directory Management System A vulnerability was found in itsourcecode Directory Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/forget-password.php. The manipulation of the argument email results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. 2026-02-08 7.3 CVE-2026-2161 VDB-344863 | itsourcecode Directory Management System forget-password.php sql injection
VDB-344863 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #751082 | itsourcecode Directory Management System V1.0 SQL Injection
https://github.com/Wzl731/test/issues/1
https://itsourcecode.com/
 
detronetdip--E-commerce A security flaw has been discovered in detronetdip E-commerce 1.0.0. This issue affects some unknown processing of the file /seller/assets/backend/profile/addadhar.php. Performing a manipulation of the argument File results in unrestricted upload. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. 2026-02-08 7.3 CVE-2026-2164 VDB-344866 | detronetdip E-commerce addadhar.php unrestricted upload
VDB-344866 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #751853 | detronetdip E-commerce 1.0 Remote Code Execution
https://github.com/detronetdip/E-commerce/issues/23
https://github.com/Nixon-H/PHP-Unrestricted-Upload-RCE
https://github.com/detronetdip/E-commerce/
 
detronetdip--E-commerce A weakness has been identified in detronetdip E-commerce 1.0.0. Impacted is an unknown function of the file /Admin/assets/backend/seller/add_seller.php of the component Account Creation Endpoint. Executing a manipulation of the argument email can lead to missing authentication. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. 2026-02-08 7.3 CVE-2026-2165 VDB-344867 | detronetdip E-commerce Account Creation Endpoint add_seller.php missing authentication
VDB-344867 | CTI Indicators (IOB, IOC, IOA)
Submit #751857 | detronetdip E-commerce 1.0 Access Control Violation
https://github.com/detronetdip/E-commerce/issues/23
https://github.com/Nixon-H/Unauthenticated-Admin-Account-Creation
https://github.com/detronetdip/E-commerce/
 
code-projects--Online Reviewer System A security vulnerability has been detected in code-projects Online Reviewer System 1.0. The affected element is an unknown function of the file /login/index.php of the component Login. The manipulation of the argument username/password leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. 2026-02-08 7.3 CVE-2026-2166 VDB-344868 | code-projects Online Reviewer System Login index.php sql injection
VDB-344868 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #751858 | code-projects OnlineReviewerSystem 1.0 SQL Injection
Submit #750018 | code-projects ONLINE REVIEWER SYSTEM V1.0 SQL Injection (Duplicate)
https://github.com/liaoliao-hla/cve/issues/2
https://code-projects.org/
 
code-projects--Online Student Management System A vulnerability was found in code-projects Online Student Management System 1.0. Affected is an unknown function of the file accounts.php of the component Login. Performing a manipulation of the argument username/password results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. 2026-02-08 7.3 CVE-2026-2171 VDB-344872 | code-projects Online Student Management System Login accounts.php sql injection
VDB-344872 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #749233 | code-projects Online Student Management System in PHP unknown SQL Injection
https://code-projects.org/
 
code-projects--Online Application System for Admission A vulnerability was determined in code-projects Online Application System for Admission 1.0. Affected by this vulnerability is an unknown functionality of the file enrollment/index.php of the component Login Endpoint. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. 2026-02-08 7.3 CVE-2026-2172 VDB-344873 | code-projects Online Application System for Admission Login Endpoint index.php sql injection
VDB-344873 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #749253 | code-projects Online Application System for Admission in PHP unknown SQL Injection
https://code-projects.org/
 
code-projects--Online Examination System A vulnerability was identified in code-projects Online Examination System 1.0. Affected by this issue is some unknown functionality of the file login.php. The manipulation of the argument username/password leads to sql injection. The attack may be initiated remotely. 2026-02-08 7.3 CVE-2026-2173 VDB-344874 | code-projects Online Examination System login.php sql injection
VDB-344874 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #749255 | code-projects Online Examination System in PHP unknown sql
https://code-projects.org/
 
code-projects--Contact Management System A security flaw has been discovered in code-projects Contact Management System 1.0. This affects an unknown part of the component CRUD Endpoint. The manipulation of the argument ID results in improper authentication. The attack may be launched remotely. 2026-02-08 7.3 CVE-2026-2174 VDB-344875 | code-projects Contact Management System CRUD Endpoint improper authentication
VDB-344875 | CTI Indicators (IOB, IOC, IOA)
Submit #749262 | code-projects Contact Management System in PHP unknown Authentication Bypass Issues
https://code-projects.org/
 
D-Link--DIR-823X A weakness has been identified in D-Link DIR-823X 250416. This vulnerability affects the function sub_420618 of the file /goform/set_upnp. This manipulation of the argument upnp_enable causes os command injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. 2026-02-08 7.2 CVE-2026-2175 VDB-344876 | D-Link DIR-823X set_upnp sub_420618 os command injection
VDB-344876 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #749263 | D-Link DIR-823X 250416 OS Command Injection
https://github.com/master-abc/cve/issues/31
https://www.dlink.com/
 
SourceCodester--Prison Management System A vulnerability has been found in SourceCodester Prison Management System 1.0. The impacted element is an unknown function of the component Login. The manipulation leads to session fixiation. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. 2026-02-08 7.3 CVE-2026-2177 VDB-344880 | SourceCodester Prison Management System Login session fixiation
VDB-344880 | CTI Indicators (IOB, IOC)
Submit #749485 | SourceCodester Prison Management System Using PHP V1.0 Session Fixiation
https://github.com/hater-us/CVE/issues/10
https://www.sourcecodester.com/
 
UTT-- 521G A weakness has been identified in UTT 进取 521G 3.1.1-190816. Affected by this issue is the function doSystem of the file /goform/setSysAdm. Executing a manipulation of the argument passwd1 can lead to command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. 2026-02-08 7.2 CVE-2026-2182 VDB-344885 | UTT 进取 521G setSysAdm doSystem command injection
VDB-344885 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #749712 | UTT (艾泰) UTT521G NV521Gv2v3.1.1-190816 Command Injection
https://github.com/cha0yang1/UTT521G/blob/main/RCE1.md
https://github.com/cha0yang1/UTT521G/blob/main/RCE1.md#poc
 
Great Developers--Certificate Generation System A vulnerability was detected in Great Developers Certificate Generation System up to 97171bb0e5e22e52eacf4e4fa81773e5f3cffb73. This vulnerability affects unknown code of the file /restructured/csv.php. The manipulation of the argument photo results in os command injection. The attack can be executed remotely. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The code repository of the project has not been active for many years. 2026-02-08 7.3 CVE-2026-2184 VDB-344887 | Great Developers Certificate Generation System csv.php os command injection
VDB-344887 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #749714 | Great Developers Certificate Generator System 1.0 Improper Neutralization of Special Elements
https://github.com/lakshayyverma/CVE-Discovery/blob/main/Certificate2.md
 
UTT-- 521G A vulnerability was determined in UTT 进取 521G 3.1.1-190816. The impacted element is the function sub_446B18 of the file /goform/formPdbUpConfig. Executing a manipulation of the argument policyNames can lead to os command injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. 2026-02-08 7.2 CVE-2026-2188 VDB-344891 | UTT 进取 521G formPdbUpConfig sub_446B18 os command injection
VDB-344891 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #749733 | UTT (艾泰) UTT521G NV521Gv2v3.1.1-190816 Command Injection
https://github.com/cha0yang1/UTT521G/blob/main/RCE2.md
 
itsourcecode--School Management System A vulnerability was identified in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/report/index.php. The manipulation of the argument ay leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. 2026-02-08 7.3 CVE-2026-2189 VDB-344892 | itsourcecode School Management System index.php sql injection
VDB-344892 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #749746 | itsourcecode School Management System V1.0 SQL Injection
https://github.com/angtas/cve/issues/1
https://itsourcecode.com/
 
itsourcecode--School Management System A security flaw has been discovered in itsourcecode School Management System 1.0. This impacts an unknown function of the file /ramonsys/user/controller.php. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. 2026-02-08 7.3 CVE-2026-2190 VDB-344893 | itsourcecode School Management System controller.php sql injection
VDB-344893 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #749783 | itsourcecode School Management System V1.0 SQL Injection
https://github.com/yyue02/cve/issues/2
https://itsourcecode.com/
 
Tenda--AC9 A weakness has been identified in Tenda AC9 15.03.06.42_multi. Affected is the function formGetDdosDefenceList. This manipulation of the argument security.ddos.map causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. 2026-02-08 7.2 CVE-2026-2191 VDB-344894 | Tenda AC9 formGetDdosDefenceList stack-based overflow
VDB-344894 | CTI Indicators (IOB, IOC, IOA)
Submit #749800 | Tenda AC9 v1.0/V3.0 V15.03.06.42_multi Stack-based Buffer Overflow
https://github.com/glkfc/IoT-Vulnerability/blob/main/Tenda/tenda3.md
https://www.tenda.com.cn/
 
Tenda--AC9 A security vulnerability has been detected in Tenda AC9 15.03.06.42_multi. Affected by this vulnerability is the function formGetRebootTimer. Such manipulation of the argument sys.schedulereboot.start_time/sys.schedulereboot.end_time leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. 2026-02-08 7.2 CVE-2026-2192 VDB-344895 | Tenda AC9 formGetRebootTimer stack-based overflow
VDB-344895 | CTI Indicators (IOB, IOC, IOA)
Submit #749801 | Tenda AC9 v1.0/V3.0 V15.03.06.42_multi Stack-based Buffer Overflow
https://github.com/glkfc/IoT-Vulnerability/blob/main/Tenda/tenda4.md
https://www.tenda.com.cn/
 
code-projects--Online Reviewer System A vulnerability has been found in code-projects Online Reviewer System 1.0. This vulnerability affects unknown code of the file /system/system/admins/assessments/pretest/questions-view.php. The manipulation of the argument ID leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. 2026-02-08 7.3 CVE-2026-2195 VDB-344898 | code-projects Online Reviewer System questions-view.php sql injection
VDB-344898 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #750005 | code-projects Online Reviewer System V1 SQL Injection
https://github.com/tiancesec/CVE/issues/16
https://code-projects.org/
 
TeamViewer--Remote Improper access control in the TeamViewer Full and Host clients (Windows, macOS, Linux) prior version 15.74.5 allows an authenticated user to bypass additional access controls with "Allow after confirmation" configuration in a remote session. An exploit could result in unauthorized access prior to local confirmation. The user needs to be authenticated for the remote session via ID/password, Session Link, or Easy Access as a prerequisite to exploit this vulnerability. 2026-02-05 7.2 CVE-2026-23572 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1003/
 
apollographql--apollo-server Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone is vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users that use @apollo/server as a dependency for integration packages, like @as-integrations/express5 or @as-integrations/next, only direct usage of startStandaloneServer. 2026-02-04 7.5 CVE-2026-23897 https://github.com/apollographql/apollo-server/security/advisories/GHSA-mp6q-xf9x-fwf7
https://github.com/apollographql/apollo-server/commit/d25a5bdc377826ad424fcf7f8d1d062055911643
https://github.com/apollographql/apollo-server/commit/e9d49d163a86b8a33be56ed27c494b9acd5400a4
 
open-telemetry--opentelemetry-go OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0. 2026-02-02 7 CVE-2026-24051 https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq
https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53
 
NVIDIA--Megatron-LM NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, data tampering. 2026-02-03 7.8 CVE-2026-24149 NVD
Mitre
 
gunet--openeclass The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an insecure password reset mechanism allows local attackers to reuse a valid password reset token after it has already been used, enabling unauthorized password changes and potential account takeover. This issue has been patched in version 4.2. 2026-02-03 7.8 CVE-2026-24669 https://github.com/gunet/openeclass/security/advisories/GHSA-gcqq-fxw6-f866
 
gunet--openeclass The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into user profile fields, which is executed when users with viewing privileges access affected application pages. This issue has been patched in version 4.2. 2026-02-03 7.3 CVE-2026-24672 https://github.com/gunet/openeclass/security/advisories/GHSA-3p2x-qgxw-qvxh
 
gunet--openeclass The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows unauthenticated remote attackers to access personal files of other users by directly requesting predictable user identifiers. This issue has been patched in version 4.2. 2026-02-03 7.5 CVE-2026-24773 https://github.com/gunet/openeclass/security/advisories/GHSA-63pm-pff4-xc9c
 
chainguard-dev--melange melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3. 2026-02-04 7.8 CVE-2026-24844 https://github.com/chainguard-dev/melange/security/advisories/GHSA-vqqr-rmpc-hhg2
https://github.com/chainguard-dev/melange/commit/e51ca30cfb63178f5a86997d23d3fff0359fa6c8
 
Huawei--HarmonyOS Heap-based buffer overflow vulnerability in the image module. Impact: Successful exploitation of this vulnerability may affect availability. 2026-02-06 7.3 CVE-2026-24925 https://consumer.huawei.com/en/support/bulletin/2026/2/
https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/
 
chainguard-dev--apko apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. This issue has been patched in version 1.1.1. 2026-02-04 7.5 CVE-2026-25121 https://github.com/chainguard-dev/apko/security/advisories/GHSA-5g94-c2wx-8pxw
https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14
 
chainguard-dev--apko apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly-compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time, causing build failures or denial of service. This issue has been patched in version 1.1.1. 2026-02-04 7.5 CVE-2026-25140 https://github.com/chainguard-dev/apko/security/advisories/GHSA-f4w5-5xv9-85f6
https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09
 
chainguard-dev--melange melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds input-derived values (series paths, patch filenames, and numeric parameters) into shell scripts without proper quoting or validation, allowing shell metacharacters to break out of their intended context. The vulnerability affects the built-in patch pipeline which can be invoked through melange build and melange license-check operations. An attacker who can control patch-related inputs (e.g., through pull request-driven CI, build-as-a-service, or by influencing melange configurations) can inject shell metacharacters such as backticks, command substitutions $(…), semicolons, pipes, or redirections to execute arbitrary commands with the privileges of the melange build process. This issue has been patched in version 0.40.3. 2026-02-04 7.8 CVE-2026-25143 https://github.com/chainguard-dev/melange/security/advisories/GHSA-rf4g-89h5-crcr
https://github.com/chainguard-dev/melange/commit/bd132535cd9f57d4bd39d9ead0633598941af030
 
openclaw--openclaw OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the cd command failed, the unescaped path was interpolated directly into an echo statement, allowing arbitrary command execution on the remote SSH host. The parseSSHTarget function did not validate that SSH target strings could not begin with a dash. An attacker-supplied target like -oProxyCommand=... would be interpreted as an SSH configuration flag rather than a hostname, allowing arbitrary command execution on the local machine. This issue has been patched in version 2026.1.29. 2026-02-04 7.8 CVE-2026-25157 https://github.com/openclaw/openclaw/security/advisories/GHSA-q284-4pvr-m585
 
fastify--fastify Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2. 2026-02-03 7.5 CVE-2026-25223 https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq
https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821
https://hackerone.com/reports/3464114
https://fastify.dev/docs/latest/Reference/Validation-and-Serialization
https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125
https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, stack-based buffer overflow in icFixXml() function when processing malformed ICC profiles, allows potential arbitrary code execution through crafted NamedColor2 tags. This issue has been patched in version 2.3.1.2. 2026-02-03 7.8 CVE-2026-25502 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-c2qq-jf7w-rm27
https://github.com/InternationalColorConsortium/iccDEV/issues/537
https://github.com/InternationalColorConsortium/iccDEV/pull/545
https://github.com/InternationalColorConsortium/iccDEV/commit/be5d7ec5cc137c084c08006aee8cd3ed378c7ac2
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, type confusion allowed malformed ICC profiles to trigger undefined behavior when loading invalid icImageEncodingType values causing denial of service. This issue has been patched in version 2.3.1.2. 2026-02-03 7.1 CVE-2026-25503 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-pf84-4c7q-x764
https://github.com/InternationalColorConsortium/iccDEV/issues/539
https://github.com/InternationalColorConsortium/iccDEV/pull/547
https://github.com/InternationalColorConsortium/iccDEV/commit/353e6517a31cb6ac9fdd44ac0103bc2fadb25175
 
modelcontextprotocol--typescript-sdk MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. This issue has been patched in version 1.26.0. 2026-02-04 7.1 CVE-2026-25536 https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7
https://github.com/modelcontextprotocol/typescript-sdk/issues/204
https://github.com/modelcontextprotocol/typescript-sdk/issues/243
 
Coding-Solo--godot-mcp Godot MCP is a Model Context Protocol (MCP) server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input (e.g., projectPath) directly to exec(), which spawns a shell. An attacker could inject shell metacharacters like $(command) or &calc to execute arbitrary commands with the privileges of the MCP server process. This affects any tool that accepts projectPath, including create_scene, add_node, load_sprite, and others. This issue has been patched in version 0.1.1. 2026-02-04 7.8 CVE-2026-25546 https://github.com/Coding-Solo/godot-mcp/security/advisories/GHSA-8jx2-rhfh-q928
https://github.com/Coding-Solo/godot-mcp/issues/64
https://github.com/Coding-Solo/godot-mcp/pull/67
https://github.com/Coding-Solo/godot-mcp/commit/21c785d923cfdb471ea60323c13807d62dfecc5a
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a heap buffer overflow (read) vulnerability in CIccIO::WriteUInt16Float() when converting malformed XML to ICC profiles via iccFromXml tool. This issue has been patched in version 2.3.1.3. 2026-02-04 7.8 CVE-2026-25582 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-46hq-fphp-jggf
https://github.com/InternationalColorConsortium/iccDEV/issues/559
https://github.com/InternationalColorConsortium/iccDEV/pull/561
https://github.com/InternationalColorConsortium/iccDEV/commit/b5e5dd238f609ec1a4efb25674e7fa4bd29d894a
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a heap buffer overflow vulnerability in CIccFileIO::Read8() when processing malformed ICC profile files via unchecked fread operation. This issue has been patched in version 2.3.1.3. 2026-02-04 7.8 CVE-2026-25583 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-5ffg-r52h-fgw3
https://github.com/InternationalColorConsortium/iccDEV/issues/558
https://github.com/InternationalColorConsortium/iccDEV/pull/562
https://github.com/InternationalColorConsortium/iccDEV/commit/8a6df2d8dac1e971a18be66fa36e3a0d6584f919
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a stack-buffer-overflow vulnerability in CIccTagFloatNum<>::GetValues(). This is triggered when processing a malformed ICC profile. The vulnerability allows an out-of-bounds write on the stack, potentially leading to memory corruption, information disclosure, or code execution when processing specially crafted ICC files. This issue has been patched in version 2.3.1.3. 2026-02-04 7.8 CVE-2026-25584 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-xjr3-v3vr-5794
https://github.com/InternationalColorConsortium/iccDEV/issues/551
https://github.com/InternationalColorConsortium/iccDEV/pull/565
https://github.com/InternationalColorConsortium/iccDEV/commit/c9cb108f58683bd87afca616dea3e4cdb884c23f
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a vulnerability IccCmm.cpp:5793 when reading through index during ICC profile processing. The malformed ICC profile triggers improper array bounds validation in the color management module, resulting in an out-of-bounds read that can lead to memory disclosure or segmentation fault from accessing memory beyond the array boundary. This issue has been patched in version 2.3.1.3. 2026-02-04 7.8 CVE-2026-25585 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-pmqx-q624-jg6w
https://github.com/InternationalColorConsortium/iccDEV/issues/552
https://github.com/InternationalColorConsortium/iccDEV/pull/563
https://github.com/InternationalColorConsortium/iccDEV/commit/ba81cd94b9c82b1d3905d45427badbd9d8adfa15
 
Blesta--Blesta Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680. 2026-02-03 7.5 CVE-2026-25614 https://www.blesta.com/2026/01/28/security-advisory/
 
Blesta--Blesta Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668. 2026-02-03 7.2 CVE-2026-25615 https://www.blesta.com/2026/01/28/security-advisory/
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to 2.3.1.4, SrcPixel and DestPixel stack buffers overlap in CIccTagMultiProcessElement::Apply() int IccTagMPE.cpp. This vulnerability is fixed in 2.3.1.4. 2026-02-06 7.8 CVE-2026-25634 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-35rg-jcmp-583h
https://github.com/InternationalColorConsortium/iccDEV/issues/577
https://github.com/InternationalColorConsortium/iccDEV/pull/579
https://github.com/InternationalColorConsortium/iccDEV/commit/9206e0b8684e4cf4186d9ae768f16760bc1af9ff
https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.4
 
pydantic--pydantic-ai Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 1.34.0 to before 1.51.0, a path traversal vulnerability in the Pydantic AI web UI allows an attacker to serve arbitrary JavaScript in the context of the application by crafting a malicious URL. In affected versions, the CDN URL is constructed using a version query parameter from the request URL. This parameter is not validated, allowing path traversal sequences that cause the server to fetch and serve attacker-controlled HTML/JavaScript from an arbitrary source on the same CDN, instead of the legitimate chat UI package. If a victim clicks the link or visits it via an iframe, attacker-controlled code executes in their browser, enabling theft of chat history and other client-side data. This vulnerability only affects applications that use Agent.to_web to serve a chat interface and clai web to serve a chat interface from the CLI. These are typically run locally (on localhost), but may also be deployed on a remote server. This vulnerability is fixed in 1.51.0. 2026-02-06 7.1 CVE-2026-25640 https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-wjp5-868j-wqv7
https://github.com/pydantic/pydantic-ai/releases/tag/v1.51.0
 
datahub-project--datahub DataHub is an open-source metadata platform. Prior to version 1.3.1.8, the LDAP ingestion source is vulnerable to MITM attack through TLS downgrade. This issue has been patched in version 1.3.1.8. 2026-02-06 7.5 CVE-2026-25644 https://github.com/datahub-project/datahub/security/advisories/GHSA-j34h-x7qg-4qw5
 
kovidgoyal--calibre calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options. This vulnerability is fixed in 9.2.0. 2026-02-06 7.8 CVE-2026-25731 https://github.com/kovidgoyal/calibre/security/advisories/GHSA-xrh9-w7qx-3gcc
https://github.com/kovidgoyal/calibre/commit/f0649b27512e987b95fcab2e1e0a3bcdafc23379
 
zauberzeug--nicegui NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0. 2026-02-06 7.5 CVE-2026-25732 https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh
https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115
https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L79-L82
 
adonisjs--core AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next.9. 2026-02-06 7.2 CVE-2026-25754 https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c
https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed
https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9
 
adonisjs--core AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a denial of service (DoS) vulnerability exists in the multipart file handling logic of @adonisjs/bodyparser. When processing file uploads, the multipart parser may accumulate an unbounded amount of data in memory while attempting to detect file types, potentially leading to excessive memory consumption and process termination. This issue has been patched in versions 10.1.3 and 11.0.0-next.9. 2026-02-06 7.5 CVE-2026-25762 https://github.com/adonisjs/core/security/advisories/GHSA-xx9g-fh25-4q64
https://github.com/adonisjs/bodyparser/releases/tag/v10.1.3
https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9
 

Back to top

Medium Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
Sweethawk--Zendesk App SweetHawk Survey Zendesk SweetHawk Survey 1.6 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through support ticket submissions. Attackers can insert XSS payloads like script tags into ticket text that automatically execute when survey pages are loaded by other users. 2026-02-03 6.4 CVE-2019-25263 ExploitDB-47781
SweetHawk Survey App Vendor Homepage
Zendesk Survey App Software Page
VulnCheck Advisory: Zendesk App SweetHawk Survey 1.6 - Persistent Cross-Site Scripting
 
Snipeitapp--IT Open Source Asset Management Snipe-IT 4.7.5 contains a persistent cross-site scripting vulnerability that allows authorized users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script tags to execute arbitrary JavaScript when the accessory is viewed by other users. 2026-02-03 6.4 CVE-2019-25264 ExploitDB-47756
Official Vendor Homepage
Snipe-IT Software Release v4.7.5
VulnCheck Advisory: Snipe-IT Open Source Asset Management 4.7.5 - Persistent Cross-Site Scripting
 
Bigprof--Online Inventory Manager Online Inventory Manager 3.2 contains a stored cross-site scripting vulnerability in the group description field of the admin edit groups section. Attackers can inject malicious JavaScript through the description field that will execute when the groups page is viewed, allowing potential cookie theft and client-side script execution. 2026-02-03 6.4 CVE-2019-25265 ExploitDB-47725
Vendor Homepage
Software Download Page
VulnCheck Advisory: Online Inventory Manager 3.2 - Persistent Cross-Site Scripting
 
lolypop55--html5_snmp html5_snmp 1.11 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through the 'Remark' parameter in add_router_operation.php. Attackers can craft a POST request with a script payload in the Remark field to execute arbitrary JavaScript in victim browsers when the page is loaded. 2026-02-06 6.4 CVE-2019-25294 ExploitDB-47587
Vendor Homepage
VulnCheck Advisory: html5_snmp 1.11 - 'Remark' Persistent Cross-Site Scripting
 
thrsrossi--Millhouse Project Millhouse-Project 1.414 contains a persistent cross-site scripting vulnerability in the comment submission functionality that allows attackers to inject malicious scripts. Attackers can post comments with embedded JavaScript through the 'content' parameter in add_comment_sql.php to execute arbitrary scripts in victim browsers. 2026-02-06 6.4 CVE-2019-25301 ExploitDB-47583
Vendor Homepage
VulnCheck Advisory: thrsrossi Millhouse-Project 1.414 - 'content' Persistent Cross-Site Scripting
 
Twinkle Toes Software--Booked Scheduler Booked Scheduler 2.7.7 contains a directory traversal vulnerability in the manage_email_templates.php script that allows authenticated administrators to access unauthorized files. Attackers can exploit the vulnerable 'tn' parameter to read files outside the intended directory by manipulating directory path traversal techniques. 2026-02-03 6.5 CVE-2020-37077 ExploitDB-48428
Booked Scheduler Official Website
Archived Booked Scheduler SourceForge Page
VulnCheck Advisory: Booked Scheduler 2.7.7 - Authenticated Directory Traversal
 
Rubikon Teknoloji--Easy Transfer Easy Transfer 1.7 iOS mobile application contains a directory traversal vulnerability that allows remote attackers to access unauthorized file system paths without authentication. Attackers can exploit the vulnerability by manipulating path parameters in GET and POST requests to list or download sensitive system files and inject malicious scripts into application parameters. 2026-02-03 6.2 CVE-2020-37086 ExploitDB-48395
Vulnerability-Lab Advisory
Official App Store Product Page
VulnCheck Advisory: Easy Transfer 1.7 for iOS - Directory Traversal
 
Dnnsoftware--DotNetNuke DotNetNuke 9.5 contains a persistent cross-site scripting vulnerability that allows normal users to upload malicious XML files with executable scripts through journal tools. Attackers can upload XML files with XHTML namespace scripts to execute arbitrary JavaScript in users' browsers, potentially bypassing CSRF protections and performing more damaging attacks. 2026-02-03 6.4 CVE-2020-37103 ExploitDB-48124
DotNetNuke Official Vendor Homepage
Vulnerability Analysis Blog Post
VulnCheck Advisory: DotNetNuke 9.5 - Persistent Cross-Site Scripting
 
Davidvg--60CycleCMS 60CycleCMS 2.5.2 contains a cross-site scripting (XSS) vulnerability in news.php that allows attackers to inject malicious scripts through GET parameters. Attackers can craft malicious URLs with XSS payloads targeting the 'etsu' and 'ltsu' parameters to execute arbitrary scripts in victim's browsers. This issue does not involve SQL injection. 2026-02-03 6.1 CVE-2020-37111 ExploitDB-48177
Vendor Homepage
Software Download Link
VulnCheck Advisory: 60CycleCMS 2.5.2 - 'news.php' Cross-site Scripting (XSS) Vulnerability
 
Openeclass--GUnet OpenEclass GUnet OpenEclass 1.7.3 stores user credentials in plaintext, allowing administrators to view all registered users' usernames and passwords without encryption. This vulnerability exposes sensitive information and increases the risk of credential theft and unauthorized access. 2026-02-03 6.5 CVE-2020-37115 ExploitDB-48163
Official Vendor Homepage
Changelog
VulnCheck Advisory: GUnet OpenEclass 1.7.3 E-learning platform - Plaintext Password Storage
 
EmTec--ZOC Terminal ZOC Terminal 7.25.5 contains a script processing vulnerability that allows local attackers to crash the application by loading a maliciously crafted REXX script file. Attackers can generate an oversized script with 20,000 repeated characters to trigger an application crash and cause a denial of service. 2026-02-05 6.2 CVE-2020-37128 ExploitDB-48302
Vendor Homepage
VulnCheck Advisory: ZOC Terminal 7.25.5 - 'Script' Denial of Service
 
Nsauditor--Product Key Explorer Nsauditor Product Key Explorer 4.2.2.0 contains a denial of service vulnerability that allows local attackers to crash the application by inputting a specially crafted registration key. Attackers can generate a payload of 1000 bytes of repeated characters and paste it into the 'Key' input field to trigger the application crash. 2026-02-05 6.2 CVE-2020-37131 ExploitDB-48284
Vendor Homepage
VulnCheck Advisory: Product Key Explorer 4.2.2.0 - 'Key' Denial of Service
 
UltraVNC Team--UltraVNC Launcher UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in its password configuration properties that allows local attackers to crash the application. Attackers can paste an overly long 300-character string into the password field to trigger an application crash and prevent normal launcher functionality. 2026-02-05 6.2 CVE-2020-37132 ExploitDB-48290
UltraVNC Official Homepage
VulnCheck Advisory: UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service
 
PHP Fusion--PHP Fusion PHP-Fusion 9.03.50 contains a remote code execution vulnerability in the 'add_panel_form()' function that allows attackers to execute arbitrary code through an eval() function with unsanitized POST data. Attackers can exploit the vulnerability by sending crafted panel_content POST parameters to the panels.php administration endpoint to execute malicious code. 2026-02-05 6.1 CVE-2020-37137 ExploitDB-48278
PHP Fusion Official Website
VulnCheck Advisory: PHP-Fusion 9.03.50 - 'panels.php' Eval Injection
 
Veridium--SprintWork SprintWork 2.3.1 contains multiple local privilege escalation vulnerabilities through insecure file, service, and folder permissions on Windows systems. Local unprivileged users can exploit missing executable files and weak service configurations to create a new administrative user and gain complete system access. 2026-02-06 6.2 CVE-2020-37160 ExploitDB-48070
Vendor Homepage
Product Information Page
VulnCheck Advisory: SprintWork 2.3.1 - Local Privilege Escalation
 
Celestial Software--AbsoluteTelnet AbsoluteTelnet 11.12 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized license name. Attackers can generate a 2500-character payload and paste it into the license entry field to trigger an application crash. 2026-02-06 6.2 CVE-2020-37164 ExploitDB-48005
Vendor Homepage
VulnCheck Advisory: AbsoluteTelnet 11.12 - "license entry" Denial of Service
 
Celestial Software--AbsoluteTelnet AbsoluteTelnet 11.12 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized license name. Attackers can generate a 2500-character payload and paste it into the license name field to trigger an application crash. 2026-02-06 6.2 CVE-2020-37165 ExploitDB-48006
Vendor Homepage
VulnCheck Advisory: AbsoluteTelnet 11.12 - "license name" Denial of Service
 
Celestial Software--AbsoluteTelnet AbsoluteTelnet 11.12 contains a denial of service vulnerability in the SSH2 username input field that allows local attackers to crash the application. Attackers can overwrite the username field with a 1000-byte buffer, causing the application to become unresponsive and terminate. 2026-02-06 6.2 CVE-2020-37166 ExploitDB-48010
Vendor Homepage
VulnCheck Advisory: AbsoluteTelnet 11.12 - 'SSH2/username' Denial of Service
 
Raimersoft--TapinRadio TapinRadio 2.12.3 contains a denial of service vulnerability in the application proxy address configuration that allows local attackers to crash the application. Attackers can overwrite the address field with 3000 bytes of arbitrary data to trigger an application crash and prevent normal program functionality. 2026-02-06 6.2 CVE-2020-37170 ExploitDB-48011
TapinRadio Product Webpage
VulnCheck Advisory: TapinRadio 2.12.3 - 'address' Denial of Service
 
Raimersoft--TapinRadio TapinRadio 2.12.3 contains a denial of service vulnerability in the application proxy username configuration that allows local attackers to crash the application. Attackers can overwrite the username field with 10,000 bytes of arbitrary data to trigger an application crash and prevent normal program functionality. 2026-02-06 6.2 CVE-2020-37171 ExploitDB-48013
TapinRadio Product Webpage
VulnCheck Advisory: TapinRadio 2.12.3 - 'username' Denial of Service
 
Innomic--VibroLine VLX1 HD 5.0 An unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (RS485). 2026-02-02 6.5 CVE-2022-50979 https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html
https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json
 
Innomic--VibroLine VLX1 HD 5.0 A unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via CAN. 2026-02-02 6.5 CVE-2022-50980 https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html
https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json
 
IBM--Concert IBM Concert 1.0.0 through 2.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. 2026-02-04 6.3 CVE-2024-43181 https://www.ibm.com/support/pages/node/7257006
 
IBM--Concert IBM Concert 1.0.0 through 2.1.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. 2026-02-04 6.5 CVE-2024-51451 https://www.ibm.com/support/pages/node/7257006
 
boldthemes--Bold Page Builder The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_raw_content shortcode in all versions up to, and including, 5.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-02-07 6.4 CVE-2025-12159 https://www.wordfence.com/threat-intel/vulnerabilities/id/f492dcb6-0aa7-476d-bb85-c81a136d02a6?source=cve
https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.4.8/content_elements/bt_bb_raw_content/bt_bb_raw_content.php#L25
 
boldthemes--Bold Page Builder The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-02-07 6.4 CVE-2025-12803 https://www.wordfence.com/threat-intel/vulnerabilities/id/64f30329-ecf2-4e30-bc23-9d447e239e08?source=cve
https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.4.8/content_elements/bt_bb_tabs/bt_bb_tabs.php
https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.4.8/content_elements/bt_bb_tabs/bt_bb_tabs.php#L65
 
boldthemes--Bold Page Builder The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Grid component in all versions up to, and including, 5.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-02-07 6.4 CVE-2025-13463 https://www.wordfence.com/threat-intel/vulnerabilities/id/865ff4bf-608e-45f0-a160-35581b82cc2b?source=cve
https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.5.3/content_elements/bt_bb_css_post_grid/bt_bb_css_post_grid.php#L46
https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.5.3/content_elements/bt_bb_css_post_grid/bt_bb_css_post_grid.js#L8
 
IBM--webMethods Integration (on prem) - Integration Server IBM webMethods Integration (on prem) - Integration Server 10.15 through IS_10.15_Core_Fix2411.1 to IS_11.1_Core_Fix8 IBM webMethods Integration could disclose sensitive user information in server responses. 2026-02-05 6.5 CVE-2025-14150 https://www.ibm.com/support/pages/node/7259518
 
Docker Inc.--Docker Desktop Docker Desktop for Windows contains multiple incorrect permission assignment vulnerabilities in the installer's handling of the C:\ProgramData\DockerDesktop directory. The installer creates this directory without proper ownership verification, creating two exploitation scenarios: Scenario 1 (Persistent Attack): If a low-privileged attacker pre-creates C:\ProgramData\DockerDesktop before Docker Desktop installation, the attacker retains ownership of the directory even after the installer applies restrictive ACLs. At any time after installation completes, the attacker can modify the directory ACL (as the owner) and tamper with critical configuration files such as install-settings.json to specify a malicious credentialHelper, causing arbitrary code execution when any user runs Docker Desktop. Scenario 2 (TOCTOU Attack): During installation, there is a time-of-check-time-of-use (TOCTOU) race condition between when the installer creates C:\ProgramData\DockerDesktop and when it sets secure ACLs. A low-privileged attacker actively monitoring for the installation can inject malicious files (such as install-settings.json) with attacker-controlled ACLs during this window, achieving the same code execution outcome. 2026-02-04 6.7 CVE-2025-14740 https://docs.docker.com/security/
https://www.zerodayinitiative.com/advisories/ZDI-CAN-28542/
https://www.zerodayinitiative.com/advisories/ZDI-CAN-28190/
 
lwsdevelopers--MyRewards Loyalty Points and Rewards for WooCommerce Reward orders, referrals, product reviews and more The MyRewards - Loyalty Points and Rewards for WooCommerce plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 5.6.0. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'ajax' function. This makes it possible for authenticated attackers, with subscriber level access and above, to modify, add, or delete loyalty program earning rules, including manipulating point multipliers to arbitrary values. 2026-02-04 6.5 CVE-2025-15260 https://www.wordfence.com/threat-intel/vulnerabilities/id/2591f473-44ff-4319-8b17-b0f793a29d66?source=cve
https://plugins.trac.wordpress.org/browser/woorewards/tags/5.6.0/assets/lws-adminpanel/include/internal/editlistcontroler.php#L76
 
boldthemes--Bold Page Builder The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_accordion_item shortcode in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-02-07 6.4 CVE-2025-15267 https://www.wordfence.com/threat-intel/vulnerabilities/id/38a3b3bf-9538-4ae8-9da4-d4b48805763b?source=cve
https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.5.7/content_elements/bt_bb_accordion_item/bt_bb_accordion_item.php?marks=28#L28
 
Tanium--Tanium Appliance Tanium addressed an improper output sanitization vulnerability in Tanium Appliance. 2026-02-05 6.6 CVE-2025-15312 TAN-2025-003
 
Tanium--Engage Tanium addressed a documentation issue in Engage. 2026-02-05 6.6 CVE-2025-15324 TAN-2025-004
 
Tanium--Discover Tanium addressed an improper input validation vulnerability in Discover. 2026-02-05 6.3 CVE-2025-15325 TAN-2025-005
 
Tanium--Performance Tanium addressed an incorrect default permissions vulnerability in Performance. 2026-02-05 6.5 CVE-2025-15336 TAN-2025-029
 
Tanium--Patch Tanium addressed an incorrect default permissions vulnerability in Patch. 2026-02-05 6.5 CVE-2025-15337 TAN-2025-029
 
Tanium--Partner Integration Tanium addressed an incorrect default permissions vulnerability in Partner Integration. 2026-02-05 6.5 CVE-2025-15338 TAN-2025-029
 
Tanium--Discover Tanium addressed an incorrect default permissions vulnerability in Discover. 2026-02-05 6.5 CVE-2025-15339 TAN-2025-029
 
Tanium--Comply Tanium addressed an incorrect default permissions vulnerability in Comply. 2026-02-05 6.5 CVE-2025-15340 TAN-2025-029
 
Tanium--Benchmark Tanium addressed an incorrect default permissions vulnerability in Benchmark. 2026-02-05 6.5 CVE-2025-15341 TAN-2025-029
 
Tanium--Enforce Tanium addressed an incorrect default permissions vulnerability in Enforce. 2026-02-05 6.5 CVE-2025-15343 TAN-2025-032
 
simonfairbairn--The Bucketlister The Bucketlister plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode `category` and `id` attributes in all versions up to, and including, 0.1.5 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-02-07 6.5 CVE-2025-15477 https://www.wordfence.com/threat-intel/vulnerabilities/id/fba36ebc-a396-4eb8-8cb6-afc50b9c974e?source=cve
https://plugins.trac.wordpress.org/browser/the-bucketlister/tags/0.1.5/bucketlister.php#L19
 
HCLSoftware--HCL DevOps Velocity Rate limiting for certain API calls is not being enforced, making HCL Velocity vulnerable to Denial of Service (DoS) attacks. An attacker could flood the system with a large number of requests, overwhelming its resources and causing it to become unresponsive to legitimate users. This vulnerability is fixed in 5.1.7. 2026-02-07 6.8 CVE-2025-31990 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128585
 
IBM--PowerVM Hypervisor IBM PowerVM Hypervisor FW1110.00 through FW1110.03, FW1060.00 through FW1060.51, and FW950.00 through FW950.F0 could allow a local user with administration privileges to obtain sensitive information from a Virtual TPM through a series of PowerVM service procedures. 2026-02-02 6 CVE-2025-36238 https://www.ibm.com/support/pages/node/7257556
 
IBM--Cloud Pak for Business Automation IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 007  is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. 2026-02-02 6.4 CVE-2025-36436 https://www.ibm.com/support/pages/node/7259318
 
Qualcomm, Inc.--Snapdragon Memory corruption when calculating oversized partition sizes without proper checks. 2026-02-02 6.8 CVE-2025-47363 https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory corruption while calculating offset from partition start point. 2026-02-02 6.8 CVE-2025-47364 https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Transient DOS when processing a received frame with an excessively large authentication information element. 2026-02-02 6.5 CVE-2025-47402 https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html
 
N/A--Moodle[.]org A flaw was found in moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet. 2026-02-03 6.1 CVE-2025-67851 https://access.redhat.com/security/cve/CVE-2025-67851
RHBZ#2423841
https://moodle.org/mod/forum/discuss.php?d=471301
 
nanomq--nanomq NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, NanoMQ has a protocol parsing / forwarding inconsistency when handling shared subscriptions ($share/). A malformed SUBSCRIBE topic such as $share/ab (missing the second /) is not strictly validated during the subscription stage, so the invalid Topic Filter is stored into the subscription table. Later, when any PUBLISH matches this subscription, the broker send path (nmq_pipe_send_start_v4/v5) performs a second $share/ parsing using strchr() and increments the returned pointer without NULL checks. If the second strchr() returns NULL, sub_topic++ turns the pointer into an invalid address (e.g. 0x1). This invalid pointer is then passed into topic_filtern(), which triggers strlen() and crashes with SIGSEGV. The crash is stable and remotely triggerable. This issue has been patched in version 0.24.7. 2026-02-04 6.5 CVE-2025-68699 https://github.com/nanomq/nanomq/security/advisories/GHSA-qv5f-c6v2-2f8h
https://github.com/nanomq/nanomq/commit/89d68d678e7f841ae7baa45cba8d9bc7ddc9ef4b
 
Microsoft--Microsoft Edge (Chromium-based) User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network. 2026-02-05 6.5 CVE-2026-0391 Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability
 
premmerce--Premmerce The Premmerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premmerce_wizard_actions' AJAX endpoint in all versions up to, and including, 1.3.20. This is due to missing capability checks and insufficient input sanitization and output escaping on the `state` parameter. This makes it possible for authenticated attackers, with subscriber level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page (the Premmerce Wizard admin page). 2026-02-07 6.4 CVE-2026-0555 https://www.wordfence.com/threat-intel/vulnerabilities/id/90b2a644-19a0-43a1-8ff6-7486d7ef29b3?source=cve
https://plugins.trac.wordpress.org/browser/premmerce/tags/1.3.20/src/Admin/Admin.php?marks=41#L41
https://plugins.trac.wordpress.org/browser/premmerce/tags/1.3.20/src/Admin/Handlers/WizardHandler.php?marks=42,50,52#L42
https://plugins.trac.wordpress.org/browser/premmerce/tags/1.3.20/src/Api/WizardApi.php?marks=38#L38
https://plugins.trac.wordpress.org/browser/premmerce/tags/1.3.20/views/admin/tabs/wizard.php?marks=30#L30
 
webpurify--WebPurify Profanity Filter The WebPurify Profanity Filter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webpurify_save_options' function in all versions up to, and including, 4.0.2. This makes it possible for unauthenticated attackers to change plugin settings. 2026-02-04 6.5 CVE-2026-0572 https://www.wordfence.com/threat-intel/vulnerabilities/id/9283f6ea-8bc4-4fdd-a0b9-05de127f34e4?source=cve
https://plugins.trac.wordpress.org/browser/webpurifytextreplace/trunk/webpurifytextreplace-options.php?rev=2343695#L92
 
zealopensource--Smart Appointment & Booking The Smart Appointment & Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the saab_save_form_data AJAX action in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-02-04 6.4 CVE-2026-0742 https://www.wordfence.com/threat-intel/vulnerabilities/id/bf332c0d-5481-412d-b44a-b3de346d7b60?source=cve
https://plugins.trac.wordpress.org/browser/smart-appointment-booking/trunk/inc/admin/class.saab.admin.action.php#L1203
https://plugins.trac.wordpress.org/browser/smart-appointment-booking/tags/1.0.7/inc/admin/class.saab.admin.action.php#L1203
https://plugins.trac.wordpress.org/browser/smart-appointment-booking/trunk/inc/front/class.saab.front.action.php#L2189
https://plugins.trac.wordpress.org/browser/smart-appointment-booking/tags/1.0.7/inc/front/class.saab.front.action.php#L2189
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3450387%40smart-appointment-booking&new=3450387%40smart-appointment-booking&sfp_email=&sfph_mail=
 
catchthemes--Essential Widgets The Essential Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ew-author, ew-archive, ew-category, ew-page, and ew-menu shortcodes in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in version 3.0. 2026-02-05 6.4 CVE-2026-0867 https://www.wordfence.com/threat-intel/vulnerabilities/id/08d4ed49-1338-422f-b55f-a102f2d1d6c8?source=cve
https://plugins.trac.wordpress.org/changeset/3440541/essential-widgets
https://plugins.trac.wordpress.org/changeset/3447282/essential-widgets
 
thehappymonster--Happy Addons for Elementor The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_elementor_data' meta field in all versions up to, and including, 3.20.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-02-03 6.4 CVE-2026-1210 https://www.wordfence.com/threat-intel/vulnerabilities/id/df4b554a-0336-404c-b06c-2bc98c99997d?source=cve
https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/widgets/svg-draw/widget.php#L732
https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.4/widgets/svg-draw/widget.php#L732
https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/widgets/age-gate/widget.php#L2055
https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.4/widgets/age-gate/widget.php#L2055
https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/widgets/age-gate/widget.php#L2120
https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.4/widgets/age-gate/widget.php#L2120
https://plugins.trac.wordpress.org/changeset/3451894/happy-elementor-addons/trunk/widgets/svg-draw/widget.php?old=3312461&old_path=happy-elementor-addons%2Ftrunk%2Fwidgets%2Fsvg-draw%2Fwidget.php
 
jackdewey--Events Listing Widget The Events Listing Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Event URL' parameter in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-02-06 6.4 CVE-2026-1252 https://www.wordfence.com/threat-intel/vulnerabilities/id/7f3b13a5-0711-4ad3-b11c-f8556e1ca9f9?source=cve
https://plugins.trac.wordpress.org/browser/events-listing-widget/trunk/events-listing-widget.php#L266
https://plugins.trac.wordpress.org/browser/events-listing-widget/tags/1.3.4/events-listing-widget.php#L266
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3451446%40events-listing-widget&new=3451446%40events-listing-widget&sfp_email=&sfph_mail=
 
brechtvds--Dynamic Widget Content The Dynamic Widget Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget content field in the Gutenberg editor sidebar in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-02-05 6.4 CVE-2026-1268 https://www.wordfence.com/threat-intel/vulnerabilities/id/5324ca6d-37cb-41e4-8355-80ca113f855e?source=cve
https://plugins.trac.wordpress.org/browser/dynamic-widget-content/tags/1.3.6/helpers/blocks.php#L64
https://plugins.trac.wordpress.org/browser/dynamic-widget-content/tags/1.3.6/helpers/blocks.php#L70
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444655%40dynamic-widget-content&new=3444655%40dynamic-widget-content&sfp_email=&sfph_mail=
 
cyberlord92--Employee Directory Staff Directory and Listing The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_title' parameter in the `search_employee_directory` shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-02-06 6.4 CVE-2026-1279 https://www.wordfence.com/threat-intel/vulnerabilities/id/f0d3b54c-6244-4776-be3c-afe3a28a2b8a?source=cve
https://plugins.trac.wordpress.org/browser/employee-staff-directory/trunk/handler/mo-empdir-search_handler.php#L29
https://wordpress.org/plugins/employee-staff-directory
https://plugins.trac.wordpress.org/browser/employee-staff-directory/tags/1.2.1/handler/mo-empdir-search_handler.php#L29
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448620%40employee-staff-directory&new=3448620%40employee-staff-directory
 
yoast--Yoast SEO Advanced SEO with real-time guidance and built-in AI The Yoast SEO - Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the `yoast-schema` block attribute in all versions up to, and including, 26.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-02-06 6.4 CVE-2026-1293 https://www.wordfence.com/threat-intel/vulnerabilities/id/8b2e7c2d-ed2f-439b-9cee-f2e5d46121b6?source=cve
https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/src/presenters/schema-presenter.php#L49
https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/inc/class-wpseo-utils.php#L915
https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/src/generators/schema-generator.php#L188
 
themeisle--Robin Image Optimizer Unlimited Image Optimization & WebP Converter The Robin Image Optimizer - Unlimited Image Optimization & WebP Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of a Media Library image in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-02-05 6.4 CVE-2026-1319 https://www.wordfence.com/threat-intel/vulnerabilities/id/288cd86b-8d13-46bf-99ef-76698cd62a41?source=cve
https://plugins.trac.wordpress.org/changeset/3445467/robin-image-optimizer/tags/2.0.3/libs/addons/includes/classes/webp/vendor/rosell-dk/dom-util-for-webp/src/PictureTags.php
 
jackdewey--Tune Library The Tune Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via CSV import in all versions up to, and including, 1.6.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. The vulnerability exists because the CSV import functionality lacks authorization checks and doesn't sanitize imported data, which is later rendered without escaping through the [tune-library] shortcode. 2026-02-06 6.4 CVE-2026-1401 https://www.wordfence.com/threat-intel/vulnerabilities/id/cd600810-b1bc-4025-b441-5c90da7240de?source=cve
https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/tune-library.php#L219
https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/tune-library.php#L235
https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/writeNodes.php#L113
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3451457%40tune-library&new=3451457%40tune-library&sfp_email=&sfph_mail=
 
dannycarlton--Simple Bible Verse via Shortcode The Simple Bible Verse via Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `verse` shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-02-07 6.4 CVE-2026-1570 https://www.wordfence.com/threat-intel/vulnerabilities/id/098b979f-337d-4fbd-bfcc-0e8a281e6982?source=cve
https://plugins.trac.wordpress.org/browser/simple-bible-verse-via-shortcode/trunk/index.php#L40
 
omi-mexico--OMIGO The OMIGO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `omigo_donate_button` shortcode in all versions up to, and including, 3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-02-07 6.4 CVE-2026-1573 https://www.wordfence.com/threat-intel/vulnerabilities/id/f2cf46e6-a732-45c4-ad18-607009d7a586?source=cve
https://plugins.trac.wordpress.org/browser/omigo/trunk/omigo.php?rev=2778497#L386
 
Foxit Software Inc.--pdfonline.foxit.com Foxit PDF Editor Cloud (pdfonline) contains a stored cross-site scripting vulnerability in the file upload feature. A malicious username is embedded into the upload file list without proper escaping, allowing arbitrary JavaScript execution when the list is displayed. This issue affects pdfonline.foxit.com: before 2026‑02‑03. 2026-02-03 6.3 CVE-2026-1591 https://www.foxit.com/support/security-bulletins.html
 
Foxit Software Inc.--pdfonline.foxit.com Foxit PDF Editor Cloud (pdfonline) contains a stored cross-site scripting vulnerability in the Create New Layer feature. Unsanitized user input is embedded into the HTML output, allowing arbitrary JavaScript execution when the layer is referenced. This issue affects pdfonline.foxit.com: before 2026‑02‑03. 2026-02-03 6.3 CVE-2026-1592 https://www.foxit.com/support/security-bulletins.html
 
tigor4eg--Video Onclick The Video Onclick plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `youtube` shortcode in all versions up to, and including, 0.4.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-02-07 6.4 CVE-2026-1608 https://www.wordfence.com/threat-intel/vulnerabilities/id/73ddf729-da69-4d0b-866f-34a92ec72800?source=cve
https://plugins.trac.wordpress.org/browser/video-onclick/tags/0.4.7/video-onclick.php#L109
 
jmrukkers--Wikiloops Track Player The Wikiloops Track Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wikiloops` shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-02-07 6.4 CVE-2026-1611 https://www.wordfence.com/threat-intel/vulnerabilities/id/cb472bdb-de35-45e4-bcea-04f27d425817?source=cve
https://plugins.trac.wordpress.org/browser/wikiloops-track-player/tags/1.0.1/Wikiloops-Track-Player.php#L19
 
mrlister1--Wonka Slide The Wonka Slide plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `list_class` shortcode in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-02-07 6.4 CVE-2026-1613 https://www.wordfence.com/threat-intel/vulnerabilities/id/f15f0211-724d-45b5-bf2f-7482f77c474d?source=cve
https://plugins.trac.wordpress.org/browser/wonka-slide/trunk/admin/class-wonka-slide-build.php#L65
 
alexdtn--Subitem AL Slider The Subitem AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2026-02-07 6.1 CVE-2026-1634 https://www.wordfence.com/threat-intel/vulnerabilities/id/4bfeff72-27de-46a9-b947-f60255b5d062?source=cve
https://wordpress.org/plugins/subitem-al-slider/
https://plugins.trac.wordpress.org/browser/subitem-al-slider/trunk/templates/tab1_block1.tpl#L11
https://plugins.trac.wordpress.org/browser/subitem-al-slider/tags/1.0.0/templates/tab1_block1.tpl#L11
 
ariagle--MP-Ukagaka The MP-Ukagaka plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2026-02-07 6.1 CVE-2026-1643 https://www.wordfence.com/threat-intel/vulnerabilities/id/14c3b53c-ba98-4e93-ba65-6da11816d7a6?source=cve
https://wordpress.org/plugins/mp-ukagaka/
https://plugins.trac.wordpress.org/browser/mp-ukagaka/trunk/options.php#L160
https://plugins.trac.wordpress.org/browser/mp-ukagaka/tags/1.5.2/options.php#L160
 
pkthree--Peters Date Countdown The Peter's Date Countdown plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2026-02-05 6.1 CVE-2026-1654 https://www.wordfence.com/threat-intel/vulnerabilities/id/f8f8e436-2679-4ecb-831e-2b22dd99be32?source=cve
https://plugins.trac.wordpress.org/browser/peters-date-countdown/tags/2.0.0/datecountdown.php#L246
https://plugins.trac.wordpress.org/changeset/3450122/
 
EFM--ipTIME A8004T A vulnerability was determined in EFM ipTIME A8004T 14.18.2. Affected is the function httpcon_check_session_url of the file /sess-bin/d.cgi of the component Debug Interface. This manipulation of the argument cmd causes backdoor. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-02 6.6 CVE-2026-1741 VDB-343640 | EFM ipTIME A8004T Debug d.cgi httpcon_check_session_url backdoor
VDB-343640 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #741423 | EFM IPTIME A8004T 14.18.2 Command Injection
https://github.com/LX-LX88/cve/issues/28
 
n/a--JeecgBoot A vulnerability was identified in JeecgBoot 3.9.0. This vulnerability affects unknown code of the file /JeecgBoot/sys/api/loadDictItemByKeyword of the component Online Report API. Such manipulation of the argument keyword leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-02 6.3 CVE-2026-1746 VDB-343677 | JeecgBoot Online Report API loadDictItemByKeyword sql injection
VDB-343677 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #741647 | Beijing Guoju Information Technology Co., Ltd JeecgBoot 3.9.0 SQL Injection
https://www.yuque.com/meizhiyuwai/sks4nu/clircmda9b8q66lo?singleDoc
 
themeisle--Menu Icons by ThemeIsle The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_wp_attachment_image_alt' post meta in all versions up to, and including, 0.13.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-02-03 6.4 CVE-2026-1755 https://www.wordfence.com/threat-intel/vulnerabilities/id/30bfa616-c7f3-4ff0-85b3-468debc8a73e?source=cve
https://plugins.trac.wordpress.org/browser/menu-icons/tags/0.13.20/includes/front.php#L497
https://plugins.trac.wordpress.org/changeset/3452685/menu-icons
 
Red Hat--Red Hat Enterprise Linux 10 A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system. 2026-02-02 6.2 CVE-2026-1757 https://access.redhat.com/security/cve/CVE-2026-1757
RHBZ#2435940
 
ravanh--Orange Comfort+ accessibility toolbar for WordPress The Orange Confort+ accessibility toolbar for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' parameter of the ocplus_button shortcode in all versions up to, and including, 0.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-02-06 6.4 CVE-2026-1808 https://www.wordfence.com/threat-intel/vulnerabilities/id/89cb81c3-25d7-4a4e-beed-558ea8ce721d?source=cve
https://plugins.trac.wordpress.org/browser/orange-confort-plus/trunk/inc/class-shortcode.php#L50
https://plugins.trac.wordpress.org/browser/orange-confort-plus/tags/0.7/inc/class-shortcode.php#L50
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3453313%40orange-confort-plus&new=3453313%40orange-confort-plus&sfp_email=&sfph_mail=
 
bolo-blog--bolo-solo A vulnerability was detected in bolo-blog bolo-solo up to 2.6.4. The impacted element is the function unpackFilteredZip of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component ZIP File Handler. Performing a manipulation of the argument File results in path traversal. The attack is possible to be carried out remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-02-03 6.3 CVE-2026-1810 VDB-343978 | bolo-blog bolo-solo ZIP File BackupService.java unpackFilteredZip path traversal
VDB-343978 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #742422 | https://github.com/bolo-blog/bolo-solo/ bolo-solo V2.6.4 Write any file
https://github.com/bolo-blog/bolo-solo/issues/326
https://github.com/bolo-blog/bolo-solo/
 
bolo-blog--bolo-solo A flaw has been found in bolo-blog bolo-solo up to 2.6.4. This affects the function importFromMarkdown of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component Filename Handler. Executing a manipulation of the argument File can lead to path traversal. The attack may be performed from remote. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-02-03 6.3 CVE-2026-1811 VDB-343979 | bolo-blog bolo-solo Filename BackupService.java importFromMarkdown path traversal
VDB-343979 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #742437 | https://github.com/bolo-blog/bolo-solo bolo-solo V2.6.4 Arbitrary File Write and Remote Code Execution
https://github.com/bolo-blog/bolo-solo/issues/327
https://github.com/bolo-blog/bolo-solo/
 
bolo-blog--bolo-solo A vulnerability has been found in bolo-blog bolo-solo up to 2.6.4. This impacts the function importFromCnblogs of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component Filename Handler. The manipulation of the argument File leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-02-03 6.3 CVE-2026-1812 VDB-343980 | bolo-blog bolo-solo Filename BackupService.java importFromCnblogs path traversal
VDB-343980 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #742582 | https://github.com/bolo-blog/bolo-solo bolo-solo V2.6.4 Arbitrary file write
https://github.com/bolo-blog/bolo-solo/issues/328
https://github.com/bolo-blog/bolo-solo/
 
bolo-blog--bolo-solo A vulnerability was found in bolo-blog bolo-solo up to 2.6.4. Affected is an unknown function of the file src/main/java/org/b3log/solo/bolo/pic/PicUploadProcessor.java of the component FreeMarker Template Handler. The manipulation of the argument File results in unrestricted upload. It is possible to launch the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-02-03 6.3 CVE-2026-1813 VDB-343981 | bolo-blog bolo-solo FreeMarker Template PicUploadProcessor.java unrestricted upload
VDB-343981 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #743402 | https://github.com/bolo-blog/bolo-solo bolo-solo V2.6.4 Arbitrary File Write and RCE
https://github.com/bolo-blog/bolo-solo/issues/329
https://github.com/bolo-blog/bolo-solo/
 
htplugins--Docus YouTube Video Playlist The Docus - YouTube Video Playlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'docusplaylist' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-02-06 6.4 CVE-2026-1888 https://www.wordfence.com/threat-intel/vulnerabilities/id/16c6fec8-81ec-477a-9942-10fd3adb8fa4?source=cve
https://plugins.trac.wordpress.org/browser/docus/trunk/includes/class.shortcode.php#L55
https://plugins.trac.wordpress.org/browser/docus/tags/1.0.6/includes/class.shortcode.php#L55
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3454510%40docus&new=3454510%40docus&sfp_email=&sfph_mail=
 
n/a--WeKan A vulnerability was detected in WeKan up to 8.20. This impacts an unknown function of the file models/checklistItems.js of the component REST API. Performing a manipulation of the argument item.cardId/item.checklistId/card.boardId results in improper authorization. Remote exploitation of the attack is possible. Upgrading to version 8.21 will fix this issue. The patch is named 251d49eea94834cf351bb395808f4a56fb4dbb44. Upgrading the affected component is recommended. 2026-02-04 6.3 CVE-2026-1894 VDB-344266 | WeKan REST API checklistItems.js Checklist REST Bleed improper authorization
VDB-344266 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #742663 | Wekan <8.21 IDOR via REST API / improper object relationship validation
https://github.com/wekan/wekan/commit/251d49eea94834cf351bb395808f4a56fb4dbb44
https://github.com/wekan/wekan/releases/tag/v8.21
https://github.com/wekan/wekan/
 
n/a--WeKan A flaw has been found in WeKan up to 8.20. Affected is the function applyWipLimit of the file models/lists.js of the component Attachment Storage Handler. Executing a manipulation can lead to improper access controls. The attack can be executed remotely. Upgrading to version 8.21 is able to address this issue. This patch is called 8c0b4f79d8582932528ec2fdf2a4487c86770fb9. It is recommended to upgrade the affected component. 2026-02-04 6.3 CVE-2026-1895 VDB-344267 | WeKan Attachment Storage lists.js applyWipLimit ListWIPBleed access control
VDB-344267 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #742666 | Wekan <8.21 Improper access control (CWE-284)
https://github.com/wekan/wekan/commit/8c0b4f79d8582932528ec2fdf2a4487c86770fb9
https://github.com/wekan/wekan/releases/tag/v8.21
https://github.com/wekan/wekan/
 
n/a--WeKan A vulnerability has been found in WeKan up to 8.20. Affected by this vulnerability is the function ComprehensiveBoardMigration of the file server/migrations/comprehensiveBoardMigration.js of the component Migration Operation Handler. The manipulation of the argument boardId leads to improper access controls. The attack is possible to be carried out remotely. Upgrading to version 8.21 addresses this issue. The identifier of the patch is cc35dafef57ef6e44a514a523f9a8d891e74ad8f. Upgrading the affected component is advised. 2026-02-04 6.3 CVE-2026-1896 VDB-344268 | WeKan Migration Operation comprehensiveBoardMigration.js ComprehensiveBoardMigration MigrationBleed access control
VDB-344268 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #742670 | Wekan <8.21 Improper access control on administrative migration methods (CWE
https://github.com/wekan/wekan/commit/cc35dafef57ef6e44a514a523f9a8d891e74ad8f
https://github.com/wekan/wekan/releases/tag/v8.21
https://github.com/wekan/wekan/
 
n/a--WeKan A vulnerability was determined in WeKan up to 8.20. This affects an unknown part of the file packages/wekan-ldap/server/syncUser.js of the component LDAP User Sync. This manipulation causes improper access controls. It is possible to initiate the attack remotely. Upgrading to version 8.21 is able to mitigate this issue. Patch name: 146905a459106b5d00b4f09453a6554255e6965a. You should upgrade the affected component. 2026-02-05 6.3 CVE-2026-1898 VDB-344270 | WeKan LDAP User Sync syncUser.js SyncLDAPBleed access control
VDB-344270 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #742676 | Wekan <8.21 Missing authorization on admin function (CWE-284)
https://github.com/wekan/wekan/commit/146905a459106b5d00b4f09453a6554255e6965a
https://github.com/wekan/wekan/releases/tag/v8.21
https://github.com/wekan/wekan/
 
x-raym--WaveSurfer-WP The WaveSurfer-WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's audio shortcode in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping on the 'src' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-02-06 6.4 CVE-2026-1909 https://www.wordfence.com/threat-intel/vulnerabilities/id/b507462d-1ce2-4463-93bf-635ee78274f6?source=cve
https://plugins.trac.wordpress.org/browser/wavesurfer-wp/trunk/wavesurfer-wp.php#L739
https://plugins.trac.wordpress.org/browser/wavesurfer-wp/tags/2.8.3/wavesurfer-wp.php#L739
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3454006%40wavesurfer-wp&new=3454006%40wavesurfer-wp&sfp_email=&sfph_mail=
 
n/a--WeKan A vulnerability has been found in WeKan up to 8.20. The impacted element is an unknown function of the file server/attachmentMigration.js of the component Attachment Migration. The manipulation leads to improper access controls. The attack may be initiated remotely. Upgrading to version 8.21 is sufficient to resolve this issue. The identifier of the patch is 053bf1dfb76ef230db162c64a6ed50ebedf67eee. It is recommended to upgrade the affected component. 2026-02-05 6.3 CVE-2026-1962 VDB-344484 | WeKan Attachment Migration attachmentMigration.js AttachmentMigrationBleed access control
VDB-344484 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #742677 | Wekan <8.21 Improper access control on migration endpoints (CWE-284)
https://github.com/wekan/wekan/commit/053bf1dfb76ef230db162c64a6ed50ebedf67eee
https://github.com/wekan/wekan/releases/tag/v8.21
https://github.com/wekan/wekan/
 
n/a--WeKan A vulnerability was found in WeKan up to 8.20. This affects an unknown function of the file models/attachments.js of the component Attachment Storage. The manipulation results in improper access controls. The attack may be launched remotely. Upgrading to version 8.21 mitigates this issue. The patch is identified as c413a7e860bc4d93fe2adcf82516228570bf382d. Upgrading the affected component is advised. 2026-02-05 6.3 CVE-2026-1963 VDB-344485 | WeKan Attachment Storage attachments.js MoveStorageBleed access control
VDB-344485 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #742678 | Wekan <8.21 Improper access control (CWE-284)
https://github.com/wekan/wekan/commit/c413a7e860bc4d93fe2adcf82516228570bf382d
https://github.com/wekan/wekan/releases/tag/v8.21
https://github.com/wekan/wekan/
 
isaacwasserman--mcp-vegalite-server A security vulnerability has been detected in isaacwasserman mcp-vegalite-server up to 16aefed598b8cd897b78e99b907f6e2984572c61. Affected by this vulnerability is the function eval of the component visualize_data. Such manipulation of the argument vegalite_specification leads to code injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. 2026-02-06 6.3 CVE-2026-1977 VDB-344499 | isaacwasserman mcp-vegalite-server visualize_data eval code injection
VDB-344499 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #743246 | GitHub mcp-vegalite-server master Code Injection
https://github.com/isaacwasserman/mcp-vegalite-server/issues/9
https://github.com/isaacwasserman/mcp-vegalite-server/
 
abhiphile--fermat-mcp A vulnerability was detected in abhiphile fermat-mcp up to 47f11def1cd37e45dd060f30cdce346cbdbd6f0a. This vulnerability affects the function eqn_chart of the file fmcp/mpl_mcp/core/eqn_chart.py. Performing a manipulation of the argument equations results in code injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. 2026-02-06 6.3 CVE-2026-2008 VDB-344590 | abhiphile fermat-mcp eqn_chart.py eqn_chart code injection
VDB-344590 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #743458 | GitHub fermat-mcp master Code Injection
https://github.com/abhiphile/fermat-mcp/issues/9
https://github.com/abhiphile/fermat-mcp/issues/9#issue-3837794397
https://github.com/abhiphile/fermat-mcp/
 
SourceCodester--Gas Agency Management System A flaw has been found in SourceCodester Gas Agency Management System 1.0. This issue affects some unknown processing of the file /gasmark/php_action/createUser.php. Executing a manipulation can lead to improper access controls. It is possible to launch the attack remotely. The exploit has been published and may be used. 2026-02-06 6.3 CVE-2026-2009 VDB-344591 | SourceCodester Gas Agency Management System createUser.php access control
VDB-344591 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #743459 | SourceCodester Gas Agency Management System 1.0 Improper Access Controls
https://github.com/Asim-QAZi/Improper-Access-Control-in-SourceCodester-Gas-Agency-Management-System
https://www.sourcecodester.com/
 
Portabilis--i-Educar A weakness has been identified in Portabilis i-Educar up to 2.10. Affected is an unknown function of the file FinalStatusImportService.php of the component Final Status Import. Executing a manipulation of the argument school_id can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-06 6.3 CVE-2026-2015 VDB-344597 | Portabilis i-Educar Final Status Import FinalStatusImportService.php improper authorization
VDB-344597 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #743760 | Portabilis i-Educar 2.0 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 Improper Authorization
https://github.com/ViniCastro2001/Security_Reports/tree/main/i-educar/BFLA-Final-Status-Import
https://github.com/ViniCastro2001/Security_Reports/tree/main/i-educar/BFLA-Final-Status-Import#proof-of-concept-poc
 
Flycatcher Toys--smART Pixelator A security flaw has been discovered in Flycatcher Toys smART Pixelator 2.0. Affected by this issue is some unknown functionality of the component Bluetooth Low Energy Interface. Performing a manipulation results in missing authentication. The attack can only be performed from the local network. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-06 6.3 CVE-2026-2065 VDB-344632 | Flycatcher Toys smART Pixelator Bluetooth Low Energy missing authentication
VDB-344632 | CTI Indicators (IOB, IOC)
Submit #745129 | Flycatcher Toys smART Pixelator 2.0 2.0 Missing Authentication
https://github.com/davidrxchester/smart-pixelator-upload
https://github.com/davidrxchester/smart-pixelator-upload/blob/main/poc.py
 
n/a--O2OA A vulnerability was identified in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation leads to xml external entity reference. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-07 6.3 CVE-2026-2074 VDB-344640 | O2OA HTTP POST Request check xml external entity reference
VDB-344640 | CTI Indicators (IOB, IOC, IOA)
Submit #745486 | 浙江兰德纵横网络技术股份有限公司 O2OA v6.1.0 至 v9.0.0 XML实体注入漏洞
Submit #745489 | O2OA开发平台 O2OA v6.1.0 至 v9.0.0 XML实体注入漏洞 (Duplicate)
https://github.com/SourByte05/SourByte-Lab/issues/7
 
yeqifu--warehouse A security flaw has been discovered in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected is the function saveRolePermission of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\RoleController.java of the component Role-Permission Binding Handler. The manipulation results in improper access controls. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. 2026-02-07 6.3 CVE-2026-2075 VDB-344641 | yeqifu warehouse Role-Permission Binding RoleController.java saveRolePermission access control
VDB-344641 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #745508 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Im
https://github.com/yeqifu/warehouse/issues/52
https://github.com/yeqifu/warehouse/issues/52#issue-3846645856
https://github.com/yeqifu/warehouse/
 
yeqifu--warehouse A weakness has been identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this vulnerability is the function addUser/updateUser/deleteUser of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\UserController.java of the component User Management Endpoint. This manipulation causes improper authorization. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. 2026-02-07 6.3 CVE-2026-2076 VDB-344642 | yeqifu warehouse User Management Endpoint UserController.java deleteUser improper authorization
VDB-344642 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #745509 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls
https://github.com/yeqifu/warehouse/issues/53
https://github.com/yeqifu/warehouse/issues/53#issue-3846651070
https://github.com/yeqifu/warehouse/
 
yeqifu--warehouse A security vulnerability has been detected in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function addRole/updateRole/deleteRole of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\RoleController.java of the component Role Management Handler. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet. 2026-02-07 6.3 CVE-2026-2077 VDB-344643 | yeqifu warehouse Role Management RoleController.java deleteRole improper authorization
VDB-344643 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #745512 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls
https://github.com/yeqifu/warehouse/issues/54
https://github.com/yeqifu/warehouse/issues/54#issue-3846654129
https://github.com/yeqifu/warehouse/
 
yeqifu--warehouse A vulnerability was detected in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function addPermission/updatePermission/deletePermission of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\PermissionController.java of the component Permission Management. Performing a manipulation results in improper authorization. The attack may be initiated remotely. The exploit is now public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet. 2026-02-07 6.3 CVE-2026-2078 VDB-344644 | yeqifu warehouse Permission Management PermissionController.java deletePermission improper authorization
VDB-344644 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #745513 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls
https://github.com/yeqifu/warehouse/issues/55
https://github.com/yeqifu/warehouse/issues/55#issue-3846656775
https://github.com/yeqifu/warehouse/
 
yeqifu--warehouse A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This vulnerability affects the function addMenu/updateMenu/deleteMenu of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\MenuController.java of the component Menu Management. Executing a manipulation can lead to improper authorization. The attack may be launched remotely. The exploit has been published and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet. 2026-02-07 6.3 CVE-2026-2079 VDB-344645 | yeqifu warehouse Menu Management MenuController.java deleteMenu improper authorization
VDB-344645 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #745514 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls
https://github.com/yeqifu/warehouse/issues/56
https://github.com/yeqifu/warehouse/issues/56#issue-3846659524
https://github.com/yeqifu/warehouse/
 
yeqifu--warehouse A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The affected element is the function addDept/updateDept/deleteDept of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\DeptController.java of the component Department Management. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been published and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. 2026-02-07 6.3 CVE-2026-2105 VDB-344681 | yeqifu warehouse Department Management DeptController.java deleteDept improper authorization
VDB-344681 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #745515 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls
https://github.com/yeqifu/warehouse/issues/57
https://github.com/yeqifu/warehouse/issues/57#issue-3846662068
https://github.com/yeqifu/warehouse/
 
yeqifu--warehouse A vulnerability has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The impacted element is the function addNotice/updateNotice/deleteNotice/batchDeleteNotice of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\NoticeController.java of the component Notice Management. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. 2026-02-07 6.3 CVE-2026-2106 VDB-344682 | yeqifu warehouse Notice Management NoticeController.java batchDeleteNotice improper authorization
VDB-344682 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #745516 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls
https://github.com/yeqifu/warehouse/issues/58
https://github.com/yeqifu/warehouse/issues/58#issue-3846664260
https://github.com/yeqifu/warehouse/
 
yeqifu--warehouse A vulnerability was found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function loadAllLoginfo/deleteLoginfo/batchDeleteLoginfo of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\LoginfoController.java of the component Log Info Handler. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been made public and could be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet. 2026-02-07 6.3 CVE-2026-2107 VDB-344683 | yeqifu warehouse Log Info LoginfoController.java batchDeleteLoginfo improper authorization
VDB-344683 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #745517 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls
https://github.com/yeqifu/warehouse/issues/59
https://github.com/yeqifu/warehouse/issues/59#issue-3846665806
https://github.com/yeqifu/warehouse/
 
Xiaopi--Panel A security flaw has been discovered in Xiaopi Panel up to 20260126. This impacts an unknown function of the file /demo.php of the component WAF Firewall. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-08 6.3 CVE-2026-2122 VDB-344695 | Xiaopi Panel WAF Firewall demo.php sql injection
VDB-344695 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #746917 | Xiaopi Web Application Firewall V1.0.0 Bypass
https://github.com/ltranquility/CVE/issues/37
 
BurtTheCoder--mcp-maigret A vulnerability was determined in BurtTheCoder mcp-maigret up to 1.0.12. This affects an unknown part of the file src/index.ts of the component search_username. Executing a manipulation of the argument Username can lead to command injection. The attack may be launched remotely. Upgrading to version 1.0.13 is able to mitigate this issue. This patch is called b1ae073c4b3e789ab8de36dc6ca8111ae9399e7a. Upgrading the affected component is advised. 2026-02-08 6.3 CVE-2026-2130 VDB-344765 | BurtTheCoder mcp-maigret search_username index.ts command injection
VDB-344765 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #747171 | GitHub mcp-maigret v1.0.12 Command Injection
https://github.com/BurtTheCoder/mcp-maigret/issues/9
https://github.com/BurtTheCoder/mcp-maigret/pull/10
https://github.com/BurtTheCoder/mcp-maigret/commit/b1ae073c4b3e789ab8de36dc6ca8111ae9399e7a
https://github.com/BurtTheCoder/mcp-maigret/releases/tag/v1.0.13
https://github.com/BurtTheCoder/mcp-maigret/
 
XixianLiang--HarmonyOS-mcp-server A vulnerability was identified in XixianLiang HarmonyOS-mcp-server 0.1.0. This vulnerability affects the function input_text. The manipulation of the argument text leads to os command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. 2026-02-08 6.3 CVE-2026-2131 VDB-344766 | XixianLiang HarmonyOS-mcp-server input_text os command injection
VDB-344766 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #747209 | GitHub HarmonyOS-mcp-server v0.1.0 Command Injection
https://github.com/scanleale/MCP_sec/blob/main/HarmonyOS-mcp-server%20RCE%20vulnerability.md
 
UTT--HiPER 810 A vulnerability was detected in UTT HiPER 810 1.7.4-141218. The impacted element is the function sub_43F020 of the file /goform/formPdbUpConfig. Performing a manipulation of the argument policyNames results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. 2026-02-08 6.3 CVE-2026-2135 VDB-344770 | UTT HiPER 810 formPdbUpConfig sub_43F020 command injection
VDB-344770 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #747222 | UTT (艾泰) HiPER 810 nv810v4v1.7.4-141218 Command Injection
https://github.com/cha0yang1/UTT810CVE/blob/main/CVEreadme2.md
 
WuKongOpenSource--WukongCRM A security flaw has been discovered in WuKongOpenSource WukongCRM up to 11.3.3. This affects an unknown part of the file gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.java of the component URL Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-08 6.3 CVE-2026-2141 VDB-344776 | WuKongOpenSource WukongCRM URL PermissionServiceImpl.java improper authorization
VDB-344776 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #747264 | 郑州卡卡罗特软件科技有限公司 WukongCRM WukongCRM-11.x-JAVA logical flaw vulnerability
https://github.com/SourByte05/SourByte-Lab/issues/8
 
guchengwuyue--yshopmall A security flaw has been discovered in guchengwuyue yshopmall up to 1.9.1. This affects the function updateAvatar of the file /api/users/updateAvatar of the component co.yixiang.utils.FileUtil. Performing a manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. 2026-02-08 6.3 CVE-2026-2146 VDB-344848 | guchengwuyue yshopmall co.yixiang.utils.FileUtil updateAvatar unrestricted upload
VDB-344848 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #747409 | https://github.com/guchengwuyue/yshopmall yshopmall V1.9.1 Incomplete Identification of Uploaded File Variables
https://github.com/guchengwuyue/yshopmall/issues/40
https://github.com/guchengwuyue/yshopmall/issues/40#issue-3860542812
https://github.com/guchengwuyue/yshopmall/
 
Totolink--WA300 A vulnerability was detected in Totolink WA300 5.2cu.7112_B20190227. The impacted element is the function setAPNetwork of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument Ipaddr results in os command injection. The attack may be performed from remote. The exploit is now public and may be used. 2026-02-08 6.3 CVE-2026-2167 VDB-344869 | Totolink WA300 cstecgi.cgi setAPNetwork os command injection
VDB-344869 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #752063 | TOTOLINK WA300 V5.2cu.7112_B20190227 OS Command Injection
https://github.com/master-abc/cve/issues/36
https://www.totolink.net/
 
D-Link--DWR-M921 A flaw has been found in D-Link DWR-M921 1.1.50. This affects the function sub_419920 of the file /boafrm/formLtefotaUpgradeQuectel. This manipulation of the argument fota_url causes command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. 2026-02-08 6.3 CVE-2026-2168 VDB-344870 | D-Link DWR-M921 formLtefotaUpgradeQuectel sub_419920 command injection
VDB-344870 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #748838 | D-Link DWR-M921 V1.1.50 Command Injection
https://github.com/LX-66-LX/cve-new/issues/2
https://www.dlink.com/
 
D-Link--DWR-M921 A vulnerability has been found in D-Link DWR-M921 1.1.50. This impacts an unknown function of the file /boafrm/formLtefotaUpgradeFibocom. Such manipulation of the argument fota_url leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. 2026-02-08 6.3 CVE-2026-2169 VDB-344871 | D-Link DWR-M921 formLtefotaUpgradeFibocom command injection
VDB-344871 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #748930 | D-Link DWR-M921 V1.1.50 Command Injection
https://github.com/LX-66-LX/cve-new/issues/3
https://www.dlink.com/
 
code-projects--Contact Management System A security vulnerability has been detected in code-projects Contact Management System 1.0. This issue affects some unknown processing of the file index.py. Such manipulation of the argument selecteditem[0] leads to sql injection. The attack can be executed remotely. 2026-02-08 6.3 CVE-2026-2176 VDB-344877 | code-projects Contact Management System index.py sql injection
VDB-344877 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #749264 | code-projects Contact Management System in Python unknown SQL Injection
https://code-projects.org/
 
r-huijts--xcode-mcp-server A vulnerability was found in r-huijts xcode-mcp-server up to f3419f00117aa9949e326f78cc940166c88f18cb. This affects the function registerXcodeTools of the file src/tools/xcode/index.ts of the component run_lldb. The manipulation of the argument args results in command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The patch is identified as 11f8d6bacadd153beee649f92a78a9dad761f56f. Applying a patch is advised to resolve this issue. 2026-02-08 6.3 CVE-2026-2178 VDB-344881 | r-huijts xcode-mcp-server run_lldb index.ts registerXcodeTools command injection
VDB-344881 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #749569 | GitHub xcode-mcp-server master Command Injection
https://github.com/r-huijts/xcode-mcp-server/issues/13
https://github.com/r-huijts/xcode-mcp-server/issues/13#issue-3878065790
https://github.com/r-huijts/xcode-mcp-server/commit/11f8d6bacadd153beee649f92a78a9dad761f56f
https://github.com/r-huijts/xcode-mcp-server/
 
Great Developers--Certificate Generation System A security vulnerability has been detected in Great Developers Certificate Generation System up to 97171bb0e5e22e52eacf4e4fa81773e5f3cffb73. This affects an unknown part of the file /restructured/csv.php. The manipulation leads to unrestricted upload. Remote exploitation of the attack is possible. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The code repository of the project has not been active for many years. 2026-02-08 6.3 CVE-2026-2183 VDB-344886 | Great Developers Certificate Generation System csv.php unrestricted upload
VDB-344886 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #749713 | Great Developers Certificate Generator System 1.0 Unrestricted Upload
https://github.com/lakshayyverma/CVE-Discovery/blob/main/Certificate.md
 
D-Link--DI-7100G C1 A vulnerability was detected in D-Link DI-7100G C1 24.04.18D1. Affected by this issue is the function set_jhttpd_info. Performing a manipulation of the argument usb_username results in command injection. Remote exploitation of the attack is possible. 2026-02-08 6.3 CVE-2026-2193 VDB-344896 | D-Link DI-7100G C1 set_jhttpd_info command injection
VDB-344896 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #749803 | D-Link DI-7100G C1, 24.04.18D1 Command Injection
https://github.com/glkfc/IoT-Vulnerability/blob/main/D-Link/Dlink_4.md
https://www.dlink.com/
 
D-Link--DI-7100G C1 A flaw has been found in D-Link DI-7100G C1 24.04.18D1. This affects the function start_proxy_client_email. Executing a manipulation can lead to command injection. The attack can be executed remotely. The exploit has been published and may be used. 2026-02-08 6.3 CVE-2026-2194 VDB-344897 | D-Link DI-7100G C1 start_proxy_client_email command injection
VDB-344897 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #749804 | D-Link DI-7100G C1: 2020/02/21, 24.04.18D1: 2024/04/18 Command Injection
https://github.com/glkfc/IoT-Vulnerability/blob/main/D-Link/Dlink_3.md
https://www.dlink.com/
 
glpi-project--glpi GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23. 2026-02-04 6.5 CVE-2026-22044 https://github.com/glpi-project/glpi/security/advisories/GHSA-569q-j526-w385
https://github.com/glpi-project/glpi/releases/tag/10.0.23
 
n/a--WeKan A security flaw has been discovered in WeKan up to 8.20. This vulnerability affects unknown code of the file server/methods/fixDuplicateLists.js of the component Administrative Repair Handler. Performing a manipulation results in improper access controls. It is possible to initiate the attack remotely. Upgrading to version 8.21 is able to resolve this issue. The patch is named 4ce181d17249778094f73d21515f7f863f554743. It is advisable to upgrade the affected component. 2026-02-08 6.3 CVE-2026-2206 VDB-344920 | WeKan Administrative Repair fixDuplicateLists.js FixDuplicateBleed access control
VDB-344920 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #752162 | Wekan <8.21 Improper access control on administrative repair method
https://github.com/wekan/wekan/commit/4ce181d17249778094f73d21515f7f863f554743
https://github.com/wekan/wekan/releases/tag/v8.21
https://github.com/wekan/wekan/
 
n/a--WeKan A vulnerability was detected in WeKan up to 8.18. The affected element is the function setCreateTranslation of the file client/components/settings/translationBody.js of the component Custom Translation Handler. The manipulation results in improper authorization. The attack can be launched remotely. Upgrading to version 8.19 is sufficient to fix this issue. The patch is identified as f244a43771f6ebf40218b83b9f46dba6b940d7de. It is suggested to upgrade the affected component. 2026-02-08 6.3 CVE-2026-2209 VDB-344923 | WeKan Custom Translation translationBody.js setCreateTranslation improper authorization
VDB-344923 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #752269 | Wekan <8.20 IDOR in setCreateTranslation. Non-admin could change Custom Tran
https://github.com/wekan/wekan/commit/f244a43771f6ebf40218b83b9f46dba6b940d7de
https://github.com/wekan/wekan/releases/tag/v8.19
https://github.com/wekan/wekan/
 
gogs--gogs Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and 0.14.0+dev. 2026-02-06 6.5 CVE-2026-22592 https://github.com/gogs/gogs/security/advisories/GHSA-cr88-6mqm-4g57
 
gogs--gogs Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in commit creation and the execution of git push. As a result, a token with read-only permission can be used to modify repository contents. This issue has been patched in versions 0.13.4 and 0.14.0+dev. 2026-02-06 6.5 CVE-2026-23632 https://github.com/gogs/gogs/security/advisories/GHSA-5qhx-gwfj-6jqr
 
gogs--gogs Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev. 2026-02-06 6.5 CVE-2026-23633 https://github.com/gogs/gogs/security/advisories/GHSA-mrph-w4hh-gx3g
 
Kubernetes--ingress-nginx A security issue was discovered in ingress-nginx where the validating admission controller feature is subject to a denial of service condition. By sending large requests to the validating admission controller, an attacker can cause memory consumption, which may result in the ingress-nginx controller pod being killed or the node running out of memory. 2026-02-03 6.5 CVE-2026-24514 https://github.com/kubernetes/kubernetes/issues/136680
 
gunet--openeclass The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Cross-Site Request Forgery (CSRF) vulnerability in multiple teacher-restricted endpoints allows attackers to induce authenticated teachers to perform unintended actions, such as modifying assignment grades, via crafted requests. This issue has been patched in version 4.2. 2026-02-03 6.5 CVE-2026-24666 https://github.com/gunet/openeclass/security/advisories/GHSA-cgmh-73qg-28fm
 
gunet--openeclass The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to add content to existing course units, an action normally restricted to higher-privileged roles. This issue has been patched in version 4.2. 2026-02-03 6.5 CVE-2026-24668 https://github.com/gunet/openeclass/security/advisories/GHSA-22cq-9fr7-fq6v
 
gunet--openeclass The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to create new course units, an action normally restricted to higher-privileged roles. This issue has been patched in version 4.2. 2026-02-03 6.5 CVE-2026-24670 https://github.com/gunet/openeclass/security/advisories/GHSA-4jf5-636r-hv9v
 
gunet--openeclass The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated high-privileged users (teachers or administrators) to inject malicious JavaScript into multiple user-controllable input fields across the application, which is executed when other users access affected pages. This issue has been patched in version 4.2. 2026-02-03 6.1 CVE-2026-24671 https://github.com/gunet/openeclass/security/advisories/GHSA-2x83-4fh2-fcw7
 
Huawei--HarmonyOS Out-of-bounds read issue in the media subsystem. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. 2026-02-06 6.2 CVE-2026-24915 https://consumer.huawei.com/en/support/bulletin/2026/2/
https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/
https://consumer.huawei.com/en/support/bulletinwearables/2026/2/
https://consumer.huawei.com/en/support/bulletinvision/2026/2/
 
Huawei--HarmonyOS UAF vulnerability in the security module. Impact: Successful exploitation of this vulnerability may affect availability. 2026-02-06 6.5 CVE-2026-24917 https://consumer.huawei.com/en/support/bulletin/2026/2/
 
Huawei--HarmonyOS Address read vulnerability in the communication module. Impact: Successful exploitation of this vulnerability may affect availability. 2026-02-06 6.8 CVE-2026-24918 https://consumer.huawei.com/en/support/bulletin/2026/2/
https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/
https://consumer.huawei.com/en/support/bulletinwearables/2026/2/
https://consumer.huawei.com/en/support/bulletinvision/2026/2/
 
Huawei--HarmonyOS Out-of-bounds write vulnerability in the DFX module. Impact: Successful exploitation of this vulnerability may affect availability. 2026-02-06 6 CVE-2026-24919 https://consumer.huawei.com/en/support/bulletin/2026/2/
 
Huawei--HarmonyOS Permission control vulnerability in the AMS module. Impact: Successful exploitation of this vulnerability may affect availability. 2026-02-06 6.2 CVE-2026-24920 https://consumer.huawei.com/en/support/bulletin/2026/2/
https://consumer.huawei.com/en/support/bulletinvision/2026/2/
 
Huawei--HarmonyOS Buffer overflow vulnerability in the HDC module. Impact: Successful exploitation of this vulnerability may affect availability. 2026-02-06 6.9 CVE-2026-24922 https://consumer.huawei.com/en/support/bulletin/2026/2/
https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/
https://consumer.huawei.com/en/support/bulletinwearables/2026/2/
 
Huawei--HarmonyOS Permission control vulnerability in the HDC module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. 2026-02-06 6.3 CVE-2026-24923 https://consumer.huawei.com/en/support/bulletin/2026/2/
https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/
https://consumer.huawei.com/en/support/bulletinwearables/2026/2/
 
Huawei--HarmonyOS Vulnerability of improper permission control in the print module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. 2026-02-06 6.1 CVE-2026-24924 https://consumer.huawei.com/en/support/bulletin/2026/2/
 
openclaw--openclaw OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia() function in src/media/parse.ts allows arbitrary file paths including absolute paths, home directory paths, and directory traversal sequences. An agent can read any file on the system by outputting MEDIA:/path/to/file, exfiltrating sensitive data to the user/channel. This issue has been patched in version 2026.1.30. 2026-02-04 6.5 CVE-2026-25475 https://github.com/openclaw/openclaw/security/advisories/GHSA-r8g4-86fx-92mq
 
espressif--esp-idf ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, a use-after-free vulnerability was reported in the BLE provisioning transport (protocomm_ble) layer. The issue can be triggered by a remote BLE client while the device is in provisioning mode. The vulnerability occurred when provisioning was stopped with keep_ble_on = true. In this configuration, internal protocomm_ble state and GATT metadata were freed while the BLE stack and GATT services remained active. Subsequent BLE read or write callbacks dereferenced freed memory, allowing a connected or newly connected client to trigger invalid memory acces. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7. 2026-02-04 6.3 CVE-2026-25507 https://github.com/espressif/esp-idf/security/advisories/GHSA-h7r3-gmg9-xjmg
https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9
https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7
https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70
https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6
https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf
https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663
https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63
 
espressif--esp-idf ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, an out-of-bounds read vulnerability was reported in the BLE ATT Prepare Write handling of the BLE provisioning transport (protocomm_ble). The issue can be triggered by a remote BLE client while the device is in provisioning mode. The transport accumulated prepared-write fragments in a fixed-size buffer but incorrectly tracked the cumulative length. By sending repeated prepare write requests with overlapping offsets, a remote client could cause the reported length to exceed the allocated buffer size. This inflated length was then passed to provisioning handlers during execute-write processing, resulting in an out-of-bounds read and potential memory corruption. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7. 2026-02-04 6.3 CVE-2026-25508 https://github.com/espressif/esp-idf/security/advisories/GHSA-9j5x-rf36-54x9
https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9
https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7
https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70
https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6
https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf
https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663
https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63
 
zauberzeug--nicegui NiceGUI is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers. Unlike other NiceGUI components that render HTML (ui.html(), ui.chat_message(), ui.interactive_image()), the ui.markdown() component does not provide or require a sanitize parameter, leaving applications vulnerable to XSS attacks. This vulnerability is fixed in 3.7.0. 2026-02-06 6.1 CVE-2026-25516 https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v82v-c5x8-w282
https://github.com/zauberzeug/nicegui/commit/f1f7533577875af7d23f161ed3627f73584cb561
 
espressif--esp-idf ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, a vulnerability exists in the WPS (Wi-Fi Protected Setup) Enrollee implementation where malformed EAP-WSC packets with truncated payloads can cause integer underflow during fragment length calculation. When processing EAP-Expanded (WSC) messages, the code computes frag_len by subtracting header sizes from the total packet length. If an attacker sends a packet where the EAP Length field covers only the header and flags but omits the expected payload (such as the 2-byte Message Length field when WPS_MSG_FLAG_LEN is set), frag_len becomes negative. This negative value is then implicitly cast to size_t when passed to wpabuf_put_data(), resulting in a very large unsigned value. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7. 2026-02-04 6.3 CVE-2026-25532 https://github.com/espressif/esp-idf/security/advisories/GHSA-m2h2-683f-9mw7
https://github.com/espressif/esp-idf/commit/60f992a26de17bb5406f2149a2f8282dd7ad1c59
https://github.com/espressif/esp-idf/commit/6f6766f917bc940ffbcc97eac4765a6ab15d5f79
https://github.com/espressif/esp-idf/commit/73a587d42a57ece1962b6a4c530b574600650f63
https://github.com/espressif/esp-idf/commit/b209fae993d795255827ce6b2b0d6942a377f5d4
https://github.com/espressif/esp-idf/commit/b88befde6b5addcdd8d7373ce55c8052dea1e855
https://github.com/espressif/esp-idf/commit/cad36beb4cde27abcf316cd90d8d8dddbc6f213a
https://github.com/espressif/esp-idf/commit/de28801e8ea6a736b6f0db6fc0c682739363bb41
 
mastodon--mastodon Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that depend on the account that signed the HTTP request. However, these contents are stored in an internal cache and reused with no regards to the signing actor. As a result, an empty response generated for a blocked user account may be served to requests from legitimate non-blocked actors, or conversely, content intended for non-blocked actors may be returned to blocked actors. This issue has been patched in versions 4.3.19, 4.4.13, 4.5.6. 2026-02-04 6.5 CVE-2026-25540 https://github.com/mastodon/mastodon/security/advisories/GHSA-ccpr-m53r-mfwr
 
navidrome--navidrome Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in version 0.60.0. 2026-02-04 6.1 CVE-2026-25578 https://github.com/navidrome/navidrome/security/advisories/GHSA-rh3r-8pxm-hg4w
https://github.com/navidrome/navidrome/commit/d7ec7355c9036d5be659d6ac555c334bb5848ba6
https://github.com/navidrome/navidrome/releases/tag/v0.60.0
 
tgies--client-certificate-auth client-certificate-auth is middleware for Node.js implementing client SSL certificate authentication/authorization. Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Host header, allowing an attacker to redirect users to arbitrary domains. This vulnerability is fixed in 1.0.0. 2026-02-06 6.1 CVE-2026-25651 https://github.com/tgies/client-certificate-auth/security/advisories/GHSA-m4w9-gch5-c2g4
https://github.com/tgies/client-certificate-auth/releases/tag/v1.0.0
 
vim--vim Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132. 2026-02-06 6.6 CVE-2026-25749 https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43
https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9
https://github.com/vim/vim/releases/tag/v9.1.2132
 
BishopFox--sliver Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to 1.6.11, a path traversal in the website content subsystem lets an authenticated operator read arbitrary files on the Sliver server host. This is an authenticated path traversal / arbitrary file read issue, and it can expose credentials, configs, and keys. This vulnerability is fixed in 1.6.11. 2026-02-06 6.5 CVE-2026-25760 https://github.com/BishopFox/sliver/security/advisories/GHSA-2286-hxv5-cmp2
https://github.com/BishopFox/sliver/commit/818127349ccec812876693c4ca74ebf4350ec6b7
 
Maian Media--Maian Support Helpdesk Maian Support Helpdesk 4.3 contains a cross-site request forgery vulnerability that allows attackers to create administrative accounts without authentication. Attackers can craft malicious HTML forms to add admin users and upload PHP files with unrestricted file upload capabilities through the FAQ attachment system. 2026-02-03 5.3 CVE-2020-37091 ExploitDB-48386
Vendor Homepage
VulnCheck Advisory: Maian Support Helpdesk 4.3 - Cross-Site Request Forgery (Add Admin)
 
EDIMAX Technology Co., Ltd.--EW-7438RPn Mini Edimax EW-7438RPn 1.13 contains a cross-site request forgery vulnerability in the MAC filtering configuration interface. Attackers can craft malicious web pages to trick users into adding unauthorized MAC addresses to the device's filtering rules without their consent. 2026-02-03 5.3 CVE-2020-37096 ExploitDB-48366
Edimax EW-7438RPn Product Homepage
VulnCheck Advisory: Edimax EW-7438RPn - Cross-Site Request Forgery (MAC Filtering)
 
Bdtask--Business Live Chat Software Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. Attackers can craft a malicious HTML form to modify user privileges by submitting a POST request to the user creation endpoint with administrative access parameters. 2026-02-06 5.3 CVE-2020-37106 ExploitDB-48141
Business Live Chat Software Vendor Homepage
VulnCheck Advisory: Business Live Chat Software 1.0 - Cross-Site Request Forgery (Add Admin)
 
Code::Blocks--Code::Blocks CODE::BLOCKS 16.01 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting Structured Exception Handler with crafted Unicode characters. Attackers can create a malicious M3U playlist file with 536 bytes of buffer and shellcode to trigger remote code execution. 2026-02-05 5.5 CVE-2020-37121 ExploitDB-48344
CODE::BLOCKS Product Homepage
CODE::BLOCKS SourceForge Repository
VulnCheck Advisory: CODE::BLOCKS 16.01 - Buffer Overflow (SEH) UNICODE
 
dnsmasq--dnsmasq-utils Dnsmasq-utils 2.79-1 contains a buffer overflow vulnerability in the dhcp_release utility that allows attackers to cause a denial of service by supplying excessive input. Attackers can trigger a core dump and terminate the dhcp_release process by sending a crafted input string longer than 16 characters. 2026-02-05 5.5 CVE-2020-37127 ExploitDB-48301
Software Link for dnsmasq 2.79-1
VulnCheck Advisory: dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service
 
FinalWire--Everest Everest, later referred to as AIDA64, 5.50.2100 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating file open functionality. Attackers can generate a 450-byte buffer of repeated characters and paste it into the file open dialog to trigger an application crash. 2026-02-05 5.5 CVE-2020-37140 ExploitDB-48259
Archived Product Page
VulnCheck Advisory: Everest 5.50.2100 - 'Open File' Denial of Service
 
Exagate--Sysguard 6001 Exagate SYSGuard 6001 contains a cross-site request forgery vulnerability that allows attackers to create unauthorized admin accounts through a crafted HTML form. Attackers can trick users into submitting a malicious form to /kulyon.php that adds a new user with administrative privileges without the victim's consent. 2026-02-05 5.3 CVE-2020-37144 ExploitDB-48234
Exagate Vendor Homepage
Archived Sysguard 6001 Product Page
VulnCheck Advisory: Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)
 
IBM--Cloud Pak System IBM Cloud Pak System displays sensitive information in user messages that could aid in further attacks against the system. 2026-02-04 5.3 CVE-2023-38010 https://www.ibm.com/support/pages/node/7254419
 
IBM--Cloud Pak System IBM Cloud Pak System is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. 2026-02-04 5.3 CVE-2023-38017 https://www.ibm.com/support/pages/node/7254419
 
IBM--Cloud Pak System IBM Cloud Pak System does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. 2026-02-04 5.3 CVE-2023-38281 https://www.ibm.com/support/pages/node/7254419
 
IBM--Db2 Big SQL on Cloud Pak for Data IBM Db2 Big SQL on Cloud Pak for Data versions 7.6 (on CP4D 4.8), 7.7 (on CP4D 5.0), and 7.8 (on CP4D 5.1) do not properly limit the allocation of system resources. An authenticated user with internal knowledge of the environment could exploit this weakness to cause a denial of service. 2026-02-04 5.3 CVE-2024-39724 https://www.ibm.com/support/pages/node/7257907
 
cyberlord92--OAuth Single Sign On SSO (OAuth Client) The OAuth Single Sign On - SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 6.26.14. This is due to missing capability checks and authentication verification on the OAuth redirect functionality accessible via the 'oauthredirect' option parameter. This makes it possible for unauthenticated attackers to set the global redirect URL option via the redirect_url parameter granted they can access the site directly. 2026-02-06 5.3 CVE-2025-10753 https://www.wordfence.com/threat-intel/vulnerabilities/id/915e1a6e-ad9c-4849-8ae0-3ded18720a1f?source=cve
https://plugins.trac.wordpress.org/browser/miniorange-login-with-eve-online-google-facebook/tags/6.26.12/class-mooauth-widget.php#L260
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399223%40miniorange-login-with-eve-online-google-facebook&new=3399223%40miniorange-login-with-eve-online-google-facebook&sfp_email=&sfph_mail=
 
IBM--App Connect Operator IBM App Connect Enterprise Certified Container up to 12.19.0 (Continuous Delivery) and 12.0 LTS (Long Term Support) could allow an attacker to access sensitive files or modify configurations due to an untrusted search path. 2026-02-05 5.1 CVE-2025-13491 https://www.ibm.com/support/pages/node/7259746
 
elextensions--ELEX WordPress HelpDesk & Customer Ticketing System The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.5. This is due to missing capability checks on the eh_crm_ticket_general function combined with a shared nonce that is exposed to low-privileged users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global WSDesk settings via the `eh_crm_ticket_general` AJAX action. 2026-02-05 5.3 CVE-2025-14079 https://www.wordfence.com/threat-intel/vulnerabilities/id/6fd3ea16-4706-4573-b905-93dff434968d?source=cve
https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/tags/3.3.4/includes/class-crm-ajax-functions-one.php#L15
https://plugins.trac.wordpress.org/changeset/3449609/
 
unitecms--Unlimited Elements For Elementor The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Border Hero widget's Button Link field in versions up to 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-02-03 5.4 CVE-2025-14274 https://www.wordfence.com/threat-intel/vulnerabilities/id/482c4986-3677-4754-992b-ea9be7573d2e?source=cve
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/framework/functions.class.php#L2859
https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_params_processor.class.php#L1518
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3429507%40unlimited-elements-for-elementor%2Ftrunk&old=3403331%40unlimited-elements-for-elementor%2Ftrunk&sfp_email=&sfph_mail=#file15
 
tpixendit--Xendit Payment The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint (`wc_xendit_callback`) that processes payment callbacks without any authentication or cryptographic verification that the requests originate from Xendit's payment gateway. This makes it possible for unauthenticated attackers to mark any WooCommerce order as paid by sending a crafted POST request to the callback URL with a JSON body containing an `external_id` matching the order ID pattern and a `status` of 'PAID' or 'SETTLED', granted they can enumerate order IDs (which are sequential integers). This leads to orders being fraudulently marked as completed without any actual payment, resulting in financial loss and inventory depletion. 2026-02-04 5.3 CVE-2025-14461 https://www.wordfence.com/threat-intel/vulnerabilities/id/2791bbd5-9101-4484-a352-0e4d2ce04e5d?source=cve
https://plugins.trac.wordpress.org/browser/woo-xendit-virtual-accounts/trunk/woocommerce-xendit-pg.php#L252
https://plugins.trac.wordpress.org/browser/woo-xendit-virtual-accounts/tags/6.0.2/woocommerce-xendit-pg.php#L252
 
Tanium--Enforce Tanium addressed an improper link resolution before file access vulnerability in Enforce. 2026-02-05 5 CVE-2025-15328 TAN-2025-007
 
chapaet--Chapa Payment Gateway Plugin for WooCommerce The Chapa Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.3 via 'chapa_proceed' WooCommerce API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including the merchant's Chapa secret API key. 2026-02-04 5.3 CVE-2025-15482 https://www.wordfence.com/threat-intel/vulnerabilities/id/190492ec-5982-4dce-9e97-16a518a01a27?source=cve
https://plugins.trac.wordpress.org/browser/chapa-payment-gateway-for-woocommerce/tags/1.0.3/includes/class-waf-wc-chapa-gateway.php#L418
 
magicimport--Magic Import Document Extractor The Magic Import Document Extractor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_sync_usage() function in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to modify the plugin's license status and credit balance. 2026-02-04 5.3 CVE-2025-15507 https://www.wordfence.com/threat-intel/vulnerabilities/id/6854e470-26ac-4747-b72c-164e79e1a1b1?source=cve
https://plugins.trac.wordpress.org/browser/magic-import-document-extractor/tags/1.0.4/public/class-public.php#L225
 
magicimport--Magic Import Document Extractor The Magic Import Document Extractor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.4 via the get_frontend_settings() function. This makes it possible for unauthenticated attackers to extract the site's magicimport.ai license key from the page source on any page containing the plugin's shortcode. 2026-02-04 5.3 CVE-2025-15508 https://www.wordfence.com/threat-intel/vulnerabilities/id/9ec72ac5-1851-4074-bea4-ccfd684b9c8d?source=cve
https://plugins.trac.wordpress.org/browser/magic-import-document-extractor/tags/1.0.4/public/class-public.php#L379
 
IBM--Engineering Lifecycle Management - Global Configuration Management IBM Engineering Lifecycle Management - Global Configuration Management 7.0.3 through 7.0.3 Interim Fix 017, and 7.1.0 through 7.1.0 Interim Fix 004 IBM Global Configuration Management is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. 2026-02-03 5.4 CVE-2025-36033 https://www.ibm.com/support/pages/node/7258063
 
IBM--Cloud Pak for Business Automation IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 007 could allow an authenticated user to cause a denial of service or corrupt existing data due to the improper validation of input length. 2026-02-03 5.4 CVE-2025-36094 https://www.ibm.com/support/pages/node/7259318
 
IBM--Concert IBM Concert 1.0.0 through 2.1.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 2026-02-02 5.9 CVE-2025-36253 https://www.ibm.com/support/pages/node/7257565
 
HCL--AION Root File System Not Mounted as Read-Only configuration vulnerability. This can allow unintended modifications to critical system files, potentially increasing the risk of system compromise or unauthorized changes. This issue affects AION: 2.0. 2026-02-03 5.5 CVE-2025-52627 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972
 
N/A--Moodle[.]org A flaw was found in Moodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through specially crafted links. Successful exploitation could lead to information disclosure or arbitrary client-side script execution within the user's browser. 2026-02-03 5.4 CVE-2025-67855 https://access.redhat.com/security/cve/CVE-2025-67855
RHBZ#2423861
 
N/A--Moodle[.]org A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. This could enable unauthorized users to obtain badges they are not entitled to, potentially leading to privilege escalation or unauthorized access to certain features. 2026-02-03 5.4 CVE-2025-67856 https://access.redhat.com/security/cve/CVE-2025-67856
RHBZ#2423864
 
khoj-ai--khoj Khoj is a self-hostable artificial intelligence app. Prior to 2.0.0-beta.23, an IDOR in the Notion OAuth callback allows an attacker to hijack any user's Notion integration by manipulating the state parameter. The callback endpoint accepts any user UUID without verifying the OAuth flow was initiated by that user, allowing attackers to replace victims' Notion configurations with their own, resulting in data poisoning and unauthorized access to the victim's Khoj search index. This attack requires knowing the user's UUID which can be leaked through shared conversations where an AI generated image is present. This vulnerability is fixed in 2.0.0-beta.23. 2026-02-02 5.4 CVE-2025-69207 https://github.com/khoj-ai/khoj/security/advisories/GHSA-6whj-7qmg-86qj
https://github.com/khoj-ai/khoj/commit/1b7ccd141d47f365edeccc57d7316cb0913d748b
https://github.com/khoj-ai/khoj/releases/tag/2.0.0-beta.23
 
fortispay--Fortis for WooCommerce The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to an inverted nonce check in the 'check_fortis_notify_response' function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update arbitrary WooCommerce order statuses to paid/processing/completed, effectively allowing them to mark orders as paid without payment. 2026-02-04 5.3 CVE-2026-0679 https://www.wordfence.com/threat-intel/vulnerabilities/id/9f16c098-3e99-4506-b517-ae4b838a0925?source=cve
https://plugins.trac.wordpress.org/browser/fortis-for-woocommerce/trunk/classes/WC_Gateway_Fortis.php#L1674
https://plugins.trac.wordpress.org/browser/fortis-for-woocommerce/tags/1.2.0/classes/WC_Gateway_Fortis.php#L1674
 
alimir--WP ULike Engagement Analytics & Interactive Buttons to Understand Your Audience The WP ULike plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.8.3.1. This is due to the `wp_ulike_delete_history_api` AJAX action not verifying that the log entry being deleted belongs to the current user. This makes it possible for authenticated attackers, with Subscriber-level access and above (granted the 'stats' capability is assigned to their role), to delete arbitrary log entries belonging to other users via the 'id' parameter. 2026-02-03 5.3 CVE-2026-0909 https://www.wordfence.com/threat-intel/vulnerabilities/id/bee2e520-46cc-4b54-9849-fafb9b37ba19?source=cve
https://plugins.trac.wordpress.org/browser/wp-ulike/trunk/admin/admin-ajax.php#L94
https://plugins.trac.wordpress.org/browser/wp-ulike/tags/4.8.3.1/admin/admin-ajax.php#L94
https://plugins.trac.wordpress.org/changeset/3451296/wp-ulike/trunk/admin/admin-ajax.php
 
brainstormforce--Spectra Gutenberg Blocks Website Builder for the Block Editor The Spectra Gutenberg Blocks - Website Builder for the Block Editor plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.19.17. This is due to the plugin failing to check `post_password_required()` before rendering post excerpts in the `render_excerpt()` function and the `uagb_get_excerpt()` helper function. This makes it possible for unauthenticated attackers to read excerpts of password-protected posts by simply viewing any page that contains a Spectra Post Grid, Post Masonry, Post Carousel, or Post Timeline block. 2026-02-03 5.3 CVE-2026-0950 https://www.wordfence.com/threat-intel/vulnerabilities/id/ccaccf03-4162-4365-9f12-0363a78e91d4?source=cve
https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/blocks-config/post/class-uagb-post.php#L1303
https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/blocks-config/post/class-uagb-post.php#L1303
https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/blocks-config/post/class-uagb-post.php#L1621
https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/blocks-config/post/class-uagb-post.php#L1621
https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/blocks-config/post/class-uagb-post.php#L2196
https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/blocks-config/post/class-uagb-post.php#L2196
https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/classes/class-uagb-helper.php#L1403
https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/classes/class-uagb-helper.php#L1403
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3443216%40ultimate-addons-for-gutenberg%2Ftrunk&old=3410395%40ultimate-addons-for-gutenberg%2Ftrunk&sfp_email=&sfph_mail=
 
metagauss--ProfileGrid User Profiles, Groups and Communities The ProfileGrid - User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.7.2 via the 'pm_upload_image' and 'pm_upload_cover_image' AJAX actions. This is due to the update_user_meta() function being called outside of the user authorization check in public/partials/crop.php and public/partials/coverimg_crop.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change any user's profile picture or cover image, including administrators. 2026-02-05 5.3 CVE-2026-1271 https://www.wordfence.com/threat-intel/vulnerabilities/id/712535ce-8c38-4944-aa0a-36d9bacaeb67?source=cve
https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/partials/crop.php#L73
https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/partials/coverimg_crop.php#L60
https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.6.7/public/partials/crop.php#L73
https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.6.7/public/partials/coverimg_crop.php#L60
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448434%40profilegrid-user-profiles-groups-and-communities&new=3448434%40profilegrid-user-profiles-groups-and-communities&sfp_email=&sfph_mail=
 
themeum--Tutor LMS eLearning and online course solution The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates nonces but does not verify user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive coupon information including coupon codes, discount amounts, usage statistics, and course/bundle applications. 2026-02-03 5.3 CVE-2026-1371 https://www.wordfence.com/threat-intel/vulnerabilities/id/7f5c5f64-a864-4ce1-9080-19f7c4418307?source=cve
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/ecommerce/CouponController.php#L106
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/ecommerce/CouponController.php#L658
https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/ecommerce/CouponController.php?contextall=1&old=3422766&old_path=%2Ftutor%2Ftrunk%2Fecommerce%2FCouponController.php
 
getwpfunnels--Mail Mint Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19.2. This is due to missing nonce validation on the create_or_update_note function. This makes it possible for unauthenticated attackers to create or update contact notes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to missing sanitization and escaping this can lead to stored Cross-Site Scripting. 2026-02-03 5.4 CVE-2026-1447 https://www.wordfence.com/threat-intel/vulnerabilities/id/e67ae204-2848-4389-a78d-7b3798e4ee54?source=cve
https://plugins.trac.wordpress.org/browser/mail-mint/trunk/app/API/Routes/Admin/Contact/ContactProfileRoute.php#L105
https://plugins.trac.wordpress.org/browser/mail-mint/tags/1.19.2/app/API/Routes/Admin/Contact/ContactProfileRoute.php#L105
https://plugins.trac.wordpress.org/browser/mail-mint/trunk/app/API/Actions/Admin/Contact/ContactProfileAction.php#L85
https://plugins.trac.wordpress.org/browser/mail-mint/tags/1.19.2/app/API/Actions/Admin/Contact/ContactProfileAction.php#L85
https://plugins.trac.wordpress.org/changeset/3449536/mail-mint/trunk/app/API/Actions/Admin/Contact/ContactProfileAction.php?old=3032077&old_path=mail-mint%2Ftrunk%2Fapp%2FAPI%2FActions%2FAdmin%2FContact%2FContactProfileAction.php
 
F5--NGINX Open Source A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side-along with conditions beyond the attacker's control-may be able to inject plain text data into the response from an upstream proxied server.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. 2026-02-04 5.9 CVE-2026-1642 https://my.f5.com/manage/s/article/K000159824
 
brstefanovic--Advanced Country Blocker The Advanced Country Blocker plugin for WordPress is vulnerable to Authorization Bypass in all versions up to, and including, 2.3.1 due to the use of a predictable default value for the secret bypass key created during installation without requiring users to change it. This makes it possible for unauthenticated attackers to bypass the geolocation blocking mechanism by appending the key to any URL on sites where the administrator has not changed the default value. 2026-02-07 5.3 CVE-2026-1675 https://www.wordfence.com/threat-intel/vulnerabilities/id/30747988-83f9-41f9-9bc5-1f533bc4cb94?source=cve
https://plugins.trac.wordpress.org/browser/advanced-country-blocker/tags/2.3.1/advanced-country-blocking.php#L278
https://plugins.trac.wordpress.org/browser/advanced-country-blocker/tags/2.3.1/advanced-country-blocking.php#L336
https://plugins.trac.wordpress.org/browser/advanced-country-blocker/tags/2.3.1/advanced-country-blocking.php#L420
 
n/a--Open5GS A security vulnerability has been detected in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request of the file /src/sgwc/s11-handler.c of the component SGWC. Such manipulation leads to reachable assertion. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. A patch should be applied to remediate this issue. The issue report is flagged as already-fixed. 2026-02-02 5.3 CVE-2026-1736 VDB-343635 | Open5GS SGWC s11-handler.c assertion
VDB-343635 | CTI Indicators (IOB, IOC, IOA)
Submit #741191 | Open5GS SGWC v2.7.6 Denial of Service
https://github.com/open5gs/open5gs/issues/4270
https://github.com/open5gs/open5gs/issues/4270#event-21968624624
https://github.com/open5gs/open5gs/issues/4270#issue-3795141303
https://github.com/open5gs/open5gs/
 
n/a--Open5GS A vulnerability was detected in Open5GS up to 2.7.6. The affected element is the function sgwc_s5c_handle_create_bearer_request of the file /src/sgwc/s5c-handler.c of the component CreateBearerRequest Handler. Performing a manipulation results in reachable assertion. Remote exploitation of the attack is possible. The exploit is now public and may be used. To fix this issue, it is recommended to deploy a patch. The issue report is flagged as already-fixed. 2026-02-02 5.3 CVE-2026-1737 VDB-343636 | Open5GS CreateBearerRequest s5c-handler.c sgwc_s5c_handle_create_bearer_request assertion
VDB-343636 | CTI Indicators (IOB, IOC, IOA)
Submit #741192 | Open5GS SGWC v2.7.6 Denial of Service
https://github.com/open5gs/open5gs/issues/4271
https://github.com/open5gs/open5gs/issues/4271#event-21968630023
https://github.com/open5gs/open5gs/issues/4271#issue-3795147720
https://github.com/open5gs/open5gs/
 
n/a--Open5GS A flaw has been found in Open5GS up to 2.7.6. The impacted element is the function sgwc_tunnel_add of the file /src/sgwc/context.c of the component SGWC. Executing a manipulation of the argument pdr can lead to reachable assertion. The attack can be executed remotely. The exploit has been published and may be used. It is advisable to implement a patch to correct this issue. The issue report is flagged as already-fixed. 2026-02-02 5.3 CVE-2026-1738 VDB-343637 | Open5GS SGWC context.c sgwc_tunnel_add assertion
VDB-343637 | CTI Indicators (IOB, IOC, IOA)
Submit #741193 | Open5gs SGWC v2.7.6 Denial of Service
https://github.com/open5gs/open5gs/issues/4261
https://github.com/open5gs/open5gs/issues/4261#event-21968563677
https://github.com/open5gs/open5gs/issues/4261#issue-3787803578
https://github.com/open5gs/open5gs/
 
Free5GC--pcf A vulnerability has been found in Free5GC pcf up to 1.4.1. This affects the function HandleCreateSmPolicyRequest of the file internal/sbi/processor/smpolicy.go. The manipulation leads to null pointer dereference. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is df535f5524314620715e842baf9723efbeb481a7. Applying a patch is the recommended action to fix this issue. 2026-02-02 5.3 CVE-2026-1739 VDB-343638 | Free5GC pcf smpolicy.go HandleCreateSmPolicyRequest null pointer dereference
VDB-343638 | CTI Indicators (IOB, IOC, IOA)
Submit #741194 | free5gc PCF v4.1.0 Denial of Service
https://github.com/free5gc/free5gc/issues/803
https://github.com/free5gc/pcf/pull/62
https://github.com/free5gc/free5gc/issues/803#issue-3815770007
https://github.com/free5gc/pcf/commit/df535f5524314620715e842baf9723efbeb481a7
https://github.com/free5gc/pcf/
 
Red Hat--Red Hat Enterprise Linux 10 A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding: chunked and Connection: keep-alive headers. A remote, unauthenticated client can exploit this by sending specially crafted requests, causing SoupServer to fail to close the connection as required by RFC 9112. This allows the attacker to smuggle additional requests over the persistent connection, leading to unintended request processing and potential denial-of-service (DoS) conditions. 2026-02-02 5.3 CVE-2026-1760 https://access.redhat.com/security/cve/CVE-2026-1760
RHBZ#2435951
 
Xerox--CentreWare Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Xerox CentreWare on Windows allows Stored XSS. This issue affects CentreWare: through 7.0.6.  Consider upgrading Xerox® CentreWare Web® to v7.2.2.25 via the software available on Xerox.com 2026-02-06 5.3 CVE-2026-1769 https://securitydocs.business.xerox.com/wp-content/uploads/2026/02/Xerox-Security-Bulletin-XRX26-003-for-Xerox-CentreWare-Web.pdf
 
AWS--SageMaker Python SDK Amazon SageMaker Python SDK before v3.1.1 or v2.256.0 disables TLS certificate verification for HTTPS connections made by the service when a Triton Python model is imported, incorrectly allowing for requests with invalid and self-signed certificates to succeed. 2026-02-02 5.9 CVE-2026-1778 https://aws.amazon.com/security/security-bulletins/2026-004-AWS/
https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-62rc-f4v9-h543
https://github.com/aws/sagemaker-python-sdk/releases/tag/v3.1.1
https://github.com/aws/sagemaker-python-sdk/releases/tag/v2.256.0
 
Red Hat--Red Hat Enterprise Linux 10 A flaw was found in libsoup, an HTTP client/server library. This HTTP Request Smuggling vulnerability arises from non-RFC-compliant parsing in the soup_filter_input_stream_read_line() logic, where libsoup accepts malformed chunk headers, such as lone line feed (LF) characters instead of the required carriage return and line feed (CRLF). A remote attacker can exploit this without authentication or user interaction by sending specially crafted chunked requests. This allows libsoup to parse and process multiple HTTP requests from a single network message, potentially leading to information disclosure. 2026-02-03 5.3 CVE-2026-1801 https://access.redhat.com/security/cve/CVE-2026-1801
RHBZ#2436315
 
n/a--WeKan A security vulnerability has been detected in WeKan up to 8.20. This affects the function setBoardOrgs of the file models/boards.js of the component REST API. Such manipulation of the argument item.cardId/item.checklistId/card.boardId leads to improper authorization. The attack may be launched remotely. A high complexity level is associated with this attack. The exploitability is reported as difficult. Upgrading to version 8.21 mitigates this issue. The name of the patch is cabfeed9a68e21c469bf206d8655941444b9912c. It is suggested to upgrade the affected component. 2026-02-04 5 CVE-2026-1892 VDB-344265 | WeKan REST API boards.js setBoardOrgs improper authorization
VDB-344265 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #742662 | Wekan <8.21 IDOR via REST API / improper object relationship validation
https://github.com/wekan/wekan/commit/cabfeed9a68e21c469bf206d8655941444b9912c
https://github.com/wekan/wekan/releases/tag/v8.21
https://github.com/wekan/wekan/
 
Edimax--BR-6208AC A vulnerability was found in Edimax BR-6208AC 2_1.02. The affected element is the function auth_check_userpass2. Performing a manipulation of the argument Username/Password results in use of default credentials. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor confirms that the affected product is end-of-life. They confirm that they "will issue a consolidated Security Advisory on our official support website." This vulnerability only affects products that are no longer supported by the maintainer. 2026-02-06 5.3 CVE-2026-1972 VDB-344494 | Edimax BR-6208AC auth_check_userpass2 default credentials
VDB-344494 | CTI Indicators (IOB, IOC, IOA)
Submit #744032 | Edimax BR-6208AC V2_1.02 Weak Authentication
https://tzh00203.notion.site/EDIMAX-BR-6208AC-V2_1-02-Weak-Password-Authentication-Vulnerability-in-auth_check_userpass2-Functi-2f0b5c52018a801c9645dd5261717901?source=copy_link
 
n/a--Free5GC A vulnerability was determined in Free5GC up to 4.1.0. The impacted element is the function establishPfcpSession of the component SMF. Executing a manipulation can lead to null pointer dereference. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. It is best practice to apply a patch to resolve this issue. 2026-02-06 5.3 CVE-2026-1973 VDB-344495 | Free5GC SMF establishPfcpSession null pointer dereference
VDB-344495 | CTI Indicators (IOB, IOC, IOA)
Submit #743236 | free5gc SMF v4.1.0 Denial of Service
https://github.com/free5gc/free5gc/issues/815
https://github.com/free5gc/free5gc/issues/815#issue-3832032062
https://github.com/free5gc/smf/pull/189
https://github.com/free5gc/free5gc/
 
n/a--Free5GC A vulnerability was identified in Free5GC up to 4.1.0. This affects the function ResolveNodeIdToIp of the file internal/sbi/processor/datapath.go of the component SMF. The manipulation leads to denial of service. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. It is recommended to apply a patch to fix this issue. 2026-02-06 5.3 CVE-2026-1974 VDB-344496 | Free5GC SMF datapath.go ResolveNodeIdToIp denial of service
VDB-344496 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #743237 | free5gc SMF v4.1.0 Denial of Service
https://github.com/free5gc/free5gc/issues/816
https://github.com/free5gc/free5gc/issues/816#issue-3832055233
https://github.com/free5gc/smf/pull/189
https://github.com/free5gc/free5gc/
 
n/a--Free5GC A security flaw has been discovered in Free5GC up to 4.1.0. This impacts the function identityTriggerType of the file pfcp_reports.go. The manipulation results in null pointer dereference. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Applying a patch is advised to resolve this issue. 2026-02-06 5.3 CVE-2026-1975 VDB-344497 | Free5GC pfcp_reports.go identityTriggerType null pointer dereference
VDB-344497 | CTI Indicators (IOB, IOC, IOA)
Submit #743238 | free5gc SMF v4.1.0 Denial of Service
https://github.com/free5gc/free5gc/issues/814
https://github.com/free5gc/free5gc/issues/814#issue-3831993593
https://github.com/free5gc/smf/pull/189
https://github.com/free5gc/free5gc/
 
n/a--Free5GC A weakness has been identified in Free5GC up to 4.1.0. Affected is the function SessionDeletionResponse of the component SMF. This manipulation causes null pointer dereference. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. It is suggested to install a patch to address this issue. 2026-02-06 5.3 CVE-2026-1976 VDB-344498 | Free5GC SMF SessionDeletionResponse null pointer dereference
VDB-344498 | CTI Indicators (IOB, IOC, IOA)
Submit #743239 | free5gc SMF v4.1.0 Denial of Service
https://github.com/free5gc/free5gc/issues/817
https://github.com/free5gc/free5gc/issues/817#issue-3832188092
https://github.com/free5gc/smf/pull/189
https://github.com/free5gc/free5gc/
 
kalyan02--NanoCMS A vulnerability was detected in kalyan02 NanoCMS up to 0.4. Affected by this issue is some unknown functionality of the file /data/pagesdata.txt of the component User Information Handler. Performing a manipulation results in direct request. It is possible to initiate the attack remotely. The exploit is now public and may be used. You should change the configuration settings. 2026-02-06 5.3 CVE-2026-1978 VDB-344500 | kalyan02 NanoCMS User Information pagesdata.txt direct request
VDB-344500 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #743260 | SourceCodester NanoCMS V0.4 Sensitive document leak
https://github.com/kalyan02/NanoCMS/blob/master/data/pagesdata.txt
https://github.com/kalyan02/NanoCMS/
 
n/a--mruby A flaw has been found in mruby up to 3.4.0. This affects the function mrb_vm_exec of the file src/vm.c of the component JMPNOT-to-JMPIF Optimization. Executing a manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been published and may be used. This patch is called e50f15c1c6e131fa7934355eb02b8173b13df415. It is advisable to implement a patch to correct this issue. 2026-02-06 5.3 CVE-2026-1979 VDB-344501 | mruby JMPNOT-to-JMPIF Optimization vm.c mrb_vm_exec use after free
VDB-344501 | CTI Indicators (IOB, IOC, IOA)
Submit #743377 | mruby cda2567 Use After Free
https://github.com/mruby/mruby/issues/6701
https://github.com/mruby/mruby/issues/6701#issue-3802609843
https://github.com/sysfce2/mruby/commit/e50f15c1c6e131fa7934355eb02b8173b13df415
https://github.com/mruby/mruby/
 
happyfish100--libfastcommon A security vulnerability has been detected in happyfish100 libfastcommon up to 1.0.84. Affected by this vulnerability is the function base64_decode of the file src/base64.c. The manipulation leads to stack-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The identifier of the patch is 82f66af3e252e3e137dba0c3891570f085e79adf. Applying a patch is the recommended action to fix this issue. 2026-02-06 5.3 CVE-2026-2016 VDB-344598 | happyfish100 libfastcommon base64.c base64_decode stack-based overflow
VDB-344598 | CTI Indicators (IOB, IOC, IOA)
Submit #743873 | happyfish100 libfastcommon V1.0.84 and earlier Heap-based Buffer Overflow
https://github.com/happyfish100/libfastcommon/issues/55
https://github.com/happyfish100/libfastcommon/issues/55#issuecomment-3776757848
https://github.com/happyfish100/libfastcommon/issues/55#issue-3836362577
https://github.com/happyfish100/libfastcommon/commit/82f66af3e252e3e137dba0c3891570f085e79adf
https://github.com/happyfish100/libfastcommon/
 
D-Link--DIR-605L A security flaw has been discovered in D-Link DIR-605L and DIR-619L 2.06B01/2.13B01. Impacted is an unknown function of the component Wifi Setting Handler. Performing a manipulation results in information disclosure. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer. 2026-02-06 5.3 CVE-2026-2054 VDB-344614 | D-Link DIR-605L/DIR-619L Wifi Setting information disclosure
VDB-344614 | CTI Indicators (IOB, IOC, TTP)
Submit #744224 | D-Link DIR619L、DIR605L 2.06B01、2.13B01 Improper Access Controls
https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_81/81.md
https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_81/81.md#poc--result
https://www.dlink.com/
 
D-Link--DIR-605L A weakness has been identified in D-Link DIR-605L and DIR-619L 2.06B01/2.13B01. The affected element is an unknown function of the component DHCP Client Information Handler. Executing a manipulation can lead to information disclosure. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer. 2026-02-06 5.3 CVE-2026-2055 VDB-344615 | D-Link DIR-605L/DIR-619L DHCP Client Information information disclosure
VDB-344615 | CTI Indicators (IOB, IOC, TTP)
Submit #744225 | D-Link DIR619L、DIR605L 2.06B01、2.13B01 Improper Access Controls
https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_82/82.md
https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_82/82.md#poc--result
https://www.dlink.com/
 
D-Link--DIR-605L A security vulnerability has been detected in D-Link DIR-605L and DIR-619L 2.06B01/2.13B01. The impacted element is an unknown function of the file /wan_connection_status.asp of the component DHCP Connection Status Handler. The manipulation leads to information disclosure. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer. 2026-02-06 5.3 CVE-2026-2056 VDB-344616 | D-Link DIR-605L/DIR-619L DHCP Connection Status wan_connection_status.asp information disclosure
VDB-344616 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #744226 | D-Link DIR619L、DIR605L 2.06B01、2.13B01 Improper Access Controls
https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_83/83.md
https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_82/82.md#poc--result
https://www.dlink.com/
 
n/a--Open5GS A vulnerability was identified in Open5GS up to 2.7.6. This affects the function sgwc_s5c_handle_modify_bearer_response/sgwc_sxa_handle_session_modification_response of the component PGW S5U Address Handler. The manipulation leads to null pointer dereference. The attack can be initiated remotely. The exploit is publicly available and might be used. The identifier of the patch is f1bbd7b57f831e2a070780a7d8d5d4c73babdb59. Applying a patch is the recommended action to fix this issue. 2026-02-06 5.3 CVE-2026-2062 VDB-344622 | Open5GS PGW S5U Address sgwc_sxa_handle_session_modification_response null pointer dereference
VDB-344622 | CTI Indicators (IOB, IOC, IOA)
Submit #744719 | Open5GS SGWC v2.7.6 Denial of Service
https://github.com/open5gs/open5gs/issues/4257
https://github.com/open5gs/open5gs/issues/4257#issue-3787701521
https://github.com/open5gs/open5gs/commit/f1bbd7b57f831e2a070780a7d8d5d4c73babdb59
https://github.com/open5gs/open5gs/
 
jsbroks--COCO Annotator A vulnerability was determined in jsbroks COCO Annotator up to 0.11.1. This impacts an unknown function of the file /api/info/long_task of the component Endpoint. This manipulation causes denial of service. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-07 5.3 CVE-2026-2108 VDB-344684 | jsbroks COCO Annotator Endpoint long_task denial of service
VDB-344684 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #745547 | coco-annotator 0.11.1 Denial of Service
https://github.com/nmmorette/vulnerability-research/blob/main/coco-anotator/Unauthenticated%20Task%20Queue%20Flood%20in%20COCO%20Annotator%202f1ef09b873680f99d39e3f7db9886fa.md
 
jsbroks--COCO Annotator A vulnerability was identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file /api/undo/ of the component Delete Category Handler. Such manipulation of the argument ID leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-07 5.4 CVE-2026-2109 VDB-344685 | jsbroks COCO Annotator Delete Category undo improper authorization
VDB-344685 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #745579 | coco-annotator v0.11.1 Broken Function Level Authorization
https://github.com/nmmorette/vulnerability-research/blob/main/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo%202f1ef09b8736807aa1f7ede4b64fa35d.md
 
Tenda--AC21 A weakness has been identified in Tenda AC21 16.03.08.16. This impacts an unknown function of the file /cgi-bin/DownloadLog of the component Web Management Interface. Executing a manipulation can lead to information disclosure. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. 2026-02-08 5.3 CVE-2026-2147 VDB-344849 | Tenda AC21 Web Management DownloadLog information disclosure
VDB-344849 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #747429 | Tenda AC21 V16.03.08.16 Missing Critical Step in Authentication
https://github.com/master-abc/cve/issues/30
https://www.tenda.com.cn/
 
Tenda--AC21 A security vulnerability has been detected in Tenda AC21 16.03.08.16. Affected is an unknown function of the file /cgi-bin/DownloadFlash of the component Web Management Interface. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. 2026-02-08 5.3 CVE-2026-2148 VDB-344850 | Tenda AC21 Web Management DownloadFlash information disclosure
VDB-344850 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #747557 | Tenda AC21 V16.03.08.16 Missing Critical Step in Authentication
https://github.com/master-abc/cve/issues/27
https://www.tenda.com.cn/
 
n/a--WeKan A weakness has been identified in WeKan up to 8.20. This issue affects some unknown processing of the file server/publications/activities.js of the component Activity Publication Handler. Executing a manipulation can lead to information disclosure. It is possible to launch the attack remotely. Upgrading to version 8.21 is capable of addressing this issue. This patch is called 91a936e07d2976d4246dfe834281c3aaa87f9503. You should upgrade the affected component. 2026-02-08 5.3 CVE-2026-2207 VDB-344921 | WeKan Activity Publication activities.js LinkedBoardActivitiesBleed information disclosure
VDB-344921 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #752163 | Wekan <8.21 Information disclosure via insufficient authorization filtering
https://github.com/wekan/wekan/commit/91a936e07d2976d4246dfe834281c3aaa87f9503
https://github.com/wekan/wekan/releases/tag/v8.21
https://github.com/wekan/wekan/
 
F5--BIG-IP When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests along with conditions beyond the attacker's control can cause the bd process to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. 2026-02-04 5.9 CVE-2026-22548 https://my.f5.com/manage/s/article/K000158072
 
NeoRazorX--facturascripts FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig's | raw filter is used, which skips HTML escaping. When triggering a database error (like passing a string where an integer is expected), the error message includes the input and gets rendered without sanitization. This vulnerability is fixed in 2025.8. 2026-02-02 5.4 CVE-2026-23476 https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-g6w2-q45f-xrp4
https://github.com/NeoRazorX/facturascripts/commit/2afd98cecd26c5f8357e0e321d86063ad1012fc3
https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.8
 
CollaboraOnline--online Collabora Online is a collaborative online office suite based on LibreOffice technology. Prior to Collabora Online Development Edition version 25.04.08.2 and prior to Collabora Online versions 23.05.20.1, 24.04.17.3, and 25.04.7.5, a user with view-only rights and no download privileges can obtain a local copy of a shared file. Although there are no corresponding buttons in the interface, pressing Ctrl+Shift+S initiates the file download process. This allows the user to bypass the access restrictions and leads to unauthorized data retrieval. This issue has been patched in Collabora Online Development Edition version 25.04.08.2 and Collabora Online versions 23.05.20.1, 24.04.17.3, and 25.04.7.5. 2026-02-05 5.3 CVE-2026-23623 https://github.com/CollaboraOnline/online/security/advisories/GHSA-68v6-r6qq-mmq2
 
gunet--openeclass The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a username enumeration vulnerability allows unauthenticated attackers to identify valid user accounts by analyzing differences in the login response behavior. This issue has been patched in version 4.2. 2026-02-03 5.3 CVE-2026-24664 https://github.com/gunet/openeclass/security/advisories/GHSA-c3wq-m629-5h2j
 
gunet--openeclass The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, failure to invalidate active user sessions after a password change allows existing session tokens to remain valid, potentially enabling unauthorized continued access to user accounts. This issue has been patched in version 4.2. 2026-02-03 5 CVE-2026-24667 https://github.com/gunet/openeclass/security/advisories/GHSA-5h73-53mh-m224
 
Huawei--HarmonyOS Identity authentication bypass vulnerability in the window module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. 2026-02-06 5.9 CVE-2026-24916 https://consumer.huawei.com/en/support/bulletin/2026/2/
 
Huawei--HarmonyOS Out-of-bounds access vulnerability in the frequency modulation module. Impact: Successful exploitation of this vulnerability may affect availability. 2026-02-06 5.5 CVE-2026-24927 https://consumer.huawei.com/en/support/bulletin/2026/2/
 
Huawei--HarmonyOS Out-of-bounds write vulnerability in the file system module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. 2026-02-06 5.8 CVE-2026-24928 https://consumer.huawei.com/en/support/bulletin/2026/2/
 
Huawei--HarmonyOS Out-of-bounds read vulnerability in the graphics module. Impact: Successful exploitation of this vulnerability may affect availability. 2026-02-06 5.9 CVE-2026-24929 https://consumer.huawei.com/en/support/bulletin/2026/2/
https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/
 
Huawei--HarmonyOS Vulnerability of improper criterion security check in the card module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. 2026-02-06 5.9 CVE-2026-24931 https://consumer.huawei.com/en/support/bulletin/2026/2/
https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/
 
chainguard-dev--apko apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.0, expandapk.Split drains the first gzip stream of an APK archive via io.Copy(io.Discard, gzi) without explicit bounds. With an attacker-controlled input stream, this can force large gzip inflation work and lead to resource exhaustion (availability impact). The Split function reads the first tar header, then drains the remainder of the gzip stream by reading from the gzip reader directly without any maximum uncompressed byte limit or inflate-ratio cap. A caller that parses attacker-controlled APK streams may be forced to spend excessive CPU time inflating gzip data, leading to timeouts or process slowdown. This issue has been patched in version 1.1.0. 2026-02-04 5.5 CVE-2026-25122 https://github.com/chainguard-dev/apko/security/advisories/GHSA-6p9p-q6wh-9j89
https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09
 
homarr-labs--homarr Homarr is an open-source dashboard. Prior to 1.52.0, a public (unauthenticated) tRPC endpoint widget.app.ping accepts an arbitrary url and performs a server-side request to that URL. This allows an unauthenticated attacker to trigger outbound HTTP requests from the Homarr server, enabling SSRF behavior and a reliable port-scanning primitive (open vs closed ports can be inferred from statusCode vs fetch failed and timing). This vulnerability is fixed in 1.52.0. 2026-02-06 5.3 CVE-2026-25123 https://github.com/homarr-labs/homarr/security/advisories/GHSA-c6rh-8wj4-gv74
 
Talishar--Talishar Talishar is a fan-made Flesh and Blood project. A Stored XSS exists in the chat in-game system. The playerID parameter in SubmitChat.php and is saved without sanitization and executed whenever a user view the current page game. This vulnerability is fixed by 09dd00e5452e3cd998eb1406a88e5b0fa868e6b4. 2026-02-02 5.3 CVE-2026-25144 https://github.com/Talishar/Talishar/security/advisories/GHSA-rrr4-h2pc-57g6
https://github.com/Talishar/Talishar/commit/09dd00e5452e3cd998eb1406a88e5b0fa868e6b4
 
chainguard-dev--melange melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host system. The LicensingInfos function in pkg/config/config.go reads license files specified in copyright[].license-path without validating that paths remain within the workspace directory, allowing path traversal via ../ sequences. The contents of the traversed file are embedded into the generated SBOM as license text, enabling exfiltration of sensitive data through build artifacts. This issue has been patched in version 0.40.3. 2026-02-04 5.5 CVE-2026-25145 https://github.com/chainguard-dev/melange/security/advisories/GHSA-2w4f-9fgg-q2v9
https://github.com/chainguard-dev/melange/commit/2f95c9f4355ed993f2670bf1bb82d88b0f65e9e4
 
QwikDev--qwik Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City's server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. This issue has been patched in version 1.19.0. 2026-02-03 5.9 CVE-2026-25151 https://github.com/QwikDev/qwik/security/advisories/GHSA-r666-8gjf-4v5f
https://github.com/QwikDev/qwik/commit/eebf610e04cc3a690f11e10191d09ff0fca1c7ed
 
QwikDev--qwik Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0. 2026-02-03 5.9 CVE-2026-25155 https://github.com/QwikDev/qwik/security/advisories/GHSA-vm6g-8r4h-22x8
https://github.com/QwikDev/qwik/commit/d70d7099b90b998f1aac7cedc21c67d87bac4c75
 
SignalK--signalk-server Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (\), which are treated as directory separators by path.join() on Windows. This enables attackers to escape the intended applicationData directory. This vulnerability is fixed in 2.20.3. 2026-02-02 5 CVE-2026-25228 https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx
https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7
 
ci4-cms-erp--ci4ms CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, the authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can determine whether an email address is registered in the system by analyzing the application's response during the password reset process. This issue has been patched in version 0.28.5.0. 2026-02-03 5.3 CVE-2026-25509 https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-654x-9q7r-g966
https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653
 
cert-manager--cert-manager cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. In versions from 1.18.0 to before 1.18.5 and from 1.19.0 to before 1.19.3, the cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS. An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. Accessing this entry will trigger a panic, resulting in denial‑of‑service (DoS) of the cert-manager controller. The issue can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor. This issue has been patched in versions 1.18.5 and 1.19.3. 2026-02-04 5.9 CVE-2026-25518 https://github.com/cert-manager/cert-manager/security/advisories/GHSA-gx3x-vq4p-mhhv
https://github.com/cert-manager/cert-manager/pull/8467
https://github.com/cert-manager/cert-manager/pull/8468
https://github.com/cert-manager/cert-manager/pull/8469
https://github.com/cert-manager/cert-manager/commit/409fc24e539711a07aae45ed45abbe03dfdad2cc
https://github.com/cert-manager/cert-manager/commit/9a73a0b3853035827edd37ac463e4803ba10327d
https://github.com/cert-manager/cert-manager/commit/d4faed26ae12115cceb807cdc12507ebc28980e2
 
OpenMage--magento-lts Magento-lts is a long-term support alternative to Magento Community Edition (CE). Prior to version 20.16.1, the admin url can be discovered without prior knowledge of it's location by exploiting the X-Original-Url header on some configurations. This issue has been patched in version 20.16.1. 2026-02-04 5.3 CVE-2026-25523 https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jg68-vhv3-9r8f
https://hackerone.com/bugs?subject=openmage&report_id=3416312
 
payloadcms--payload Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide. This vulnerability has been patched in v3.74.0. 2026-02-06 5.4 CVE-2026-25574 https://github.com/payloadcms/payload/security/advisories/GHSA-jq29-r496-r955
 
samclarke--SCEditor SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability control configuration options passed to sceditor.create(), like emoticons, charset, etc. then it's possible for them to trigger an XSS attack due to lack of sanitisation of configuration options. This vulnerability is fixed in 3.2.1. 2026-02-06 5.4 CVE-2026-25581 https://github.com/samclarke/SCEditor/security/advisories/GHSA-25fq-6qgg-qpj8
https://github.com/samclarke/SCEditor/commit/5733aed4f0e257cb78e1ba191715fc458cbd473d
 
PrestaShop--PrestaShop PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. This vulnerability is fixed in 8.2.4 and 9.0.3. 2026-02-06 5.3 CVE-2026-25597 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-67v7-3g49-mxh2
https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.4
https://github.com/PrestaShop/PrestaShop/releases/tag/9.0.3
 
Wing FTP Server--Wing FTP Server Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery (CSRF) vulnerability in the web administration interface that allows attackers to delete admin users. Attackers can craft a malicious HTML page with a hidden form to submit a request that deletes the administrative user account without proper authorization. 2026-02-06 4.3 CVE-2020-37079 ExploitDB-48200
Wing FTP Server Official Homepage
Wing FTP Server Version History
VulnCheck Advisory: Wing FTP Server < 6.2.7 - Cross-site Request Forgery
 
Openeclass--GUnet OpenEclass GUnet OpenEclass 1.7.3 allows unauthenticated and authenticated users to access sensitive information, including system information, application version, and other students' uploaded assessments, due to improper access controls and information disclosure flaws in various modules. Attackers can retrieve system info, version info, and view or download other users' files without proper authorization. 2026-02-03 4.3 CVE-2020-37114 ExploitDB-48163
Official Vendor Homepage
Changelog
VulnCheck Advisory: GUnet OpenEclass 1.7.3 E-learning platform - Information Disclosure
 
HRSALE--HRSALE HRSALE 1.1.8 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized administrative users through the employee registration form. Attackers can craft a malicious HTML page with hidden form fields to trick authenticated administrators into creating new user accounts with elevated privileges. 2026-02-05 4.3 CVE-2020-37145 ExploitDB-48205
Archived Product Webpage
VulnCheck Advisory: HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin)
 
IBM--Operations Analytics - Log Analysis IBM Operations Analytics - Log Analysis versions 1.3.5.0 through 1.3.8.3 and IBM SmartCloud Analytics - Log Analysis are vulnerable to a cross-site request forgery (CSRF) vulnerability that could allow an attacker to trick a trusted user into performing unauthorized actions. 2026-02-04 4.3 CVE-2024-40685 https://www.ibm.com/support/pages/node/7256429
 
metagauss--ProfileGrid User Profiles, Groups and Communities The ProfileGrid - User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() function in all versions up to, and including, 5.9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to suspend arbitrary users from groups, including administrators, via the pm_deactivate_user_from_group AJAX action. 2026-02-05 4.3 CVE-2025-13416 https://www.wordfence.com/threat-intel/vulnerabilities/id/31c2cd54-f258-43ea-8db2-8d98ad7014d1?source=cve
https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/class-profile-magic-public.php#L3167
https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.6.5/public/class-profile-magic-public.php#L3167
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448434%40profilegrid-user-profiles-groups-and-communities&new=3448434%40profilegrid-user-profiles-groups-and-communities&sfp_email=&sfph_mail=
 
Tanium--Patch Tanium addressed an improper access controls vulnerability in Patch. 2026-02-05 4.3 CVE-2025-15326 TAN-2025-006
 
Tanium--Deploy Tanium addressed an improper access controls vulnerability in Deploy. 2026-02-05 4.3 CVE-2025-15327 TAN-2025-006
 
Tanium--Threat Response Tanium addressed an information disclosure vulnerability in Threat Response. 2026-02-05 4.9 CVE-2025-15329 TAN-2025-019
 
Tanium--Connect Tanium addressed an uncontrolled resource consumption vulnerability in Connect. 2026-02-05 4.3 CVE-2025-15331 TAN-2025-015
 
Tanium--Threat Response Tanium addressed an information disclosure vulnerability in Threat Response. 2026-02-05 4.9 CVE-2025-15332 TAN-2025-020
 
Tanium--Threat Response Tanium addressed an information disclosure vulnerability in Threat Response. 2026-02-05 4.3 CVE-2025-15333 TAN-2025-025
 
Tanium--Threat Response Tanium addressed an information disclosure vulnerability in Threat Response. 2026-02-05 4.3 CVE-2025-15334 TAN-2025-026
 
Tanium--Threat Response Tanium addressed an information disclosure vulnerability in Threat Response. 2026-02-05 4.3 CVE-2025-15335 TAN-2025-027
 
Tanium--Reputation Tanium addressed an improper access controls vulnerability in Reputation. 2026-02-05 4.3 CVE-2025-15342 TAN-2025-030
 
IBM--Jazz Foundation IBM Jazz Foundation 7.0.3 through 7.0.3 iFix019 and 7.1.0 through 7.1.0 iFix005 is vulnerable to access control violations that allows the users to view or access/perform actions beyond their expected capability. 2026-02-02 4.3 CVE-2025-15395 https://www.ibm.com/support/pages/node/7258304
 
simonfairbairn--The Bucketlister The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlister_do_admin_ajax() function in all versions up to, and including, 0.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add delete or modify arbitrary bucket list items. 2026-02-07 4.3 CVE-2025-15476 https://www.wordfence.com/threat-intel/vulnerabilities/id/fc9e6374-8f9e-4c60-a86b-46cd4122abf9?source=cve
https://plugins.trac.wordpress.org/browser/the-bucketlister/tags/0.1.5/bucketlister.php#L185
 
qriouslad--Code Explorer The Code Explorer plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.6 via the 'file' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. 2026-02-04 4.9 CVE-2025-15487 https://www.wordfence.com/threat-intel/vulnerabilities/id/fad8ad54-56eb-40fa-a357-77b7d656d378?source=cve
https://plugins.trac.wordpress.org/browser/code-explorer/tags/1.4.6/admin/class-code-explorer-admin.php#L211
 
HCL--AION A Potential Command Injection vulnerability in HCL AION.  An This can allow unintended command execution, potentially leading to unauthorized actions on the underlying system. This issue affects AION: 2.0 2026-02-03 4.5 CVE-2025-52626 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972
 
HCL--AION HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vulnerability. This can allow cookies to be sent in cross-site requests, potentially increasing exposure to cross-site request forgery and related security risks. This issue affects AION: 2.0. 2026-02-03 4.6 CVE-2025-52628 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972
 
N/A--Moodle[.]org A flaw was found in Moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, compromising the intended anonymity and potentially leading to information disclosure. 2026-02-03 4.3 CVE-2025-67857 https://access.redhat.com/security/cve/CVE-2025-67857
RHBZ#2423868
https://moodle.org/mod/forum/discuss.php?d=471307
 
Red Hat--Red Hat Ansible Automation Platform 2 A security flaw was identified in the Ansible Lightspeed API conversation endpoints that handle AI chat interactions. The APIs do not properly verify whether a conversation identifier belongs to the authenticated user making the request. As a result, an attacker with valid credentials could access or influence conversations owned by other users. This exposes sensitive conversation data and allows unauthorized manipulation of AI-generated outputs. 2026-02-06 4.2 CVE-2026-0598 https://access.redhat.com/security/cve/CVE-2026-0598
RHBZ#2427094
 
rtddev--Extended Random Number Generator The Extended Random Number Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-02-04 4.4 CVE-2026-0681 https://www.wordfence.com/threat-intel/vulnerabilities/id/575c3329-8dbb-4d15-8e11-a86a01b96f50?source=cve
https://plugins.trac.wordpress.org/browser/extended-random-number-generator/trunk/random_number_generator.php#L187
https://plugins.trac.wordpress.org/browser/extended-random-number-generator/tags/1.1/random_number_generator.php#L187
 
orenhav--WP Content Permission The WP Content Permission plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ohmem-message' parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-02-04 4.4 CVE-2026-0743 https://www.wordfence.com/threat-intel/vulnerabilities/id/e44403cd-1cee-43c4-aabc-3eaad433c020?source=cve
https://plugins.trac.wordpress.org/browser/wp-content-permission/trunk/admin/views/admin.php#L74
https://plugins.trac.wordpress.org/browser/wp-content-permission/tags/1.2/admin/views/admin.php#L74
 
gtlwpdev--All push notification for WP The All push notification for WP plugin for WordPress is vulnerable to time-based SQL Injection via the 'delete_id' parameter in all versions up to, and including, 1.5.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-02-04 4.9 CVE-2026-0816 https://www.wordfence.com/threat-intel/vulnerabilities/id/fc1f36b1-cf28-472c-8a7a-f091ecb48c2d?source=cve
https://plugins.trac.wordpress.org/browser/all-push-notification/tags/1.5.3/pushnotification-admin/class-pushnotification-admin.php#L95
https://plugins.trac.wordpress.org/browser/all-push-notification/trunk/pushnotification-admin/class-pushnotification-admin.php#L95
 
arkapravamajumder--TITLE ANIMATOR The TITLE ANIMATOR plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page form handler in `inc/settings-page.php`. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-02-07 4.3 CVE-2026-1082 https://www.wordfence.com/threat-intel/vulnerabilities/id/98736b9d-3e0a-40c0-900a-fbbaaac07958?source=cve
https://plugins.trac.wordpress.org/browser/title-animator/trunk/inc/settings-page.php#L5
https://plugins.trac.wordpress.org/browser/title-animator/tags/1.0/inc/settings-page.php#L5
 
bplugins--Timeline Block Beautiful Timeline Builder for WordPress (Vertical & Horizontal Timelines) The Timeline Block - Beautiful Timeline Builder for WordPress (Vertical & Horizontal Timelines) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.3 via the tlgb_shortcode() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to disclose private timeline content via the id attribute supplied to the 'timeline_block' shortcode. 2026-02-06 4.3 CVE-2026-1228 https://www.wordfence.com/threat-intel/vulnerabilities/id/cecebfd0-c2af-4150-8793-299cdbeaa7b9?source=cve
https://plugins.trac.wordpress.org/changeset/3446078/timeline-block-block
 
shortpixel--ShortPixel Image Optimizer Optimize Images, Convert WebP & AVIF The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Arbitrary File Read via path traversal in the 'loadFile' parameter in all versions up to, and including, 6.4.2 due to insufficient path validation and sanitization in the 'loadLogFile' AJAX action. This makes it possible for authenticated attackers, with Editor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys. 2026-02-05 4.9 CVE-2026-1246 https://www.wordfence.com/threat-intel/vulnerabilities/id/03cb41d2-67c8-457f-8d85-7aede8e12d44?source=cve
https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/AjaxController.php#L309
https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/AjaxController.php#L1686
https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/BulkController.php#L200
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3449706%40shortpixel-image-optimiser&new=3449706%40shortpixel-image-optimiser&sfp_email=&sfph_mail=
 
comprassibs--SIBS woocommerce payment gateway The SIBS woocommerce payment gateway plugin for WordPress is vulnerable to time-based SQL Injection via the 'referencedId' parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-02-04 4.9 CVE-2026-1370 https://www.wordfence.com/threat-intel/vulnerabilities/id/eac8e81c-2f6f-4a4a-9678-f5d75f4954ae?source=cve
https://plugins.trac.wordpress.org/browser/sibs-woocommerce/tags/2.2.0/class-sibs-payment-gateway.php#L1855
 
n/a--iomad A vulnerability was identified in iomad up to 5.0. Affected is an unknown function of the component Company Admin Block. Such manipulation leads to sql injection. The attack can be executed remotely. It is best practice to apply a patch to resolve this issue. 2026-02-05 4.7 CVE-2026-1517 VDB-344487 | iomad Company Admin Block sql injection
VDB-344487 | CTI Indicators (IOB, IOC, TTP)
https://github.com/iomad/iomad/issues/2559
https://github.com/iomad/iomad/issues/2559#issuecomment-3841174677
https://github.com/iomad/iomad/
 
Yealink--MeetingBar A30 A weakness has been identified in Yealink MeetingBar A30 133.321.0.3. This issue affects some unknown processing of the component Diagnostic Handler. This manipulation causes command injection. It is feasible to perform the attack on the physical device. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-02 4.3 CVE-2026-1735 VDB-343634 | Yealink MeetingBar A30 Diagnostic command injection
VDB-343634 | CTI Indicators (IOB, IOC, TTP)
Submit #736622 | Yealink MeetingBar A30 133.321.0.3 Command Injection
https://drive.google.com/file/d/1Uf46ihr8UmeXsFfkcvAeOtF1TkvGjozy/view?usp=sharing
 
EFM--ipTIME A8004T A vulnerability was identified in EFM ipTIME A8004T 14.18.2. Affected by this vulnerability is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi of the component VPN Service. Such manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-02 4.7 CVE-2026-1742 VDB-343641 | EFM ipTIME A8004T VPN Service timepro.cgi commit_vpncli_file_upload unrestricted upload
VDB-343641 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #741450 | EFM IPTIME A8004T 14.18.2 Authentication Bypass & Arbitrary File Upload
https://github.com/LX-LX88/cve/issues/29
 
SourceCodester--Medical Certificate Generator App A vulnerability was determined in SourceCodester Medical Certificate Generator App 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. 2026-02-02 4.3 CVE-2026-1745 VDB-343676 | SourceCodester Medical Certificate Generator App cross-site request forgery
VDB-343676 | CTI Indicators (IOB, IOC)
Submit #742653 | SourceCodester Medical Certificate Generator App 1.0 Cross-Site Request Forgery
https://github.com/Asim-QAZi/Cross-Site-Request-Forgery-Arbitrary-Medical-Certificate-Deletion
https://github.com/Asim-QAZi/Cross-Site-Request-Forgery-Arbitrary-Medical-Certificate-Deletion#proof-of-concept-csrf-exploit
https://www.sourcecodester.com/
 
codesnippetspro--Code Snippets The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.4. This is due to missing nonce validation on the cloud snippet download and update actions in the Cloud_Search_List_Table class. This makes it possible for unauthenticated attackers to force logged-in administrators to download or update cloud snippets without their consent via a crafted request, granted they can trick an administrator into visiting a malicious page. 2026-02-06 4.3 CVE-2026-1785 https://www.wordfence.com/threat-intel/vulnerabilities/id/4a5787f3-6a16-491a-aa01-6222f275cf0f?source=cve
https://plugins.trac.wordpress.org/browser/code-snippets/trunk/php/cloud/class-cloud-search-list-table.php#L105
https://plugins.trac.wordpress.org/browser/code-snippets/tags/3.9.4/php/cloud/class-cloud-search-list-table.php#L105
https://plugins.trac.wordpress.org/browser/code-snippets/trunk/php/cloud/list-table-shared-ops.php#L57
https://plugins.trac.wordpress.org/browser/code-snippets/tags/3.9.4/php/cloud/list-table-shared-ops.php#L57
https://github.com/codesnippetspro/code-snippets/pull/331/changes
 
lcg0124--BootDo A vulnerability was identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. This affects an unknown part. The manipulation leads to cross-site request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. 2026-02-04 4.3 CVE-2026-1835 VDB-344028 | lcg0124 BootDo cross-site request forgery
VDB-344028 | CTI Indicators (IOB, IOC)
Submit #742484 | BootDo Web V1.0 CSRF
https://github.com/webzzaa/CVE-/issues/6
 
n/a--ZenTao A weakness has been identified in ZenTao up to 21.7.6-85642. The impacted element is the function fetchHook of the file module/webhook/model. Php of the component Webhook Module. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-04 4.7 CVE-2026-1884 VDB-344264 | ZenTao Webhook model.php fetchHook server-side request forgery
VDB-344264 | CTI Indicators (IOB, IOC, IOA)
Submit #742633 | Zentao PMS <=21.7.6-85642 SSRF
https://github.com/ez-lbz/ez-lbz.github.io/issues/9
https://github.com/ez-lbz/ez-lbz.github.io/issues/9#issue-3832844574
 
n/a--WeKan A vulnerability was found in WeKan up to 8.20. Affected by this issue is some unknown functionality of the file server/methods/positionHistory.js of the component Position-History Tracking. The manipulation results in missing authorization. The attack may be performed from remote. Upgrading to version 8.21 can resolve this issue. The patch is identified as 55576ec17722db094835470b386162c9a662fb60. It is advisable to upgrade the affected component. 2026-02-05 4.3 CVE-2026-1897 VDB-344269 | WeKan Position-History Tracking positionHistory.js PositionHistoryBleed authorization
VDB-344269 | CTI Indicators (IOB, IOC, IOA)
Submit #742671 | Wekan <8.21 Missing authorization checks leading to information disclosure a
https://github.com/wekan/wekan/commit/55576ec17722db094835470b386162c9a662fb60
https://github.com/wekan/wekan/releases/tag/v8.21
https://github.com/wekan/wekan/
 
wpsoul--Greenshift animation and page builder blocks The Greenshift - animation and page builder blocks plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the greenshift_app_pass_validation() function in all versions up to, and including, 12.5.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve global plugin settings including stored AI API keys. 2026-02-05 4.3 CVE-2026-1927 https://www.wordfence.com/threat-intel/vulnerabilities/id/6e2128db-ca9f-4211-8bc5-01a2cc1cba64?source=cve
https://plugins.trac.wordpress.org/changeset/3441535/greenshift-animation-and-page-builder-blocks/trunk/init.php
 
n/a--WeKan A vulnerability was determined in WeKan up to 8.20. This impacts an unknown function of the file models/boards.js of the component REST Endpoint. This manipulation causes improper access controls. Remote exploitation of the attack is possible. Upgrading to version 8.21 will fix this issue. Patch name: 545566f5663545d16174e0f2399f231aa693ab6e. It is advisable to upgrade the affected component. 2026-02-05 4.3 CVE-2026-1964 VDB-344486 | WeKan REST Endpoint boards.js BoardTitleRESTBleed access control
VDB-344486 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #742680 | Wekan <8.21 Improper access control in REST endpoint (CWE-284)
https://github.com/wekan/wekan/commit/545566f5663545d16174e0f2399f231aa693ab6e
https://github.com/wekan/wekan/releases/tag/v8.21
https://github.com/wekan/wekan/
 
DCN--DCME-320 A vulnerability was found in DCN DCME-320 up to 20260121. Impacted is the function apply_config of the file /function/system/basic/bridge_cfg.php of the component Web Management Backend. Performing a manipulation of the argument ip_list results in command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-06 4.7 CVE-2026-2000 VDB-344548 | DCN DCME-320 Web Management Backend bridge_cfg.php apply_config command injection
VDB-344548 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #743455 | 北京神州数码云科信息技术有限公司 Dcme320 latest Command Injection
https://github.com/physicszq/Routers/tree/main/Dcme
 
Cisco--Cisco Secure Web Appliance A vulnerability in the Dynamic Vectoring and Streaming (DVS) Engine implementation of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to bypass the anti-malware scanner, allowing malicious archive files to be downloaded. This vulnerability is due to improper handling of certain archive files. An attacker could exploit this vulnerability by sending a crafted archive file, which should be blocked, through an affected device. A successful exploit could allow the attacker to bypass the anti-malware scanner and download malware onto an end user workstation. The downloaded malware will not automatically execute unless the end user extracts and launches the malicious file.&nbsp; 2026-02-04 4 CVE-2026-20056 cisco-sa-wsa-archive-bypass-Scx2e8zF
 
Sanluan--PublicCMS A vulnerability has been found in Sanluan PublicCMS up to 4.0.202506.d/5.202506.d/6.202506.d. Impacted is the function Paid of the file publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.java of the component Trade Payment Handler. The manipulation of the argument paymentId leads to improper authorization. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 7329437e1288540336b1c66c114ed3363adcba02. It is recommended to apply a patch to fix this issue. 2026-02-06 4.2 CVE-2026-2010 VDB-344592 | Sanluan PublicCMS Trade Payment TradePaymentService.java paid improper authorization
VDB-344592 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #743487 | PublicCMS 5 Improper Access Controls
https://github.com/sanluan/PublicCMS/issues/108
https://github.com/sanluan/PublicCMS/issues/108#issue-3838143772
https://github.com/sanluan/PublicCMS/commit/7329437e1288540336b1c66c114ed3363adcba02
https://github.com/sanluan/PublicCMS/
 
Cisco--Cisco Prime Infrastructure A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against users of the interface of an affected system. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious code into specific data fields in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker must have valid administrative credentials. 2026-02-04 4.8 CVE-2026-20111 cisco-sa-pi-xss-bYeVKCD
 
Cisco--Cisco Evolved Programmable Network Manager (EPNM) A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of the parameters in the HTTP request. An attacker could exploit this vulnerability by intercepting and modifying an HTTP request from a user. A successful exploit could allow the attacker to redirect the user to a malicious web page. 2026-02-04 4.3 CVE-2026-20123 cisco-sa-epnm-pi-redirect-6sX82dN
 
D-Link--DIR-823X A vulnerability was determined in D-Link DIR-823X 250416. Affected by this issue is the function sub_424D20 of the file /goform/set_ipv6. Executing a manipulation can lead to os command injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. 2026-02-06 4.7 CVE-2026-2061 VDB-344621 | D-Link DIR-823X set_ipv6 sub_424D20 os command injection
VDB-344621 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #744286 | D-Link DIR-823X 250416 OS Command Injection
https://github.com/master-abc/cve/issues/20
https://www.dlink.com/
 
D-Link--DIR-823X A security flaw has been discovered in D-Link DIR-823X 250416. This vulnerability affects unknown code of the file /goform/set_ac_server of the component Web Management Interface. The manipulation of the argument ac_server results in os command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. 2026-02-06 4.7 CVE-2026-2063 VDB-344623 | D-Link DIR-823X Web Management set_ac_server os command injection
VDB-344623 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #744720 | dlink DIR-823X 250416 OS Command Injection
https://github.com/master-abc/cve/issues/19
https://www.dlink.com/
 
D-Link--DIR-823X A vulnerability was determined in D-Link DIR-823X 250416. The affected element is an unknown function of the file /goform/set_password. This manipulation of the argument http_passwd causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. 2026-02-07 4.7 CVE-2026-2081 VDB-344648 | D-Link DIR-823X set_password os command injection
VDB-344648 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #745553 | D-Link DIR-823X 250416 OS Command Injection
https://github.com/master-abc/cve/issues/22
https://github.com/master-abc/cve/issues/22#issue-3847400767
https://www.dlink.com/
 
D-Link--DIR-823X A vulnerability was identified in D-Link DIR-823X 250416. The impacted element is an unknown function of the file /goform/set_mac_clone. Such manipulation of the argument mac leads to os command injection. The attack may be performed from remote. The exploit is publicly available and might be used. 2026-02-07 4.7 CVE-2026-2082 VDB-344649 | D-Link DIR-823X set_mac_clone os command injection
VDB-344649 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #745854 | dlink DIR-823X 250416 OS Command Injection
https://github.com/master-abc/cve/issues/21
https://github.com/master-abc/cve/issues/21#issue-3847172823
https://www.dlink.com/
 
n/a--JeecgBoot A weakness has been identified in JeecgBoot up to 3.9.0. Affected by this issue is some unknown functionality of the file /airag/knowledge/doc/edit of the component Retrieval-Augmented Generation Module. Executing a manipulation of the argument filePath can lead to path traversal. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-07 4.3 CVE-2026-2111 VDB-344687 | JeecgBoot Retrieval-Augmented Generation edit path traversal
VDB-344687 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #746789 | jeecgboot 3.9.0 Absolute Path Traversal
https://www.yuque.com/la12138/vxbwk9/ezodz20a26g36y8m
 
PHPGurukul--Hospital Management System A security vulnerability has been detected in PHPGurukul Hospital Management System 4.0. The affected element is an unknown function of the file /hms/admin/manage-doctors.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. 2026-02-08 4.7 CVE-2026-2134 VDB-344769 | PHPGurukul Hospital Management System manage-doctors.php sql injection
VDB-344769 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #747214 | PHPGurukul Hospital Management System 4.0 SQL Injection
https://github.com/Shaon-Xis/PHPGurukul-HMS-SQL-Injection
https://phpgurukul.com/
 
SourceCodester--Patients Waiting Area Queue Management System A vulnerability was detected in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /appointments.php. The manipulation of the argument patient_id results in cross site scripting. It is possible to launch the attack remotely. The exploit is now public and may be used. 2026-02-08 4.3 CVE-2026-2149 VDB-344851 | SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System appointments.php cross site scripting
VDB-344851 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #747920 | Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Doubled Character XSS Manipulations
https://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/Patients-Waiting-Area-Queue-Management-System-appointments-XSS.md
 
SourceCodester--Patients Waiting Area Queue Management System A flaw has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /checkin.php. This manipulation of the argument patient_id causes cross site scripting. The attack can be initiated remotely. The exploit has been published and may be used. 2026-02-08 4.3 CVE-2026-2150 VDB-344852 | SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System checkin.php cross site scripting
VDB-344852 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #747921 | Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Doubled Character XSS Manipulations
https://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/Patients-Waiting-Area-Queue-Management-System-checkin-php-XSS.md
 
mwielgoszewski--doorman A vulnerability was determined in mwielgoszewski doorman up to 0.6. This issue affects the function is_safe_url of the file doorman/users/views.py. Executing a manipulation of the argument Next can lead to open redirect. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. 2026-02-08 4.3 CVE-2026-2153 VDB-344855 | mwielgoszewski doorman views.py is_safe_url redirect
VDB-344855 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #748072 | https://github.com/mwielgoszewski/doorman doorman Latest Version (commit 9a9b97c8) Open Redirect
https://gist.github.com/RacerZ-fighting/39f230feb0e450ae54f0a80c63c5d924
 
SourceCodester--Patients Waiting Area Queue Management System A vulnerability was identified in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Impacted is an unknown function of the file /registration.php of the component Patient Registration Module. The manipulation of the argument First Name leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. 2026-02-08 4.3 CVE-2026-2154 VDB-344856 | SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System Patient Registration registration.php cross site scripting
VDB-344856 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #748208 | SourceCodester Patients Waiting Area Queue Management System 1 Cross Site Scripting
https://medium.com/@rvpipalwa/stored-cross-site-scripting-xss-vulnerability-report-c97788dd6ea6
 
SourceCodester--Simple Responsive Tourism Website A flaw has been found in SourceCodester Simple Responsive Tourism Website 1.0. Affected is an unknown function of the file /tourism/classes/Master.php?f=register of the component Registration. Executing a manipulation of the argument firstname/lastname/username can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used. 2026-02-08 4.3 CVE-2026-2159 VDB-344861 | SourceCodester Simple Responsive Tourism Website Registration Master.php cross site scripting
VDB-344861 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #750995 | sourcecodester.com Simple Responsive Tourism Website 1.0 Cross Site Scripting
https://github.com/CH0ico/CVE_choco_5/blob/main/report.md
https://www.sourcecodester.com/
 
SourceCodester--Simple Responsive Tourism Website A vulnerability has been found in SourceCodester Simple Responsive Tourism Website 1.0. Affected by this vulnerability is an unknown functionality of the file /tourism/classes/Master.php?f=save_package. The manipulation of the argument Title leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. 2026-02-08 4.3 CVE-2026-2160 VDB-344862 | SourceCodester Simple Responsive Tourism Website Master.php cross site scripting
VDB-344862 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #751016 | sourcecodester.com Simple Responsive Tourism Website 1.0 Cross Site Scripting
https://github.com/CH0ico/CVE_choco_6/blob/main/report.md
https://www.sourcecodester.com/
 
itsourcecode--News Portal Project A vulnerability was determined in itsourcecode News Portal Project 1.0. This affects an unknown part of the file /admin/aboutus.php. This manipulation of the argument pagetitle causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. 2026-02-08 4.7 CVE-2026-2162 VDB-344864 | itsourcecode News Portal Project aboutus.php sql injection
VDB-344864 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #751083 | itsourcecode News Portal Project V1.0 SQL Injection
https://github.com/Wzl731/test/issues/2
https://itsourcecode.com/
 
D-Link--DIR-600 A vulnerability was identified in D-Link DIR-600 up to 2.15WWb02. This vulnerability affects unknown code of the file ssdp.cgi. Such manipulation of the argument HTTP_ST/REMOTE_ADDR/REMOTE_PORT/SERVER_ID leads to command injection. The attack may be launched remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer. 2026-02-08 4.7 CVE-2026-2163 VDB-344865 | D-Link DIR-600 ssdp.cgi command injection
VDB-344865 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #751764 | D-Link D-Link DIR-600 v2.15WWb02 Remote Arbitrary Command Execution
https://github.com/LonTan0/CVE/blob/main/Remote%20Arbitrary%20Command%20Execution%20Vulnerability%20in%20ssdpcgi%20of%20D-Link%20DIR%E2%80%91600.md
https://github.com/LonTan0/CVE/blob/main/Remote%20Arbitrary%20Command%20Execution%20Vulnerability%20in%20ssdpcgi%20of%20D-Link%20DIR%E2%80%91600.md#poc
https://www.dlink.com/
 
PHPGurukul--Hospital Management System A vulnerability was determined in PHPGurukul Hospital Management System 4.0. This impacts an unknown function of the file /admin/manage-users.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. 2026-02-08 4.7 CVE-2026-2179 VDB-344882 | PHPGurukul Hospital Management System manage-users.php sql injection
VDB-344882 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #749592 | PHPGurukul Hospital Management System 4.0 SQL Injection
https://github.com/Shaon-Xis/PHPGurukul-HMS-SQLi-PoC/tree/main
https://github.com/Shaon-Xis/PHPGurukul-HMS-SQLi-PoC/tree/main#4-proof-of-concept-reproduction-steps
https://phpgurukul.com/
 
n/a--WeKan A vulnerability was identified in WeKan up to 8.20. This affects an unknown part of the file server/publications/cards.js of the component Meteor Publication Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. Upgrading to version 8.21 is able to mitigate this issue. The name of the patch is 0f5a9c38778ca550cbab6c5093470e1e90cb837f. Upgrading the affected component is advised. 2026-02-08 4.3 CVE-2026-2205 VDB-344919 | WeKan Meteor Publication cards.js CardPubSubBleed information disclosure
VDB-344919 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #752161 | Wekan <8.21 Information disclosure via publish/subscribe authorization bug
https://github.com/wekan/wekan/commit/0f5a9c38778ca550cbab6c5093470e1e90cb837f
https://github.com/wekan/wekan/releases/tag/v8.21
https://github.com/wekan/wekan/
 
n/a--WeKan A security vulnerability has been detected in WeKan up to 8.20. Impacted is an unknown function of the file server/publications/rules.js of the component Rules Handler. The manipulation leads to missing authorization. The attack can be initiated remotely. Upgrading to version 8.21 is recommended to address this issue. The identifier of the patch is a787bcddf33ca28afb13ff5ea9a4cb92dceac005. The affected component should be upgraded. 2026-02-08 4.3 CVE-2026-2208 VDB-344922 | WeKan Rules rules.js RulesBleed authorization
VDB-344922 | CTI Indicators (IOB, IOC, IOA)
Submit #752164 | Wekan <8.21 Information disclosure / missing authorization on admin publicat
https://github.com/wekan/wekan/commit/a787bcddf33ca28afb13ff5ea9a4cb92dceac005
https://github.com/wekan/wekan/releases/tag/v8.21
https://github.com/wekan/wekan/
 
glpi-project--glpi GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in version 11.0.5. 2026-02-04 4.1 CVE-2026-22247 https://github.com/glpi-project/glpi/security/advisories/GHSA-f6f6-v3qr-9p5x
https://github.com/glpi-project/glpi/releases/tag/11.0.5
 
F5--F5 BIG-IP Container Ingress Services A vulnerability exists in F5 BIG-IP Container Ingress Services that may allow excessive permissions to read cluster secrets.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. 2026-02-04 4.9 CVE-2026-22549 https://my.f5.com/manage/s/article/K000157960
 
rizinorg--rizin Rizin is a UNIX-like reverse engineering framework and command-line toolset. Prior to 0.8.2, a heap overflow can be exploited when a malicious mach0 file, having bogus entries for the dyld chained segments, is parsed by rizin. This vulnerability is fixed in 0.8.2. 2026-02-02 4.4 CVE-2026-22780 https://github.com/rizinorg/rizin/security/advisories/GHSA-f3v7-xhmj-9cjj
https://github.com/rizinorg/rizin/issues/5768
https://github.com/rizinorg/rizin/pull/5770
https://github.com/rizinorg/rizin/commit/41ea75d5b07d9b41b27ae80675cdda65f1b1c989
https://github.com/rizinorg/rizin/blob/6dd0dba9ff4dc706f549d0cdcd93856b49e59aa0/librz/bin/format/mach0/mach0_chained_fixups.c#L200
https://github.com/rizinorg/rizin/releases/tag/v0.8.2
 
glpi-project--glpi GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions . 2026-02-04 4.3 CVE-2026-23624 https://github.com/glpi-project/glpi/security/advisories/GHSA-5j4j-vx46-r477
https://github.com/glpi-project/glpi/releases/tag/10.0.23
https://github.com/glpi-project/glpi/releases/tag/11.0.5
 
Enalean--tuleap Tuleap is an Open Source Suite for management of software development and collaboration. Tuleap is missing CSRF protection in the Overview inconsistent items. An attacker could use this vulnerability to trick victims into repairing inconsistent items (creating artifact links from the release). This vulnerability is fixed in Tuleap Community Edition 17.0.99.1768924735 and Tuleap Enterprise Edition 17.2-5, 17.1-6, and 17.0-9. 2026-02-02 4.6 CVE-2026-24007 https://github.com/Enalean/tuleap/security/advisories/GHSA-7g48-rwqj-ffxw
https://github.com/Enalean/tuleap/commit/5ec5e81e409892fe0e41f11d5d36ee6c85a6fbb5
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=5ec5e81e409892fe0e41f11d5d36ee6c85a6fbb5
https://tuleap.net/plugins/tracker/?aid=46389
 
gunet--openeclass The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a file upload validation bypass vulnerability allows attackers to upload files with prohibited extensions by embedding them inside ZIP archives and extracting them using the application's built-in decompression functionality. This issue has been patched in version 4.2. 2026-02-03 4.3 CVE-2026-24673 https://github.com/gunet/openeclass/security/advisories/GHSA-3g4j-56gp-v6wv
 
gunet--openeclass The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Reflected Cross-Site Scripting (XSS) vulnerability allows remote attackers to execute arbitrary JavaScript in the context of authenticated users by crafting malicious URLs and tricking victims into visiting them. This issue has been patched in version 4.2. 2026-02-03 4.7 CVE-2026-24674 https://github.com/gunet/openeclass/security/advisories/GHSA-gqvp-w22w-w99r
 
gunet--openeclass The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a business logic vulnerability allows authenticated students to improperly mark themselves as present in attendance activities, including activities that have already expired, by directly accessing a crafted URL. This issue has been patched in version 4.2. 2026-02-03 4.3 CVE-2026-24774 https://github.com/gunet/openeclass/security/advisories/GHSA-rv2x-4rc8-93jh
 
opf--openproject OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting (or is the backlog, in case of recurring meetings). This allowed an attacker to move a meeting agenda item into a different meeting. The attacker did not get access to meetings, but they could add arbitrary agenda items, that could cause confusions. The vulnerability is fixed in 17.0.2. 2026-02-06 4.3 CVE-2026-24776 https://github.com/opf/openproject/security/advisories/GHSA-p9v8-w9ph-hqmf
https://github.com/opf/openproject/releases/tag/v17.0.2
 
Huawei--HarmonyOS Type confusion vulnerability in the camera module. Impact: Successful exploitation of this vulnerability may affect availability. 2026-02-06 4 CVE-2026-24914 https://consumer.huawei.com/en/support/bulletin/2026/2/
https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/
https://consumer.huawei.com/en/support/bulletinwearables/2026/2/
 
Huawei--HarmonyOS Address read vulnerability in the HDC module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. 2026-02-06 4.8 CVE-2026-24921 https://consumer.huawei.com/en/support/bulletin/2026/2/
https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/
https://consumer.huawei.com/en/support/bulletinwearables/2026/2/
 
Blesta--Blesta Blesta 3.x through 5.x before 5.13.3 mishandles input validation, aka CORE-5665. 2026-02-03 4.7 CVE-2026-25616 https://www.blesta.com/2026/01/28/security-advisory/
 
hedgedoc--hedgedoc HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.6, files served below the /uploads/ endpoint did not use a more strict security-policy. This resulted in a too open Content-Security-Policy and furthermore opened the possibility to host malicious interactive web content (such as fake login forms) using SVG files. This vulnerability is fixed in 1.10.6. 2026-02-06 4.3 CVE-2026-25642 https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-x74j-jmf9-534w
https://github.com/hedgedoc/hedgedoc/commit/74daa0e7a1cbfafd9aeb255eaf064dfe47cd401c
https://github.com/hedgedoc/hedgedoc/commit/b930fe04cee92cd4723044030bb59c36781c7137
https://github.com/hedgedoc/hedgedoc/releases/tag/1.10.6
 
siyuan-note--siyuan Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks the rendered content, the script executes in the context of their session. 2026-02-06 4.6 CVE-2026-25647 https://github.com/siyuan-note/siyuan/security/advisories/GHSA-rw25-98wq-76qv
https://github.com/88250/lute/commit/0118e218916cf0cc7df639b50ce74e0c6c3d1868
 

Back to top

Low Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
P5--FNIP-8x16A P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user interaction. Attackers can craft malicious web pages to add new admin users, change passwords, and modify system configurations by tricking authenticated users into loading a specially crafted page. 2026-02-05 3.5 CVE-2020-37118 Zero Science Lab Disclosure (ZSL-2020-5564)
ExploitDB-48362
Packet Storm Entry
IBM X-Force Vulnerability Report
P5 Vendor Homepage
VulnCheck Advisory: P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin)
 
P5--FNIP-8x16A P5 FNIP-8x16A/FNIP-4xSH versions 1.0.20 and 1.0.11 suffer from a stored cross-site scripting vulnerability. Input passed to several GET/POST parameters is not properly sanitized before being returned to the user, allowing attackers to execute arbitrary HTML and script code in a user's browser session in the context of the affected site. This can be exploited by submitting crafted input to the label modification functionality, such as the 'lab4' parameter in config.html. 2026-02-05 3.5 CVE-2020-37148 Zero Science Lab Disclosure (ZSL-2020-5564)
ExploitDB-48362
Packet Storm Entry
IBM X-Force Vulnerability Report
P5 Vendor Homepage
VulnCheck Advisory: P5 FNIP-8x16A/FNIP-4xSH 1.0.20, 1.0.11 - Stored Cross-Site Scripting (XSS)
 
Tanium--Interact Tanium addressed an improper access controls vulnerability in Interact. 2026-02-05 3.1 CVE-2025-15289 TAN-2025-033
 
Tanium--Tanium Client Tanium addressed a denial of service vulnerability in Tanium Client. 2026-02-06 3.3 CVE-2025-15320 TAN-2025-023
 
Tanium--Tanium Appliance Tanium addressed an improper certificate validation vulnerability in Tanium Appliance. 2026-02-05 3.7 CVE-2025-15323 TAN-2025-031
 
n/a--Mapnik A vulnerability has been found in Mapnik up to 4.2.0. This vulnerability affects the function mapnik::detail::mod<...>::operator of the file src/value.cpp. The manipulation leads to divide by zero. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-02-07 3.3 CVE-2025-15564 VDB-344502 | Mapnik value.cpp operator divide by zero
VDB-344502 | CTI Indicators (IOB, IOC, IOA)
Submit #743386 | mapnik Mapnik v4.2.0 and master branch Divide By Zero
https://github.com/mapnik/mapnik/issues/4545
https://github.com/oneafter/1219/blob/main/repro
https://github.com/mapnik/mapnik/
 
IBM--Jazz Reporting Service IBM Jazz Reporting Service could allow an authenticated user on the host network to cause a denial of service using specially crafted SQL query that consumes excess memory resources. 2026-02-04 3.5 CVE-2025-1823 https://www.ibm.com/support/pages/node/7258083
 
IBM--Jazz Reporting Service IBM Jazz Reporting Service could allow an authenticated user on the network to affect the system's performance using complicated queries due to insufficient resource pooling. 2026-02-04 3.5 CVE-2025-2134 https://www.ibm.com/support/pages/node/7258083
 
IBM--Jazz Reporting Service IBM Jazz Reporting Service could allow an authenticated user on the host network to obtain sensitive information about other projects that reside on the server. 2026-02-04 3.5 CVE-2025-27550 https://www.ibm.com/support/pages/node/7258083
 
IBM--Concert IBM Concert 1.0.0 through 2.1.0 stores potentially sensitive information in log files that could be read by a local user. 2026-02-03 3.3 CVE-2025-33081 https://www.ibm.com/support/pages/node/7257565
 
HCL--AION HCL AION is affected by an Autocomplete HTML Attribute Not Disabled for Password Field vulnerability. This can allow autocomplete on password fields may lead to unintended storage or disclosure of sensitive credentials, potentially increasing the risk of unauthorized access. This issue affects AION: 2.0. 2026-02-03 3.7 CVE-2025-52623 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972
 
HCL--AION HCL AION is susceptible to Missing Content-Security-Policy.  An The absence of a CSP header may increase the risk of cross-site scripting and other content injection attacks by allowing unsafe scripts or resources to execute. This issue affects AION: 2.0. 2026-02-03 3.7 CVE-2025-52629 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972
 
HCL--AION HCL AION is affected by a Missing or Insecure HTTP Strict-Transport-Security (HSTS) Header vulnerability. This can allow insecure connections, potentially exposing the application to man-in-the-middle and protocol downgrade attacks. This issue affects AION: 2.0. 2026-02-03 3.7 CVE-2025-52631 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972
 
HCL--AION HCL AION is affected by a Permanent Cookie Containing Sensitive Session Information vulnerability. It is storing sensitive session data in persistent cookies may increase the risk of unauthorized access if the cookies are intercepted or compromised. This issue affects AION: 2.0. 2026-02-03 3.1 CVE-2025-52633 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972
 
N/A--Moodle[.]org A flaw was found in Moodle. An open redirect vulnerability in the OAuth login flow allows a remote attacker to redirect users to attacker-controlled pages after they have successfully authenticated. This occurs due to insufficient validation of redirect parameters, which could lead to phishing attacks or information disclosure. 2026-02-03 3.5 CVE-2025-67852 https://access.redhat.com/security/cve/CVE-2025-67852
RHBZ#2423844
 
webpack--webpack Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack's HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0. 2026-02-05 3.7 CVE-2025-68157 https://github.com/webpack/webpack/security/advisories/GHSA-38r7-794h-5758
 
webpack--webpack Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack's HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1. 2026-02-05 3.7 CVE-2025-68458 https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x
 
DJI--Mavic Mini A vulnerability has been found in DJI Mavic Mini, Air, Spark and Mini SE up to 01.00.0500. Affected by this vulnerability is an unknown functionality of the component Enhanced Wi-Fi Pairing. The manipulation leads to authentication bypass by capture-replay. The attack must be carried out from within the local network. A high degree of complexity is needed for the attack. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-02 3.1 CVE-2026-1743 VDB-343674 | DJI Mavic Mini/Air/Spark/Mini SE Enhanced Wi-Fi Pairing authentication replay
VDB-343674 | CTI Indicators (IOB, IOC, TTP)
Submit #741323 | DJI DJI Mavic Mini, Spark, Mini SE 01.00.0500 and Below Authentication Bypass by Capture-replay
https://github.com/ByteMe1001/DJI-CatNect
https://github.com/ByteMe1001/DJI-CatNect/blob/main/exploit.c
 
GitLab--GitLab A vulnerability has been discovered in GitLab CE/EE affecting all versions starting with 16.8 before 18.5.0 that could have allowed unauthorized edits to merge request approval rules under certain conditions. 2026-02-02 3.1 CVE-2026-1751 GitLab Issue #519340
HackerOne Bug Bounty Report #2980839
 
Edimax--BR-6258n A flaw has been found in Edimax BR-6258n up to 1.18. This issue affects the function formStaDrvSetup of the file /goform/formStaDrvSetup. This manipulation of the argument submit-url causes open redirect. The attack can be initiated remotely. The exploit has been published and may be used. The vendor confirms that the affected product is end-of-life. They confirm that they "will issue a consolidated Security Advisory on our official support website." This vulnerability only affects products that are no longer supported by the maintainer. 2026-02-05 3.5 CVE-2026-1970 VDB-344492 | Edimax BR-6258n formStaDrvSetup redirect
VDB-344492 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #742734 | Edimax BR-6258n v1.18 Open Redirect
https://tzh00203.notion.site/EDIMAX-BR-6258n-v1-18-Open-Redirect-Vulnerability-in-Web-formStaDrvSetup-handler-2eeb5c52018a803bb958e4f80cdf2550?source=copy_link
 
n/a--oatpp A security vulnerability has been detected in oatpp up to 1.3.1. This impacts the function oatpp::data::type::ObjectWrapper::ObjectWrapper of the file src/oatpp/data/type/Type.hpp. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-02-06 3.3 CVE-2026-1990 VDB-344508 | oatpp Type.hpp ObjectWrapper null pointer dereference
VDB-344508 | CTI Indicators (IOB, IOC, IOA)
Submit #743387 | oatpp 1.3.1 and master-branch NULL Pointer Dereference
https://github.com/oatpp/oatpp/issues/1080
https://github.com/oatpp/oatpp/issues/1080#issue-3806715350
https://github.com/oatpp/oatpp/
 
n/a--libuvc A vulnerability was detected in libuvc up to 0.0.7. Affected is the function uvc_scan_streaming of the file src/device.c of the component UVC Descriptor Handler. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-02-06 3.3 CVE-2026-1991 VDB-344509 | libuvc UVC Descriptor device.c uvc_scan_streaming null pointer dereference
VDB-344509 | CTI Indicators (IOB, IOC, IOA)
Submit #743388 | libuvc v0.0.7 and master-branch NULL Pointer Dereference
https://github.com/libuvc/libuvc/issues/300
https://github.com/oneafter/0104/blob/main/repro
https://github.com/libuvc/libuvc/
 
n/a--micropython A flaw has been found in micropython up to 1.27.0. This vulnerability affects the function mp_import_all of the file py/runtime.c. This manipulation causes memory corruption. The attack needs to be launched locally. The exploit has been published and may be used. Patch name: 570744d06c5ba9dba59b4c3f432ca4f0abd396b6. It is suggested to install a patch to address this issue. 2026-02-06 3.3 CVE-2026-1998 VDB-344546 | micropython runtime.c mp_import_all memory corruption
VDB-344546 | CTI Indicators (IOB, IOC, IOA)
Submit #743396 | micropython 0fd0843 Memory Corruption
https://github.com/micropython/micropython/issues/18639
https://github.com/micropython/micropython/pull/18671
https://github.com/micropython/micropython/issues/18639#issue-3780651410
https://github.com/dpgeorge/micropython/commit/570744d06c5ba9dba59b4c3f432ca4f0abd396b6
https://github.com/micropython/micropython/
 
Portabilis--i-Educar A vulnerability was identified in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/meusdadod.php of the component User Data Page. Such manipulation of the argument File leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-06 3.5 CVE-2026-2064 VDB-344631 | Portabilis i-Educar User Data meusdadod.php cross site scripting
VDB-344631 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #745108 | Portabilis i-Educar 2.10 Cross Site Scripting
https://github.com/nmmorette/vulnerability-research/tree/main/XSS-Idiario
 
ggml-org--llama.cpp A flaw has been found in ggml-org llama.cpp up to 55abc39. Impacted is the function llama_grammar_advance_stack of the file llama.cpp/src/llama-grammar.cpp of the component GBNF Grammar Handler. This manipulation causes stack-based buffer overflow. The attack needs to be launched locally. The exploit has been published and may be used. Patch name: 18993. To fix this issue, it is recommended to deploy a patch. 2026-02-06 3.3 CVE-2026-2069 VDB-344636 | ggml-org llama.cpp GBNF Grammar llama-grammar.cpp llama_grammar_advance_stack stack-based overflow
VDB-344636 | CTI Indicators (IOB, IOC, IOA)
Submit #745263 | llama.cpp commit 55abc39 Stack-based Buffer Overflow
https://github.com/ggml-org/llama.cpp/issues/18988
https://github.com/ggml-org/llama.cpp/issues/18988#event-4426704865
https://github.com/user-attachments/files/24761101/poc.zip
https://github.com/ggml-org/llama.cpp/pull/18993
https://github.com/ggml-org/llama.cpp/
 
F5--BIG-IP Edge Client A vulnerability exists in BIG-IP Edge Client and browser VPN clients on Windows that may allow attackers to gain access to sensitive information.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated 2026-02-04 3.3 CVE-2026-20730 https://my.f5.com/manage/s/article/K000158931
 
F5--BIG-IP A vulnerability exists in an undisclosed BIG-IP Configuration utility page that may allow an attacker to spoof error messages.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. 2026-02-04 3.1 CVE-2026-20732 https://my.f5.com/manage/s/article/K000156644
 
Tasin1025--SwiftBuy A security flaw has been discovered in Tasin1025 SwiftBuy up to 0f5011372e8d1d7edfd642d57d721c9fadc54ec7. Affected by this vulnerability is an unknown functionality of the file /login.php. Performing a manipulation results in improper restriction of excessive authentication attempts. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation appears to be difficult. The exploit has been released to the public and may be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-07 3.7 CVE-2026-2110 VDB-344686 | Tasin1025 SwiftBuy login.php excessive authentication
VDB-344686 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #746251 | Md Tasin Rahman Swiftbuy 1.0 Improper Restriction of Excessive Authentication Attempts
https://www.websecurityinsights.my.id/2026/01/swiftbuy-v-10-loginphp-no-limit-to.html
 
cym1102--nginxWebUI A vulnerability was identified in cym1102 nginxWebUI up to 4.3.7. The impacted element is an unknown function of the file /adminPage/conf/check of the component Web Management Interface. Such manipulation of the argument nginxDir leads to cross site scripting. The attack can be executed remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-02-08 3.5 CVE-2026-2145 VDB-344847 | cym1102 nginxWebUI Web Management check cross site scripting
VDB-344847 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #747404 | cym1102 nginxWebUI 4.3.7 Cross Site Scripting
https://github.com/cym1102/nginxWebUI/issues/203
https://github.com/cym1102/nginxWebUI/issues/203#issue-3860109934
https://github.com/cym1102/nginxWebUI/
 
asterisk--asterisk Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. The endpoint at GET /httpstatus is the potential vulnerable endpoint relating to asterisk/main /http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. 2026-02-06 3.5 CVE-2026-23738 https://github.com/asterisk/asterisk/security/advisories/GHSA-v6hp-wh3r-cwxh
 
Kubernetes--ingress-nginx A security issue was discovered in ingress-nginx where the protection afforded by the `auth-url` Ingress annotation may not be effective in the presence of a specific misconfiguration. If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors 401 or 403, and if the configured default custom-errors backend is defective and fails to respect the X-Code HTTP header, then an Ingress with the `auth-url` annotation may be accessed even when authentication fails. Note that the built-in custom-errors backend works correctly. To trigger this issue requires an administrator to specifically configure ingress-nginx with a broken external component. 2026-02-03 3.1 CVE-2026-24513 https://github.com/kubernetes/kubernetes/issues/136679
 
fastify--fastify Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify's Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3. 2026-02-03 3.7 CVE-2026-25224 https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c
https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37
https://hackerone.com/reports/3524779
 
opf--openproject OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, an attacker with administrator privileges can create a work package with the name containing the HTML tags and add it to the Work package section when creating time tracking. This issue has been patched in versions 16.6.7 and 17.0.3. 2026-02-06 3.5 CVE-2026-25764 https://github.com/opf/openproject/security/advisories/GHSA-q523-c695-h3hp
https://github.com/opf/openproject/releases/tag/v16.6.7
https://github.com/opf/openproject/releases/tag/v17.0.3
 
Fortinet--FortiOS Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from 2025-12-16 through 2026 (by default, the encryption key is the same across all customers' installations). NOTE: the Supplier's position is that the instance of CWE-1394 is not a vulnerability because customers "are supposed to enable" a non-default option that eliminates the weakness. However, that non-default option can disrupt functionality as shown in the "Managing FortiGates with private data encryption" document, and is therefore intentionally not a default option. 2026-02-05 3.2 CVE-2026-25815 https://www.cert.at/en/blog/2026/1/threat-actors-use-forticloud-to-collect-ldap-connection-passwords
https://docs.fortinet.com/document/fortimanager/7.6.6/administration-guide/30332/managing-fortigates-with-private-data-encryption
 
Red Hat--Red Hat Build of Keycloak A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings. 2026-02-02 2.7 CVE-2025-13881 https://access.redhat.com/security/cve/CVE-2025-13881
RHBZ#2418330
 
Tanium--Tanium Appliance Tanium addressed an improper input validation vulnerability in Tanium Appliance. 2026-02-05 2.7 CVE-2025-15321 TAN-2025-024
 
IBM--PowerVM Hypervisor IBM PowerVM Hypervisor FW1110.00 through FW1110.03, FW1060.00 through FW1060.51, and FW950.00 through FW950.F0 may expose a limited amount of data to a peer partition in specific shared processor configurations during certain operations. 2026-02-02 2.8 CVE-2025-36194 https://www.ibm.com/support/pages/node/7257555
 
Red Hat--Red Hat Build of Keycloak A flaw was found in Keycloak's CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services. 2026-02-02 2.7 CVE-2026-1518 https://access.redhat.com/security/cve/CVE-2026-1518
RHBZ#2433727
 
D-Link--DSL-6641K A vulnerability was found in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function doSubmitPPP of the file sp_pppoe_user.js. The manipulation of the argument Username results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. 2026-02-02 2.4 CVE-2026-1744 VDB-343675 | D-Link DSL-6641K sp_pppoe_user.js doSubmitPPP cross site scripting
VDB-343675 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #742439 | D-Link DSL6641K version N8.TR069.20131126 Cross Site Scripting
https://tzh00203.notion.site/D-Link-DSL6641K-version-N8-TR069-20131126-XSS-via-sp_pppoe_user-js-Configuration-2eeb5c52018a80d083aaf19efbaa9130?source=copy_link
https://www.dlink.com/
 
Hillstone Networks--Operation and Maintenance Security Gateway Unrestricted Upload of File with Dangerous Type vulnerability in Hillstone Networks Operation and Maintenance Security Gateway on Linux allows Upload a Web Shell to a Web Server. This issue affects Operation and Maintenance Security Gateway: V5.5ST00001B113. 2026-02-04 2.7 CVE-2026-1791 https://www.hillstonenet.com.cn/security-notification/2025/12/08/wgscld/
 
Edimax--BR-6288ACL A vulnerability has been found in Edimax BR-6288ACL up to 1.12. Impacted is the function wiz_WISP24gmanual of the file wiz_WISP24gmanual.asp. Such manipulation of the argument manualssid leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor confirms that the affected product is end-of-life. They confirm that they "will issue a consolidated Security Advisory on our official support website." This vulnerability only affects products that are no longer supported by the maintainer. 2026-02-06 2.4 CVE-2026-1971 VDB-344493 | Edimax BR-6288ACL wiz_WISP24gmanual.asp wiz_WISP24gmanual cross site scripting
VDB-344493 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #743318 | Edimax BR6288ACL v1.12 Cross Site Scripting
https://tzh00203.notion.site/EDIMAX-BR6288ACL-v1-12-XSS-via-wiz_WISP24gmanual-asp-Configuration-2eeb5c52018a802e8ed9f6d000f7a6aa?source=copy_link
 
code-projects--Online Student Management System A weakness has been identified in code-projects Online Student Management System 1.0. The impacted element is an unknown function of the file /admin/announcement/index.php?view=add of the component Announcement Management Module. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. 2026-02-08 2.4 CVE-2026-2156 VDB-344858 | code-projects Online Student Management System Announcement Management index.php cross site scripting
VDB-344858 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #748328 | code-projects Online Student Management System in PHP latest (no version specified by vendor) Cross-Site Scripting
https://github.com/baguette168/CVE/issues/1
https://code-projects.org/
 
asterisk--asterisk Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the ast_xml_open() function in xml.c parses XML documents using libxml with unsafe parsing options that enable entity expansion and XInclude processing. Specifically, it invokes xmlReadFile() with the XML_PARSE_NOENT flag and later processes XIncludes via xmlXIncludeProcess().If any untrusted or user-supplied XML file is passed to this function, it can allow an attacker to trigger XML External Entity (XXE) or XInclude-based local file disclosure, potentially exposing sensitive files from the host system. This can also be triggered in other cases in which the user is able to supply input in xml format that triggers the asterisk process to parse it. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. 2026-02-06 2 CVE-2026-23739 https://github.com/asterisk/asterisk/security/advisories/GHSA-85x7-54wr-vh42
 

Back to top

Severity Not Yet Assigned

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
wintercms--winter Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manage_assets. The Winter CMS maintainers strongly recommend that the cms.manage_assets permission only be reserved to trusted administrators and developers in general. This vulnerability is fixed in 1.2.10. 2026-02-06 not yet calculated CVE-2026-22254 https://github.com/wintercms/winter/security/advisories/GHSA-m7gw-rffq-rxjm
https://github.com/wintercms/winter/commit/8a7f74b004fcd19721764fc63af0cdb339d9fb65
https://github.com/wintercms/winter/releases/tag/v1.2.10
 
asterisk--asterisk Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission(which is all users on a linux system) to that directory can cause root to execute arbitrary commands or overwrite arbitrary files by controlling the gdb init file and output paths. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. 2026-02-06 not yet calculated CVE-2026-23740 https://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c
 
asterisk--asterisk Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script will source the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a folder that is writeable by the asterisk user:group. Due to the /etc/asterisk/ast_debug_tools.conf file following bash semantics and it being loaded; an attacker with write permissions may add or modify the file such that when the root ast_coredumper is run; it would source and thereby execute arbitrary bash code found in the /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. 2026-02-06 not yet calculated CVE-2026-23741 https://github.com/asterisk/asterisk/security/advisories/GHSA-rvch-3jmx-3jf3
 
Arox--School ERP Pro School ERP Pro 1.0 contains a remote code execution vulnerability that allows authenticated admin users to upload arbitrary PHP files as profile photos by bypassing file extension checks. Attackers can exploit improper file validation in pre-editstudent.inc.php to execute arbitrary code on the server. 2026-02-03 not yet calculated CVE-2020-37084 ExploitDB-48392
Archived Vendor Homepage
Archived SourceForge Product Page
VulnCheck Advisory: School ERP Pro 1.0 Admin Profile Photo Upload Remote Code Execution Vulnerability
 
Rubikon Teknoloji--Easy Transfer Easy Transfer Wifi Transfer v1.7 for iOS contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts by manipulating the oldPath, newPath, and path parameters in Create Folder and Move/Edit functions. Attackers can exploit improper input validation via POST requests to execute arbitrary JavaScript in the context of the mobile web application. 2026-02-03 not yet calculated CVE-2020-37087 ExploitDB-48395
Vulnerability-Lab Advisory
Official App Store Product Page
VulnCheck Advisory: Easy Transfer 1.7 for iOS - Persistent Cross-Site Scripting
 
PHP-Fusion--PHP-Fusion PHP-Fusion 9.03.50 panels.php is vulnerable to cross-site scripting (XSS) via the 'panel_content' POST parameter. The application fails to properly sanitize user input before rendering it in the browser, allowing attackers to inject arbitrary JavaScript. This can be exploited by submitting crafted input to the 'panel_content' field in panels.php, resulting in execution of malicious scripts in the context of the affected site. 2026-02-05 not yet calculated CVE-2020-37152 Vendor Homepage
ExploitDB-48299
VulnCheck Advisory: PHP-Fusion 9.03.50 panels.php - Cross-Site Scripting (XSS)
 
parisneo--parisneo/lollms-webui A Local File Inclusion (LFI) vulnerability exists in the '/reinstall_extension' endpoint of the parisneo/lollms-webui application, specifically within the `name` parameter of the `@router.post("/reinstall_extension")` route. This vulnerability allows attackers to inject a malicious `name` parameter, leading to the server loading and executing arbitrary Python files from the upload directory for discussions. This issue arises due to the concatenation of `data.name` directly with `lollmsElfServer.lollms_paths.extensions_zoo_path` and its use as an argument for `ExtensionBuilder().build_extension()`. The server's handling of the `__init__.py` file in arbitrary locations, facilitated by `importlib.machinery.SourceFileLoader`, enables the execution of arbitrary code, such as command execution or creating a reverse-shell connection. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to Remote Code Execution (RCE) when the application is exposed to an external endpoint or the UI, especially when bound to `0.0.0.0` or in `headless mode`. No user interaction is required for exploitation. 2026-02-02 not yet calculated CVE-2024-2356 https://huntr.com/bounties/cb9867b4-28e3-4406-9031-f66fc28553d4
https://github.com/parisneo/lollms-webui/commit/41dbb1b3f2e78ea276e5269544e50514252c0c25
 
lunary-ai--lunary-ai/lunary In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability stems from the application's failure to validate the ownership of the prompt before deletion, only checking if the user has permissions to delete such resources without verifying if it belongs to the user's project or organization. As a result, users can remove prompts not owned by their organization or project, leading to legitimate users being unable to access the removed prompts and causing information inconsistencies. 2026-02-02 not yet calculated CVE-2024-4147 https://huntr.com/bounties/3f051943-71ea-414c-a528-cd8b5d82a7ad
https://github.com/lunary-ai/lunary/commit/0755dde1afc2a74ec23b55eee03e4416916cf48f
 
lunary-ai--lunary-ai/lunary In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. The vulnerability is triggered when the 'viewer' role user sends a specific request to the server, which responds with a password reset token in the 'recoveryToken' parameter. This token can then be used to reset the password of another user's account without authorization. The issue results from an excessive attack surface, allowing lower-privileged users to escalate their privileges and take over accounts. 2026-02-02 not yet calculated CVE-2024-5386 https://huntr.com/bounties/602eb4a1-305d-46d6-b975-5a5d8b040ad1
https://github.com/lunary-ai/lunary/commit/fc7ab3d5621c18992da5dab3a2a9a8d227d42311
 
h2oai--h2oai/h2o-3 A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the `/3/Parse` endpoint to inject attacker-controlled data as the header of an empty file, which is then exported using the `/3/Frames/framename/export` endpoint. The impact of this vulnerability includes the potential for remote code execution and complete access to the system running h2o-3, as attackers can overwrite critical files such as private SSH keys or script files. 2026-02-02 not yet calculated CVE-2024-5986 https://huntr.com/bounties/64ff5319-6ac3-4447-87f7-b53495d4d5a3
 
Nokia--Infinera DNA Infinera DNA is vulnerable to a time-based SQL injection vulnerability due to insufficient input validation, which may result in leaking of sensitive information. 2026-02-05 not yet calculated CVE-2025-10258 Nokia Product Security Advisory
 
mlflow--mlflow/mlflow In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions (0o777). This vulnerability allows an attacker with write access to the `/tmp` directory to exploit a race condition and overwrite `.py` files in the virtual environment, leading to arbitrary code execution. The issue is resolved in version 3.4.0. 2026-02-02 not yet calculated CVE-2025-10279 https://huntr.com/bounties/01d3b81e-13d1-43aa-b91a-443aec68bdc8
https://github.com/mlflow/mlflow/commit/1d7c8d4cf0a67d407499a8a4ffac387ea4f8194a
 
Wikimedia Foundation--OATHAuth Vulnerability in Wikimedia Foundation OATHAuth. This vulnerability is associated with program files src/Special/OATHManage.Php. This issue affects OATHAuth: from * before 1.39.14, 1.43.4, 1.44.1. 2026-02-03 not yet calculated CVE-2025-11173 https://phabricator.wikimedia.org/T401862
https://phabricator.wikimedia.org/T402094
 
Wikimedia Foundation--MediaWiki Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Language/mediawiki.Language.Js. This issue affects MediaWiki: from * before 1.39.15, 1.43.5, 1.44.2. 2026-02-03 not yet calculated CVE-2025-11261 https://https://phabricator.wikimedia.org/T406322
https://phabricator.wikimedia.org/T402077
 
Centralny Orodek Informatyki--mObywatel In mObywatel iOS application an unauthorized user can use the App Switcher to view the account owner's personal information in the minimized app window, even after the login session has ended (reopening the app would require the user to log in). The data exposed depends on the last application view displayed before the application was minimized This issue was fixed in version 4.71.0 2026-02-03 not yet calculated CVE-2025-11598 https://info.mobywatel.gov.pl/
https://cert.pl/posts/2026/02/CVE-2025-11598
 
silabs.com--Simplicity SDK A truncated 802.15.4 packet can lead to an assert, resulting in a denial of service. 2026-02-05 not yet calculated CVE-2025-12131 https://community.silabs.com/068Vm00000g8dP3
 
Brocade--SANnav A vulnerability in Brocade SANnav before 2.4.0b prints the Password-Based Encryption (PBE) key in plaintext in the system audit log file. The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the pbe key. Note: The vulnerability is only triggered during a migration and not in a new installation. The system audit logs are accessible only to a privileged user on the server. These audit logs are the local server VM's audit logs and are not controlled by SANnav. These logs are only visible to the server admin of the host server and are not visible to the SANnav admin or any SANnav user. 2026-02-02 not yet calculated CVE-2025-12679 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36845
 
Brocade--SANnav Brocade SANnav before Brocade SANnav 2.4.0b logs database passwords in clear text in the standby SANnav server, after disaster recovery failover. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the database password. 2026-02-02 not yet calculated CVE-2025-12680 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36844
 
Brocade--SANnav Brocade SANnav before 2.4.0b logs the Brocade Fabric OS Switch admin password on the SANnav support save logs. When OOM occurs on a Brocade SANnav server, the call stack trace for the Brocade switch is also collected in the heap dump file which contains this switch password in clear text. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the switch admin password. 2026-02-02 not yet calculated CVE-2025-12772 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36846
 
Brocade--SANnav A vulnerability in update-reports-purge-settings.sh script logging for Brocade SANnav before 2.4.0a could allow the collection of SANnav database password in the system audit logs. The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the Brocade SANnav database password. 2026-02-03 not yet calculated CVE-2025-12773 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36847
 
Brocade--SANnav A vulnerability in the migration script for Brocade SANnav before 3.0 could allow the collection of database sql queries in the SANnav support save file. An attacker with access to Brocade SANnav supportsave file, could open the file and then obtain sensitive information such as details of database tables and encrypted passwords. 2026-02-03 not yet calculated CVE-2025-12774 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36848
 
ASUS--ASUS Business Manager An improper access control vulnerability exists in ASUS Secure Delete Driver of ASUS Business Manager. This vulnerability can be triggered by a local user sending a specially crafted request, potentially leading to the creation of arbitrary files in a specified path. Refer to the "Security Update for ASUS Business Manager" section on the ASUS Security Advisory for more information. 2026-02-02 not yet calculated CVE-2025-13348 https://www.asus.com/security-advisory/
 
djangoproject--Django An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue. 2026-02-03 not yet calculated CVE-2025-13473 Django security archive
Django releases announcements
Django security releases issued: 6.0.2, 5.2.11, and 4.2.28
 
ESET spol s.r.o.--ESET Management Agent Local privilege escalation vulnerability via insecure temporary batch file execution in ESET Management Agent 2026-02-06 not yet calculated CVE-2025-13818 https://support.eset.com/en/ca8913-eset-customer-advisory-local-privilege-escalation-via-insecure-temporary-batch-file-execution-in-eset-management-agent-for-windows-fixed
 
djangoproject--Django An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue. 2026-02-03 not yet calculated CVE-2025-14550 Django security archive
Django releases announcements
Django security releases issued: 6.0.2, 5.2.11, and 4.2.28
 
Unknown--User Profile Builder The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account 2026-02-02 not yet calculated CVE-2025-15030 https://wpscan.com/vulnerability/344cb1b1-342e-44b2-ae4a-3bb31be56b22/
 
Mitsubishi Electric Corporation--MELSEC iQ-R Series R08PCPU Improper Validation of Specified Quantity in Input vulnerability in Mitsubishi Electric MELSEC iQ-R Series R08PCPU, R16PCPU, R32PCPU, and R120PCPU allows an unauthenticated attacker to read device data or part of a control program from the affected product, write device data in the affected product, or cause a denial of service (DoS) condition on the affected product by sending a specially crafted packet containing a specific command to the affected product. 2026-02-05 not yet calculated CVE-2025-15080 https://jvn.jp/vu/JVNVU95093080/
https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-020_en.pdf
https://www.cisa.gov/news-events/ics-advisories/icsa-26-036-02
 
Unknown--Library Viewer The Library Viewer WordPress plugin before 3.2.0 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. 2026-02-02 not yet calculated CVE-2025-15396 https://wpscan.com/vulnerability/08790e11-019d-4680-a75f-ee0a937f8cc8/
 
Unknown--Post Slides The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks 2026-02-07 not yet calculated CVE-2025-15491 https://wpscan.com/vulnerability/eb0424cc-e60c-44a5-aa24-cd1fe042b27a/
 
TP-Link Systems Inc.--Archer MR200 v5.2 The response coming from TP-Link Archer MR200 v5.2, C20 v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle (MitM) attack to execute JavaScript code on the router's admin web portal without the user's permission or knowledge. 2026-02-05 not yet calculated CVE-2025-15551 https://www.tp-link.com/en/support/download/archer-mr200/v5.20/#Firmware
https://www.tp-link.com/en/support/download/archer-c20/v6/#Firmware
https://www.tp-link.com/in/support/download/tl-wr850n/#Firmware
https://www.tp-link.com/en/support/download/tl-wr845n/#Firmware
https://www.tp-link.com/in/support/download/archer-mr200/v5.20/#Firmware
https://www.tp-link.com/in/support/download/archer-c20/v6/#Firmware
https://www.tp-link.com/in/support/download/tl-wr845n/#Firmware
https://www.tp-link.com/us/support/faq/4948/
 
notepad-plus-plus--notepad-plus-plus Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user. 2026-02-03 not yet calculated CVE-2025-15556 https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix
https://notepad-plus-plus.org/news/hijacked-incident-info-update/
https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bcf2aa68ef414338d717e20e059459570ed6c5ab
https://github.com/notepad-plus-plus/wingup/commit/ce0037549995ed0396cc363544d14b3425614fdb
https://www.vulncheck.com/advisories/notepad-plus-plus-wingup-updater-lacks-update-integrity-verification
 
TP-Link Systems Inc.--Tapo H100 v1 An Improper Certificate Validation vulnerability in TP-Link Tapo H100 v1 and Tapo P100 v1 allows an on-path attacker on the same network segment to intercept and modify encrypted device-cloud communications.  This may compromise the confidentiality and integrity of device-to-cloud communication, enabling manipulation of device data or operations. 2026-02-05 not yet calculated CVE-2025-15557 https://www.tp-link.com/us/support/download/tapo-h100/
https://www.tp-link.com/us/support/download/tapo-p100/
https://www.tp-link.com/en/support/download/tapo-h100/
https://www.tp-link.com/en/support/download/tapo-p100/
https://www.tp-link.com/us/support/faq/4949/
 
Go standard library--os It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent. 2026-02-04 not yet calculated CVE-2025-22873 https://go.dev/cl/670036
https://go.dev/issue/73555
https://groups.google.com/g/golang-announce/c/UZoIkUT367A/m/5WDxKizJAQAJ
https://pkg.go.dev/vuln/GO-2026-4403
 
Hancom Inc.--Hancom Office 2018 Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in Hancom Inc. Hancom Office 2018, Hancom Inc. Hancom Office 2020, Hancom Inc. Hancom Office 2022, Hancom Inc. Hancom Office 2024 allows File Content Injection. This issue affects Hancom Office 2018: before 10.0.0.12681; Hancom Office 2020: before 11.0.0.8916; Hancom Office 2022: before 12.0.0.4426; Hancom Office 2024: before 13.0.0.3050. 2026-02-04 not yet calculated CVE-2025-29867 https://www.boho.or.kr/kr/bbs/view.do?searchCnd=&bbsId=B0000302&searchWrd=&menuNo=205023&pageIndex=1&categoryCode=&nttId=71959
https://www.hancom.com/support/downloadCenter/download
 
Significant-Gravitas--AutoGPT AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.32, there is a DoS vulnerability in ReadRSSFeedBlock. In RSSBlock, feedparser.parser is called to obtain the XML file according to the URL input by the user, parse the XML, and finally obtain the parsed result. However, during the parsing process, there is no limit on the parsing time and the resources that can be allocated for parsing. When a malicious user lets RSSBlock parse a carefully constructed, deep XML, it will cause memory resources to be exhausted, eventually causing DoS. This issue has been patched in autogpt-platform-beta-v0.6.32. 2026-02-05 not yet calculated CVE-2025-32393 https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-5cqw-g779-9f9x
https://github.com/Significant-Gravitas/AutoGPT/commit/57a06f70883ce6be18738c6ae8bb41085c71e266
 
Luna Imaging--LUNA Stored Cross-Site Scripting (XSS) vulnerability type in LUNA software v7.5.5.6. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by inyecting a malicious payload through the 'Edit Batch Name' function. THe payload is stored by the application and subsequently displayed without proper sanitization when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. 2026-02-03 not yet calculated CVE-2025-41065 https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-luna-luna-imaging
 
Apidog--Apidog Web Platform Stored Cross-Site Scripting (XSS) vulnerability type in Apidog in the version 2.7.15, where SVG image uploads are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request to '/api/v1/user-avatar', which are then stored on the server and executed in the context of any user accessing the compromised resource. 2026-02-04 not yet calculated CVE-2025-41085 https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-apidog-web-platform
 
n/a--Tinyfilemanager 2.6 Tiny File Manager through 2.6 contains a server-side request forgery (SSRF) vulnerability in the URL upload feature. Due to insufficient validation of user-supplied URLs, an attacker can send crafted requests to localhost by using http://www.127.0.0.1.example.com/ or a similarly constructed domain name. This may lead to unauthorized port scanning or access to internal-only services. 2026-02-03 not yet calculated CVE-2025-46651 https://github.com/prasathmani/tinyfilemanager/blob/master/tinyfilemanager.php#L608
https://github.com/RobertoLuzanilla/tinyfilemanager-security-advisories/blob/main/CVE-2025-46651.md
 
golang.org/x/net--golang.org/x/net/html The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. 2026-02-05 not yet calculated CVE-2025-47911 https://go.dev/cl/709876
https://github.com/golang/vulndb/issues/4440
https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c
https://pkg.go.dev/vuln/GO-2026-4440
 
n/a--Beijing YouDataSum Tech YouDataSum CPAS Audit Management System <=v4.9 is vulnerable to SQL Injection in /cpasList/findArchiveReportByDah due to insufficient input validation. This allows remote unauthenticated attackers to execute arbitrary SQL commands via crafted input to the parameter. Successful exploitation could lead to unauthorized data access 2026-02-03 not yet calculated CVE-2025-57529 https://github.com/songqb-xx/CPAS-bug
https://github.com/songqb-xx/CVE-2025-57529/blob/main/README.md
 
TP-Link Systems Inc.--Archer AX53 v1.0 Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted set of network packets containing an excessive number of host entries This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. 2026-02-03 not yet calculated CVE-2025-58077 https://talosintelligence.com/vulnerability_reports/
https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/us/support/faq/4943/
 
golang.org/x/net--golang.org/x/net/html The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. 2026-02-05 not yet calculated CVE-2025-58190 https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c
https://github.com/golang/vulndb/issues/4441
https://go.dev/cl/709875
https://pkg.go.dev/vuln/GO-2026-4441
 
Semiconductor[.]Samsung[.]com--Processor Exynos An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/send_delts write operation, leading to kernel memory exhaustion. 2026-02-03 not yet calculated CVE-2025-58340 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58340/
 
Semiconductor[.]Samsung[.]com--Processor Exynos An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/ap_cert_disable_ht_vht write operation, leading to kernel memory exhaustion. 2026-02-03 not yet calculated CVE-2025-58341 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58341/
 
Semiconductor[.]Samsung[.]com--Processor Exynos An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/uapsd write operation, leading to kernel memory exhaustion. 2026-02-03 not yet calculated CVE-2025-58342 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58342/
 
Semiconductor[.]Samsung[.]com--Processor Exynos An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/create_tspec write operation, leading to kernel memory exhaustion. 2026-02-03 not yet calculated CVE-2025-58343 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58343/
 
Semiconductor[.]Samsung[.]com--Processor Exynos An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation in a /proc/driver/unifi0/conn_log_event_burst_to_us write operation, leading to kernel memory exhaustion. 2026-02-03 not yet calculated CVE-2025-58344 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58344/
 
Semiconductor[.]Samsung[.]com--Processor Exynos An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/ap_certif_11ax_mode write operation, leading to kernel memory exhaustion. 2026-02-03 not yet calculated CVE-2025-58345 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58345/
 
Semiconductor[.]Samsung[.]com--Processor Exynos An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/send_addts write operation, leading to kernel memory exhaustion. 2026-02-03 not yet calculated CVE-2025-58346 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58346/
 
Semiconductor[.]Samsung[.]com--Processor Exynos An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/p2p_certif write operation, leading to kernel memory exhaustion. 2026-02-03 not yet calculated CVE-2025-58347 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58347/
 
Semiconductor[.]Samsung[.]com--Processor Exynos An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/confg_tspec write operation, leading to kernel memory exhaustion. 2026-02-03 not yet calculated CVE-2025-58348 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58348
 
Brocade--Fabric OS Brocade Fabric OS before 9.2.1 has a vulnerability that could allow a local authenticated attacker to reveal command line passwords using commands that may expose higher privilege sensitive information by a lower privileged user. 2026-02-03 not yet calculated CVE-2025-58379 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36850
 
Brocade--Fabric OS A vulnerability in Brocade Fabric OS before 9.2.1 could allow an authenticated attacker with admin privileges using the shell command "grep" to modify the path variables and move upwards in the directory structure or to traverse to different directories. 2026-02-03 not yet calculated CVE-2025-58380 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36854
 
Brocade--Fabric OS A vulnerability in Brocade Fabric OS before 9.2.1c2 could allow an authenticated attacker with admin privileges using the shell commands "source, ping6, sleep, disown, wait to modify the path variables and move upwards in the directory structure or to traverse to different directories. 2026-02-03 not yet calculated CVE-2025-58381 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36853
 
Brocade--Fabric OS A vulnerability in the secure configuration of authentication and management services in Brocade Fabric OS before Fabric OS 9.2.1c2 could allow an authenticated, remote attacker with administrative credentials to execute arbitrary commands as root using "supportsave", "seccertmgmt", "configupload" command. 2026-02-03 not yet calculated CVE-2025-58382 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36849
 
Brocade--Fabric OS A vulnerability in Brocade Fabric OS versions before 9.2.1c2 could allow an administrator-level user to execute the bind command, to escalate privileges and bypass security controls allowing the execution of arbitrary commands. 2026-02-03 not yet calculated CVE-2025-58383 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36878
 
TP-Link Systems Inc.--Archer AX53 v1.0 Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet whose length exceeds the maximum expected value. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. 2026-02-03 not yet calculated CVE-2025-58455 https://talosintelligence.com/vulnerability_reports/
https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/us/support/faq/4943/
 
Semiconductor[.]Samsung[.]com--Processor Exynos An issue was discovered in Samsung Mobile Processor, Wearable Processor and Modem Exynos 980, 990, 850, 1080, 9110, W920, W930, W1000 and Modem 5123. Incorrect handling of NAS Registration messages leads to a Denial of Service because of Improper Handling of Exceptional Conditions. 2026-02-03 not yet calculated CVE-2025-59439 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-59439/
 
TP-Link Systems Inc.--Archer AX53 v1.0 Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a field whose length exceeds the maximum expected value. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. 2026-02-03 not yet calculated CVE-2025-59482 https://talosintelligence.com/vulnerability_reports/
https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/us/support/faq/4943/
 
TP-Link Systems Inc.--Archer AX53 v1.0 Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code. The vulnerability arises from improper validation of a packet field whose offset is used to determine the write location in memory. By crafting a packet with a manipulated field offset, an attacker can redirect writes to arbitrary memory locations. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. 2026-02-03 not yet calculated CVE-2025-59487 https://talosintelligence.com/vulnerability_reports/
https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/us/support/faq/4943/
 
NICE--NICE Chat HTML injection vulnerability in NICE Chat. This vulnerability allows an attacker to inject and render arbitrary HTML content in email transcripts by modifying the 'firstName' and 'lastName' parameters during a chat session. The injected HTML is included in the body of the email sent by the system, which could enable phishing attacks, impersonation, or credential theft. 2026-02-03 not yet calculated CVE-2025-59902 https://www.incibe.es/en/incibe-cert/notices/aviso/html-injection-nice-chat
 
www[.]pchelpsoft[.]com--Avanquest Driver Updater v.9 Insecure Permissions vulnerability in avanquest Driver Updater v.9.1.57803.1174 allows a local attacker to escalate privileges via the Driver Updater Service windows component. 2026-02-03 not yet calculated CVE-2025-60865 https://www.pchelpsoft.com/products/driver-updater/
https://github.com/parad0x1334/CVE-Disclosures/tree/50e5d2bf33b2926db2cb14d47d392b38ac619a41/Driver%20Updater%20-%20PCHelpsoft
 
n/a--MediaCrush An issue was discovered in MediaCrush thru 1.0.1 allowing remote unauthenticated attackers to upload arbitrary files of any size to the /upload endpoint. 2026-02-03 not yet calculated CVE-2025-61506 https://gist.github.com/pescada-dev/a046d36e8026bbaf1ee591c6dad0d7e6
 
Wikimedia Foundation--MediaWiki Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Rest/Handler/PageHTMLHandler.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. 2026-02-02 not yet calculated CVE-2025-61634 https://phabricator.wikimedia.org/T387478
 
Wikimedia Foundation--ConfirmEdit Vulnerability in Wikimedia Foundation ConfirmEdit. This vulnerability is associated with program files includes/FancyCaptcha/ApiFancyCaptchaReload.Php. This issue affects ConfirmEdit: *. 2026-02-02 not yet calculated CVE-2025-61635 https://phabricator.wikimedia.org/T355073
 
Wikimedia Foundation--MediaWiki Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. 2026-02-02 not yet calculated CVE-2025-61636 https://phabricator.wikimedia.org/T394396
 
Wikimedia Foundation--MediaWiki Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Action/mediawiki.Action.Edit.Preview.Js, resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. 2026-02-02 not yet calculated CVE-2025-61637 https://phabricator.wikimedia.org/T394856
 
Wikimedia Foundation--MediaWiki Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This vulnerability is associated with program files includes/parser/Sanitizer.Php, src/Core/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Parsoid: from * before 0.16.6, 0.20.4, 0.21.1. 2026-02-02 not yet calculated CVE-2025-61638 https://phabricator.wikimedia.org/T401099
 
Wikimedia Foundation--MediaWiki Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/ManualLogEntry.Php, includes/recentchanges/RecentChangeFactory.Php, includes/recentchanges/RecentChangeStore.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. 2026-02-02 not yet calculated CVE-2025-61639 https://phabricator.wikimedia.org/T280413
 
Wikimedia Foundation--MediaWiki Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/RclToOrFromWidget.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. 2026-02-02 not yet calculated CVE-2025-61640 https://phabricator.wikimedia.org/T402075
 
Wikimedia Foundation--MediaWiki Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiQueryAllPages.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. 2026-02-02 not yet calculated CVE-2025-61641 https://phabricator.wikimedia.org/T298690
 
Wikimedia Foundation--MediaWiki Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/CodexHTMLForm.Php, includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. 2026-02-02 not yet calculated CVE-2025-61642 https://phabricator.wikimedia.org/T402313
 
Wikimedia Foundation--MediaWiki Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/recentchanges/RecentChangeRCFeedNotifier.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. 2026-02-02 not yet calculated CVE-2025-61643 https://phabricator.wikimedia.org/T403757
 
Wikimedia Foundation--MediaWiki Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/WatchlistTopSectionWidget.Js. This issue affects MediaWiki: from * before > fb856ce9cf121e046305116852cca4899ecb48ca. 2026-02-02 not yet calculated CVE-2025-61644 https://phabricator.wikimedia.org/T403411
 
Wikimedia Foundation--MediaWiki Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. This issue affects MediaWiki: from * before 1.44.1. 2026-02-03 not yet calculated CVE-2025-61645 https://phabricator.wikimedia.org/T403761
 
Wikimedia Foundation--MediaWiki Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/RecentChanges/EnhancedChangesList.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. 2026-02-03 not yet calculated CVE-2025-61646 https://phabricator.wikimedia.org/T398706
 
Wikimedia Foundation--CheckUser Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Api/Rest/Handler/UserInfoHandler.Php. This issue affects CheckUser: from a3dc1bbcc33acbcca6831d6afaccbb1054c93a57, 0584eb2ad564648aa3ce9c555dd044dda02b55f4. 2026-02-03 not yet calculated CVE-2025-61647 https://phabricator.wikimedia.org/T399093
 
Wikimedia Foundation--CheckUser Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files modules/ext.CheckUser.TempAccounts/components/ShowIPButton.Vue, modules/ext.CheckUser.TempAccounts/SpecialBlock.Js. This issue affects CheckUser: from * before 1.44.1. 2026-02-03 not yet calculated CVE-2025-61648 https://phabricator.wikimedia.org/T402077
 
Wikimedia Foundation--CheckUser Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php. This issue affects CheckUser: from 7cedd58781d261f110651b6af4f41d2d11ae7309. 2026-02-03 not yet calculated CVE-2025-61649 https://phabricator.wikimedia.org/T397396
 
Wikimedia Foundation--CheckUser Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php. This issue affects CheckUser: from * before 795bf333272206a0189050d975e94b70eb7dc507. 2026-02-03 not yet calculated CVE-2025-61650 https://phabricator.wikimedia.org/T403289
 
Wikimedia Foundation--CheckUser Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files modules/ext.CheckUser/checkuser/checkUserHelper/buildUserElement.Js. This issue affects CheckUser: from * before 1.44.1. 2026-02-03 not yet calculated CVE-2025-61651 https://phabricator.wikimedia.org/T403408
 
Wikimedia Foundation--DiscussionTools Vulnerability in Wikimedia Foundation DiscussionTools. This issue affects DiscussionTools: from * before 1.43.4, 1.44.1. 2026-02-03 not yet calculated CVE-2025-61652 https://phabricator.wikimedia.org/T397580
 
Wikimedia Foundation--TextExtracts Vulnerability in Wikimedia Foundation TextExtracts. This vulnerability is associated with program files includes/ApiQueryExtracts.Php. This issue affects TextExtracts: from * before 1.39.14, 1.43.4, 1.44.1. 2026-02-03 not yet calculated CVE-2025-61653 https://phabricator.wikimedia.org/T397577
 
Wikimedia Foundation--Thanks Vulnerability in Wikimedia Foundation Thanks. This vulnerability is associated with program files includes/ThanksQueryHelper.Php. This issue affects Thanks: from * before 1.43.4, 1.44.1. 2026-02-03 not yet calculated CVE-2025-61654 https://phabricator.wikimedia.org/T397497
https://nvd.nist.gov/vuln/detail/CVE-2025-62661
 
Wikimedia Foundation--VisualEditor Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files includes/ApiVisualEditorEdit.Php, modules/ve-mw/init/targets/ve.Init.Mw.DesktopArticleTarget.Js, modules/ve-mw/ui/dialogs/ve.Ui.MWSaveDialog.Js. This issue affects VisualEditor: from * before 1.39.14, 1.43.4, 1.44.1. 2026-02-03 not yet calculated CVE-2025-61655 https://phabricator.wikimedia.org/T395858
 
Wikimedia Foundation--VisualEditor Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files src/ce/ve.Ce.ClipboardHandler.Js. This issue affects VisualEditor: from * before 1.39.14, 1.43.4, 1.44.1. 2026-02-03 not yet calculated CVE-2025-61656 https://phabricator.wikimedia.org/T397232
 
Wikimedia Foundation--Vector Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Vector. This vulnerability is associated with program files resources/skins.Vector.Js/stickyHeader.Js. This issue affects Vector: from * before 1.43.4, 1.44.1. 2026-02-03 not yet calculated CVE-2025-61657 https://phabricator.wikimedia.org/T398636
 
Wikimedia Foundation--CheckUser Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/GlobalContributions/GlobalContributionsPager.Php. This issue affects CheckUser: from * before 1.43.4, 1.44.1. 2026-02-03 not yet calculated CVE-2025-61658 https://phabricator.wikimedia.org/T404805
 
Go toolchain--cmd/cgo A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. 2026-02-05 not yet calculated CVE-2025-61732 https://go.dev/cl/734220
https://go.dev/issue/76697
https://groups.google.com/g/golang-announce/c/K09ubi9FQFk
https://pkg.go.dev/vuln/GO-2026-4433
 
TP-Link Systems Inc.--Archer AX53 v1.0 Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing an excessive number of fields with zero‑length values. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. 2026-02-03 not yet calculated CVE-2025-61944 https://talosintelligence.com/vulnerability_reports/
https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/us/support/faq/4943/
 
TP-Link Systems Inc.--Archer AX53 v1.0 Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing an excessive number of fields with zero‑length values. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. 2026-02-03 not yet calculated CVE-2025-61983 https://talosintelligence.com/vulnerability_reports/
https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/us/support/faq/4943/
 
run-llama--run-llama/llama_index The `SimpleDirectoryReader` component in `llama_index.core` version 0.12.23 suffers from uncontrolled memory consumption due to a resource management flaw. The vulnerability arises because the user-specified file limit (`num_files_limit`) is applied after all files in a directory are loaded into memory. This can lead to memory exhaustion and degraded performance, particularly in environments with limited resources. The issue is resolved in version 0.12.41. 2026-02-02 not yet calculated CVE-2025-6208 https://huntr.com/bounties/7d722bb6-6567-4608-8b23-f95048d7605a
https://github.com/run-llama/llama_index/commit/53614e2f7913c0e86b58add9470b3c900b6c60b2
 
TP-Link Systems Inc.--Archer AX53 v1.0 Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet whose length exceeds the maximum expected value. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. 2026-02-03 not yet calculated CVE-2025-62404 https://talosintelligence.com/vulnerability_reports/
https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/us/support/faq/4943/
 
TP-Link Systems Inc.--Archer AX53 v1.0 Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a field whose length exceeds the maximum expected value. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. 2026-02-03 not yet calculated CVE-2025-62405 https://talosintelligence.com/vulnerability_reports/
https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/us/support/faq/4943/
 
TP-Link Systems Inc.--Archer AX53 v1.0 SSH Hostkey misconfiguration vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows attackers to obtain device credentials through a specially crafted man‑in‑the‑middle (MITM) attack. This could enable unauthorized access if captured credentials are reused. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. 2026-02-03 not yet calculated CVE-2025-62501 https://talosintelligence.com/vulnerability_reports/
https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/us/support/faq/4943/
 
eProsima--Fast-DDS Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t he fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage - specifically by tampering with the length field in readPropertySeq - are modified, an integer overflow occurs, leading to an OOM during the resize operation. Versi ons 3.4.1, 3.3.1, and 2.6.11 patch the issue. 2026-02-03 not yet calculated CVE-2025-62599 https://security-tracker.debian.org/tracker/CVE-2025-62599
https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f
https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a
https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b
 
eProsima--Fast-DDS Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t he fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage - specifically by tampering with the length field in readBinaryPropertySeq - are modified, an integer overflow occurs, leading to an OOM during the resize operation. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue. 2026-02-03 not yet calculated CVE-2025-62600 https://security-tracker.debian.org/tracker/CVE-2025-62600
https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f
https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a
https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b
 
eProsima--Fast-DDS Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage - specifically by tampering with the `str_size` value read by `readString` (called from `readBinaryProperty`) - are modified, a 32-bit integer overflow can occur, causing `std::vector::resize` to use an attacker-controlled size and quickly trigger heap buffer overflow and remote process term ination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue. 2026-02-03 not yet calculated CVE-2025-62601 https://security-tracker.debian.org/tracker/CVE-2025-62601
https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f
https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a
https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b
 
eProsima--Fast-DDS Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with - specially `readOctetVector` reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter - the attacker-contro lled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause large alloca tion attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue. 2026-02-03 not yet calculated CVE-2025-62602 https://security-tracker.debian.org/tracker/CVE-2025-62602
https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f
https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a
https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b
 
eProsima--Fast-DDS Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also on going security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token delivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i .e., the `DataHolderSeq`) via the `readParticipantGenericMessage → readDataHolderSeq` path. The `DataHolderSeq` is parsed sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`), string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operat es at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), s o it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates, delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence n umbers before discarding or processing a message; the current implementation, however, does not "peek" only at a minimal header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsi ng behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 p atch the issue. 2026-02-03 not yet calculated CVE-2025-62603 https://security-tracker.debian.org/tracker/CVE-2025-62603
https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f
https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a
https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b
 
Significant-Gravitas--AutoGPT AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.34, in RSSFeedBlock, the third-party library urllib.request.urlopen is used directly to access the URL, but the input URL is not filtered, which will cause SSRF vulnerability. This issue has been patched in autogpt-platform-beta-v0.6.34. 2026-02-04 not yet calculated CVE-2025-62615 https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-r55v-q5pc-j57f
 
Significant-Gravitas--AutoGPT AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.34, in SendDiscordFileBlock, the third-party library aiohttp.ClientSession().get is used directly to access the URL, but the input URL is not filtered, which will cause SSRF vulnerability. This issue has been patched in autogpt-platform-beta-v0.6.34. 2026-02-04 not yet calculated CVE-2025-62616 https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-ggc4-4fmm-9hmc
 
TP-Link Systems Inc.--Archer AX53 v1.0 Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tdpserver modules) allows adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a maliciously formed field. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. 2026-02-03 not yet calculated CVE-2025-62673 https://talosintelligence.com/vulnerability_reports/
https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/us/support/faq/4943/
 
eProsima--Fast-DDS Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un authenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft ed to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write s past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption ( RCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue. 2026-02-03 not yet calculated CVE-2025-62799 https://security-tracker.debian.org/tracker/CVE-2025-62799
https://github.com/eProsima/Fast-DDS/commit/d6dd58f4ecd28cd1c3bc4ef0467be9110fa94659
https://github.com/eProsima/Fast-DDS/commit/0c3824ef4991628de5dfba240669dc6172d63b46
https://github.com/eProsima/Fast-DDS/commit/955c8a15899dc6eb409e080fe7dc89e142d5a514
 
Articentgroup--Zip Rar Extractor 1.3 Articentgroup Zip Rar Extractor Tool 1.345.93.0 is vulnerable to Directory Traversal. The vulnerability resides in the ZIP file processing component, specifically in the functionality responsible for extracting and handling ZIP archive contents. 2026-02-03 not yet calculated CVE-2025-63372 https://articentgroup.com/zip-rar-extractor-tool/
 
Shandong Kede Electronics--Water meter monitor v.1 SQL Injection vulnerability in Shandong Kede Electronics Co., Ltd IoT smart water meter monitoring platform v.1.0 allows a remote attacker to execute arbitrary code via the imei_list.aspx file. 2026-02-03 not yet calculated CVE-2025-63624 https://github.com/songqb-xx/Internet-of-Things-Smart-Water-Meter-Monitoring-Platform-Unauthorized-RCE
 
eProsima--Fast-DDS Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t he fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with - specifically by ta mpering with the the `vecsize` value read by `readOctetVector` - a 32-bit integer overflow can occur, causing `std::vector ::resize` to request an attacker-controlled size and quickly trigger OOM and remote process termination. Versions 3.4.1, 3 .3.1, and 2.6.11 patch the issue. 2026-02-03 not yet calculated CVE-2025-64098 https://security-tracker.debian.org/tracker/CVE-2025-64098
https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f
https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a
https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b
 
gogs--gogs Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it's still possible to update files in the .git directory and achieve remote command execution. This issue has been patched in versions 0.13.4 and 0.14.0+dev. 2026-02-06 not yet calculated CVE-2025-64111 https://github.com/gogs/gogs/security/advisories/GHSA-gg64-xxr9-qhjp
 
gogs--gogs Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs' 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim's username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim's 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev. 2026-02-06 not yet calculated CVE-2025-64175 https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj
 
eProsima--Fast-DDS Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a remotely triggerable Out-of-Memory (OOM) denial-of-service exists in Fast -DDS when processing RTPS GAP submessages under RELIABLE QoS. By sending a tiny GAP packet with a huge gap range (`gapList .base - gapStart`), an attacker drives `StatefulReader::processGapMsg()` into an unbounded loop that inserts millions of s equence numbers into `WriterProxy::changes_received_` (`std::set`), causing multi-GB heap growth and process termination. No authentication is required beyond network reachability to the reader on the DDS domain. In environments without an RSS limit (non-ASan / unlimited), memory consumption was observed to rise to ~64 GB. Versions 3.4.1, 3.3.1, and 2.6.11 patch t he issue. 2026-02-03 not yet calculated CVE-2025-64438 https://security-tracker.debian.org/tracker/CVE-2025-64438
https://github.com/eProsima/Fast-DDS/commit/0b0cb308eaeeb2175694aa0a0a723106824ce9a7
https://github.com/eProsima/Fast-DDS/commit/71da01b4aea4d937558984f2cf0089f5ba3c871f
https://github.com/eProsima/Fast-DDS/commit/8ca016134dac20b6e30e42b7b73466ef7cdbc213
 
decidim--decidim Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0.31.0, the private data exports can lead to data leaks in case the UUID generation, causing collisions for the generated UUIDs. This issue has been patched in versions 0.30.4 and 0.31.0. 2026-02-03 not yet calculated CVE-2025-65017 https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp
https://github.com/decidim/decidim/pull/13571
https://github.com/decidim/decidim/releases/tag/v0.30.4
https://github.com/decidim/decidim/releases/tag/v0.31.0
 
Lexmark--MXTCT, MSNGM, MSTGM, MXNGM, MXTGM, CSNGV, CSTGV, CXTGV, MSNGW, MSTGW, MXTGW, CSTLS, CXTLS, MXTLS, CSTMM, CXTMM, CSTPC, CXTPC, MXTPM, MSNSN, MSTSN, MXTSN, CSNZJ, CSTZJ, CXNZJ, CXTZJ A relative path traversal vulnerability has been identified in the Embedded Solutions Framework in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user. 2026-02-03 not yet calculated CVE-2025-65077 https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html
 
Lexmark--MXTCT, MSNGM, MSTGM, MXNGM, MXTGM, CSNGV, CSTGV, CXTGV, MSNGW, MSTGW, MXTGW, CSTLS, CXTLS, MXTLS, CSTMM, CXTMM, CSTPC, CXTPC, MXTPM, MSNSN, MSTSN, MXTSN, CSNZJ, CSTZJ, CXNZJ, CXTZJ An untrusted search path vulnerability has been identified in the Embedded Solutions Framework in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code. 2026-02-03 not yet calculated CVE-2025-65078 https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html
 
Lexmark--MXTCT, MSNGM, MSTGM, MXNGM, MXTGM, CSNGV, CSTGV, CXTGV, MSNGW, MSTGW, MXTGW, CSTLS, CXTLS, MXTLS, CSTMM, CXTMM, CSTPC, CXTPC, MXTPM, MSNSN, MSTSN, MXTSN, CSNZJ, CSTZJ, CXNZJ, CXTZJ A heap-based buffer overflow vulnerability has been identified in the Postscript interpreter in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user. 2026-02-03 not yet calculated CVE-2025-65079 https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html
 
Lexmark--MXTCT, MSNGM, MSTGM, MXNGM, MXTGM, CSNGV, CSTGV, CXTGV, MSNGW, MSTGW, MXTGW, CSTLS, CXTLS, MXTLS, CSTMM, CXTMM, CSTPC, CXTPC, MXTPM, MSNSN, MSTSN, MXTSN, CSNZJ, CSTZJ, CXNZJ, CXTZJ A type confusion vulnerability has been identified in the Postscript interpreter in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user. 2026-02-03 not yet calculated CVE-2025-65080 https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html
 
Lexmark--MXTCT, MSNGM, MSTGM, MXNGM, MXTGM, CSNGV, CSTGV, CXTGV, MSNGW, MSTGW, MXTGW, CSTLS, CXTLS, MXTLS, CSTMM, CXTMM, CSTPC, CXTPC, MXTPM, MSNSN, MSTSN, MXTSN, CSNZJ, CSTZJ, CXNZJ, CXTZJ An out-of-bounds read vulnerability has been identified in the Postscript interpreter in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user. 2026-02-03 not yet calculated CVE-2025-65081 https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html
 
Wikimedia Foundation--MediaWiki Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php. This issue affects MediaWiki: >= 1.42.0. 2026-02-02 not yet calculated CVE-2025-6589 https://phabricator.wikimedia.org/T391343
 
Wikimedia Foundation--MediaWiki Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLUserTextField.Php. This issue affects MediaWiki: from * through 1.39.12, 1.42.76 1.43.1, 1.44.0. 2026-02-02 not yet calculated CVE-2025-6590 https://phabricator.wikimedia.org/T392746
 
Wikimedia Foundation--MediaWiki Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiFeedContributions.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7 1.43.2, 1.44.0. 2026-02-02 not yet calculated CVE-2025-6591 https://phabricator.wikimedia.org/T392276
 
Wikimedia Foundation--AbuseFilter Vulnerability in Wikimedia Foundation AbuseFilter. This vulnerability is associated with program files includes/auth/AuthManager.Php. This issue affects AbuseFilter: from fe0b1cb9e9691faf4d8d9bd80646589f6ec37615 before 1.43.2, 1.44.0. 2026-02-02 not yet calculated CVE-2025-6592 https://phabricator.wikimedia.org/T391218
 
n/a--ERPNext A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the CSV import mechanism of ERPNext thru 15.88.1 when using the Update Existing Recordsoption. An attacker can embed malicious JavaScript code into a CSV field, which is then stored in the database and executed whenever the affected record is viewed by a user within the ERPNext web interface. This exposure may allow an attacker to compromise user sessions or perform unauthorized actions under the context of a victim's account. 2026-02-03 not yet calculated CVE-2025-65923 https://github.com/frappe/frappe_docker.git
 
n/a--ERPNext ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `<a>` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable links into an ERP-generated PDF. Since PDF files generated by the ERP system are generally considered trustworthy, users are highly likely to click these links, potentially enabling phishing attacks or malware delivery. This issue occurs in the Add Quality Goal' function. 2026-02-03 not yet calculated CVE-2025-65924 https://github.com/frappe/frappe_docker.git
 
Wikimedia Foundation--MediaWiki Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/user/User.Php. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0. 2026-02-02 not yet calculated CVE-2025-6593 https://phabricator.wikimedia.org/T396230
 
Wikimedia Foundation--MediaWiki Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandbox.Js. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0. 2026-02-02 not yet calculated CVE-2025-6594 https://phabricator.wikimedia.org/T395063
 
Wikimedia Foundation--MultimediaViewer Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MultimediaViewer. This issue affects MultimediaViewer: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0. 2026-02-02 not yet calculated CVE-2025-6595 https://phabricator.wikimedia.org/T394863
 
Wikimedia Foundation--Vector Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Vector. This vulnerability is associated with program files resources/skins.Vector.Js/portlets.Js, resources/skins.Vector.Legacy.Js/portlets.Js. This issue affects Vector: from >= 1.40.0 before 1.42.7, 1.43.2, 1.44.0. 2026-02-02 not yet calculated CVE-2025-6596 https://phabricator.wikimedia.org/T396685
 
Wikimedia Foundation--MediaWiki Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/auth/AuthManager.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0. 2026-02-02 not yet calculated CVE-2025-6597 https://phabricator.wikimedia.org/T389009
 
CyberArk--CyberArk Endpoint Agent v25.10.0 CyberArk Endpoint Privilege Manager Agent through 25.10.0 allows a local user to achieve privilege escalation through policy elevation of an Administration task. 2026-02-03 not yet calculated CVE-2025-66374 https://www.cyberark.com/product-security/
https://www.cyberark.com/ca26-01
https://docs.cyberark.com/epm/latest/en/content/release%20notes/rn-whatsnew25-12.htm#Security
 
TOTOlink--A950RG Router TOTOLINK A950RG V4.1.2cu.5204_B20210112 contains a buffer overflow vulnerability in the setUrlFilterRules interface of /lib/cste_modules/firewall.so. The vulnerability occurs because the `url` parameter is not properly validated for length, allowing remote attackers to trigger a buffer overflow, potentially leading to arbitrary code execution or denial of service. 2026-02-03 not yet calculated CVE-2025-67186 https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A950RG/5024-setUrlFliterRules-url-buffer.md
 
TOTOlink--A950RG Router A stack-based buffer overflow vulnerability was identified in TOTOLINK A950RG V4.1.2cu.5204_B20210112. The flaw exists in the setIpQosRules interface of /lib/cste_modules/firewall.so where the comment parameter is not properly validated for length. 2026-02-03 not yet calculated CVE-2025-67187 https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A950RG/5024-setIpQosRules-comment-buffer.md
 
TOTOlink--A950RG Router A buffer overflow vulnerability exists in TOTOLINK A950RG V4.1.2cu.5204_B20210112. The issue resides in the setRadvdCfg interface of the /lib/cste_modules/ipv6.so module. The function fails to properly validate the length of the user-controlled radvdinterfacename parameter, allowing remote attackers to trigger a stack buffer overflow. 2026-02-03 not yet calculated CVE-2025-67188 https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A950RG/5024-ipv6-setRadvdCfg-radvdinterfacename-buffer.md
 
TOTOlink--A950RG Router A buffer overflow vulnerability exists in the setParentalRules interface of TOTOLINK A950RG V4.1.2cu.5204_B20210112. The urlKeyword parameter is not properly validated, and the function concatenates multiple user-controlled fields into a fixed-size stack buffer without performing boundary checks. A remote attacker can exploit this flaw to cause denial of service or potentially achieve arbitrary code execution. 2026-02-03 not yet calculated CVE-2025-67189 https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A950RG/5024-setParentRules-urlKeyWord-buffer.md
 
Wikimedia Foundation--MediaWiki Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/CommentFormatter/CommentParser.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. 2026-02-03 not yet calculated CVE-2025-67475 https://phabricator.wikimedia.org/T406664
 
Wikimedia Foundation--MediaWiki Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Import/ImportableOldRevisionImporter.Php. This issue affects MediaWiki: from * before 1.44.3, 1.45.1. 2026-02-03 not yet calculated CVE-2025-67476 https://phabricator.wikimedia.org/T405859
 
Wikimedia Foundation--MediaWiki Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js. This issue affects MediaWiki: from * before 1.44.3, 1.45.1. 2026-02-03 not yet calculated CVE-2025-67477 https://phabricator.wikimedia.org/T406639
 
Wikimedia Foundation--CheckUser Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files includes/Mail/UserMailer.Php. This issue affects CheckUser: from * before 1.39.14, 1.43.4, 1.44.1. 2026-02-03 not yet calculated CVE-2025-67478 https://phabricator.wikimedia.org/T385403
 
Wikimedia Foundation--MediaWiki Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Cite. This vulnerability is associated with program files includes/Parser/CoreParserFunctions.Php, includes/Parser/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Cite: from * before 1.39.14, 1.43.4, 1.44.1. 2026-02-03 not yet calculated CVE-2025-67479 https://phabricator.wikimedia.org/T407131
 
Wikimedia Foundation--MediaWiki Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryRevisionsBase.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. 2026-02-03 not yet calculated CVE-2025-67480 https://phabricator.wikimedia.org/T401053
 
Wikimedia Foundation--MediaWiki Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.JqueryMsg/mediawiki.JqueryMsg.Js. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. 2026-02-03 not yet calculated CVE-2025-67481 https://phabricator.wikimedia.org/T251032
 
Wikimedia Foundation--Scribunto Vulnerability in Wikimedia Foundation Scribunto, Wikimedia Foundation luasandbox. This vulnerability is associated with program files includes/Engines/LuaCommon/lualib/mwInit.Lua, library.C. This issue affects Scribunto: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1; luasandbox: from * before fea2304f8f6ab30314369a612f4f5b165e68e95a. 2026-02-03 not yet calculated CVE-2025-67482 https://phabricator.wikimedia.org/T408135
 
Wikimedia Foundation--MediaWiki Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.43.6, 1.44.3, 1.45.1. 2026-02-03 not yet calculated CVE-2025-67483 https://phabricator.wikimedia.org/T409226
 
Wikimedia Foundation--MediaWiki Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. 2026-02-03 not yet calculated CVE-2025-67484 https://phabricator.wikimedia.org/T401995
 
Go standard library--crypto/tls During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake. 2026-02-05 not yet calculated CVE-2025-68121 https://groups.google.com/g/golang-announce/c/K09ubi9FQFk
https://go.dev/cl/737700
https://go.dev/issue/77217
https://pkg.go.dev/vuln/GO-2026-4337
 
Axigen--Mail Server Axigen Mail Server before 10.5.57 allows stored Cross-Site Scripting (XSS) in the handling of the timeFormat account preference parameter. Attackers can exploit this by deploying a multi-stage attack. In the first stage, a malicious JavaScript payload is injected into the timeFormat preference by exploiting a separate vulnerability or using compromised credentials. In the second stage, when the victim logs into the WebMail interface, the unsanitized timeFormat value is loaded from storage and inserted into the DOM, causing the injected script to execute. 2026-02-05 not yet calculated CVE-2025-68643 https://www.axigen.com/mail-server/download/
https://www.axigen.com/knowledgebase/Axigen-WebMail-Stored-XSS-Vulnerability-CVE-2025-68643-_405.html
 
Axigen--Mail Server Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gain unauthorized access to the SSL Certificates management endpoint (page=sslcerts). This allows the attacker to view, download, upload, and delete SSL certificate files, despite lacking the necessary privileges to access the Security & Filtering section. 2026-02-05 not yet calculated CVE-2025-68721 https://www.axigen.com/mail-server/download/
https://www.axigen.com/knowledgebase/Axigen-WebAdmin-Improper-Access-Control-Vulnerability-CVE-2025-68721-_406.html
 
Axigen--Mail Server Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface through improper handling of the _s (breadcrumb) parameter. The application accepts state-changing requests via the GET method and automatically processes base64-encoded commands queued in the _s parameter immediately after administrator authentication. Attackers can craft malicious URLs that, when clicked by administrators, execute arbitrary administrative actions upon login without further user interaction, including creating rogue administrator accounts or modifying critical server configurations. 2026-02-05 not yet calculated CVE-2025-68722 https://www.axigen.com/mail-server/download/
https://www.axigen.com/knowledgebase/Axigen-WebAdmin-CSRF-Vulnerability-CVE-2025-68722-_407.html
 
Axigen--Mail Server Axigen Mail Server before 10.5.57 contains multiple stored Cross-Site Scripting (XSS) vulnerabilities in the WebAdmin interface. Three instances exist: (1) the log file name parameter in the Local Services Log page, (2) certificate file content in the SSL Certificates View Usage feature, and (3) the Certificate File name parameter in the WebMail Listeners SSL settings. Attackers can inject malicious JavaScript payloads that execute in administrators' browsers when they access affected pages or features, enabling privilege escalation attacks where low-privileged admins can force high-privileged admins to perform unauthorized actions. 2026-02-05 not yet calculated CVE-2025-68723 https://www.axigen.com/mail-server/download/
https://www.axigen.com/knowledgebase/Axigen-WebAdmin-Stored-XSS-Vulnerabilities-CVE-2025-68723-_408.html
 
devcode-it--openstamanager OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server. 2026-02-06 not yet calculated CVE-2025-69212 https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36
 
devcode-it--openstamanager OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, a SQL Injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject malicious SQL code through the idanagrafica parameter, leading to unauthorized database access. At time of publication, no known patch exists. 2026-02-04 not yet calculated CVE-2025-69213 https://github.com/devcode-it/openstamanager/security/advisories/GHSA-w995-ff8h-rppg
 
devcode-it--openstamanager OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an SQL Injection vulnerability exists in the ajax_select.php endpoint when handling the componenti operation. An authenticated attacker can inject malicious SQL code through the options[matricola] parameter. 2026-02-06 not yet calculated CVE-2025-69214 https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qjv8-63xq-gq8m
 
devcode-it--openstamanager OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, there is a SQL Injection vulnerability in the Stampe Module. At time of publication, no known patch exists. 2026-02-04 not yet calculated CVE-2025-69215 https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qx9p-w3vj-q24q
 
devcode-it--openstamanager OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an authenticated SQL injection vulnerability in OpenSTAManager's Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability exists in templates/scadenzario/init.php, where the id_anagrafica parameter is directly concatenated into an SQL query without proper sanitization. The vulnerability enables complete database read access through error-based SQL injection techniques. 2026-02-06 not yet calculated CVE-2025-69216 https://github.com/devcode-it/openstamanager/security/advisories/GHSA-q6g3-fv43-m2w6
 
Wikimedia Foundation--MediaWiki Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php, includes/api/ApiQueryBlocks.Php. This issue affects MediaWiki: from >= 1.42.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0. 2026-02-02 not yet calculated CVE-2025-6927 https://phabricator.wikimedia.org/T397595
 
ORICO--NAS CD3510 The ORICO NAS CD3510 (version V1.9.12 and below) contains an Incorrect Symlink Follow vulnerability that could be exploited by attackers to leak or tamper with the internal file system. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device's slot, then access the USB drive's symlink directory mounted on the NAS to obtain all files within the NAS system and tamper with those files. 2026-02-03 not yet calculated CVE-2025-69429 https://www.notion.so/ORICO-NAS-Incorrect-Symlink-Follow-2c36cf4e528a80b7bf0be4dcac758419?source=copy_link
 
Yottamaster NAS-- Symlink Follow An Incorrect Symlink Follow vulnerability exists in multiple Yottamaster NAS devices, including DM2 (version equal to or prior to V1.9.12), DM3 (version equal to or prior to V1.9.12), and DM200 (version equal to or prior to V1.2.23) that could be exploited by attackers to leak or tamper with the internal file system. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device's slot, then access the USB drive's symlink directory mounted on the NAS to obtain all files within the NAS system and tamper with those files. 2026-02-03 not yet calculated CVE-2025-69430 https://www.notion.so/Yottamaster-Incorrect-Symlink-Follow-2c36cf4e528a8001b37cdad4be7431f8?source=copy_link
 
ZSPACE--Q2C NAS The ZSPACE Q2C NAS contains a vulnerability related to incorrect symbolic link following. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device's slot, and then access the USB drive's directory mounted on the NAS using the Samba protocol. This allows them to obtain all files within the NAS system and tamper with those files. 2026-02-03 not yet calculated CVE-2025-69431 https://www.notion.so/ZSPACE-Incorrect-Symlink-Follow-2c26cf4e528a8087ba14d9b1d31a5bb2?source=copy_link
 
Coto[.]com--Tarot, Astro & Healing v11.4 An arbitrary file overwrite vulnerability in the file import process of Tarot, Astro & Healing v11.4.0 allows attackers to overwrite critical internal files, potentially leading to arbitrary code execution or exposure of sensitive information. 2026-02-04 not yet calculated CVE-2025-69618 https://secsys.fudan.edu.cn/
http://coto.com
https://coto.world/
https://github.com/Secsys-FDU/AF_CVEs/issues/9
 
Zipperapp[.]cafe24--Text Editor v1.6.2 A path traversal in My Text Editor v1.6.2 allows attackers to cause a Denial of Service (DoS) via writing files to the internal storage. 2026-02-05 not yet calculated CVE-2025-69619 http://my.com
https://secsys.fudan.edu.cn/
http://zipperapp.cafe24.com/
https://github.com/Secsys-FDU/AF_CVEs/issues/10
 
n/a--Moo Chan Song v4.5.7 A path traversal in Moo Chan Song v4.5.7 allows attackers to cause a Denial of Service (DoS) via writing files to the internal storage. 2026-02-04 not yet calculated CVE-2025-69620 https://secsys.fudan.edu.cn/
http://office.com
http://www.ntoolslab.com/
https://github.com/Secsys-FDU/AF_CVEs/issues/11
 
n/a--Comic Book Reader v1.0.95 An arbitrary file overwrite vulnerability in the file import process of Comic Book Reader v1.0.95 allows attackers to overwrite critical internal files, potentially leading to arbitrary code execution or exposure of sensitive information. 2026-02-04 not yet calculated CVE-2025-69621 https://secsys.fudan.edu.cn/
http://comic.com
https://android-tools.ru/
https://github.com/Secsys-FDU/AF_CVEs/issues/12
 
n/a--NetBox NetBox is an open-source infrastructure resource modeling and IP address management platform. A reflected cross-site scripting (XSS) vulnerability exists in versions 2.11.0 through 3.7.x in the ProtectedError handling logic, where object names are included in HTML error messages without proper escaping. This allows user-controlled content to be rendered in the web interface when a delete operation fails due to protected relationships, potentially enabling execution of arbitrary client-side code in the context of a privileged user. 2026-02-03 not yet calculated CVE-2025-69848 https://github.com/netbox-community/netbox
 
n/a--Quick Heal Security 23.0.0 A vulnerability exists in Quick Heal Total Security 23.0.0 in the quarantine management component where insufficient validation of restore paths and improper permission handling allow a low-privileged local user to restore quarantined files into protected system directories. This behavior can be abused by a local attacker to place files in high-privilege locations, potentially leading to privilege escalation. 2026-02-03 not yet calculated CVE-2025-69875 https://github.com/mertdas/QuickHealTotalSecurityPOC
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-59439/
 
n/a--Monstra CMS v3.0.4 Monstra CMS v3.0.4 contains an arbitrary file upload vulnerability in the Files Manager plugin. The application relies on blacklist-based file extension validation and stores uploaded files directly in a web-accessible directory. Under typical server configurations, this can allow an attacker to upload files that are interpreted as executable code, resulting in remote code execution. 2026-02-05 not yet calculated CVE-2025-69906 https://github.com/monstra-cms/monstra/tree/master/plugins/box/filesmanager
https://github.com/cypherdavy/CVE-2025-69906-Monstra-CMS-3.0.4-Arbitrary-File-Upload-to-RCE
 
n/a--FUXA v1.2.7 FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API endpoints, modify projects, and control industrial equipment immediately after installation. 2026-02-03 not yet calculated CVE-2025-69970 https://github.com/frangoteam/FUXA/blob/master/server/settings.default.js
 
n/a--FUXA v1.2.7 FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access. 2026-02-03 not yet calculated CVE-2025-69971 https://github.com/frangoteam/FUXA/blob/master/server/api/jwt-helper.js
 
n/a--FUXA v1.2.7 FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as the SQLite user database) to gain administrative access, or to upload malicious scripts to execute arbitrary code. 2026-02-03 not yet calculated CVE-2025-69981 https://github.com/frangoteam/FUXA/blob/master/server/api/projects/index.js#L193
 
n/a--FUXA v1.2.7 FUXA v1.2.7 allows Remote Code Execution (RCE) via the project import functionality. The application does not properly sanitize or sandbox user-supplied scripts within imported project files. An attacker can upload a malicious project containing system commands, leading to full system compromise. 2026-02-03 not yet calculated CVE-2025-69983 https://github.com/frangoteam/FUXA/blob/master/server/api/projects/index.js
 
n/a--ChestnutCMS v.1.5.8 An issue in ChestnutCMS v.1.5.8 and before allows a remote attacker to execute arbitrary code via the template creation function 2026-02-05 not yet calculated CVE-2025-70073 https://github.com/liweiyi/ChestnutCMS/issues/8
 
n/a--JEEWMS 1.0  JEEWMS 1.0 is vulnerable to SQL Injection. Attackers can inject malicious SQL statements through the id1 and id2 parameters in the /systemControl.do interface for attack. 2026-02-03 not yet calculated CVE-2025-70311 https://gitee.com/erzhongxmu/JEEWMS
 
PPC (Belden)--2K05X router firmware v1.1.9_206 A stored cross-site scripting (XSS) vulnerability exists in the web management interface of the PPC (Belden) ONT 2K05X router running firmware v1.1.9_206L. The Common Gateway Interface (CGI) component improperly handles user-supplied input, allowing a remote, unauthenticated attacker to inject arbitrary JavaScript that is persistently stored and executed when the affected interface is accessed. 2026-02-04 not yet calculated CVE-2025-70545 http://ppc.com
https://github.com/jeyabalaji711/CVE-2025-70545
 

n/a--pdfminer.six

 

 pdfminer.six before 20251230 contains an insecure deserialization vulnerability in the CMap loading mechanism. The library uses Python pickle to deserialize CMap cache files without validation. An attacker with the ability to place a malicious pickle file in a location accessible to the application can trigger arbitrary code execution or privilege escalation when the file is loaded by a trusted process. This is caused by an incomplete patch to CVE-2025-64512. 2026-02-03 not yet calculated CVE-2025-70559 https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-f83h-ghpp-7wcc
https://github.com/advisories/GHSA-f83h-ghpp-7wcc
 
n/a--Boltz 2.0 Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. An attacker with the ability to place a malicious pickle file in a directory processed by boltz can achieve arbitrary code execution when the file is loaded. 2026-02-03 not yet calculated CVE-2025-70560 https://github.com/jwohlwend/boltz/issues/600
https://github.com/jwohlwend/boltz/blob/cb04aeccdd480fd4db707f0bbafde538397fa2ac/src/boltz/data/mol.py#L80
 
n/a--chetans9 chetans9 core-php-admin-panel through commit a94a780d6 contains an authentication bypass vulnerability in includes/auth_validate.php. The application sends an HTTP redirect via header(Location:login.php) when a user is not authenticated but fails to call exit() afterward. This allows remote unauthenticated attackers to access protected pages.customer database. 2026-02-03 not yet calculated CVE-2025-70758 https://github.com/chetans9/core-php-admin-panel
https://github.com/chetans9/core-php-admin-panel/blob/master/includes/auth_validate.php
https://github.com/XavLimSG/Vulnerability-Research/tree/main/CVE-2025-70758
 
n/a--Microweber 2.0.19 Cross Site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was reported to the developers and fixed in version 2.0.20. 2026-02-05 not yet calculated CVE-2025-70791 https://github.com/microweber/microweber/commit/aa0791fc286d785ccd33ccc706f7bb3ed05b1d7f
https://gist.github.com/TimRecktenwald/9615b9915a4cacda9f57bb57f13ab6d4
 
n/a--n/a Cross Site Scripting vulnerability in the "/admin/category/create" endpoint of Microweber 2.0.19. An attacker can manipulate the "rel_id" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was reported to the developers and fixed in version 2.0.20. 2026-02-05 not yet calculated CVE-2025-70792 https://github.com/microweber/microweber/commit/aa0791fc286d785ccd33ccc706f7bb3ed05b1d7f
https://gist.github.com/TimRecktenwald/f4b0d1edbb87e75c17c639ca0bacba57
 
n/a--podinfo Arbitrary File Upload in podinfo thru 6.9.0 allows unauthenticated attackers to upload arbitrary files via crafted POST request to the /store endpoint. The application renders uploaded content without a restrictive Content-Security-Policy (CSP) or adequate Content-Type validation, leading to Stored Cross-Site Scripting (XSS). 2026-02-03 not yet calculated CVE-2025-70849 https://gist.github.com/kazisabu/27f3e272f474005001a9ecd2c258dbea
 
n/a--Subrion CMS v4.2.1 Multiple reflected cross-site scripting (XSS) vulnerabilities in the installation module of Subrion CMS v4.2.1 allows attackers to execute arbitrary Javascript in the context of the user's browser via injecting a crafted payload into the dbuser, dbpwd, and dbname parameters. 2026-02-02 not yet calculated CVE-2025-70958 https://github.com/emirhanyucell/Subrion-CMS-4.2.1/blob/main/subrion-cms-exploit.txt
 
n/a--Tendenci CMS v15.3.7 A stored cross-site scripting (XSS) vulnerability in the Jobs module of Tendenci CMS v15.3.7 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. 2026-02-02 not yet calculated CVE-2025-70959 https://github.com/emirhanyucelll/tendenci/blob/main/Readme.md
 
n/a--Tendenci CMS v15.3.7 A stored cross-site scripting (XSS) vulnerability in the Forums module of Tendenci CMS v15.3.7 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. 2026-02-02 not yet calculated CVE-2025-70960 https://github.com/emirhanyucelll/tendenci/blob/main/Readme.md
 
n/a--Gophish Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user's long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context. 2026-02-06 not yet calculated CVE-2025-70963 https://github.com/gophish/gophish/issues/9366
 
n/a--eladmin v2.7 A vulnerability has been discovered in eladmin v2.7 and before. This vulnerability allows for an arbitrary user password reset under any user permission level. 2026-02-04 not yet calculated CVE-2025-70997 https://github.com/elunez/eladmin
https://github.com/fofo137/CVE/issues/1
 
n/a--n/a Water-Melon Melon commit 9df9292 and below is vulnerable to Denial of Service. The HTTP component doesn't have any maximum length. As a result, an excessive request header could cause a denial of service by consuming RAM memory. 2026-02-04 not yet calculated CVE-2025-71031 https://suphawith-phusanbai.gitbook.io/book-of-suphawith/my-exploits/denial-of-service-in-melon-c-library
https://suphawith-phusanbai.gitbook.io/book-of-suphawith/my-exploits/cve-2025-71031-denial-of-service-in-melon-c-library
 
danny-avila--danny-avila/librechat A vulnerability in danny-avila/librechat allows attackers to exploit the unrestricted Fork Function in `/api/convos/fork` to fork numerous contents rapidly. If the forked content includes a Mermaid graph with a large number of nodes, it can lead to a JavaScript heap out of memory error upon service restart, causing a denial of service. This issue affects the latest version of the product. 2026-02-02 not yet calculated CVE-2025-7105 https://huntr.com/bounties/e44f0740-48bd-443b-8826-528e6afe9e34
https://github.com/danny-avila/librechat/commit/97a99985fa339db0a21ad63604e0bb8db4442ffc
 
n/a--Creativeitem Academy LMS 7.0 Creativeitem Academy LMS 7.0 contains reflected Cross-Site Scripting (XSS) vulnerabilities via the search parameter to the /academy/blogs endpoint, and the string parameter to the /academy/course_bundles/search/query endpoint. These vulnerabilities are distinct from the patch for CVE-2023-4119, which only fixed XSS in query and sort_by parameters to the /academy/home/courses endpoint. 2026-02-03 not yet calculated CVE-2025-71179 https://codecanyon.net/item/academy-course-based-learning-management-system/22703468
https://creativeitem.com/products/academy-learning-management-system/
https://github.com/cod3rLucas/security-advisories/blob/main/CVE-2025-71179.md
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: ac97: fix a double free in snd_ac97_controller_register() If ac97_add_adapter() fails, put_device() is the correct way to drop the device reference. kfree() is not required. Add kfree() if idr_alloc() fails and in ac97_adapter_release() to do the cleanup. Found by code review. 2026-02-04 not yet calculated CVE-2025-71192 https://git.kernel.org/stable/c/c80f9b3349a99a9d5b295f5bbc23f544c5995ad7
https://git.kernel.org/stable/c/21f8bc5179bed91c3f946adb5e55d717b891960c
https://git.kernel.org/stable/c/fcc04c92cbb5497ce67c58dd2f0001bb87f40396
https://git.kernel.org/stable/c/cb73d37ac18bc1716690ff5255a0ef1952827e9e
https://git.kernel.org/stable/c/830988b6cf197e6dcffdfe2008c5738e6c6c3c0f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: phy: qcom-qusb2: Fix NULL pointer dereference on early suspend Enabling runtime PM before attaching the QPHY instance as driver data can lead to a NULL pointer dereference in runtime PM callbacks that expect valid driver data. There is a small window where the suspend callback may run after PM runtime enabling and before runtime forbid. This causes a sporadic crash during boot: ``` Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a1 [...] CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT Workqueue: pm pm_runtime_work pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2] lr : pm_generic_runtime_suspend+0x2c/0x44 [...] ``` Attach the QPHY instance as driver data before enabling runtime PM to prevent NULL pointer dereference in runtime PM callbacks. Reorder pm_runtime_enable() and pm_runtime_forbid() to prevent a short window where an unnecessary runtime suspend can occur. Use the devres-managed version to ensure PM runtime is symmetrically disabled during driver removal for proper cleanup. 2026-02-04 not yet calculated CVE-2025-71193 https://git.kernel.org/stable/c/beba460a299150b5d8dcbe3474a8f4bdf0205180
https://git.kernel.org/stable/c/d50a9b7fd07296a1ab81c49ceba14cae3d31df86
https://git.kernel.org/stable/c/4ac15caa27ff842b068a54f1c6a8ff8b31f658e7
https://git.kernel.org/stable/c/1ca52c0983c34fca506921791202ed5bdafd5306
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock in wait_current_trans() due to ignored transaction type When wait_current_trans() is called during start_transaction(), it currently waits for a blocked transaction without considering whether the given transaction type actually needs to wait for that particular transaction state. The btrfs_blocked_trans_types[] array already defines which transaction types should wait for which transaction states, but this check was missing in wait_current_trans(). This can lead to a deadlock scenario involving two transactions and pending ordered extents: 1. Transaction A is in TRANS_STATE_COMMIT_DOING state 2. A worker processing an ordered extent calls start_transaction() with TRANS_JOIN 3. join_transaction() returns -EBUSY because Transaction A is in TRANS_STATE_COMMIT_DOING 4. Transaction A moves to TRANS_STATE_UNBLOCKED and completes 5. A new Transaction B is created (TRANS_STATE_RUNNING) 6. The ordered extent from step 2 is added to Transaction B's pending ordered extents 7. Transaction B immediately starts commit by another task and enters TRANS_STATE_COMMIT_START 8. The worker finally reaches wait_current_trans(), sees Transaction B in TRANS_STATE_COMMIT_START (a blocked state), and waits unconditionally 9. However, TRANS_JOIN should NOT wait for TRANS_STATE_COMMIT_START according to btrfs_blocked_trans_types[] 10. Transaction B is waiting for pending ordered extents to complete 11. Deadlock: Transaction B waits for ordered extent, ordered extent waits for Transaction B This can be illustrated by the following call stacks: CPU0 CPU1 btrfs_finish_ordered_io() start_transaction(TRANS_JOIN) join_transaction() # -EBUSY (Transaction A is # TRANS_STATE_COMMIT_DOING) # Transaction A completes # Transaction B created # ordered extent added to # Transaction B's pending list btrfs_commit_transaction() # Transaction B enters # TRANS_STATE_COMMIT_START # waiting for pending ordered # extents wait_current_trans() # waits for Transaction B # (should not wait!) Task bstore_kv_sync in btrfs_commit_transaction waiting for ordered extents: __schedule+0x2e7/0x8a0 schedule+0x64/0xe0 btrfs_commit_transaction+0xbf7/0xda0 [btrfs] btrfs_sync_file+0x342/0x4d0 [btrfs] __x64_sys_fdatasync+0x4b/0x80 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Task kworker in wait_current_trans waiting for transaction commit: Workqueue: btrfs-syno_nocow btrfs_work_helper [btrfs] __schedule+0x2e7/0x8a0 schedule+0x64/0xe0 wait_current_trans+0xb0/0x110 [btrfs] start_transaction+0x346/0x5b0 [btrfs] btrfs_finish_ordered_io.isra.0+0x49b/0x9c0 [btrfs] btrfs_work_helper+0xe8/0x350 [btrfs] process_one_work+0x1d3/0x3c0 worker_thread+0x4d/0x3e0 kthread+0x12d/0x150 ret_from_fork+0x1f/0x30 Fix this by passing the transaction type to wait_current_trans() and checking btrfs_blocked_trans_types[cur_trans->state] against the given type before deciding to wait. This ensures that transaction types which are allowed to join during certain blocked states will not unnecessarily wait and cause deadlocks. 2026-02-04 not yet calculated CVE-2025-71194 https://git.kernel.org/stable/c/e563f59395981fcd69d130761290929806e728d6
https://git.kernel.org/stable/c/dc84036c173cff6a432d9ab926298850b1d2a659
https://git.kernel.org/stable/c/d7b04b40ac8e6d814e35202a0e1568809b818295
https://git.kernel.org/stable/c/99da896614d17e8a84aeb2b2d464ac046cc8633d
https://git.kernel.org/stable/c/8b0bb145d3bc264360f525c9717653be3522e528
https://git.kernel.org/stable/c/9ac63333d600732a56b35ee1fa46836da671eb50
https://git.kernel.org/stable/c/5037b342825df7094a4906d1e2a9674baab50cb2
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: dmaengine: xilinx: xdma: Fix regmap max_register The max_register field is assigned the size of the register memory region instead of the offset of the last register. The result is that reading from the regmap via debugfs can cause a segmentation fault: tail /sys/kernel/debug/regmap/xdma.1.auto/registers Unable to handle kernel paging request at virtual address ffff800082f70000 Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x07: level 3 translation fault [...] Call trace: regmap_mmio_read32le+0x10/0x30 _regmap_bus_reg_read+0x74/0xc0 _regmap_read+0x68/0x198 regmap_read+0x54/0x88 regmap_read_debugfs+0x140/0x380 regmap_map_read_file+0x30/0x48 full_proxy_read+0x68/0xc8 vfs_read+0xcc/0x310 ksys_read+0x7c/0x120 __arm64_sys_read+0x24/0x40 invoke_syscall.constprop.0+0x64/0x108 do_el0_svc+0xb0/0xd8 el0_svc+0x38/0x130 el0t_64_sync_handler+0x120/0x138 el0t_64_sync+0x194/0x198 Code: aa1e03e9 d503201f f9400000 8b214000 (b9400000) ---[ end trace 0000000000000000 ]--- note: tail[1217] exited with irqs disabled note: tail[1217] exited with preempt_count 1 Segmentation fault 2026-02-04 not yet calculated CVE-2025-71195 https://git.kernel.org/stable/c/df8a131a41ff6202d47f59452735787f2b71dd2d
https://git.kernel.org/stable/c/606ea969e78295407f4bf06aa0e272fe59897184
https://git.kernel.org/stable/c/5e7ad329d259cf5bed7530d6d2525bcf7cb487a1
https://git.kernel.org/stable/c/c7d436a6c1a274c1ac28d5fb3b8eb8f03b6d0e10
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: phy: stm32-usphyc: Fix off by one in probe() The "index" variable is used as an index into the usbphyc->phys[] array which has usbphyc->nphys elements. So if it is equal to usbphyc->nphys then it is one element out of bounds. The "index" comes from the device tree so it's data that we trust and it's unlikely to be wrong, however it's obviously still worth fixing the bug. Change the > to >=. 2026-02-04 not yet calculated CVE-2025-71196 https://git.kernel.org/stable/c/a9eec890879731c280697fdf1c50699e905b2fa7
https://git.kernel.org/stable/c/fb9d513cdf1614bf0f0e785816afb1faae3f81af
https://git.kernel.org/stable/c/c06f13876cbad702582cd67fc77356e5524d02cd
https://git.kernel.org/stable/c/76b870fdaad82171a24b8aacffe5e4d9e0d2ee2c
https://git.kernel.org/stable/c/b91c9f6bfb04e430adeeac7e7ebc9d80f9d72bad
https://git.kernel.org/stable/c/7c27eaf183563b86d815ff6e9cca0210b4cfa051
https://git.kernel.org/stable/c/cabd25b57216ddc132efbcc31f972baa03aad15a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: w1: therm: Fix off-by-one buffer overflow in alarms_store The sysfs buffer passed to alarms_store() is allocated with 'size + 1' bytes and a NUL terminator is appended. However, the 'size' argument does not account for this extra byte. The original code then allocated 'size' bytes and used strcpy() to copy 'buf', which always writes one byte past the allocated buffer since strcpy() copies until the NUL terminator at index 'size'. Fix this by parsing the 'buf' parameter directly using simple_strtoll() without allocating any intermediate memory or string copying. This removes the overflow while simplifying the code. 2026-02-04 not yet calculated CVE-2025-71197 https://git.kernel.org/stable/c/49ff9b4b9deacbefa6654a0a2bcaf910c9de7e95
https://git.kernel.org/stable/c/060b08d72a38b158a7f850d4b83c17c2969e0f6b
https://git.kernel.org/stable/c/b3fc3e1f04dcc7c41787bbf08a6e0d2728e022cf
https://git.kernel.org/stable/c/6a5820ecfa5a76c3d3e154802c8c15f391ef442e
https://git.kernel.org/stable/c/6fd6d2a8e41b7f544a4d26cbd60bedf9c67893a0
https://git.kernel.org/stable/c/e6b2609af21b5cccc9559339591b8a2cbf884169
https://git.kernel.org/stable/c/761fcf46a1bd797bd32d23f3ea0141ffd437668a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: iio: imu: st_lsm6dsx: fix iio_chan_spec for sensors without event detection The st_lsm6dsx_acc_channels array of struct iio_chan_spec has a non-NULL event_spec field, indicating support for IIO events. However, event detection is not supported for all sensors, and if userspace tries to configure accelerometer wakeup events on a sensor device that does not support them (e.g. LSM6DS0), st_lsm6dsx_write_event() dereferences a NULL pointer when trying to write to the wakeup register. Define an additional struct iio_chan_spec array whose members have a NULL event_spec field, and use this array instead of st_lsm6dsx_acc_channels for sensors without event detection capability. 2026-02-04 not yet calculated CVE-2025-71198 https://git.kernel.org/stable/c/7673167fac9323110973a3300637adba7d45de3a
https://git.kernel.org/stable/c/4d60ffcdedfe2cdb68a1cde19bb292bc67451629
https://git.kernel.org/stable/c/81ed6e42d6e555dd978c9dd5e3f7c20cb121221b
https://git.kernel.org/stable/c/c34e2e2d67b3bb8d5a6d09b0d6dac845cdd13fb3
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver at91_adc_interrupt can call at91_adc_touch_data_handler function to start the work by schedule_work(&st->touch_st.workq). If we remove the module which will call at91_adc_remove to make cleanup, it will free indio_dev through iio_device_unregister but quite a bit later. While the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | at91_adc_workq_handler at91_adc_remove | iio_device_unregister(indio_dev) | //free indio_dev a bit later | | iio_push_to_buffers(indio_dev) | //use indio_dev Fix it by ensuring that the work is canceled before proceeding with the cleanup in at91_adc_remove. 2026-02-04 not yet calculated CVE-2025-71199 https://git.kernel.org/stable/c/4c83dd62595ee7b7c9298a4d19a256b6647e7240
https://git.kernel.org/stable/c/fdc8c835c637a3473878d1e7438c77ab8928af63
https://git.kernel.org/stable/c/919d176b05776c7ede79c36744c823a07d631617
https://git.kernel.org/stable/c/9795fe80976f8c31cafda7d44edfc0f532d1f7c4
https://git.kernel.org/stable/c/d7b6fc224c7f5d6d8adcb18037138d3cfe2bbdfe
https://git.kernel.org/stable/c/d890234a91570542c228a20f132ce74f9fedd904
https://git.kernel.org/stable/c/dbdb442218cd9d613adeab31a88ac973f22c4873
 
Brocade--Fabric OS A vulnerability in Brocade Fabric OS before 9.2.1c3 could allow elevating the privileges of the local authenticated user to "root" using the export option of seccertmgmt and seccryptocfg commands. 2026-02-03 not yet calculated CVE-2025-9711 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36852
 
Nokia--Nokia ONT The unified WEBUI application of the ONT/Beacon device contains an input handling flaw that allows authenticated users to trigger unintended system-level command execution. Due to insufficient validation of user-supplied data, a low-privileged authenticated attacker may be able to execute arbitrary commands on the underlying ONT/Beacon operating system, potentially impacting the confidentiality, integrity, and availability of the device. 2026-02-02 not yet calculated CVE-2025-9974 Nokia Security Advisory
 
Google--Android In vpu_mmap of vpu_ioctl, there is a possible arbitrary address mmap due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2026-02-05 not yet calculated CVE-2026-0106 https://source.android.com/security/bulletin/pixel/2026-02-01
 
Brocade--Fabric OS A vulnerability in Brocade Fabric OS could allow an authenticated, local attacker with privileges to access the Bash shell to access insecurely stored file contents including the history command. 2026-02-03 not yet calculated CVE-2026-0383 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36851
 
TYDAC AG--MAP+ A reflected cross-site scripting (XSS) vulnerability in the PDF export functionality of the TYDAC AG MAP+ solution allows unauthenticated attackers to craft a malicious URL, that if visited by a victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered through various means, for instance, by sending a link or by tricking victims to visit a page crafted by the attacker. This issue was verified in MAP+: 3.4.0. 2026-02-06 not yet calculated CVE-2026-0521 https://www.tydac.ch/en/mapplus/
https://www.redguard.ch/blog/2026/02/05/advisory-tydac-mapplus/
 
huggingface--huggingface/text-generation-inference A vulnerability in huggingface/text-generation-inference version 3.3.6 allows unauthenticated remote attackers to exploit unbounded external image fetching during input validation in VLM mode. The issue arises when the router scans inputs for Markdown image links and performs a blocking HTTP GET request, reading the entire response body into memory and cloning it before decoding. This behavior can lead to resource exhaustion, including network bandwidth saturation, memory inflation, and CPU overutilization. The vulnerability is triggered even if the request is later rejected for exceeding token limits. The default deployment configuration, which lacks memory usage limits and authentication, exacerbates the impact, potentially crashing the host machine. The issue is resolved in version 3.3.7. 2026-02-02 not yet calculated CVE-2026-0599 https://huntr.com/bounties/1d3f2085-666c-4441-b265-22f6f7d8d9cd
https://github.com/huggingface/text-generation-inference/commit/24ee40d143d8d046039f12f76940a85886cbe152
 
TP-Link Systems Inc.--AXE75 When configured as L2TP/IPSec VPN server, Archer AXE75 V1 may accept connections using L2TP without IPSec protection, even when IPSec is enabled.  This allows VPN sessions without encryption, exposing data in transit and compromising confidentiality. 2026-02-03 not yet calculated CVE-2026-0620 https://www.tp-link.com/en/support/download/archer-axe75/v1/#Firmware
https://www.tp-link.com/us/support/download/archer-axe75/v1/#Firmware
https://www.tp-link.com/us/support/faq/4942/
 
TP-Link Systems Inc.--Archer BE230 v1.2 An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(web modules) allows adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. 2026-02-02 not yet calculated CVE-2026-0630 https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/us/support/faq/4935/
 
TP-Link Systems Inc.--Archer BE230 v1.2 An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(vpn modules) allows an adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. 2026-02-02 not yet calculated CVE-2026-0631 https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/us/support/faq/4935/
 
Unknown--Five Star Restaurant Reservations The Five Star Restaurant Reservations WordPress plugin before 2.7.9 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting bookings via CSRF attacks. 2026-02-02 not yet calculated CVE-2026-0658 https://wpscan.com/vulnerability/6e39090e-a4b2-4c16-806f-e2b1c456fb00/
 
Moxa--UC-1200A Series A physical attack vulnerability exists in certain Moxa industrial computers using TPM-backed LUKS full-disk encryption on Moxa Industrial Linux 3, where the discrete TPM is connected to the CPU via an SPI bus. Exploitation requires invasive physical access, including opening the device and attaching external equipment to the SPI bus to capture TPM communications. If successful, the captured data may allow offline decryption of eMMC contents. This attack cannot be performed through brief or opportunistic physical access and requires extended physical access, possession of the device, appropriate equipment, and sufficient time for signal capture and analysis. Remote exploitation is not possible. 2026-02-05 not yet calculated CVE-2026-0714 https://www.moxa.com/en/support/product-support/security-advisory/mpsa-255121-cve-2026-0714-cve-2026-0715-multiple-vulnerabilities-in-industrial-computers
 
Moxa--UC-1200A Series Moxa Arm-based industrial computers running Moxa Industrial Linux Secure use a device-unique bootloader password provided on the device. An attacker with physical access to the device could use this information to access the bootloader menu via a serial interface.  Access to the bootloader menu does not allow full system takeover or privilege escalation. The bootloader enforces digital signature verification and only permits flashing of Moxa-signed images. As a result, an attacker cannot install malicious firmware or execute arbitrary code. The primary impact is limited to a potential temporary denial-of-service condition if a valid image is reflashed. Remote exploitation is not possible. 2026-02-05 not yet calculated CVE-2026-0715 https://www.moxa.com/en/support/product-support/security-advisory/mpsa-255121-cve-2026-0714-cve-2026-0715-multiple-vulnerabilities-in-industrial-computers
 
Ercom--Cryptobox On a Cryptobox platform where administrator segregation based on entities is used, some vulnerabilities in Ercom Cryptobox administration console allows an authenticated entity administrator with knowledge to elevate his account to global administrator. 2026-02-04 not yet calculated CVE-2026-0873 https://info.cryptobox.com/doc/v4.40/4.40.en/
 
Dr.Buho--BuhoCleaner BuhoCleaner contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via insecure functions. This issue affects BuhoCleaner: 1.15.2. 2026-02-02 not yet calculated CVE-2026-0924 https://fluidattacks.com/advisories/solstafir
https://www.drbuho.com/buhocleaner
https://www.drbuho.com/buhocleaner/download
 
Drupal--Group invite Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing. This issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4. 2026-02-04 not yet calculated CVE-2026-0944 https://www.drupal.org/sa-contrib-2026-001
 
Drupal--Role Delegation Privilege Defined With Unsafe Actions vulnerability in Drupal Role Delegation allows Privilege Escalation. This issue affects Role Delegation: from 1.3.0 before 1.5.0. 2026-02-04 not yet calculated CVE-2026-0945 https://www.drupal.org/sa-contrib-2026-002
 
Drupal--AT Internet SmartTag Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet SmartTag allows Cross-Site Scripting (XSS). This issue affects AT Internet SmartTag: from 0.0.0 before 1.0.1. 2026-02-04 not yet calculated CVE-2026-0946 https://www.drupal.org/sa-contrib-2026-003
 
Drupal--AT Internet Piano Analytics Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet Piano Analytics allows Cross-Site Scripting (XSS). This issue affects AT Internet Piano Analytics: from 0.0.0 before 1.0.1, from 2.0.0 before 2.3.1. 2026-02-04 not yet calculated CVE-2026-0947 https://www.drupal.org/sa-contrib-2026-004
 
Drupal--Microsoft Entra ID SSO Login Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Microsoft Entra ID SSO Login allows Privilege Escalation. This issue affects Microsoft Entra ID SSO Login: from 0.0.0 before 1.0.4. 2026-02-04 not yet calculated CVE-2026-0948 https://www.drupal.org/sa-contrib-2026-005
 
parisneo--parisneo/lollms A vulnerability in the `lollms_generation_events.py` component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The `add_events` function registers event handlers such as `generate_text`, `cancel_generation`, `generate_msg`, and `generate_msg_from` without implementing authentication or authorization checks. This allows unauthenticated clients to execute resource-intensive or state-altering operations, leading to potential denial of service, state corruption, and race conditions. Additionally, the use of global flags (`lollmsElfServer.busy`, `lollmsElfServer.cancel_gen`) for state management in a multi-client environment introduces further vulnerabilities, enabling one client's actions to affect the server's state and other clients' operations. The lack of proper access control and reliance on insecure global state management significantly impacts the availability and integrity of the service. 2026-02-02 not yet calculated CVE-2026-1117 https://huntr.com/bounties/d2846a7f-0140-4105-b1bb-5ef64ec8b829
https://github.com/parisneo/lollms/commit/36a5b513dfefe9c2913bf9b618457b4fea603e3b
 
ABC PRO SP. Z O.O.--EAP Legislator EAP Legislator is vulnerable to Path Traversal in file extraction functionality. Attacker can prepare zipx archive (default file type used by the Legislator application) and choose arbitrary path outside the intended directory (e.x. system startup) where files will be extracted by the victim upon opening the file. This issue was fixed in version 2.25a. 2026-02-02 not yet calculated CVE-2026-1186 https://abcpro.pl/eap-legislator
https://cert.pl/posts/2026/02/CVE-2026-1186
 
djangoproject--Django An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue. 2026-02-03 not yet calculated CVE-2026-1207 Django security archive
Django releases announcements
Django security releases issued: 6.0.2, 5.2.11, and 4.2.28
 
BeyondTrust--Privilege management for Windows A medium-severity vulnerability has been identified in BeyondTrust Privilege Management for Windows versions <=25.7. Under certain conditions, a local authenticated user with elevated privileges may be able to bypass the product's anti-tamper protections, which could allow access to protected application components and the ability to modify product configuration. 2026-02-02 not yet calculated CVE-2026-1232 https://www.beyondtrust.com/trust-center/security-advisories/bt26-01
https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0023100
 
djangoproject--Django An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. 2026-02-03 not yet calculated CVE-2026-1285 Django security archive
Django releases announcements
Django security releases issued: 6.0.2, 5.2.11, and 4.2.28
 
djangoproject--Django An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue. 2026-02-03 not yet calculated CVE-2026-1287 Django security archive
Django releases announcements
Django security releases issued: 6.0.2, 5.2.11, and 4.2.28
 
o6 Automation GmbH--Open62541 In builds with PubSub and JSON enabled, a crafted JSON message can cause the decoder to write beyond a heap-allocated array before authentication, reliably crashing the process and corrupting memory. 2026-02-05 not yet calculated CVE-2026-1301 https://www.cisa.gov/news-events/ics-advisories/icsa-26-036-03
 
djangoproject--Django An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue. 2026-02-03 not yet calculated CVE-2026-1312 Django security archive
Django releases announcements
Django security releases issued: 6.0.2, 5.2.11, and 4.2.28
 
neo4j--Enterprise Edition Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01. Proof of concept exploit:  https://github.com/JoakimBulow/CVE-2026-1337 2026-02-06 not yet calculated CVE-2026-1337 https://github.com/JoakimBulow/CVE-2026-1337
 
Avation--Avation Light Engine Pro Avation Light Engine Pro exposes its configuration and control interface without any authentication or access control. 2026-02-03 not yet calculated CVE-2026-1341 https://www.cisa.gov/news-events/ics-advisories/icsa-26-034-02
 
T-Systems--Buroweb SQL injection vulnerability in the Buroweb platform version 2505.0.12, specifically in the 'tablon' component. This vulnerability is present in several parameters that do not correctly sanitize user input in the endpoint '/sta/CarpetaPublic/doEvent?APP_CODE=STA&PAGE_CODE=TABLON'. Exploiting this vulnerability could allow an attacker to execute queries on the database and gain access to confidential information. 2026-02-03 not yet calculated CVE-2026-1432 https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-sqli-buroweb-platform
 
PRIMION DIGITEK--Digitek ADT1100 Path Traversal vulnerability in Digitek ADT1100 and Digitek DT950 from PRIMION DIGITEK, S.L.U (Azkoyen Group). This vulnerability allows an attacker to access arbitrary files in the server's file system, thet is, 'http://<host>/..%2F..% 2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd'. By manipulating the input to include URL encoded directory traversal sequences (e.g., %2F representing /), an attacker can bypass the input validation mechanisms ans retrieve sensitive files outside the intended directory, which could lead to information disclosure or further system compromise. 2026-02-05 not yet calculated CVE-2026-1523 https://www.incibe.es/en/incibe-cert/notices/aviso/path-traversal-digitek-grupo-azkoyen
 
Drupal--Drupal Canvas Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing. This issue affects Drupal Canvas: from 0.0.0 before 1.0.4. 2026-02-04 not yet calculated CVE-2026-1553 https://www.drupal.org/sa-contrib-2026-006
 
Drupal--Central Authentication System (CAS) Server XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation. This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2. 2026-02-04 not yet calculated CVE-2026-1554 https://www.drupal.org/sa-contrib-2026-007
 
neo4j--Enterprise Edition Neo4j Enterprise and Community editions versions prior to 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has ability to access the local log files. The "obfuscate_literals" option in the query logs does not redact error information, exposing unredacted data in the query log when a customer writes a query that fails. It can allow a user with legitimate access to the local log files to obtain information they are not authorised to see. If this user is also in a position to run queries and trigger errors, this vulnerability can potentially help them to infer information they are not authorised to see through their intended database access. We recommend upgrading to versions 2026.01.3 (or 5.26.21) where the issue is fixed, and reviewing query log files permissions to ensure restricted access. If your configuration had db.logs.query.obfuscate_literals enabled, and you wish the obfuscation to cover the error messages as well, you need to enable the new configuration setting db.logs.query.obfuscate_errors once you have upgraded Neo4j. 2026-02-04 not yet calculated CVE-2026-1622 https://neo4j.com/security/CVE-2026-1622
 
N/A--N/A Summary An Insecure Direct Object Reference has been found to exist in `createHeaderBasedEmailResolver()` function within the Cloudflare Agents SDK. The issue occurs because the `Message-ID` and `References` headers are parsed to derive the target agentName and agentId without proper validation or origin checks, allowing an external attacker with control of these headers to route inbound mail to arbitrary Durable Object instances and namespaces . Root cause The `createHeaderBasedEmailResolver()` function lacks cryptographic verification or origin validation for the headers used in the routing logic, effectively allowing external input to dictate internal object routing. Impact Insecure Direct Object Reference (IDOR) in email routing lets an attacker steer inbound mail to arbitrary Agent instances via spoofed Message-ID. Mitigation: * PR: https://github.com/cloudflare/agents/blob/main/docs/email.md ] provides the necessary architectural context for coding agents to mitigate the issue by refactoring the resolver to enforce strict identity boundaries. * Agents-sdk users should upgrade to agents@0.3.7 2026-02-03 not yet calculated CVE-2026-1664 https://github.com/cloudflare/agents
 
Python Packaging Authority--pip When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations. 2026-02-02 not yet calculated CVE-2026-1703 https://github.com/pypa/pip/pull/13777
https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735
https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ/
 
Google Cloud--Gemini Enterprise (formerly Agentspace) The Agentspace service was affected by a vulnerability that exposed sensitive information due to the use of predictable Google Cloud Storage bucket names. These names were utilized for error logs and temporary staging during data imports from GCS and Cloud SQL. This predictability allowed an attacker to engage in "bucket squatting" by establishing these buckets before a victim's initial use. All versions after December 12th, 2025 have been updated to protect from this vulnerability. No user action is required for this. 2026-02-06 not yet calculated CVE-2026-1727 https://docs.cloud.google.com/gemini/enterprise/docs/release-notes#February_06_2026
 
BeyondTrust--Remote Support(RS) & Privileged Remote Access(PRA) BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user. 2026-02-06 not yet calculated CVE-2026-1731 https://beyondtrustcorp.service-now.com/csm?id=csm_kb_article&sysparm_article=KB0023293
https://www.beyondtrust.com/trust-center/security-advisories/bt26-02
 
CrafterCMS--CrafterCMS Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass sandbox restrictions and obtain RCE (Remote Code Execution). 2026-02-02 not yet calculated CVE-2026-1770 https://docs.craftercms.org/current/security/advisory.html#cv-2026020201
 
Xquic Project--Xquic Server : Out-of-bounds Write vulnerability in Xquic Project Xquic Server xquic on Linux (QUIC protocol implementation, packet processing module modules) allows : Buffer Manipulation. This issue affects Xquic Server: through 1.8.3. 2026-02-03 not yet calculated CVE-2026-1788 https://github.com/alibaba/xquic
 
Rapid7--InsightVM/Nexpose A security vulnerability has been identified in Rapid7 Nexpose. Remediation is in progress. 2026-02-03 not yet calculated CVE-2026-1814 https://www.atredis.com/disclosure
 
Google--Chrome Heap buffer overflow in libvpx in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) 2026-02-03 not yet calculated CVE-2026-1861 https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop.html
https://issues.chromium.org/issues/478942410
 
Google--Chrome Type Confusion in V8 in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) 2026-02-03 not yet calculated CVE-2026-1862 https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop.html
https://issues.chromium.org/issues/479726070
 
Nukegraphic CMS--Nukegraphic CMS Nukegraphic CMS v3.1.2 contains a stored cross-site scripting (XSS) vulnerability in the user profile edit functionality at /ngc-cms/user-edit-profile.php. The application fails to properly sanitize user input in the name field before storing it in the database and rendering it across multiple CMS pages. An authenticated attacker with low privileges can inject malicious JavaScript payloads through the profile edit request, which are then executed site-wide whenever the affected user's name is displayed. This allows the attacker to execute arbitrary JavaScript in the context of other users' sessions, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of victims. 2026-02-05 not yet calculated CVE-2026-1953 https://github.com/carlosbudiman/CVE-2026-1953-Disclosure
 
YugabyteDB Inc--YugabyteDB Anywhere YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services. 2026-02-05 not yet calculated CVE-2026-1966 https://docs.yugabyte.com/stable/secure/vulnerability-disclosure-policy/
 
MediaTek, Inc.--MT2735, MT6833, MT6853, MT6855, MT6873, MT6875, MT6877, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01738310; Issue ID: MSV-5933. 2026-02-02 not yet calculated CVE-2026-20401 https://corp.mediatek.com/product-security-bulletin/February-2026
 
MediaTek, Inc.--MT2735, MT6833, MT6853, MT6855, MT6873, MT6875, MT6877, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY00693083; Issue ID: MSV-5928. 2026-02-02 not yet calculated CVE-2026-20402 https://corp.mediatek.com/product-security-bulletin/February-2026
 
MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6989, MT6990, MT6991, MT6993, MT8673, MT8675, MT8676, MT8771, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8893 In Modem, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01689254 (Note: For N15 and NR16) / MOLY01689259 (Note: For NR17 and NR17R); Issue ID: MSV-4843. 2026-02-02 not yet calculated CVE-2026-20403 https://corp.mediatek.com/product-security-bulletin/February-2026
 
MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6858, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8668, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01689248; Issue ID: MSV-4837. 2026-02-02 not yet calculated CVE-2026-20404 https://corp.mediatek.com/product-security-bulletin/February-2026
 
MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6858, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8668, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 In Modem, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01688495; Issue ID: MSV-4818. 2026-02-02 not yet calculated CVE-2026-20405 https://corp.mediatek.com/product-security-bulletin/February-2026
 
MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6858, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8668, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01726634; Issue ID: MSV-5728. 2026-02-02 not yet calculated CVE-2026-20406 https://corp.mediatek.com/product-security-bulletin/February-2026
 
MediaTek, Inc.--MT7902, MT7920, MT7921, MT7922, MT7925, MT7927 In wlan STA driver, there is a possible escalation of privilege due to a missing bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00464377; Issue ID: MSV-4905. 2026-02-02 not yet calculated CVE-2026-20407 https://corp.mediatek.com/product-security-bulletin/February-2026
 
MediaTek, Inc.--MT6890, MT7615, MT7915, MT7916, MT7981, MT7986 In wlan, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00461651; Issue ID: MSV-4758. 2026-02-02 not yet calculated CVE-2026-20408 https://corp.mediatek.com/product-security-bulletin/February-2026
 
MediaTek, Inc.--MT6897, MT6989 In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10363246; Issue ID: MSV-5779. 2026-02-02 not yet calculated CVE-2026-20409 https://corp.mediatek.com/product-security-bulletin/February-2026
 
MediaTek, Inc.--MT6897, MT6989, MT8370, MT8390, MT8395 In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10362552; Issue ID: MSV-5760. 2026-02-02 not yet calculated CVE-2026-20410 https://corp.mediatek.com/product-security-bulletin/February-2026
 
MediaTek, Inc.--MT6878, MT6879, MT6881, MT6886, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT6993, MT8168, MT8188, MT8195, MT8365, MT8370, MT8390, MT8395, MT8666, MT8667, MT8673, MT8676, MT8793 In cameraisp, there is a possible escalation of privilege due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10351676; Issue ID: MSV-5737. 2026-02-02 not yet calculated CVE-2026-20411 https://corp.mediatek.com/product-security-bulletin/February-2026
 
MediaTek, Inc.--MT6878, MT6879, MT6881, MT6886, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT6993, MT8168, MT8188, MT8195, MT8365, MT8390, MT8395, MT8666, MT8667, MT8673, MT8676, MT8696, MT8793 In cameraisp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10351676; Issue ID: MSV-5733. 2026-02-02 not yet calculated CVE-2026-20412 https://corp.mediatek.com/product-security-bulletin/February-2026
 
MediaTek, Inc.--MT6899, MT6991, MT8678, MT8793 In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10362725; Issue ID: MSV-5694. 2026-02-02 not yet calculated CVE-2026-20413 https://corp.mediatek.com/product-security-bulletin/February-2026
 
MediaTek, Inc.--MT6897, MT6989, MT8196, MT8678, MT8766, MT8768, MT8786, MT8796 In imgsys, there is a possible escalation of privilege due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10362999; Issue ID: MSV-5625. 2026-02-02 not yet calculated CVE-2026-20414 https://corp.mediatek.com/product-security-bulletin/February-2026
 
MediaTek, Inc.--MT6897, MT6989 In imgsys, there is a possible memory corruption due to improper locking. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10363254; Issue ID: MSV-5617. 2026-02-02 not yet calculated CVE-2026-20415 https://corp.mediatek.com/product-security-bulletin/February-2026
 
MediaTek, Inc.--MT6991, MT6993, MT8678 In pcie, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10314946 / ALPS10340155; Issue ID: MSV-5154. 2026-02-02 not yet calculated CVE-2026-20417 https://corp.mediatek.com/product-security-bulletin/February-2026
 
MediaTek, Inc.--MT7931, MT7933 In Thread, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00465153; Issue ID: MSV-4927. 2026-02-02 not yet calculated CVE-2026-20418 https://corp.mediatek.com/product-security-bulletin/February-2026
 
MediaTek, Inc.--MT6890, MT6989TB, MT7902, MT7915, MT7916, MT7920, MT7921, MT7922, MT7925, MT7927, MT7981, MT7986, MT8196, MT8668, MT8676, MT8678, MT8775, MT8791T, MT8792, MT8793, MT8796, MT8873, MT8883, MT8893, MT8910 In wlan AP/STA firmware, there is a possible system becoming irresponsive due to an uncaught exception. This could lead to remote (proximal/adjacent) denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00461663 / WCNCR00463309; Issue ID: MSV-4852. 2026-02-02 not yet calculated CVE-2026-20419 https://corp.mediatek.com/product-security-bulletin/February-2026
 
MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6858, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8676, MT8791 In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01738313; Issue ID: MSV-5935. 2026-02-02 not yet calculated CVE-2026-20420 https://corp.mediatek.com/product-security-bulletin/February-2026
 
MediaTek, Inc.--MT2735, MT6833, MT6853, MT6855, MT6873, MT6875, MT6877, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8791 In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01738293; Issue ID: MSV-5922. 2026-02-02 not yet calculated CVE-2026-20421 https://corp.mediatek.com/product-security-bulletin/February-2026
 
MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6858, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8668, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8775, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY00827332; Issue ID: MSV-5919. 2026-02-02 not yet calculated CVE-2026-20422 https://corp.mediatek.com/product-security-bulletin/February-2026
 
ELECOM CO.,LTD.--WRC-X1500GS-B Cross-site request forgery vulnerability exists in WRC-X1500GS-B and WRC-X1500GSA-B. If a user accesses a malicious page while logged-in to the affected product, unintended operations may be performed. 2026-02-03 not yet calculated CVE-2026-20704 https://www.elecom.co.jp/news/security/20260203-01/
https://jvn.jp/en/jp/JVN94012927/
 
Cybozu, Inc.--Cybozu Garoon Cross-site scripting vulnerability exists in E-mail function of Cybozu Garoon 5.0.0 to 6.0.3, which may allow an attacker to reset arbitrary users' passwords. 2026-02-02 not yet calculated CVE-2026-20711 https://kb.cybozu.support/article/39081/
https://jvn.jp/en/jp/JVN35265756/
 
Samsung Mobile--Samsung Mobile Devices Improper access control in Emergency Sharing prior to SMR Feb-2026 Release 1 allows local attackers to interrupt its functioning. 2026-02-04 not yet calculated CVE-2026-20977 https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02
 
Samsung Mobile--Samsung Mobile Devices Improper authorization in KnoxGuardManager prior to SMR Feb-2026 Release 1 allows local attackers to bypass the persistence configuration of the application. 2026-02-04 not yet calculated CVE-2026-20978 https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02
 
Samsung Mobile--Samsung Mobile Devices Improper privilege management in Settings prior to SMR Feb-2026 Release 1 allows local attackers to launch arbitrary activity with Settings privilege. 2026-02-04 not yet calculated CVE-2026-20979 https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02
 
Samsung Mobile--Samsung Mobile Devices Improper input validation in PACM prior to SMR Feb-2026 Release 1 allows physical attacker to execute arbitrary commands. 2026-02-04 not yet calculated CVE-2026-20980 https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02
 
Samsung Mobile--Samsung Mobile Devices Improper input validation in FacAtFunction prior to SMR Feb-2026 Release 1 allows privileged physical attacker to execute arbitrary command with system privilege. 2026-02-04 not yet calculated CVE-2026-20981 https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02
 
Samsung Mobile--Samsung Mobile Devices Path traversal in ShortcutService prior to SMR Feb-2026 Release 1 allows privileged local attacker to create file with system privilege. 2026-02-04 not yet calculated CVE-2026-20982 https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02
 
Samsung Mobile--Samsung Mobile Devices Improper export of android application components in Samsung Dialer prior to SMR Feb-2026 Release 1 allows local attackers to launch arbitrary activity with Samsung Dialer privilege. 2026-02-04 not yet calculated CVE-2026-20983 https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02
 
Samsung Mobile--Galaxy Wearable Improper handling of insufficient permission in Galaxy Wearable installed on non-Samsung Device prior to version 2.2.68 allows local attackers to access sensitive information. 2026-02-04 not yet calculated CVE-2026-20984 https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=02
 
Samsung Mobile--Samsung Members Improper input validation in Samsung Members prior to version 5.6.00.11 allows remote attackers to connect arbitrary URL and launch arbitrary activity with Samsung Members privilege. User interaction is required for triggering this vulnerability. 2026-02-04 not yet calculated CVE-2026-20985 https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=02
 
Samsung Mobile--Chinese Samsung Members Path traversal in Samsung Members prior to Chinese version 15.5.05.4 allows local attackers to overwrite data within Samsung Members. 2026-02-04 not yet calculated CVE-2026-20986 https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=02
 
Samsung Mobile--GalaxyDiagnostics Improper input validation in GalaxyDiagnostics prior to version 3.5.050 allows local privileged attackers to execute privileged commands. 2026-02-04 not yet calculated CVE-2026-20987 https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=02
 
Six Apart Ltd.--Movable Type (Software Edition) Movable Type contains a stored cross-site scripting vulnerability in Edit Comment. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. 2026-02-04 not yet calculated CVE-2026-21393 https://movabletype.org/news/2026/02/mt-906-released.html
https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html
https://jvn.jp/en/jp/JVN45405689/
 
Stackideas.com--EasyDiscuss extension for Joomla Access control settings for forum post custom fields are not applied to the JSON output type, leading to an ACL violation vector an information disclosure 2026-02-06 not yet calculated CVE-2026-21626 https://stackideas.com/easydiscuss
 
rustfs--rustfs RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies. This issue has been patched in version alpha.78. 2026-02-03 not yet calculated CVE-2026-21862 https://github.com/rustfs/rustfs/security/advisories/GHSA-fc6g-2gcp-2qrq
 
n8n-io--n8n n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n's community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. This issue has been patched in version 1.120.3. 2026-02-04 not yet calculated CVE-2026-21893 https://github.com/n8n-io/n8n/security/advisories/GHSA-7c4h-vh2m-743m
https://github.com/n8n-io/n8n/commit/ae0669a736cc496beeb296e115267862727ae838
 
TP-Link Systems Inc.--Archer BE230 v1.2 A lack of proper input validation in the HTTP processing path in TP-Link Archer BE230 v1.2 (web modules) may allow a crafted request to cause the device's web service to become unresponsive, resulting in a denial of service condition. A network adjacent attacker with high privileges could cause the device's web interface to temporarily stop responding until it recovers or is rebooted. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. 2026-02-03 not yet calculated CVE-2026-22220 https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/us/support/faq/4941/
 
TP-Link Systems Inc.--Archer BE230 v1.2 An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(vpn modules) allows adjacent authenticated attacker execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. 2026-02-02 not yet calculated CVE-2026-22221 https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/us/support/faq/4935/
 
TP-Link Systems Inc.--Archer BE230 v1.2 An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(web modules) allows adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. 2026-02-02 not yet calculated CVE-2026-22222 https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/us/support/faq/4935/
 
TP-Link System Inc.--Archer BE230 v1.2 An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(vpn modules) allows adjacent authenticated attacker execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. 2026-02-02 not yet calculated CVE-2026-22223 https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/us/support/faq/4935/
 
TP-Link Systems Inc.--Archer BE230 v1.2 A command injection vulnerability may be exploited after the admin's authentication in the cloud communication interface on the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. 2026-02-02 not yet calculated CVE-2026-22224 https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/us/support/faq/4935/
 
TP-Link Systems Inc.--Archer BE230 v1.2 A command injection vulnerability may be exploited after the admin's authentication in the VPN Connection Service on the Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. 2026-02-02 not yet calculated CVE-2026-22225 https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/us/support/faq/4935/
 
TP-Link Systems Inc.--Archer BE230 v1.2 A command injection vulnerability may be exploited after the admin's authentication in the VPN server configuration module on the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. 2026-02-02 not yet calculated CVE-2026-22226 https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/us/support/faq/4935/
 
TP-Link Systems Inc.--Archer BE230 v1.2 A command injection vulnerability may be exploited after the admin's authentication via the configuration backup restoration function of the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. 2026-02-02 not yet calculated CVE-2026-22227 https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/us/support/faq/4935/
 
TP-Link Systems Inc.--Archer BE230 v1.2 An authenticated user with high privileges may trigger a denial‑of‑service condition in TP-Link Archer BE230 v1.2 by restoring a crafted configuration file containing an excessively long parameter. Restoring such a file can cause the device to become unresponsive, requiring a reboot to restore normal operation. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. 2026-02-03 not yet calculated CVE-2026-22228 https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/us/support/faq/4941/
 
TP-Link Systems Inc.--Archer BE230 v1.2 A command injection vulnerability may be exploited after the admin's authentication via the import of a crafted VPN client configuration file on the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. 2026-02-02 not yet calculated CVE-2026-22229 https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware
https://www.tp-link.com/us/support/faq/4935/
 
ELECOM CO.,LTD.--WRC-X1500GS-B OS command injection vulnerability exists in WRC-X1500GS-B and WRC-X1500GSA-B. A crafted request from a logged-in user may lead to an arbitrary OS command execution. 2026-02-03 not yet calculated CVE-2026-22550 https://www.elecom.co.jp/news/security/20260203-01/
https://jvn.jp/en/jp/JVN94012927/
 
Six Apart Ltd.--Movable Type (Software Edition) Movable Type contains a stored cross-site scripting vulnerability in Export Sites. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. 2026-02-04 not yet calculated CVE-2026-22875 https://movabletype.org/news/2026/02/mt-906-released.html
https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html
https://jvn.jp/en/jp/JVN45405689/
 
Cybozu, Inc.--Cybozu Garoon Cross-site scripting vulnerability exists in Message function of Cybozu Garoon 5.15.0 to 6.0.3, which may allow an attacker to reset arbitrary users' passwords. 2026-02-02 not yet calculated CVE-2026-22881 https://kb.cybozu.support/article/39084/
https://jvn.jp/en/jp/JVN35265756/
 
Cybozu, Inc.--Cybozu Garoon Improper input verification issue exists in Cybozu Garoon 5.0.0 to 6.0.3, which may lead to unauthorized alteration of portal settings, potentially blocking access to the product. 2026-02-02 not yet calculated CVE-2026-22888 https://kb.cybozu.support/article/39083/
https://jvn.jp/en/jp/JVN35265756/
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211_hwsim: fix typo in frequency notification The NAN notification is for 5745 MHz which corresponds to channel 149 and not 5475 which is not actually a valid channel. This could result in a NULL pointer dereference in cfg80211_next_nan_dw_notif. 2026-02-04 not yet calculated CVE-2026-23040 https://git.kernel.org/stable/c/1251bbdb8f5b2ea86ca9b4268a2e6aa34372ab33
https://git.kernel.org/stable/c/333418872bfecf4843f1ded7a4151685dfcf07d5
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup When bnxt_init_one() fails during initialization (e.g., bnxt_init_int_mode returns -ENODEV), the error path calls bnxt_free_hwrm_resources() which destroys the DMA pool and sets bp->hwrm_dma_pool to NULL. Subsequently, bnxt_ptp_clear() is called, which invokes ptp_clock_unregister(). Since commit a60fc3294a37 ("ptp: rework ptp_clock_unregister() to disable events"), ptp_clock_unregister() now calls ptp_disable_all_events(), which in turn invokes the driver's .enable() callback (bnxt_ptp_enable()) to disable PTP events before completing the unregistration. bnxt_ptp_enable() attempts to send HWRM commands via bnxt_ptp_cfg_pin() and bnxt_ptp_cfg_event(), both of which call hwrm_req_init(). This function tries to allocate from bp->hwrm_dma_pool, causing a NULL pointer dereference: bnxt_en 0000:01:00.0 (unnamed net_device) (uninitialized): bnxt_init_int_mode err: ffffffed KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] Call Trace: __hwrm_req_init (drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c:72) bnxt_ptp_enable (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:323 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:517) ptp_disable_all_events (drivers/ptp/ptp_chardev.c:66) ptp_clock_unregister (drivers/ptp/ptp_clock.c:518) bnxt_ptp_clear (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:1134) bnxt_init_one (drivers/net/ethernet/broadcom/bnxt/bnxt.c:16889) Lines are against commit f8f9c1f4d0c7 ("Linux 6.19-rc3") Fix this by clearing and unregistering ptp (bnxt_ptp_clear()) before freeing HWRM resources. 2026-02-04 not yet calculated CVE-2026-23041 https://git.kernel.org/stable/c/0174d5466caefc22f03a36c43b2a3cce7e332627
https://git.kernel.org/stable/c/3358995b1a7f9dcb52a56ec8251570d71024dad0
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: idpf: fix aux device unplugging when rdma is not supported by vport If vport flags do not contain VIRTCHNL2_VPORT_ENABLE_RDMA, driver does not allocate vdev_info for this vport. This leads to kernel NULL pointer dereference in idpf_idc_vport_dev_down(), which references vdev_info for every vport regardless. Check, if vdev_info was ever allocated before unplugging aux device. 2026-02-04 not yet calculated CVE-2026-23042 https://git.kernel.org/stable/c/0ad6d6e50e9d8bf596cfe77a882ddc20b29f525a
https://git.kernel.org/stable/c/4648fb2f2e7210c53b85220ee07d42d1e4bae3f9
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: fix NULL pointer dereference in do_abort_log_replay() Coverity reported a NULL pointer dereference issue (CID 1666756) in do_abort_log_replay(). When btrfs_alloc_path() fails in replay_one_buffer(), wc->subvol_path is NULL, but btrfs_abort_log_replay() calls do_abort_log_replay() which unconditionally dereferences wc->subvol_path when attempting to print debug information. Fix this by adding a NULL check before dereferencing wc->subvol_path in do_abort_log_replay(). 2026-02-04 not yet calculated CVE-2026-23043 https://git.kernel.org/stable/c/6d1b61b8e1e44888c643d89225ab819b10649b2e
https://git.kernel.org/stable/c/530e3d4af566ca44807d79359b90794dea24c4f3
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: PM: hibernate: Fix crash when freeing invalid crypto compressor When crypto_alloc_acomp() fails, it returns an ERR_PTR value, not NULL. The cleanup code in save_compressed_image() and load_compressed_image() unconditionally calls crypto_free_acomp() without checking for ERR_PTR, which causes crypto_acomp_tfm() to dereference an invalid pointer and crash the kernel. This can be triggered when the compression algorithm is unavailable (e.g., CONFIG_CRYPTO_LZO not enabled). Fix by adding IS_ERR_OR_NULL() checks before calling crypto_free_acomp() and acomp_request_free(), similar to the existing kthread_stop() check. [ rjw: Added 2 empty code lines ] 2026-02-04 not yet calculated CVE-2026-23044 https://git.kernel.org/stable/c/b7a883b0135dbc6817e90a829421c9fc8cd94bad
https://git.kernel.org/stable/c/7966cf0ebe32c981bfa3db252cb5fc3bb1bf2e77
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/ena: fix missing lock when update devlink params Fix assert lock warning while calling devl_param_driverinit_value_set() in ena. WARNING: net/devlink/core.c:261 at devl_assert_locked+0x62/0x90, CPU#0: kworker/0:0/9 CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.19.0-rc2+ #1 PREEMPT(lazy) Hardware name: Amazon EC2 m8i-flex.4xlarge/, BIOS 1.0 10/16/2017 Workqueue: events work_for_cpu_fn RIP: 0010:devl_assert_locked+0x62/0x90 Call Trace: <TASK> devl_param_driverinit_value_set+0x15/0x1c0 ena_devlink_alloc+0x18c/0x220 [ena] ? __pfx_ena_devlink_alloc+0x10/0x10 [ena] ? trace_hardirqs_on+0x18/0x140 ? lockdep_hardirqs_on+0x8c/0x130 ? __raw_spin_unlock_irqrestore+0x5d/0x80 ? __raw_spin_unlock_irqrestore+0x46/0x80 ? devm_ioremap_wc+0x9a/0xd0 ena_probe+0x4d2/0x1b20 [ena] ? __lock_acquire+0x56a/0xbd0 ? __pfx_ena_probe+0x10/0x10 [ena] ? local_clock+0x15/0x30 ? __lock_release.isra.0+0x1c9/0x340 ? mark_held_locks+0x40/0x70 ? lockdep_hardirqs_on_prepare.part.0+0x92/0x170 ? trace_hardirqs_on+0x18/0x140 ? lockdep_hardirqs_on+0x8c/0x130 ? __raw_spin_unlock_irqrestore+0x5d/0x80 ? __raw_spin_unlock_irqrestore+0x46/0x80 ? __pfx_ena_probe+0x10/0x10 [ena] ...... </TASK> 2026-02-04 not yet calculated CVE-2026-23045 https://git.kernel.org/stable/c/f2c4bcfa193eef1b7457a56be9c47a8de015f225
https://git.kernel.org/stable/c/8da901ffe497a53fa4ecc3ceed0e6d771586f88e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: virtio_net: fix device mismatch in devm_kzalloc/devm_kfree Initial rss_hdr allocation uses virtio_device->device, but virtnet_set_queues() frees using net_device->device. This device mismatch causing below devres warning [ 3788.514041] ------------[ cut here ]------------ [ 3788.514044] WARNING: drivers/base/devres.c:1095 at devm_kfree+0x84/0x98, CPU#16: vdpa/1463 [ 3788.514054] Modules linked in: octep_vdpa virtio_net virtio_vdpa [last unloaded: virtio_vdpa] [ 3788.514064] CPU: 16 UID: 0 PID: 1463 Comm: vdpa Tainted: G W 6.18.0 #10 PREEMPT [ 3788.514067] Tainted: [W]=WARN [ 3788.514069] Hardware name: Marvell CN106XX board (DT) [ 3788.514071] pstate: 63400009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) [ 3788.514074] pc : devm_kfree+0x84/0x98 [ 3788.514076] lr : devm_kfree+0x54/0x98 [ 3788.514079] sp : ffff800084e2f220 [ 3788.514080] x29: ffff800084e2f220 x28: ffff0003b2366000 x27: 000000000000003f [ 3788.514085] x26: 000000000000003f x25: ffff000106f17c10 x24: 0000000000000080 [ 3788.514089] x23: ffff00045bb8ab08 x22: ffff00045bb8a000 x21: 0000000000000018 [ 3788.514093] x20: ffff0004355c3080 x19: ffff00045bb8aa00 x18: 0000000000080000 [ 3788.514098] x17: 0000000000000040 x16: 000000000000001f x15: 000000000007ffff [ 3788.514102] x14: 0000000000000488 x13: 0000000000000005 x12: 00000000000fffff [ 3788.514106] x11: ffffffffffffffff x10: 0000000000000005 x9 : ffff800080c8c05c [ 3788.514110] x8 : ffff800084e2eeb8 x7 : 0000000000000000 x6 : 000000000000003f [ 3788.514115] x5 : ffff8000831bafe0 x4 : ffff800080c8b010 x3 : ffff0004355c3080 [ 3788.514119] x2 : ffff0004355c3080 x1 : 0000000000000000 x0 : 0000000000000000 [ 3788.514123] Call trace: [ 3788.514125] devm_kfree+0x84/0x98 (P) [ 3788.514129] virtnet_set_queues+0x134/0x2e8 [virtio_net] [ 3788.514135] virtnet_probe+0x9c0/0xe00 [virtio_net] [ 3788.514139] virtio_dev_probe+0x1e0/0x338 [ 3788.514144] really_probe+0xc8/0x3a0 [ 3788.514149] __driver_probe_device+0x84/0x170 [ 3788.514152] driver_probe_device+0x44/0x120 [ 3788.514155] __device_attach_driver+0xc4/0x168 [ 3788.514158] bus_for_each_drv+0x8c/0xf0 [ 3788.514161] __device_attach+0xa4/0x1c0 [ 3788.514164] device_initial_probe+0x1c/0x30 [ 3788.514168] bus_probe_device+0xb4/0xc0 [ 3788.514170] device_add+0x614/0x828 [ 3788.514173] register_virtio_device+0x214/0x258 [ 3788.514175] virtio_vdpa_probe+0xa0/0x110 [virtio_vdpa] [ 3788.514179] vdpa_dev_probe+0xa8/0xd8 [ 3788.514183] really_probe+0xc8/0x3a0 [ 3788.514186] __driver_probe_device+0x84/0x170 [ 3788.514189] driver_probe_device+0x44/0x120 [ 3788.514192] __device_attach_driver+0xc4/0x168 [ 3788.514195] bus_for_each_drv+0x8c/0xf0 [ 3788.514197] __device_attach+0xa4/0x1c0 [ 3788.514200] device_initial_probe+0x1c/0x30 [ 3788.514203] bus_probe_device+0xb4/0xc0 [ 3788.514206] device_add+0x614/0x828 [ 3788.514209] _vdpa_register_device+0x58/0x88 [ 3788.514211] octep_vdpa_dev_add+0x104/0x228 [octep_vdpa] [ 3788.514215] vdpa_nl_cmd_dev_add_set_doit+0x2d0/0x3c0 [ 3788.514218] genl_family_rcv_msg_doit+0xe4/0x158 [ 3788.514222] genl_rcv_msg+0x218/0x298 [ 3788.514225] netlink_rcv_skb+0x64/0x138 [ 3788.514229] genl_rcv+0x40/0x60 [ 3788.514233] netlink_unicast+0x32c/0x3b0 [ 3788.514237] netlink_sendmsg+0x170/0x3b8 [ 3788.514241] __sys_sendto+0x12c/0x1c0 [ 3788.514246] __arm64_sys_sendto+0x30/0x48 [ 3788.514249] invoke_syscall.constprop.0+0x58/0xf8 [ 3788.514255] do_el0_svc+0x48/0xd0 [ 3788.514259] el0_svc+0x48/0x210 [ 3788.514264] el0t_64_sync_handler+0xa0/0xe8 [ 3788.514268] el0t_64_sync+0x198/0x1a0 [ 3788.514271] ---[ end trace 0000000000000000 ]--- Fix by using virtio_device->device consistently for allocation and deallocation 2026-02-04 not yet calculated CVE-2026-23046 https://git.kernel.org/stable/c/a5e2d902f64c76169c771f584559c82b588090e3
https://git.kernel.org/stable/c/acb4bc6e1ba34ae1a34a9334a1ce8474c909466e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: libceph: make calc_target() set t->paused, not just clear it Currently calc_target() clears t->paused if the request shouldn't be paused anymore, but doesn't ever set t->paused even though it's able to determine when the request should be paused. Setting t->paused is left to __submit_request() which is fine for regular requests but doesn't work for linger requests -- since __submit_request() doesn't operate on linger requests, there is nowhere for lreq->t.paused to be set. One consequence of this is that watches don't get reestablished on paused -> unpaused transitions in cases where requests have been paused long enough for the (paused) unwatch request to time out and for the subsequent (re)watch request to enter the paused state. On top of the watch not getting reestablished, rbd_reregister_watch() gets stuck with rbd_dev->watch_mutex held: rbd_register_watch __rbd_register_watch ceph_osdc_watch linger_reg_commit_wait It's waiting for lreq->reg_commit_wait to be completed, but for that to happen the respective request needs to end up on need_resend_linger list and be kicked when requests are unpaused. There is no chance for that if the request in question is never marked paused in the first place. The fact that rbd_dev->watch_mutex remains taken out forever then prevents the image from getting unmapped -- "rbd unmap" would inevitably hang in D state on an attempt to grab the mutex. 2026-02-04 not yet calculated CVE-2026-23047 https://git.kernel.org/stable/c/2b3329b3c29d9e188e40d902d5230c2d5989b940
https://git.kernel.org/stable/c/5d0dc83cb9a69c1d0bea58f1c430199b05f6b021
https://git.kernel.org/stable/c/4d3399c52e0e61720ae898f5a0b5b75d4460ae24
https://git.kernel.org/stable/c/4ebc711b738d139cabe2fc9e7e7749847676a342
https://git.kernel.org/stable/c/6f468f6ff233c6a81e0e761d9124e982903fe9a5
https://git.kernel.org/stable/c/5647d42c47b535573b63e073e91164d6a5bb058c
https://git.kernel.org/stable/c/c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: udp: call skb_orphan() before skb_attempt_defer_free() Standard UDP receive path does not use skb->destructor. But skmsg layer does use it, since it calls skb_set_owner_sk_safe() from udp_read_skb(). This then triggers this warning in skb_attempt_defer_free(): DEBUG_NET_WARN_ON_ONCE(skb->destructor); We must call skb_orphan() to fix this issue. 2026-02-04 not yet calculated CVE-2026-23048 https://git.kernel.org/stable/c/0c63d5683eae6a7b4d81382bcbecb2a19feff90d
https://git.kernel.org/stable/c/e5c8eda39a9fc1547d1398d707aa06c1d080abdd
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel The connector type for the DataImage SCF0700C48GGU18 panel is missing and devm_drm_panel_bridge_add() requires connector type to be set. This leads to a warning and a backtrace in the kernel log and panel does not work: " WARNING: CPU: 3 PID: 38 at drivers/gpu/drm/bridge/panel.c:379 devm_drm_of_get_bridge+0xac/0xb8 " The warning is triggered by a check for valid connector type in devm_drm_panel_bridge_add(). If there is no valid connector type set for a panel, the warning is printed and panel is not added. Fill in the missing connector type to fix the warning and make the panel operational once again. 2026-02-04 not yet calculated CVE-2026-23049 https://git.kernel.org/stable/c/f4c330b4499e7334ec6fce535574e09d55843d71
https://git.kernel.org/stable/c/bb309377eece5317207d71fd833f99cca4727fbd
https://git.kernel.org/stable/c/83e0d8d22e7ee3151af1951595104887eebed6ab
https://git.kernel.org/stable/c/bc0b17bdba3838e9e17e7e9adc968384ac99938b
https://git.kernel.org/stable/c/04218cd68d1502000823c8288f37b4f171dcdcae
https://git.kernel.org/stable/c/f7940d3ec1dc6bf719eddc69d4b8e52cc2201896
https://git.kernel.org/stable/c/6ab3d4353bf75005eaa375677c9fed31148154d6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: pNFS: Fix a deadlock when returning a delegation during open() Ben Coddington reports seeing a hang in the following stack trace: 0 [ffffd0b50e1774e0] __schedule at ffffffff9ca05415 1 [ffffd0b50e177548] schedule at ffffffff9ca05717 2 [ffffd0b50e177558] bit_wait at ffffffff9ca061e1 3 [ffffd0b50e177568] __wait_on_bit at ffffffff9ca05cfb 4 [ffffd0b50e1775c8] out_of_line_wait_on_bit at ffffffff9ca05ea5 5 [ffffd0b50e177618] pnfs_roc at ffffffffc154207b [nfsv4] 6 [ffffd0b50e1776b8] _nfs4_proc_delegreturn at ffffffffc1506586 [nfsv4] 7 [ffffd0b50e177788] nfs4_proc_delegreturn at ffffffffc1507480 [nfsv4] 8 [ffffd0b50e1777f8] nfs_do_return_delegation at ffffffffc1523e41 [nfsv4] 9 [ffffd0b50e177838] nfs_inode_set_delegation at ffffffffc1524a75 [nfsv4] 10 [ffffd0b50e177888] nfs4_process_delegation at ffffffffc14f41dd [nfsv4] 11 [ffffd0b50e1778a0] _nfs4_opendata_to_nfs4_state at ffffffffc1503edf [nfsv4] 12 [ffffd0b50e1778c0] _nfs4_open_and_get_state at ffffffffc1504e56 [nfsv4] 13 [ffffd0b50e177978] _nfs4_do_open at ffffffffc15051b8 [nfsv4] 14 [ffffd0b50e1779f8] nfs4_do_open at ffffffffc150559c [nfsv4] 15 [ffffd0b50e177a80] nfs4_atomic_open at ffffffffc15057fb [nfsv4] 16 [ffffd0b50e177ad0] nfs4_file_open at ffffffffc15219be [nfsv4] 17 [ffffd0b50e177b78] do_dentry_open at ffffffff9c09e6ea 18 [ffffd0b50e177ba8] vfs_open at ffffffff9c0a082e 19 [ffffd0b50e177bd0] dentry_open at ffffffff9c0a0935 The issue is that the delegreturn is being asked to wait for a layout return that cannot complete because a state recovery was initiated. The state recovery cannot complete until the open() finishes processing the delegations it was given. The solution is to propagate the existing flags that indicate a non-blocking call to the function pnfs_roc(), so that it knows not to wait in this situation. 2026-02-04 not yet calculated CVE-2026-23050 https://git.kernel.org/stable/c/a316fd9d3065b753b03d802530004aea481512cc
https://git.kernel.org/stable/c/d6c75aa9d607044d1e5c8498eff0259eed356c32
https://git.kernel.org/stable/c/857bf9056291a16785ae3be1d291026b2437fc48
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix drm panic null pointer when driver not support atomic When driver not support atomic, fb using plane->fb rather than plane->state->fb. (cherry picked from commit 2f2a72de673513247cd6fae14e53f6c40c5841ef) 2026-02-04 not yet calculated CVE-2026-23051 https://git.kernel.org/stable/c/a1aedf4053af7dad3772b94b057a7d1f5473055f
https://git.kernel.org/stable/c/9cb6278b44c38899961b36d303d7b18b38be2a6e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ftrace: Do not over-allocate ftrace memory The pg_remaining calculation in ftrace_process_locs() assumes that ENTRIES_PER_PAGE multiplied by 2^order equals the actual capacity of the allocated page group. However, ENTRIES_PER_PAGE is PAGE_SIZE / ENTRY_SIZE (integer division). When PAGE_SIZE is not a multiple of ENTRY_SIZE (e.g. 4096 / 24 = 170 with remainder 16), high-order allocations (like 256 pages) have significantly more capacity than 256 * 170. This leads to pg_remaining being underestimated, which in turn makes skip (derived from skipped - pg_remaining) larger than expected, causing the WARN(skip != remaining) to trigger. Extra allocated pages for ftrace: 2 with 654 skipped WARNING: CPU: 0 PID: 0 at kernel/trace/ftrace.c:7295 ftrace_process_locs+0x5bf/0x5e0 A similar problem in ftrace_allocate_records() can result in allocating too many pages. This can trigger the second warning in ftrace_process_locs(). Extra allocated pages for ftrace WARNING: CPU: 0 PID: 0 at kernel/trace/ftrace.c:7276 ftrace_process_locs+0x548/0x580 Use the actual capacity of a page group to determine the number of pages to allocate. Have ftrace_allocate_pages() return the number of allocated pages to avoid having to calculate it. Use the actual page group capacity when validating the number of unused pages due to skipped entries. Drop the definition of ENTRIES_PER_PAGE since it is no longer used. 2026-02-04 not yet calculated CVE-2026-23052 https://git.kernel.org/stable/c/9aef476717994e96dadfb359641c4b82b521aa36
https://git.kernel.org/stable/c/be55257fab181b93af38f8c4b1b3cb453a78d742
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: NFS: Fix a deadlock involving nfs_release_folio() Wang Zhaolong reports a deadlock involving NFSv4.1 state recovery waiting on kthreadd, which is attempting to reclaim memory by calling nfs_release_folio(). The latter cannot make progress due to state recovery being needed. It seems that the only safe thing to do here is to kick off a writeback of the folio, without waiting for completion, or else kicking off an asynchronous commit. 2026-02-04 not yet calculated CVE-2026-23053 https://git.kernel.org/stable/c/49d352bc263fe4a834233338bfaad31b3109addf
https://git.kernel.org/stable/c/19b4d9ab5e77843eac0429c019470c02f8710b55
https://git.kernel.org/stable/c/cce0be6eb4971456b703aaeafd571650d314bcca
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: hv_netvsc: reject RSS hash key programming without RX indirection table RSS configuration requires a valid RX indirection table. When the device reports a single receive queue, rndis_filter_device_add() does not allocate an indirection table, accepting RSS hash key updates in this state leads to a hang. Fix this by gating netvsc_set_rxfh() on ndc->rx_table_sz and return -EOPNOTSUPP when the table is absent. This aligns set_rxfh with the device capabilities and prevents incorrect behavior. 2026-02-04 not yet calculated CVE-2026-23054 https://git.kernel.org/stable/c/8288136f508e78eb3563e7073975999cf225a2f9
https://git.kernel.org/stable/c/82c9039c8ebb715753a40434df714f865a3aec9c
https://git.kernel.org/stable/c/4cd55c609e85ae2313248ef1a33619a3eef44a16
https://git.kernel.org/stable/c/11dd9a9ef4dc4507a15a69b8511a0013c6c28fa3
https://git.kernel.org/stable/c/d23564955811da493f34412d7de60fa268c8cb50
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: i2c: riic: Move suspend handling to NOIRQ phase Commit 53326135d0e0 ("i2c: riic: Add suspend/resume support") added suspend support for the Renesas I2C driver and following this change on RZ/G3E the following WARNING is seen on entering suspend ... [ 134.275704] Freezing remaining freezable tasks completed (elapsed 0.001 seconds) [ 134.285536] ------------[ cut here ]------------ [ 134.290298] i2c i2c-2: Transfer while suspended [ 134.295174] WARNING: drivers/i2c/i2c-core.h:56 at __i2c_smbus_xfer+0x1e4/0x214, CPU#0: systemd-sleep/388 [ 134.365507] Tainted: [W]=WARN [ 134.368485] Hardware name: Renesas SMARC EVK version 2 based on r9a09g047e57 (DT) [ 134.375961] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 134.382935] pc : __i2c_smbus_xfer+0x1e4/0x214 [ 134.387329] lr : __i2c_smbus_xfer+0x1e4/0x214 [ 134.391717] sp : ffff800083f23860 [ 134.395040] x29: ffff800083f23860 x28: 0000000000000000 x27: ffff800082ed5d60 [ 134.402226] x26: 0000001f4395fd74 x25: 0000000000000007 x24: 0000000000000001 [ 134.409408] x23: 0000000000000000 x22: 000000000000006f x21: ffff800083f23936 [ 134.416589] x20: ffff0000c090e140 x19: ffff0000c090e0d0 x18: 0000000000000006 [ 134.423771] x17: 6f63657320313030 x16: 2e30206465737061 x15: ffff800083f23280 [ 134.430953] x14: 0000000000000000 x13: ffff800082b16ce8 x12: 0000000000000f09 [ 134.438134] x11: 0000000000000503 x10: ffff800082b6ece8 x9 : ffff800082b16ce8 [ 134.445315] x8 : 00000000ffffefff x7 : ffff800082b6ece8 x6 : 80000000fffff000 [ 134.452495] x5 : 0000000000000504 x4 : 0000000000000000 x3 : 0000000000000000 [ 134.459672] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c9ee9e80 [ 134.466851] Call trace: [ 134.469311] __i2c_smbus_xfer+0x1e4/0x214 (P) [ 134.473715] i2c_smbus_xfer+0xbc/0x120 [ 134.477507] i2c_smbus_read_byte_data+0x4c/0x84 [ 134.482077] isl1208_i2c_read_time+0x44/0x178 [rtc_isl1208] [ 134.487703] isl1208_rtc_read_time+0x14/0x20 [rtc_isl1208] [ 134.493226] __rtc_read_time+0x44/0x88 [ 134.497012] rtc_read_time+0x3c/0x68 [ 134.500622] rtc_suspend+0x9c/0x170 The warning is triggered because I2C transfers can still be attempted while the controller is already suspended, due to inappropriate ordering of the system sleep callbacks. If the controller is autosuspended, there is no way to wake it up once runtime PM disabled (in suspend_late()). During system resume, the I2C controller will be available only after runtime PM is re-enabled (in resume_early()). However, this may be too late for some devices. Wake up the controller in the suspend() callback while runtime PM is still enabled. The I2C controller will remain available until the suspend_noirq() callback (pm_runtime_force_suspend()) is called. During resume, the I2C controller can be restored by the resume_noirq() callback (pm_runtime_force_resume()). Finally, the resume() callback re-enables autosuspend. As a result, the I2C controller can remain available until the system enters suspend_noirq() and from resume_noirq(). 2026-02-04 not yet calculated CVE-2026-23055 https://git.kernel.org/stable/c/469f8fe4c87e43520f279e45b927c35d6fe99194
https://git.kernel.org/stable/c/0b4c0fbbe00b7de76bdaea7fa771017d7a979b0d
https://git.kernel.org/stable/c/e383f0961422f983451ac4dd6aed1a3d3311f2be
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: uacce: implement mremap in uacce_vm_ops to return -EPERM The current uacce_vm_ops does not support the mremap operation of vm_operations_struct. Implement .mremap to return -EPERM to remind users. The reason we need to explicitly disable mremap is that when the driver does not implement .mremap, it uses the default mremap method. This could lead to a risk scenario: An application might first mmap address p1, then mremap to p2, followed by munmap(p1), and finally munmap(p2). Since the default mremap copies the original vma's vm_private_data (i.e., q) to the new vma, both munmap operations would trigger vma_close, causing q->qfr to be freed twice(qfr will be set to null here, so repeated release is ok). 2026-02-04 not yet calculated CVE-2026-23056 https://git.kernel.org/stable/c/78d99f062d42e3af2ca46bde1a8e46e0dfd372e3
https://git.kernel.org/stable/c/ebfa85658a39b49ec3901ceea7535b73aa0429e6
https://git.kernel.org/stable/c/75b29bdc935ff93b8e8bf6f6b4d8a4810b26e06f
https://git.kernel.org/stable/c/4c042bc71474dbe417c268f4bfb8ec196f802f07
https://git.kernel.org/stable/c/a407ddd61b3e6afc5ccfcd1478797171cf5686ee
https://git.kernel.org/stable/c/ba29b59d124e725e0377f09b2044909c91d657a1
https://git.kernel.org/stable/c/02695347be532b628f22488300d40c4eba48b9b7
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Coalesce only linear skb vsock/virtio common tries to coalesce buffers in rx queue: if a linear skb (with a spare tail room) is followed by a small skb (length limited by GOOD_COPY_LEN = 128), an attempt is made to join them. Since the introduction of MSG_ZEROCOPY support, assumption that a small skb will always be linear is incorrect. In the zerocopy case, data is lost and the linear skb is appended with uninitialized kernel memory. Of all 3 supported virtio-based transports, only loopback-transport is affected. G2H virtio-transport rx queue operates on explicitly linear skbs; see virtio_vsock_alloc_linear_skb() in virtio_vsock_rx_fill(). H2G vhost-transport may allocate non-linear skbs, but only for sizes that are not considered for coalescence; see PAGE_ALLOC_COSTLY_ORDER in virtio_vsock_alloc_skb(). Ensure only linear skbs are coalesced. Note that skb_tailroom(last_skb) > 0 guarantees last_skb is linear. 2026-02-04 not yet calculated CVE-2026-23057 https://git.kernel.org/stable/c/568e9cd8ed7ca9bf748c7687ba6501f29d30e59f
https://git.kernel.org/stable/c/63ef9b300bd09e24c57050c5dbe68feedce42e72
https://git.kernel.org/stable/c/0386bd321d0f95d041a7b3d7b07643411b044a96
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In ems_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback ems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In ems_usb_close() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in ems_usb_close(). Fix the memory leak by anchoring the URB in the ems_usb_read_bulk_callback() to the dev->rx_submitted anchor. 2026-02-04 not yet calculated CVE-2026-23058 https://git.kernel.org/stable/c/e2c71030dc464d437110bcfb367c493fd402bddb
https://git.kernel.org/stable/c/f48eabd15194b216030b32445f44230df95f5fe0
https://git.kernel.org/stable/c/61e6d3674c3d1da1475dc207b3e75c55d678d18e
https://git.kernel.org/stable/c/e9410fdd4d5f7eaa6526d8c80e83029d7c86a8e8
https://git.kernel.org/stable/c/46a191ff7eeec33a2ccb2a1bfea34e18fbc5dc1a
https://git.kernel.org/stable/c/68c62b3e53901846b5f68c5a8bade72a5d9c0b87
https://git.kernel.org/stable/c/0ce73a0eb5a27070957b67fd74059b6da89cc516
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Sanitize payload size to prevent member overflow In qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt(), the frame_size reported by firmware is used to calculate the copy length into item->iocb. However, the iocb member is defined as a fixed-size 64-byte array within struct purex_item. If the reported frame_size exceeds 64 bytes, subsequent memcpy calls will overflow the iocb member boundary. While extra memory might be allocated, this cross-member write is unsafe and triggers warnings under CONFIG_FORTIFY_SOURCE. Fix this by capping total_bytes to the size of the iocb member (64 bytes) before allocation and copying. This ensures all copies remain within the bounds of the destination structure member. 2026-02-04 not yet calculated CVE-2026-23059 https://git.kernel.org/stable/c/408bfa8d70f79ac696cec1bdbdfb3bf43a02e6d0
https://git.kernel.org/stable/c/1922468a4a80424e5a69f7ba50adcee37f4722e9
https://git.kernel.org/stable/c/aa14451fa5d5f2de919384c637e2a8c604e1a1fe
https://git.kernel.org/stable/c/19bc5f2a6962dfaa0e32d0e0bc2271993d85d414
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than the minimum expected length, crypto_authenc_esn_decrypt() can advance past the end of the destination scatterlist and trigger a NULL pointer dereference in scatterwalk_map_and_copy(), leading to a kernel panic (DoS). Add a minimum AAD length check to fail fast on invalid inputs. 2026-02-04 not yet calculated CVE-2026-23060 https://git.kernel.org/stable/c/df22c9a65e9a9daa368a72fed596af9d7d5876bb
https://git.kernel.org/stable/c/fee86edf5803f1d1f19e3b4f2dacac241bddfa48
https://git.kernel.org/stable/c/767e8349f7e929b7dd95c08f0b4cb353459b365e
https://git.kernel.org/stable/c/b0a9609283a5c852addb513dafa655c61eebc1ef
https://git.kernel.org/stable/c/161bdc90fce25bd9890adc67fa1c8563a7acbf40
https://git.kernel.org/stable/c/9532ff0d0e90ff78a214299f594ab9bac81defe4
https://git.kernel.org/stable/c/2397e9264676be7794f8f7f1e9763d90bd3c7335
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback kvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In kvaser_usb_remove_interfaces() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the kvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor. 2026-02-04 not yet calculated CVE-2026-23061 https://git.kernel.org/stable/c/d9d824582f2ec76459ffab449e9b05c7bc49645c
https://git.kernel.org/stable/c/40a3334ffda479c63e416e61ff086485e24401f7
https://git.kernel.org/stable/c/c1b39fa24c140bc616f51fef4175c1743e2bb132
https://git.kernel.org/stable/c/7c308f7530bffafa994e0aa8dc651a312f4b9ff4
https://git.kernel.org/stable/c/94a7fc42e21c7d9d1c49778cd1db52de5df52a01
https://git.kernel.org/stable/c/3b1a593eab941c3f32417896cc7df564191f2482
https://git.kernel.org/stable/c/248e8e1a125fa875158df521b30f2cc7e27eeeaa
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix kernel panic in GET_INSTANCE_ID macro The GET_INSTANCE_ID macro that caused a kernel panic when accessing sysfs attributes: 1. Off-by-one error: The loop condition used '<=' instead of '<', causing access beyond array bounds. Since array indices are 0-based and go from 0 to instances_count-1, the loop should use '<'. 2. Missing NULL check: The code dereferenced attr_name_kobj->name without checking if attr_name_kobj was NULL, causing a null pointer dereference in min_length_show() and other attribute show functions. The panic occurred when fwupd tried to read BIOS configuration attributes: Oops: general protection fault [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:min_length_show+0xcf/0x1d0 [hp_bioscfg] Add a NULL check for attr_name_kobj before dereferencing and corrects the loop boundary to match the pattern used elsewhere in the driver. 2026-02-04 not yet calculated CVE-2026-23062 https://git.kernel.org/stable/c/eb5ff1025c92117d5d1cc728bcfa294abe484da1
https://git.kernel.org/stable/c/eba49c1dee9c5e514ca18e52c545bba524e8a045
https://git.kernel.org/stable/c/193922a23d7294085a47d7719fdb7d66ad0a236f
https://git.kernel.org/stable/c/25150715e0b049b99df664daf05dab12f41c3e13
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: uacce: ensure safe queue release with state management Directly calling `put_queue` carries risks since it cannot guarantee that resources of `uacce_queue` have been fully released beforehand. So adding a `stop_queue` operation for the UACCE_CMD_PUT_Q command and leaving the `put_queue` operation to the final resource release ensures safety. Queue states are defined as follows: - UACCE_Q_ZOMBIE: Initial state - UACCE_Q_INIT: After opening `uacce` - UACCE_Q_STARTED: After `start` is issued via `ioctl` When executing `poweroff -f` in virt while accelerator are still working, `uacce_fops_release` and `uacce_remove` may execute concurrently. This can cause `uacce_put_queue` within `uacce_fops_release` to access a NULL `ops` pointer. Therefore, add state checks to prevent accessing freed pointers. 2026-02-04 not yet calculated CVE-2026-23063 https://git.kernel.org/stable/c/b457abeb5d962db88aaf60e249402fd3073dbfab
https://git.kernel.org/stable/c/8b57bf1d3b1db692f34bce694a03e41be79f6016
https://git.kernel.org/stable/c/336fb41a186e7c0415ae94fec9e23d1f04b87483
https://git.kernel.org/stable/c/43f233eb6e7b9d88536881a9bc43726d0e34800d
https://git.kernel.org/stable/c/47634d70073890c9c37e39ab4ff93d4b585b028a
https://git.kernel.org/stable/c/92e4f11e29b98ef424ff72d6371acac03e5d973c
https://git.kernel.org/stable/c/26c08dabe5475d99a13f353d8dd70e518de45663
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ife: avoid possible NULL deref tcf_ife_encode() must make sure ife_encode() does not return NULL. syzbot reported: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:ife_tlv_meta_encode+0x41/0xa0 net/ife/ife.c:166 CPU: 3 UID: 0 PID: 8990 Comm: syz.0.696 Not tainted syzkaller #0 PREEMPT(full) Call Trace: <TASK> ife_encode_meta_u32+0x153/0x180 net/sched/act_ife.c:101 tcf_ife_encode net/sched/act_ife.c:841 [inline] tcf_ife_act+0x1022/0x1de0 net/sched/act_ife.c:877 tc_act include/net/tc_wrapper.h:130 [inline] tcf_action_exec+0x1c0/0xa20 net/sched/act_api.c:1152 tcf_exts_exec include/net/pkt_cls.h:349 [inline] mall_classify+0x1a0/0x2a0 net/sched/cls_matchall.c:42 tc_classify include/net/tc_wrapper.h:197 [inline] __tcf_classify net/sched/cls_api.c:1764 [inline] tcf_classify+0x7f2/0x1380 net/sched/cls_api.c:1860 multiq_classify net/sched/sch_multiq.c:39 [inline] multiq_enqueue+0xe0/0x510 net/sched/sch_multiq.c:66 dev_qdisc_enqueue+0x45/0x250 net/core/dev.c:4147 __dev_xmit_skb net/core/dev.c:4262 [inline] __dev_queue_xmit+0x2998/0x46c0 net/core/dev.c:4798 2026-02-04 not yet calculated CVE-2026-23064 https://git.kernel.org/stable/c/4ef2c77851676b7ed106f0c47755bee9eeec9a40
https://git.kernel.org/stable/c/dd9442aedbeae87c44cc64c0ee41abd296dc008b
https://git.kernel.org/stable/c/1440d749fe49c8665da6f744323b1671d25a56a0
https://git.kernel.org/stable/c/03710cebfc0bcfe247a9e04381e79ea33896e278
https://git.kernel.org/stable/c/374915dfc932adf57712df3be010667fd1190e3c
https://git.kernel.org/stable/c/6c75fed55080014545f262b7055081cec4768b20
https://git.kernel.org/stable/c/27880b0b0d35ad1c98863d09788254e36f874968
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: platform/x86/amd: Fix memory leak in wbrf_record() The tmp buffer is allocated using kcalloc() but is not freed if acpi_evaluate_dsm() fails. This causes a memory leak in the error path. Fix this by explicitly freeing the tmp buffer in the error handling path of acpi_evaluate_dsm(). 2026-02-04 not yet calculated CVE-2026-23065 https://git.kernel.org/stable/c/1152dffe01af86e42ce2b208b92ef7f8c275d130
https://git.kernel.org/stable/c/1a0072bd1f1e559eda3e91a24dbc51c9eb025c54
https://git.kernel.org/stable/c/2bf1877b7094c684e1d652cac6912cfbc507ad3e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix recvmsg() unconditional requeue If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call at the front of the recvmsg queue already has its mutex locked, it requeues the call - whether or not the call is already queued. The call may be on the queue because MSG_PEEK was also passed and so the call was not dequeued or because the I/O thread requeued it. The unconditional requeue may then corrupt the recvmsg queue, leading to things like UAFs or refcount underruns. Fix this by only requeuing the call if it isn't already on the queue - and moving it to the front if it is already queued. If we don't queue it, we have to put the ref we obtained by dequeuing it. Also, MSG_PEEK doesn't dequeue the call so shouldn't call rxrpc_notify_socket() for the call if we didn't use up all the data on the queue, so fix that also. 2026-02-04 not yet calculated CVE-2026-23066 https://git.kernel.org/stable/c/930114425065f7ace6e0c0630fab4af75e059ea8
https://git.kernel.org/stable/c/2c28769a51deb6022d7fbd499987e237a01dd63a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: iommu/io-pgtable-arm: fix size_t signedness bug in unmap path __arm_lpae_unmap() returns size_t but was returning -ENOENT (negative error code) when encountering an unmapped PTE. Since size_t is unsigned, -ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFE on 64-bit systems). This corrupted value propagates through the call chain: __arm_lpae_unmap() returns -ENOENT as size_t -> arm_lpae_unmap_pages() returns it -> __iommu_unmap() adds it to iova address -> iommu_pgsize() triggers BUG_ON due to corrupted iova This can cause IOVA address overflow in __iommu_unmap() loop and trigger BUG_ON in iommu_pgsize() from invalid address alignment. Fix by returning 0 instead of -ENOENT. The WARN_ON already signals the error condition, and returning 0 (meaning "nothing unmapped") is the correct semantic for size_t return type. This matches the behavior of other io-pgtable implementations (io-pgtable-arm-v7s, io-pgtable-dart) which return 0 on error conditions. 2026-02-04 not yet calculated CVE-2026-23067 https://git.kernel.org/stable/c/41ec6988547819756fb65e94fc24f3e0dddf84ac
https://git.kernel.org/stable/c/374e7af67d9d9d6103c2cfc8eb32abfecf3a2fd8
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: spi: spi-sprd-adi: Fix double free in probe error path The driver currently uses spi_alloc_host() to allocate the controller but registers it using devm_spi_register_controller(). If devm_register_restart_handler() fails, the code jumps to the put_ctlr label and calls spi_controller_put(). However, since the controller was registered via a devm function, the device core will automatically call spi_controller_put() again when the probe fails. This results in a double-free of the spi_controller structure. Fix this by switching to devm_spi_alloc_host() and removing the manual spi_controller_put() call. 2026-02-04 not yet calculated CVE-2026-23068 https://git.kernel.org/stable/c/bddd3d10d039729b81cfb0804520c8832a701a0e
https://git.kernel.org/stable/c/417cdfd9b9f986e95bfcb1d68eb443e6e0a15f8c
https://git.kernel.org/stable/c/346775f2b4cf839177e8e86b94aa180a06dc15b0
https://git.kernel.org/stable/c/f6d6b3f172df118db582fe5ec43ae223a55d99cf
https://git.kernel.org/stable/c/383d4f5cffcc8df930d95b06518a9d25a6d74aac
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix potential underflow in virtio_transport_get_credit() The credit calculation in virtio_transport_get_credit() uses unsigned arithmetic: ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); If the peer shrinks its advertised buffer (peer_buf_alloc) while bytes are in flight, the subtraction can underflow and produce a large positive value, potentially allowing more data to be queued than the peer can handle. Reuse virtio_transport_has_space() which already handles this case and add a comment to make it clear why we are doing that. [Stefano: use virtio_transport_has_space() instead of duplicating the code] [Stefano: tweak the commit message] 2026-02-04 not yet calculated CVE-2026-23069 https://git.kernel.org/stable/c/d96de882d6b99955604669d962ae14e94b66a551
https://git.kernel.org/stable/c/02f9af192b98d15883c70dd41ac76d1b0217c899
https://git.kernel.org/stable/c/d05bc313788f0684b27f0f5b60c52a844669b542
https://git.kernel.org/stable/c/ec0f1b3da8061be3173d1c39faaf9504f91942c3
https://git.kernel.org/stable/c/3ef3d52a1a9860d094395c7a3e593f3aa26ff012
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: Octeontx2-af: Add proper checks for fwdata firmware populates MAC address, link modes (supported, advertised) and EEPROM data in shared firmware structure which kernel access via MAC block(CGX/RPM). Accessing fwdata, on boards booted with out MAC block leading to kernel panics. Internal error: Oops: 0000000096000005 [#1] SMP [ 10.460721] Modules linked in: [ 10.463779] CPU: 0 UID: 0 PID: 174 Comm: kworker/0:3 Not tainted 6.19.0-rc5-00154-g76ec646abdf7-dirty #3 PREEMPT [ 10.474045] Hardware name: Marvell OcteonTX CN98XX board (DT) [ 10.479793] Workqueue: events work_for_cpu_fn [ 10.484159] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 10.491124] pc : rvu_sdp_init+0x18/0x114 [ 10.495051] lr : rvu_probe+0xe58/0x1d18 2026-02-04 not yet calculated CVE-2026-23070 https://git.kernel.org/stable/c/e343973fab43c266a40e4e0dabdc4216db6d5eff
https://git.kernel.org/stable/c/4a3dba48188208e4f66822800e042686784d29d1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: regmap: Fix race condition in hwspinlock irqsave routine Previously, the address of the shared member '&map->spinlock_flags' was passed directly to 'hwspin_lock_timeout_irqsave'. This creates a race condition where multiple contexts contending for the lock could overwrite the shared flags variable, potentially corrupting the state for the current lock owner. Fix this by using a local stack variable 'flags' to store the IRQ state temporarily. 2026-02-04 not yet calculated CVE-2026-23071 https://git.kernel.org/stable/c/e1a7072bc4f958c9e852dc7e57e39f12b0bb44b5
https://git.kernel.org/stable/c/766e243ae8c8b27087a4cc605752c0d5ee2daeab
https://git.kernel.org/stable/c/f1e2fe26a51eca95b41420af76d22c2e613efd5e
https://git.kernel.org/stable/c/24f31be6ad70537fd7706269d99c92cade465a09
https://git.kernel.org/stable/c/4aab0ca0a0f7760e33edcb4e47576064d05128f5
https://git.kernel.org/stable/c/c2d2cf710dc3ee1a69e00b4ed8de607a92a07889
https://git.kernel.org/stable/c/4b58aac989c1e3fafb1c68a733811859df388250
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: l2tp: Fix memleak in l2tp_udp_encap_recv(). syzbot reported memleak of struct l2tp_session, l2tp_tunnel, sock, etc. [0] The cited commit moved down the validation of the protocol version in l2tp_udp_encap_recv(). The new place requires an extra error handling to avoid the memleak. Let's call l2tp_session_put() there. [0]: BUG: memory leak unreferenced object 0xffff88810a290200 (size 512): comm "syz.0.17", pid 6086, jiffies 4294944299 hex dump (first 32 bytes): 7d eb 04 0c 00 00 00 00 01 00 00 00 00 00 00 00 }............... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc babb6a4f): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4958 [inline] slab_alloc_node mm/slub.c:5263 [inline] __do_kmalloc_node mm/slub.c:5656 [inline] __kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669 kmalloc_noprof include/linux/slab.h:961 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] l2tp_session_create+0x3a/0x3b0 net/l2tp/l2tp_core.c:1778 pppol2tp_connect+0x48b/0x920 net/l2tp/l2tp_ppp.c:755 __sys_connect_file+0x7a/0xb0 net/socket.c:2089 __sys_connect+0xde/0x110 net/socket.c:2108 __do_sys_connect net/socket.c:2114 [inline] __se_sys_connect net/socket.c:2111 [inline] __x64_sys_connect+0x1c/0x30 net/socket.c:2111 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f 2026-02-04 not yet calculated CVE-2026-23072 https://git.kernel.org/stable/c/5cd158a88eef34e7b100cd9b963873d3b4e41b35
https://git.kernel.org/stable/c/d4ce79e6dce2a4a49eebceea7b4caf5dc0f0ef3d
https://git.kernel.org/stable/c/4d10edfd1475b69dbd4c47f34b61a3772ece83ca
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Fix memory corruption due to not set vif driver data size The struct ieee80211_vif contains trailing space for vif driver data, when struct ieee80211_vif is allocated, the total memory size that is allocated is sizeof(struct ieee80211_vif) + size of vif driver data. The size of vif driver data is set by each WiFi driver as needed. The RSI911x driver does not set vif driver data size, no trailing space for vif driver data is therefore allocated past struct ieee80211_vif . The RSI911x driver does however use the vif driver data to store its vif driver data structure "struct vif_priv". An access to vif->drv_priv leads to access out of struct ieee80211_vif bounds and corruption of some memory. In case of the failure observed locally, rsi_mac80211_add_interface() would write struct vif_priv *vif_info = (struct vif_priv *)vif->drv_priv; vif_info->vap_id = vap_idx. This write corrupts struct fq_tin member struct list_head new_flows . The flow = list_first_entry(head, struct fq_flow, flowchain); in fq_tin_reset() then reports non-NULL bogus address, which when accessed causes a crash. The trigger is very simple, boot the machine with init=/bin/sh , mount devtmpfs, sysfs, procfs, and then do "ip link set wlan0 up", "sleep 1", "ip link set wlan0 down" and the crash occurs. Fix this by setting the correct size of vif driver data, which is the size of "struct vif_priv", so that memory is allocated and the driver can store its driver data in it, instead of corrupting memory around it. 2026-02-04 not yet calculated CVE-2026-23073 https://git.kernel.org/stable/c/49ef094fdbc3526e5db2aebb404b84f79c5603dc
https://git.kernel.org/stable/c/0d7c9e793e351cbbe9e06a9ca47d77b6ad288fb0
https://git.kernel.org/stable/c/7c54d0c3e2cad4300be721ec2aecfcf8a63bc9f4
https://git.kernel.org/stable/c/7761d7801f40e61069b4df3db88b36d80d089f8a
https://git.kernel.org/stable/c/99129d80a5d4989ef8566f434f3589f60f28042b
https://git.kernel.org/stable/c/31efbcff90884ea5f65bf3d1de01267db51ee3d1
https://git.kernel.org/stable/c/4f431d88ea8093afc7ba55edf4652978c5a68f33
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/sched: Enforce that teql can only be used as root qdisc Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint. Although not important, I will describe the scenario that unearthed this issue for the curious. GangMin Kim <km.kim1503@gmail.com> managed to concot a scenario as follows: ROOT qdisc 1:0 (QFQ) ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s └── class 1:2 (weight=1, lmax=1514) teql GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed causing GangMin's causing a UAF. 2026-02-04 not yet calculated CVE-2026-23074 https://git.kernel.org/stable/c/73d970ff0eddd874a84c953387c7f4464b705fc6
https://git.kernel.org/stable/c/ae810e6a8ac4fe25042e6825d2a401207a2e41fb
https://git.kernel.org/stable/c/dad49a67c2d817bfec98e6e45121b351e3a0202c
https://git.kernel.org/stable/c/0686bedfed34155520f3f735cbf3210cb9044380
https://git.kernel.org/stable/c/4c7e8aa71c9232cba84c289b4b56cba80b280841
https://git.kernel.org/stable/c/16ed73c1282d376b956bff23e5139add061767ba
https://git.kernel.org/stable/c/50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In esd_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback esd_usb_read_bulk_callback(), the URBs are processed and resubmitted. In esd_usb_close() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in esd_usb_close(). Fix the memory leak by anchoring the URB in the esd_usb_read_bulk_callback() to the dev->rx_submitted anchor. 2026-02-04 not yet calculated CVE-2026-23075 https://git.kernel.org/stable/c/93b34d4ba7266030801a509c088ac77c0d7a12e9
https://git.kernel.org/stable/c/dc934d96673992af8568664c1b58e13eb164010d
https://git.kernel.org/stable/c/92d26ce07ac3b7a850dc68c8d73d487b39c39b33
https://git.kernel.org/stable/c/adec5e1f9c99fe079ec4c92cca3f1109a3e257c3
https://git.kernel.org/stable/c/9d1807b442fc3286b204f8e59981b10e743533ce
https://git.kernel.org/stable/c/a9503ae43256e80db5cba9d449b238607164c51d
https://git.kernel.org/stable/c/5a4391bdc6c8357242f62f22069c865b792406b3
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: ctxfi: Fix potential OOB access in audio mixer handling In the audio mixer handling code of ctxfi driver, the conf field is used as a kind of loop index, and it's referred in the index callbacks (amixer_index() and sum_index()). As spotted recently by fuzzers, the current code causes OOB access at those functions. | UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/sound/pci/ctxfi/ctamixer.c:347:48 | index 8 is out of range for type 'unsigned char [8]' After the analysis, the cause was found to be the lack of the proper (re-)initialization of conj field. This patch addresses those OOB accesses by adding the proper initializations of the loop indices. 2026-02-04 not yet calculated CVE-2026-23076 https://git.kernel.org/stable/c/6524205326e0c1a21263b5c14e48e14ef7e449ae
https://git.kernel.org/stable/c/afca7ff5d5d4d63a1acb95461f55ca9a729feedf
https://git.kernel.org/stable/c/8c1d09806e1441bc6a54b9a4f2818918046d5174
https://git.kernel.org/stable/c/a8c42d11b0526a89192bd2f79facb4c60c8a1f38
https://git.kernel.org/stable/c/d77ba72558cd66704f0fb7e0969f697e87c0f71c
https://git.kernel.org/stable/c/873e2360d247eeee642878fcc3398babff7e387c
https://git.kernel.org/stable/c/61006c540cbdedea83b05577dc7fb7fa18fe1276
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mm/vma: fix anon_vma UAF on mremap() faulted, unfaulted merge Patch series "mm/vma: fix anon_vma UAF on mremap() faulted, unfaulted merge", v2. Commit 879bca0a2c4f ("mm/vma: fix incorrectly disallowed anonymous VMA merges") introduced the ability to merge previously unavailable VMA merge scenarios. However, it is handling merges incorrectly when it comes to mremap() of a faulted VMA adjacent to an unfaulted VMA. The issues arise in three cases: 1. Previous VMA unfaulted: copied -----| v |-----------|.............| | unfaulted |(faulted VMA)| |-----------|.............| prev 2. Next VMA unfaulted: copied -----| v |.............|-----------| |(faulted VMA)| unfaulted | |.............|-----------| next 3. Both adjacent VMAs unfaulted: copied -----| v |-----------|.............|-----------| | unfaulted |(faulted VMA)| unfaulted | |-----------|.............|-----------| prev next This series fixes each of these cases, and introduces self tests to assert that the issues are corrected. I also test a further case which was already handled, to assert that my changes continues to correctly handle it: 4. prev unfaulted, next faulted: copied -----| v |-----------|.............|-----------| | unfaulted |(faulted VMA)| faulted | |-----------|.............|-----------| prev next This bug was discovered via a syzbot report, linked to in the first patch in the series, I confirmed that this series fixes the bug. I also discovered that we are failing to check that the faulted VMA was not forked when merging a copied VMA in cases 1-3 above, an issue this series also addresses. I also added self tests to assert that this is resolved (and confirmed that the tests failed prior to this). I also cleaned up vma_expand() as part of this work, renamed vma_had_uncowed_parents() to vma_is_fork_child() as the previous name was unduly confusing, and simplified the comments around this function. This patch (of 4): Commit 879bca0a2c4f ("mm/vma: fix incorrectly disallowed anonymous VMA merges") introduced the ability to merge previously unavailable VMA merge scenarios. The key piece of logic introduced was the ability to merge a faulted VMA immediately next to an unfaulted VMA, which relies upon dup_anon_vma() to correctly handle anon_vma state. In the case of the merge of an existing VMA (that is changing properties of a VMA and then merging if those properties are shared by adjacent VMAs), dup_anon_vma() is invoked correctly. However in the case of the merge of a new VMA, a corner case peculiar to mremap() was missed. The issue is that vma_expand() only performs dup_anon_vma() if the target (the VMA that will ultimately become the merged VMA): is not the next VMA, i.e. the one that appears after the range in which the new VMA is to be established. A key insight here is that in all other cases other than mremap(), a new VMA merge either expands an existing VMA, meaning that the target VMA will be that VMA, or would have anon_vma be NULL. Specifically: * __mmap_region() - no anon_vma in place, initial mapping. * do_brk_flags() - expanding an existing VMA. * vma_merge_extend() - expanding an existing VMA. * relocate_vma_down() - no anon_vma in place, initial mapping. In addition, we are in the unique situation of needing to duplicate anon_vma state from a VMA that is neither the previous or next VMA being merged with. dup_anon_vma() deals exclusively with the target=unfaulted, src=faulted case. This leaves four possibilities, in each case where the copied VMA is faulted: 1. Previous VMA unfaulted: copied -----| ---truncated--- 2026-02-04 not yet calculated CVE-2026-23077 https://git.kernel.org/stable/c/a4d9dbfc1bab16e25fefd34b5e537a46bed8fc96
https://git.kernel.org/stable/c/61f67c230a5e7c741c352349ea80147fbe65bfae
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: scarlett2: Fix buffer overflow in config retrieval The scarlett2_usb_get_config() function has a logic error in the endianness conversion code that can cause buffer overflows when count > 1. The code checks `if (size == 2)` where `size` is the total buffer size in bytes, then loops `count` times treating each element as u16 (2 bytes). This causes the loop to access `count * 2` bytes when the buffer only has `size` bytes allocated. Fix by checking the element size (config_item->size) instead of the total buffer size. This ensures the endianness conversion matches the actual element type. 2026-02-04 not yet calculated CVE-2026-23078 https://git.kernel.org/stable/c/d5e80d1f97ae55bcea1426f551e4419245b41b9c
https://git.kernel.org/stable/c/51049f6e3f05d70660e2458ad3bb302a3721b751
https://git.kernel.org/stable/c/91a756d22f0482eac5bedb113c8922f90b254449
https://git.kernel.org/stable/c/27049f50be9f5ae3a62d272128ce0b381cb26a24
https://git.kernel.org/stable/c/31a3eba5c265a763260976674a22851e83128f6d
https://git.kernel.org/stable/c/6f5c69f72e50d51be3a8c028ae7eda42c82902cb
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: gpio: cdev: Fix resource leaks on errors in lineinfo_changed_notify() On error handling paths, lineinfo_changed_notify() doesn't free the allocated resources which results leaks. Fix it. 2026-02-04 not yet calculated CVE-2026-23079 https://git.kernel.org/stable/c/16414341b0dd58b650b5df45c79115bc5977bb76
https://git.kernel.org/stable/c/70b3c280533167749a8f740acaa8ef720f78f984
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are allocated, added to the priv->rx_submitted anchor and submitted. In the complete callback mcba_usb_read_bulk_callback(), the URBs are processed and resubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by calling usb_kill_anchored_urbs(&priv->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the mcba_usb_read_bulk_callback()to the priv->rx_submitted anchor. 2026-02-04 not yet calculated CVE-2026-23080 https://git.kernel.org/stable/c/8b34c611a4feb81921bc4728c091e4e3ba0270c0
https://git.kernel.org/stable/c/b5a1ccdc63b71d93a69a6b72f7a3f3934293ea60
https://git.kernel.org/stable/c/59153b6388e05609144ad56a9b354e9100a91983
https://git.kernel.org/stable/c/179f6f0cf5ae489743273b7c1644324c0c477ea9
https://git.kernel.org/stable/c/94c9f6f7b953f6382fef4bdc48c046b861b8868f
https://git.kernel.org/stable/c/d374d715e338dfc3804aaa006fa6e470ffebb264
https://git.kernel.org/stable/c/710a7529fb13c5a470258ff5508ed3c498d54729
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: phy: intel-xway: fix OF node refcount leakage Automated review spotted am OF node reference count leakage when checking if the 'leds' child node exists. Call of_put_node() to correctly maintain the refcount. 2026-02-04 not yet calculated CVE-2026-23081 https://git.kernel.org/stable/c/1f24dfd556401b75f78e8d9cbd94dd9f31411c3a
https://git.kernel.org/stable/c/79912b256e14054e6ba177d7e7e631485ce23dbe
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error In commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"), the URB was re-anchored before usb_submit_urb() in gs_usb_receive_bulk_callback() to prevent a leak of this URB during cleanup. However, this patch did not take into account that usb_submit_urb() could fail. The URB remains anchored and usb_kill_anchored_urbs(&parent->rx_submitted) in gs_can_close() loops infinitely since the anchor list never becomes empty. To fix the bug, unanchor the URB when an usb_submit_urb() error occurs, also print an info message. 2026-02-04 not yet calculated CVE-2026-23082 https://git.kernel.org/stable/c/aa8a8866c533a150be4763bcb27993603bd5426c
https://git.kernel.org/stable/c/ce4352057fc5a986c76ece90801b9755e7c6e56c
https://git.kernel.org/stable/c/c610b550ccc0438d456dfe1df9f4f36254ccaae3
https://git.kernel.org/stable/c/c3edc14da81a8d8398682f6e4ab819f09f37c0b7
https://git.kernel.org/stable/c/79a6d1bfe1148bc921b8d7f3371a7fbce44e30f7
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fou: Don't allow 0 for FOU_ATTR_IPPROTO. fou_udp_recv() has the same problem mentioned in the previous patch. If FOU_ATTR_IPPROTO is set to 0, skb is not freed by fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu(). Let's forbid 0 for FOU_ATTR_IPPROTO. 2026-02-04 not yet calculated CVE-2026-23083 https://git.kernel.org/stable/c/c7498f9bc390479ccfad7c7f2332237ff4945b03
https://git.kernel.org/stable/c/611ef4bd9c73d9e6d87bed57a635ff1fdd8c91ea
https://git.kernel.org/stable/c/6e983789b7588ee59cbf303583546c043bad8e19
https://git.kernel.org/stable/c/1cc98b8887cabb1808d2f4a37cd10a7be7574771
https://git.kernel.org/stable/c/b7db31a52c3862a1a32202a273a4c32e7f5f4823
https://git.kernel.org/stable/c/9b75dff8446ec871030d8daf5a69e74f5fe8b956
https://git.kernel.org/stable/c/7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list When the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is set to false, the driver may request the PMAC_ID from the firmware of the network card, and this function will store that PMAC_ID at the provided address pmac_id. This is the contract of this function. However, there is a location within the driver where both pmac_id_valid == false and pmac_id == NULL are being passed. This could result in dereferencing a NULL pointer. To resolve this issue, it is necessary to pass the address of a stub variable to the function. 2026-02-04 not yet calculated CVE-2026-23084 https://git.kernel.org/stable/c/4cba480c9b9a3861a515262225cb53a1f5978344
https://git.kernel.org/stable/c/92c6dc181a18e6e0ddb872ed35cb48a9274829e4
https://git.kernel.org/stable/c/6c3e00888dbec887125a08b51a705b9b163fcdd1
https://git.kernel.org/stable/c/e206fb415db36bad52bb90c08d46ce71ffbe8a80
https://git.kernel.org/stable/c/47ffb4dcffe336f4a7bd0f3284be7aadc6484698
https://git.kernel.org/stable/c/31410a01a86bcb98c798d01061abf1f789c4f75a
https://git.kernel.org/stable/c/8215794403d264739cc676668087512950b2ff31
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v3-its: Avoid truncating memory addresses On 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem allocations to be backed by addresses physical memory above the 32-bit address limit, as found while experimenting with larger VMSPLIT configurations. This caused the qemu virt model to crash in the GICv3 driver, which allocates the 'itt' object using GFP_KERNEL. Since all memory below the 4GB physical address limit is in ZONE_DMA in this configuration, kmalloc() defaults to higher addresses for ZONE_NORMAL, and the ITS driver stores the physical address in a 32-bit 'unsigned long' variable. Change the itt_addr variable to the correct phys_addr_t type instead, along with all other variables in this driver that hold a physical address. The gicv5 driver correctly uses u64 variables, while all other irqchip drivers don't call virt_to_phys or similar interfaces. It's expected that other device drivers have similar issues, but fixing this one is sufficient for booting a virtio based guest. 2026-02-04 not yet calculated CVE-2026-23085 https://git.kernel.org/stable/c/e332b3b69e5b3acf07204a4b185071bab15c2b88
https://git.kernel.org/stable/c/e2f9c751f73a2d5bb62d94ab030aec118a811f27
https://git.kernel.org/stable/c/85215d633983233809f7d4dad163b953331b8238
https://git.kernel.org/stable/c/1b323391560354d8c515de8658b057a1daa82adb
https://git.kernel.org/stable/c/084ba3b99f2dfd991ce7e84fb17117319ec3cd9f
https://git.kernel.org/stable/c/03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98
https://git.kernel.org/stable/c/8d76a7d89c12d08382b66e2f21f20d0627d14859
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: cap TX credit to local buffer size The virtio transports derives its TX credit directly from peer_buf_alloc, which is set from the remote endpoint's SO_VM_SOCKETS_BUFFER_SIZE value. On the host side this means that the amount of data we are willing to queue for a connection is scaled by a guest-chosen buffer size, rather than the host's own vsock configuration. A malicious guest can advertise a large buffer and read slowly, causing the host to allocate a correspondingly large amount of sk_buff memory. The same thing would happen in the guest with a malicious host, since virtio transports share the same code base. Introduce a small helper, virtio_transport_tx_buf_size(), that returns min(peer_buf_alloc, buf_alloc), and use it wherever we consume peer_buf_alloc. This ensures the effective TX window is bounded by both the peer's advertised buffer and our own buf_alloc (already clamped to buffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peer cannot force the other to queue more data than allowed by its own vsock settings. On an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with 32 guest vsock connections advertising 2 GiB each and reading slowly drove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only recovered after killing the QEMU process. That said, if QEMU memory is limited with cgroups, the maximum memory used will be limited. With this patch applied: Before: MemFree: ~61.6 GiB Slab: ~142 MiB SUnreclaim: ~117 MiB After 32 high-credit connections: MemFree: ~61.5 GiB Slab: ~178 MiB SUnreclaim: ~152 MiB Only ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest remains responsive. Compatibility with non-virtio transports: - VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per socket based on the local vsk->buffer_* values; the remote side cannot enlarge those queues beyond what the local endpoint configured. - Hyper-V's vsock transport uses fixed-size VMBus ring buffers and an MTU bound; there is no peer-controlled credit field comparable to peer_buf_alloc, and the remote endpoint cannot drive in-flight kernel memory above those ring sizes. - The loopback path reuses virtio_transport_common.c, so it naturally follows the same semantics as the virtio transport. This change is limited to virtio_transport_common.c and thus affects virtio-vsock, vhost-vsock, and loopback, bringing them in line with the "remote window intersected with local policy" behaviour that VMCI and Hyper-V already effectively have. [Stefano: small adjustments after changing the previous patch] [Stefano: tweak the commit message] 2026-02-04 not yet calculated CVE-2026-23086 https://git.kernel.org/stable/c/fef7110ae5617555c792a2bb4d27878d84583adf
https://git.kernel.org/stable/c/d9d5f222558b42f6277eafaaa6080966faf37676
https://git.kernel.org/stable/c/c0e42fb0e054c2b2ec4ee80f48ccd256ae0227ce
https://git.kernel.org/stable/c/84ef86aa7120449828d1e0ce438c499014839711
https://git.kernel.org/stable/c/8ee784fdf006cbe8739cfa093f54d326cbf54037
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: xen: scsiback: Fix potential memory leak in scsiback_remove() Memory allocated for struct vscsiblk_info in scsiback_probe() is not freed in scsiback_remove() leading to potential memory leaks on remove, as well as in the scsiback_probe() error paths. Fix that by freeing it in scsiback_remove(). 2026-02-04 not yet calculated CVE-2026-23087 https://git.kernel.org/stable/c/a8bb3ec8d85951a56af0a72d93ccbc2aee42eef9
https://git.kernel.org/stable/c/427b0fb30ddec3bad05dcd73b00718f98c7026d2
https://git.kernel.org/stable/c/4a975c72429b050c234405668b742cdecc11548e
https://git.kernel.org/stable/c/f86264ec0e2b102fcd49bf3e4f32fee669d482fc
https://git.kernel.org/stable/c/32e52b56056daf0f0881fd9254706acf25b4be97
https://git.kernel.org/stable/c/24c441f0e24da175d7912095663f526ac480dc4f
https://git.kernel.org/stable/c/901a5f309daba412e2a30364d7ec1492fa11c32c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: tracing: Fix crash on synthetic stacktrace field usage When creating a synthetic event based on an existing synthetic event that had a stacktrace field and the new synthetic event used that field a kernel crash occurred: ~# cd /sys/kernel/tracing ~# echo 's:stack unsigned long stack[];' > dynamic_events ~# echo 'hist:keys=prev_pid:s0=common_stacktrace if prev_state & 3' >> events/sched/sched_switch/trigger ~# echo 'hist:keys=next_pid:s1=$s0:onmatch(sched.sched_switch).trace(stack,$s1)' >> events/sched/sched_switch/trigger The above creates a synthetic event that takes a stacktrace when a task schedules out in a non-running state and passes that stacktrace to the sched_switch event when that task schedules back in. It triggers the "stack" synthetic event that has a stacktrace as its field (called "stack"). ~# echo 's:syscall_stack s64 id; unsigned long stack[];' >> dynamic_events ~# echo 'hist:keys=common_pid:s2=stack' >> events/synthetic/stack/trigger ~# echo 'hist:keys=common_pid:s3=$s2,i0=id:onmatch(synthetic.stack).trace(syscall_stack,$i0,$s3)' >> events/raw_syscalls/sys_exit/trigger The above makes another synthetic event called "syscall_stack" that attaches the first synthetic event (stack) to the sys_exit trace event and records the stacktrace from the stack event with the id of the system call that is exiting. When enabling this event (or using it in a historgram): ~# echo 1 > events/synthetic/syscall_stack/enable Produces a kernel crash! BUG: unable to handle page fault for address: 0000000000400010 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 6 UID: 0 PID: 1257 Comm: bash Not tainted 6.16.3+deb14-amd64 #1 PREEMPT(lazy) Debian 6.16.3-1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 RIP: 0010:trace_event_raw_event_synth+0x90/0x380 Code: c5 00 00 00 00 85 d2 0f 84 e1 00 00 00 31 db eb 34 0f 1f 00 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 <49> 8b 04 24 48 83 c3 01 8d 0c c5 08 00 00 00 01 cd 41 3b 5d 40 0f RSP: 0018:ffffd2670388f958 EFLAGS: 00010202 RAX: ffff8ba1065cc100 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000001 RSI: fffff266ffda7b90 RDI: ffffd2670388f9b0 RBP: 0000000000000010 R08: ffff8ba104e76000 R09: ffffd2670388fa50 R10: ffff8ba102dd42e0 R11: ffffffff9a908970 R12: 0000000000400010 R13: ffff8ba10a246400 R14: ffff8ba10a710220 R15: fffff266ffda7b90 FS: 00007fa3bc63f740(0000) GS:ffff8ba2e0f48000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000400010 CR3: 0000000107f9e003 CR4: 0000000000172ef0 Call Trace: <TASK> ? __tracing_map_insert+0x208/0x3a0 action_trace+0x67/0x70 event_hist_trigger+0x633/0x6d0 event_triggers_call+0x82/0x130 trace_event_buffer_commit+0x19d/0x250 trace_event_raw_event_sys_exit+0x62/0xb0 syscall_exit_work+0x9d/0x140 do_syscall_64+0x20a/0x2f0 ? trace_event_raw_event_sched_switch+0x12b/0x170 ? save_fpregs_to_fpstate+0x3e/0x90 ? _raw_spin_unlock+0xe/0x30 ? finish_task_switch.isra.0+0x97/0x2c0 ? __rseq_handle_notify_resume+0xad/0x4c0 ? __schedule+0x4b8/0xd00 ? restore_fpregs_from_fpstate+0x3c/0x90 ? switch_fpu_return+0x5b/0xe0 ? do_syscall_64+0x1ef/0x2f0 ? do_fault+0x2e9/0x540 ? __handle_mm_fault+0x7d1/0xf70 ? count_memcg_events+0x167/0x1d0 ? handle_mm_fault+0x1d7/0x2e0 ? do_user_addr_fault+0x2c3/0x7f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The reason is that the stacktrace field is not labeled as such, and is treated as a normal field and not as a dynamic event that it is. In trace_event_raw_event_synth() the event is field is still treated as a dynamic array, but the retrieval of the data is considered a normal field, and the reference is just the meta data: // Meta data is retrieved instead of a dynamic array ---truncated--- 2026-02-04 not yet calculated CVE-2026-23088 https://git.kernel.org/stable/c/98ecbfb2598c9c7ca755a29f402da9d36c057077
https://git.kernel.org/stable/c/327af07dff6ab5650b21491eb4f69694999ff3d1
https://git.kernel.org/stable/c/3b90d099efa2b67239bd3b3dc3521ec584261748
https://git.kernel.org/stable/c/90f9f5d64cae4e72defd96a2a22760173cb3c9ec
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees mixer->id_elems but the controls already added to the card still reference the freed memory. Later when snd_card_register() runs, the OSS mixer layer calls their callbacks and hits a use-after-free read. Call trace: get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411 get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241 mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381 snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887 ... snd_card_register+0x4ed/0x6d0 sound/core/init.c:923 usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025 Fix by calling snd_ctl_remove() for all mixer controls before freeing id_elems. We save the next pointer first because snd_ctl_remove() frees the current element. 2026-02-04 not yet calculated CVE-2026-23089 https://git.kernel.org/stable/c/51b1aa6fe7dc87356ba58df06afb9677c9b841ea
https://git.kernel.org/stable/c/56fb6efd5d04caf6f14994d51ec85393b9a896c6
https://git.kernel.org/stable/c/7009daeefa945973a530b2f605fe445fc03747af
https://git.kernel.org/stable/c/7bff0156d13f0ad9436e5178b979b063d59f572a
https://git.kernel.org/stable/c/e6f103a22b08daf5df2f4aa158081840e5910963
https://git.kernel.org/stable/c/dc1a5dd80af1ee1f29d8375b12dd7625f6294dad
https://git.kernel.org/stable/c/930e69757b74c3ae083b0c3c7419bfe7f0edc7b2
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: slimbus: core: fix device reference leak on report present Slimbus devices can be allocated dynamically upon reception of report-present messages. Make sure to drop the reference taken when looking up already registered devices. Note that this requires taking an extra reference in case the device has not yet been registered and has to be allocated. 2026-02-04 not yet calculated CVE-2026-23090 https://git.kernel.org/stable/c/b1217e40705b2f6d311c197b12866752656217ff
https://git.kernel.org/stable/c/948615429c9f2ac9d25d4e1f1a4472926b217a9a
https://git.kernel.org/stable/c/02b78bbfbafe49832e508079148cb87cdfa55825
https://git.kernel.org/stable/c/2ddc09f6a0a221b1d91a7cbc8cc2cefdbd334fe6
https://git.kernel.org/stable/c/54de72a7aabc0749938d7a2833a0c1a5d3ed7ac9
https://git.kernel.org/stable/c/6602bb4d1338e92b5838e50322b87697bdbd2ee0
https://git.kernel.org/stable/c/9391380eb91ea5ac792aae9273535c8da5b9aa01
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: intel_th: fix device leak on output open() Make sure to drop the reference taken when looking up the th device during output device open() on errors and on close(). Note that a recent commit fixed the leak in a couple of open() error paths but not all of them, and the reference is still leaking on successful open(). 2026-02-04 not yet calculated CVE-2026-23091 https://git.kernel.org/stable/c/af4b9467296b9a16ebc008147238070236982b6d
https://git.kernel.org/stable/c/64015cbf06e8bb75b81ae95b997e847b55280f7f
https://git.kernel.org/stable/c/b71e64ef7ff9443835d1333e3e80ab1e49e5209f
https://git.kernel.org/stable/c/bf7785434b5d05d940d936b78925080950bd54dd
https://git.kernel.org/stable/c/0fca16c5591534cc1fec8b6181277ee3a3d0f26c
https://git.kernel.org/stable/c/f9b059bda4276f2bb72cb98ec7875a747f042ea2
https://git.kernel.org/stable/c/95fc36a234da24bbc5f476f8104a5a15f99ed3e3
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source When simple_write_to_buffer() succeeds, it returns the number of bytes actually copied to the buffer. The code incorrectly uses 'count' as the index for null termination instead of the actual bytes copied. If count exceeds the buffer size, this leads to out-of-bounds write. Add a check for the count and use the return value as the index. The bug was validated using a demo module that mirrors the original code and was tested under QEMU. Pattern of the bug: - A fixed 64-byte stack buffer is filled using count. - If count > 64, the code still does buf[count] = '\0', causing an - out-of-bounds write on the stack. Steps for reproduce: - Opens the device node. - Writes 128 bytes of A to it. - This overflows the 64-byte stack buffer and KASAN reports the OOB. Found via static analysis. This is similar to the commit da9374819eb3 ("iio: backend: fix out-of-bound write") 2026-02-04 not yet calculated CVE-2026-23092 https://git.kernel.org/stable/c/db16e7c52032c79156930a337ee17232931794ba
https://git.kernel.org/stable/c/978d28136c53df38f8f0b747191930e2f95e9084
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ksmbd: smbd: fix dma_unmap_sg() nents The dma_unmap_sg() functions should be called with the same nents as the dma_map_sg(), not the value the map function returned. 2026-02-04 not yet calculated CVE-2026-23093 https://git.kernel.org/stable/c/f569f5b8bfd5133defdf9c7f8a72c63aa11f54ec
https://git.kernel.org/stable/c/6ececffd3e9fe93a87738625dc0671165d27bf96
https://git.kernel.org/stable/c/4d1e9a4a450aae47277763562122cc80ed703ab2
https://git.kernel.org/stable/c/70ba85e439221a5d6dda34a3004db6640f0525e6
https://git.kernel.org/stable/c/d1943bc9dc9508f5933788a76f8a35d10e43a646
https://git.kernel.org/stable/c/98e3e2b561bc88f4dd218d1c05890672874692f6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: uacce: fix isolate sysfs check condition uacce supports the device isolation feature. If the driver implements the isolate_err_threshold_read and isolate_err_threshold_write callback functions, uacce will create sysfs files now. Users can read and configure the isolation policy through sysfs. Currently, sysfs files are created as long as either isolate_err_threshold_read or isolate_err_threshold_write callback functions are present. However, accessing a non-existent callback function may cause the system to crash. Therefore, intercept the creation of sysfs if neither read nor write exists; create sysfs if either is supported, but intercept unsupported operations at the call site. 2026-02-04 not yet calculated CVE-2026-23094 https://git.kernel.org/stable/c/9ab05cdcac354b1b1139918f49c6418b9005d042
https://git.kernel.org/stable/c/fdbbb47d15ae17bf39fafec7e2028c1f8efba15e
https://git.kernel.org/stable/c/82821a681d5dcce31475a65190fc39ea8f372cc0
https://git.kernel.org/stable/c/98eec349259b1fd876f350b1c600403bcef8f85d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: gue: Fix skb memleak with inner IP protocol 0. syzbot reported skb memleak below. [0] The repro generated a GUE packet with its inner protocol 0. gue_udp_recv() returns -guehdr->proto_ctype for "resubmit" in ip_protocol_deliver_rcu(), but this only works with non-zero protocol number. Let's drop such packets. Note that 0 is a valid number (IPv6 Hop-by-Hop Option). I think it is not practical to encap HOPOPT in GUE, so once someone starts to complain, we could pass down a resubmit flag pointer to distinguish two zeros from the upper layer: * no error * resubmit HOPOPT [0] BUG: memory leak unreferenced object 0xffff888109695a00 (size 240): comm "syz.0.17", pid 6088, jiffies 4294943096 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. backtrace (crc a84b336f): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4958 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270 __build_skb+0x23/0x60 net/core/skbuff.c:474 build_skb+0x20/0x190 net/core/skbuff.c:490 __tun_build_skb drivers/net/tun.c:1541 [inline] tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636 tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770 tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x45d/0x710 fs/read_write.c:686 ksys_write+0xa7/0x170 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f 2026-02-04 not yet calculated CVE-2026-23095 https://git.kernel.org/stable/c/886f186328b718400dbf79e1bc8cbcbd710ab766
https://git.kernel.org/stable/c/380a82d36e37db49fd41ecc378c22fd29392e96a
https://git.kernel.org/stable/c/536f5bbc322eb1e175bdd1ced22b236a951c4d8f
https://git.kernel.org/stable/c/f87b9b7a618c82e7465e872eb10e14c803871892
https://git.kernel.org/stable/c/ce569b389a5c78d64788a5ea94560e17fa574b35
https://git.kernel.org/stable/c/5437a279804ced8088cabb945dba88a26d828f8c
https://git.kernel.org/stable/c/9a56796ad258786d3624eef5aefba394fc9bdded
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: uacce: fix cdev handling in the cleanup path When cdev_device_add fails, it internally releases the cdev memory, and if cdev_device_del is then executed, it will cause a hang error. To fix it, we check the return value of cdev_device_add() and clear uacce->cdev to avoid calling cdev_device_del in the uacce_remove. 2026-02-04 not yet calculated CVE-2026-23096 https://git.kernel.org/stable/c/c94c7188d325bc5137d447d67a2f18f7d4f2f4a3
https://git.kernel.org/stable/c/1bc3e51367c420e6db31f41efa874c7a8e12194a
https://git.kernel.org/stable/c/819d647406200d0e83e56fd2df8f451b11290559
https://git.kernel.org/stable/c/d9031575a2f8aabc53af3025dd79af313a2e046b
https://git.kernel.org/stable/c/98d67a1bd6caddd0a8b8c82a0b925742cf500936
https://git.kernel.org/stable/c/bd2393ed7712513e7e2dbcb6e21464a67ff9e702
https://git.kernel.org/stable/c/a3bece3678f6c88db1f44c602b2a63e84b4040ac
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: migrate: correct lock ordering for hugetlb file folios Syzbot has found a deadlock (analyzed by Lance Yang): 1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock). 2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire folio_lock. migrate_pages() -> migrate_hugetlbs() -> unmap_and_move_huge_page() <- Takes folio_lock! -> remove_migration_ptes() -> __rmap_walk_file() -> i_mmap_lock_read() <- Waits for i_mmap_rwsem(read lock)! hugetlbfs_fallocate() -> hugetlbfs_punch_hole() <- Takes i_mmap_rwsem(write lock)! -> hugetlbfs_zero_partial_page() -> filemap_lock_hugetlb_folio() -> filemap_lock_folio() -> __filemap_get_folio <- Waits for folio_lock! The migration path is the one taking locks in the wrong order according to the documentation at the top of mm/rmap.c. So expand the scope of the existing i_mmap_lock to cover the calls to remove_migration_ptes() too. This is (mostly) how it used to be after commit c0d0381ade79. That was removed by 336bf30eb765 for both file & anon hugetlb pages when it should only have been removed for anon hugetlb pages. 2026-02-04 not yet calculated CVE-2026-23097 https://git.kernel.org/stable/c/e7396d23f9d5739f56cf9ab430c3a169f5508394
https://git.kernel.org/stable/c/ad97b9a55246eb940a26ac977f80892a395cabf9
https://git.kernel.org/stable/c/5edb9854f8df5428b40990a1c7d60507da5bd330
https://git.kernel.org/stable/c/526394af4e8ade89cacd1a9ce2b97712712fcc34
https://git.kernel.org/stable/c/b75070823b89009f5123fd0e05a8e0c3d39937c1
https://git.kernel.org/stable/c/1b68efce6dd483d22f50d0d3800c4cfda14b1305
https://git.kernel.org/stable/c/b7880cb166ab62c2409046b2347261abf701530e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: netrom: fix double-free in nr_route_frame() In nr_route_frame(), old_skb is immediately freed without checking if nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL, the caller function will free old_skb again, causing a double-free bug. Therefore, to prevent this, we need to modify it to check whether nr_neigh->ax25 is NULL before freeing old_skb. 2026-02-04 not yet calculated CVE-2026-23098 https://git.kernel.org/stable/c/25aab6bfc31017a7e52035b99aef5c2b6bde8ffb
https://git.kernel.org/stable/c/6e0110ea90313b7c0558a0b77038274a6821caf8
https://git.kernel.org/stable/c/7c48fdf2d1349bb54815b56fb012b9d577707708
https://git.kernel.org/stable/c/bd8955337e3764f912f49b360e176d8aaecf7016
https://git.kernel.org/stable/c/94d1a8bd08af1f4cc345c5c29f5db1ea72b8bb8c
https://git.kernel.org/stable/c/9f5fa78d9980fe75a69835521627ab7943cb3d67
https://git.kernel.org/stable/c/ba1096c315283ee3292765f6aea4cca15816c4f7
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bonding: limit BOND_MODE_8023AD to Ethernet devices BOND_MODE_8023AD makes sense for ARPHRD_ETHER only. syzbot reported: BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline] BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497 CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full) Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 __hw_addr_create net/core/dev_addr_lists.c:63 [inline] __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 __dev_mc_add net/core/dev_addr_lists.c:868 [inline] dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886 bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180 do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963 do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165 rtnl_changelink net/core/rtnetlink.c:3776 [inline] __rtnl_newlink net/core/rtnetlink.c:3935 [inline] rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072 rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:742 ____sys_sendmsg+0x505/0x820 net/socket.c:2592 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646 __sys_sendmsg+0x164/0x220 net/socket.c:2678 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307 do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332 entry_SYSENTER_compat_after_hwframe+0x84/0x8e </TASK> The buggy address belongs to the variable: lacpdu_mcast_addr+0x0/0x40 2026-02-04 not yet calculated CVE-2026-23099 https://git.kernel.org/stable/c/72925dbb0c8c7b16bf922e93c6cc03cbd8c955c4
https://git.kernel.org/stable/c/5063b2cd9b27d35ab788d707d7858ded0acc8f1d
https://git.kernel.org/stable/c/80c881e53a4fa0a80fa4bef7bc0ead0e8e88940d
https://git.kernel.org/stable/c/ef68afb1bee8d35a18896c27d7358079353d8d8a
https://git.kernel.org/stable/c/43dee6f7ef1d228821de1b61c292af3744c8d7da
https://git.kernel.org/stable/c/c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix hugetlb_pmd_shared() Patch series "mm/hugetlb: fixes for PMD table sharing (incl. using mmu_gather)", v3. One functional fix, one performance regression fix, and two related comment fixes. I cleaned up my prototype I recently shared [1] for the performance fix, deferring most of the cleanups I had in the prototype to a later point. While doing that I identified the other things. The goal of this patch set is to be backported to stable trees "fairly" easily. At least patch #1 and #4. Patch #1 fixes hugetlb_pmd_shared() not detecting any sharing Patch #2 + #3 are simple comment fixes that patch #4 interacts with. Patch #4 is a fix for the reported performance regression due to excessive IPI broadcasts during fork()+exit(). The last patch is all about TLB flushes, IPIs and mmu_gather. Read: complicated There are plenty of cleanups in the future to be had + one reasonable optimization on x86. But that's all out of scope for this series. Runtime tested, with a focus on fixing the performance regression using the original reproducer [2] on x86. This patch (of 4): We switched from (wrongly) using the page count to an independent shared count. Now, shared page tables have a refcount of 1 (excluding speculative references) and instead use ptdesc->pt_share_count to identify sharing. We didn't convert hugetlb_pmd_shared(), so right now, we would never detect a shared PMD table as such, because sharing/unsharing no longer touches the refcount of a PMD table. Page migration, like mbind() or migrate_pages() would allow for migrating folios mapped into such shared PMD tables, even though the folios are not exclusive. In smaps we would account them as "private" although they are "shared", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the pagemap interface. Fix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared(). 2026-02-04 not yet calculated CVE-2026-23100 https://git.kernel.org/stable/c/69c4e241ff13545d410a8b2a688c932182a858bf
https://git.kernel.org/stable/c/ca1a47cd3f5f4c46ca188b1c9a27af87d1ab2216
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: leds: led-class: Only Add LED to leds_list when it is fully ready Before this change the LED was added to leds_list before led_init_core() gets called adding it the list before led_classdev.set_brightness_work gets initialized. This leaves a window where led_trigger_register() of a LED's default trigger will call led_trigger_set() which calls led_set_brightness() which in turn will end up queueing the *uninitialized* led_classdev.set_brightness_work. This race gets hit by the lenovo-thinkpad-t14s EC driver which registers 2 LEDs with a default trigger provided by snd_ctl_led.ko in quick succession. The first led_classdev_register() causes an async modprobe of snd_ctl_led to run and that async modprobe manages to exactly hit the window where the second LED is on the leds_list without led_init_core() being called for it, resulting in: ------------[ cut here ]------------ WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390 Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025 ... Call trace: __flush_work+0x344/0x390 (P) flush_work+0x2c/0x50 led_trigger_set+0x1c8/0x340 led_trigger_register+0x17c/0x1c0 led_trigger_register_simple+0x84/0xe8 snd_ctl_led_init+0x40/0xf88 [snd_ctl_led] do_one_initcall+0x5c/0x318 do_init_module+0x9c/0x2b8 load_module+0x7e0/0x998 Close the race window by moving the adding of the LED to leds_list to after the led_init_core() call. 2026-02-04 not yet calculated CVE-2026-23101 https://git.kernel.org/stable/c/f7a6df659af777058833802c29b3b7974db5e78a
https://git.kernel.org/stable/c/d117fdcb21b05c0e0460261d017b92303cd9ba77
https://git.kernel.org/stable/c/e90c861411fc84629a240384b0a72830539d3386
https://git.kernel.org/stable/c/2757f7748ce2d0fa44112024907bafb37e104d6e
https://git.kernel.org/stable/c/da565bf98c9ad0eabcb09fc97859e0b52f98b7c3
https://git.kernel.org/stable/c/78822628165f3d817382f67f91129161159ca234
https://git.kernel.org/stable/c/d1883cefd31752f0504b94c3bcfa1f6d511d6e87
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: signal: Fix restoration of SVE context When SME is supported, Restoring SVE signal context can go wrong in a few ways, including placing the task into an invalid state where the kernel may read from out-of-bounds memory (and may potentially take a fatal fault) and/or may kill the task with a SIGKILL. (1) Restoring a context with SVE_SIG_FLAG_SM set can place the task into an invalid state where SVCR.SM is set (and sve_state is non-NULL) but TIF_SME is clear, consequently resuting in out-of-bounds memory reads and/or killing the task with SIGKILL. This can only occur in unusual (but legitimate) cases where the SVE signal context has either been modified by userspace or was saved in the context of another task (e.g. as with CRIU), as otherwise the presence of an SVE signal context with SVE_SIG_FLAG_SM implies that TIF_SME is already set. While in this state, task_fpsimd_load() will NOT configure SMCR_ELx (leaving some arbitrary value configured in hardware) before restoring SVCR and attempting to restore the streaming mode SVE registers from memory via sve_load_state(). As the value of SMCR_ELx.LEN may be larger than the task's streaming SVE vector length, this may read memory outside of the task's allocated sve_state, reading unrelated data and/or triggering a fault. While this can result in secrets being loaded into streaming SVE registers, these values are never exposed. As TIF_SME is clear, fpsimd_bind_task_to_cpu() will configure CPACR_ELx.SMEN to trap EL0 accesses to streaming mode SVE registers, so these cannot be accessed directly at EL0. As fpsimd_save_user_state() verifies the live vector length before saving (S)SVE state to memory, no secret values can be saved back to memory (and hence cannot be observed via ptrace, signals, etc). When the live vector length doesn't match the expected vector length for the task, fpsimd_save_user_state() will send a fatal SIGKILL signal to the task. Hence the task may be killed after executing userspace for some period of time. (2) Restoring a context with SVE_SIG_FLAG_SM clear does not clear the task's SVCR.SM. If SVCR.SM was set prior to restoring the context, then the task will be left in streaming mode unexpectedly, and some register state will be combined inconsistently, though the task will be left in legitimate state from the kernel's PoV. This can only occur in unusual (but legitimate) cases where ptrace has been used to set SVCR.SM after entry to the sigreturn syscall, as syscall entry clears SVCR.SM. In these cases, the the provided SVE register data will be loaded into the task's sve_state using the non-streaming SVE vector length and the FPSIMD registers will be merged into this using the streaming SVE vector length. Fix (1) by setting TIF_SME when setting SVCR.SM. This also requires ensuring that the task's sme_state has been allocated, but as this could contain live ZA state, it should not be zeroed. Fix (2) by clearing SVCR.SM when restoring a SVE signal context with SVE_SIG_FLAG_SM clear. For consistency, I've pulled the manipulation of SVCR, TIF_SVE, TIF_SME, and fp_type earlier, immediately after the allocation of sve_state/sme_state, before the restore of the actual register state. This makes it easier to ensure that these are always modified consistently, even if a fault is taken while reading the register data from the signal context. I do not expect any software to depend on the exact state restored when a fault is taken while reading the context. 2026-02-04 not yet calculated CVE-2026-23102 https://git.kernel.org/stable/c/9bc3adba8c35119be80ab20217027720446742f2
https://git.kernel.org/stable/c/ce820dd4e6e2d711242dc4331713b9bb4fe06d09
https://git.kernel.org/stable/c/7b5a52cf252a0d2e89787b645290ad288878f332
https://git.kernel.org/stable/c/d2907cbe9ea0a54cbe078076f9d089240ee1e2d9
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ipvlan: Make the addrs_lock be per port Make the addrs_lock be per port, not per ipvlan dev. Initial code seems to be written in the assumption, that any address change must occur under RTNL. But it is not so for the case of IPv6. So 1) Introduce per-port addrs_lock. 2) It was needed to fix places where it was forgotten to take lock (ipvlan_open/ipvlan_close) This appears to be a very minor problem though. Since it's highly unlikely that ipvlan_add_addr() will be called on 2 CPU simultaneously. But nevertheless, this could cause: 1) False-negative of ipvlan_addr_busy(): one interface iterated through all port->ipvlans + ipvlan->addrs under some ipvlan spinlock, and another added IP under its own lock. Though this is only possible for IPv6, since looks like only ipvlan_addr6_event() can be called without rtnl_lock. 2) Race since ipvlan_ht_addr_add(port) is called under different ipvlan->addrs_lock locks This should not affect performance, since add/remove IP is a rare situation and spinlock is not taken on fast paths. 2026-02-04 not yet calculated CVE-2026-23103 https://git.kernel.org/stable/c/3c149b662cbb202a450e81f938e702ba333864ad
https://git.kernel.org/stable/c/70feb16e3fbfb10b15de1396557c38e99f1ab8df
https://git.kernel.org/stable/c/88f83e6c9cdb46b8c8ddd0ba01393362963cf589
https://git.kernel.org/stable/c/04ba6de6eff61238e5397c14ac26a6578c7735a5
https://git.kernel.org/stable/c/1f300c10d92c547c3a7d978e1212ff52f18256ed
https://git.kernel.org/stable/c/6a81e2db096913d7e43aada1c350c1282e76db39
https://git.kernel.org/stable/c/d3ba32162488283c0a4c5bedd8817aec91748802
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ice: fix devlink reload call trace Commit 4da71a77fc3b ("ice: read internal temperature sensor") introduced internal temperature sensor reading via HWMON. ice_hwmon_init() was added to ice_init_feature() and ice_hwmon_exit() was added to ice_remove(). As a result if devlink reload is used to reinit the device and then the driver is removed, a call trace can occur. BUG: unable to handle page fault for address: ffffffffc0fd4b5d Call Trace: string+0x48/0xe0 vsnprintf+0x1f9/0x650 sprintf+0x62/0x80 name_show+0x1f/0x30 dev_attr_show+0x19/0x60 The call trace repeats approximately every 10 minutes when system monitoring tools (e.g., sadc) attempt to read the orphaned hwmon sysfs attributes that reference freed module memory. The sequence is: 1. Driver load, ice_hwmon_init() gets called from ice_init_feature() 2. Devlink reload down, flow does not call ice_remove() 3. Devlink reload up, ice_hwmon_init() gets called from ice_init_feature() resulting in a second instance 4. Driver unload, ice_hwmon_exit() called from ice_remove() leaving the first hwmon instance orphaned with dangling pointer Fix this by moving ice_hwmon_exit() from ice_remove() to ice_deinit_features() to ensure proper cleanup symmetry with ice_hwmon_init(). 2026-02-04 not yet calculated CVE-2026-23104 https://git.kernel.org/stable/c/87c1dacca197cc64e06fedeb269e3dd6699bae60
https://git.kernel.org/stable/c/d3f867e7a04678640ebcbfb81893c59f4af48586
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag This is more of a preventive patch to make the code more consistent and to prevent possible exploits that employ child qlen manipulations on qfq. use cl_is_active instead of relying on the child qdisc's qlen to determine class activation. 2026-02-04 not yet calculated CVE-2026-23105 https://git.kernel.org/stable/c/fac2c67bb2bb732eae4283e45fc338af7e08c254
https://git.kernel.org/stable/c/b8c24cf5268fb3bfb8d16324c3dbb985f698c835
https://git.kernel.org/stable/c/f27047abf7cac1b6f90c3ad60de21ef9f717c26d
https://git.kernel.org/stable/c/93b8635974fb050c43d07e35e5edfe6e685ca28a
https://git.kernel.org/stable/c/abd9fc26ea577561a5ef6241a1b058755ffdad0c
https://git.kernel.org/stable/c/77f1afd0bb4d5da95236f6114e6d0dfcde187ff6
https://git.kernel.org/stable/c/d837fbee92453fbb829f950c8e7cf76207d73f33
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: timekeeping: Adjust the leap state for the correct auxiliary timekeeper When __do_ajdtimex() was introduced to handle adjtimex for any timekeeper, this reference to tk_core was not updated. When called on an auxiliary timekeeper, the core timekeeper would be updated incorrectly. This gets caught by the lock debugging diagnostics because the timekeepers sequence lock gets written to without holding its associated spinlock: WARNING: include/linux/seqlock.h:226 at __do_adjtimex+0x394/0x3b0, CPU#2: test/125 aux_clock_adj (kernel/time/timekeeping.c:2979) __do_sys_clock_adjtime (kernel/time/posix-timers.c:1161 kernel/time/posix-timers.c:1173) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131) Update the correct auxiliary timekeeper. 2026-02-04 not yet calculated CVE-2026-23106 https://git.kernel.org/stable/c/8f7c9dbeaa0be5810e44d323735967d3dba9239d
https://git.kernel.org/stable/c/e806f7dde8ba28bc72a7a0898589cac79f6362ac
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA The code to restore a ZA context doesn't attempt to allocate the task's sve_state before setting TIF_SME. Consequently, restoring a ZA context can place a task into an invalid state where TIF_SME is set but the task's sve_state is NULL. In legitimate but uncommon cases where the ZA signal context was NOT created by the kernel in the context of the same task (e.g. if the task is saved/restored with something like CRIU), we have no guarantee that sve_state had been allocated previously. In these cases, userspace can enter streaming mode without trapping while sve_state is NULL, causing a later NULL pointer dereference when the kernel attempts to store the register state: | # ./sigreturn-za | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 | Mem abort info: | ESR = 0x0000000096000046 | EC = 0x25: DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x06: level 2 translation fault | Data abort info: | ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000 | CM = 0, WnR = 1, TnD = 0, TagAccess = 0 | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 52-bit VAs, pgdp=0000000101f47c00 | [0000000000000000] pgd=08000001021d8403, p4d=0800000102274403, pud=0800000102275403, pmd=0000000000000000 | Internal error: Oops: 0000000096000046 [#1] SMP | Modules linked in: | CPU: 0 UID: 0 PID: 153 Comm: sigreturn-za Not tainted 6.19.0-rc1 #1 PREEMPT | Hardware name: linux,dummy-virt (DT) | pstate: 214000c9 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--) | pc : sve_save_state+0x4/0xf0 | lr : fpsimd_save_user_state+0xb0/0x1c0 | sp : ffff80008070bcc0 | x29: ffff80008070bcc0 x28: fff00000c1ca4c40 x27: 63cfa172fb5cf658 | x26: fff00000c1ca5228 x25: 0000000000000000 x24: 0000000000000000 | x23: 0000000000000000 x22: fff00000c1ca4c40 x21: fff00000c1ca4c40 | x20: 0000000000000020 x19: fff00000ff6900f0 x18: 0000000000000000 | x17: fff05e8e0311f000 x16: 0000000000000000 x15: 028fca8f3bdaf21c | x14: 0000000000000212 x13: fff00000c0209f10 x12: 0000000000000020 | x11: 0000000000200b20 x10: 0000000000000000 x9 : fff00000ff69dcc0 | x8 : 00000000000003f2 x7 : 0000000000000001 x6 : fff00000c1ca5b48 | x5 : fff05e8e0311f000 x4 : 0000000008000000 x3 : 0000000000000000 | x2 : 0000000000000001 x1 : fff00000c1ca5970 x0 : 0000000000000440 | Call trace: | sve_save_state+0x4/0xf0 (P) | fpsimd_thread_switch+0x48/0x198 | __switch_to+0x20/0x1c0 | __schedule+0x36c/0xce0 | schedule+0x34/0x11c | exit_to_user_mode_loop+0x124/0x188 | el0_interrupt+0xc8/0xd8 | __el0_irq_handler_common+0x18/0x24 | el0t_64_irq_handler+0x10/0x1c | el0t_64_irq+0x198/0x19c | Code: 54000040 d51b4408 d65f03c0 d503245f (e5bb5800) | ---[ end trace 0000000000000000 ]--- Fix this by having restore_za_context() ensure that the task's sve_state is allocated, matching what we do when taking an SME trap. Any live SVE/SSVE state (which is restored earlier from a separate signal context) must be preserved, and hence this is not zeroed. 2026-02-04 not yet calculated CVE-2026-23107 https://git.kernel.org/stable/c/c5a5b150992ebab779c1ce54f54676786e47e94c
https://git.kernel.org/stable/c/19b2c3f3ca1b4b6dccd2a42aca2692d8c79c4214
https://git.kernel.org/stable/c/0af233d66eff90fb8f3e0fc09f2316bba0b72bb9
https://git.kernel.org/stable/c/70f7f54566afc23f2c71bf1411af81f5d8009e0f
https://git.kernel.org/stable/c/ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In usb_8dev_open() -> usb_8dev_start(), the URBs for USB-in transfers are allocated, added to the priv->rx_submitted anchor and submitted. In the complete callback usb_8dev_read_bulk_callback(), the URBs are processed and resubmitted. In usb_8dev_close() -> unlink_all_urbs() the URBs are freed by calling usb_kill_anchored_urbs(&priv->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the usb_8dev_read_bulk_callback() to the priv->rx_submitted anchor. 2026-02-04 not yet calculated CVE-2026-23108 https://git.kernel.org/stable/c/feb8243eaea7efd5279b19667d7189fd8654c87a
https://git.kernel.org/stable/c/ef6e608e5ee71eca0cd3475c737e684cef24f240
https://git.kernel.org/stable/c/60719661b4cbd7ffbed1a0e0fa3bbc82d8bd2be9
https://git.kernel.org/stable/c/59ff56992bba28051ad67cd8cc7b0edfe7280796
https://git.kernel.org/stable/c/ea4a98e924164586066b39f29bfcc7cc9da108cd
https://git.kernel.org/stable/c/07e9373739c6388af9d99797cdb2e79dbbcbe92b
https://git.kernel.org/stable/c/f7a980b3b8f80fe367f679da376cf76e800f9480
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fs/writeback: skip AS_NO_DATA_INTEGRITY mappings in wait_sb_inodes() Above the while() loop in wait_sb_inodes(), we document that we must wait for all pages under writeback for data integrity. Consequently, if a mapping, like fuse, traditionally does not have data integrity semantics, there is no need to wait at all; we can simply skip these inodes. This restores fuse back to prior behavior where syncs are no-ops. This fixes a user regression where if a system is running a faulty fuse server that does not reply to issued write requests, this causes wait_sb_inodes() to wait forever. 2026-02-04 not yet calculated CVE-2026-23109 https://git.kernel.org/stable/c/3f4ed5e2b8f111553562507ad6202432c7c57731
https://git.kernel.org/stable/c/f9a49aa302a05e91ca01f69031cb79a0ea33031f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: core: Wake up the error handler when final completions race against each other The fragile ordering between marking commands completed or failed so that the error handler only wakes when the last running command completes or times out has race conditions. These race conditions can cause the SCSI layer to fail to wake the error handler, leaving I/O through the SCSI host stuck as the error state cannot advance. First, there is an memory ordering issue within scsi_dec_host_busy(). The write which clears SCMD_STATE_INFLIGHT may be reordered with reads counting in scsi_host_busy(). While the local CPU will see its own write, reordering can allow other CPUs in scsi_dec_host_busy() or scsi_eh_inc_host_failed() to see a raised busy count, causing no CPU to see a host busy equal to the host_failed count. This race condition can be prevented with a memory barrier on the error path to force the write to be visible before counting host busy commands. Second, there is a general ordering issue with scsi_eh_inc_host_failed(). By counting busy commands before incrementing host_failed, it can race with a final command in scsi_dec_host_busy(), such that scsi_dec_host_busy() does not see host_failed incremented but scsi_eh_inc_host_failed() counts busy commands before SCMD_STATE_INFLIGHT is cleared by scsi_dec_host_busy(), resulting in neither waking the error handler task. This needs the call to scsi_host_busy() to be moved after host_failed is incremented to close the race condition. 2026-02-04 not yet calculated CVE-2026-23110 https://git.kernel.org/stable/c/cc872e35c0df80062abc71268d690a2f749e542e
https://git.kernel.org/stable/c/6d9a367be356101963c249ebf10ea10b32886607
https://git.kernel.org/stable/c/9fdc6f28d5e81350ab1d2cac8389062bd09e61e1
https://git.kernel.org/stable/c/64ae21b9c4f0c7e60cf47a53fa7ab68852079ef0
https://git.kernel.org/stable/c/219f009ebfd1ef3970888ee9eef4c8a06357f862
https://git.kernel.org/stable/c/fe2f8ad6f0999db3b318359a01ee0108c703a8c3
 
Six Apart Ltd.--Movable Type (Software Edition) A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. 2026-02-04 not yet calculated CVE-2026-23704 https://movabletype.org/news/2026/02/mt-906-released.html
https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html
https://jvn.jp/en/jp/JVN45405689/
 
Apache Software Foundation--Apache Syncope Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue. 2026-02-03 not yet calculated CVE-2026-23794 https://lists.apache.org/thread/7h30ghqdsf3spl3h7gdmscxofrm8ygjo
 
Apache Software Foundation--Apache Syncope Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue. 2026-02-03 not yet calculated CVE-2026-23795 https://lists.apache.org/thread/mzgbdn8hzk8vr94o660njcc7w62c2pos
 
OpenSolution--Quick.Cart Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. 2026-02-05 not yet calculated CVE-2026-23796 https://opensolution.org/sklep-internetowy-quick-cart.html
https://cert.pl/posts/2026/02/CVE-2026-23796
 
OpenSolution--Quick.Cart In Quick.Cart user passwords are stored in plaintext form. An attacker with high privileges can display users' password in user editing page. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. 2026-02-05 not yet calculated CVE-2026-23797 https://opensolution.org/sklep-internetowy-quick-cart.html
https://cert.pl/posts/2026/02/CVE-2026-23796
 
parallax--jsPDF jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B. Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side. The vulnerability has been fixed in jsPDF@4.1.0. 2026-02-02 not yet calculated CVE-2026-24040 https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4
https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e
https://github.com/parallax/jsPDF/releases/tag/v4.1.0
 
parallax--jsPDF jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed. The vulnerability has been fixed in jsPDF@4.1.0. 2026-02-02 not yet calculated CVE-2026-24043 https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422
https://github.com/parallax/jsPDF/commit/efe54bf50f3f5e5416b2495e3c24624fc80b6cff
https://github.com/parallax/jsPDF/releases/tag/v4.1.0
 
zulip--zulip Zulip is an open-source team collaboration tool. From 5.0 to before 11.5, some administrative actions on the user profile were susceptible to stored XSS in group names or channel names. Exploiting these vulnerabilities required the user explicitly interacting with the problematic object. This vulnerability is fixed in 11.5. 2026-02-06 not yet calculated CVE-2026-24050 https://github.com/zulip/zulip/security/advisories/GHSA-56qv-8823-6fq9
https://github.com/zulip/zulip/commit/e6093d9e4788f4d82236d856c5ed7b16767886a7
https://github.com/zulip/zulip/releases/tag/11.5
https://zulip.readthedocs.io/en/latest/overview/changelog.html#zulip-server-11-5
 
anthropics--claude-code Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith() function to validate trusted domains (e.g., docs.python.org, modelcontextprotocol.io), this could have enabled attackers to register domains like modelcontextprotocol.io.example.com that would pass validation. This could enable automatic requests to attacker-controlled domains without user consent, potentially leading to data exfiltration. This issue has been patched in version 1.0.111. 2026-02-03 not yet calculated CVE-2026-24052 https://github.com/anthropics/claude-code/security/advisories/GHSA-vhw5-3g5m-8ggf
 
anthropics--claude-code Claude Code is an agentic coding tool. Prior to version 2.0.74, due to a Bash command validation flaw in parsing ZSH clobber syntax, it was possible to bypass directory restrictions and write files outside the current working directory without user permission prompts. Exploiting this required the user to use ZSH and the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.74. 2026-02-03 not yet calculated CVE-2026-24053 https://github.com/anthropics/claude-code/security/advisories/GHSA-q728-gf8j-w49r
 
Native Instruments--Native Access During the installation of the Native Access application, a privileged helper `com.native-instruments.NativeAccess.Helper2`, which is used by Native Access to trigger functions via XPC communication like copy-file, remove or set-permissions, is deployed as well. The communication with the XPC service of the privileged helper is only allowed if the client process is signed with the corresponding certificate and fulfills the following code signing requirement: "anchor trusted and certificate leaf[subject.CN] = \"Developer ID Application: Native Instruments GmbH (83K5EG6Z9V)\"" The Native Access application was found to be signed with the `com.apple.security.cs.allow-dyld-environment-variables` and `com.apple.security.cs.disable-library-validation` entitlements leading to DYLIB injection and therefore command execution in the context of this application. A low privileged user can exploit the DYLIB injection to trigger functions of the privileged helper XPC service resulting in privilege escalation by first deleting the /etc/sudoers file and then copying a malicious version of that file to /etc/sudoers. 2026-02-02 not yet calculated CVE-2026-24070 https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-native-instruments-native-access-macos/
 
Native Instruments--Native Access It was found that the XPC service offered by the privileged helper of Native Access uses the PID of the connecting client to verify its code signature. This is considered insecure and can be exploited by PID reuse attacks. The connection handler function uses _xpc_connection_get_pid(arg2) as argument for the hasValidSignature function. This value can not be trusted since it is vulnerable to PID reuse attacks. 2026-02-02 not yet calculated CVE-2026-24071 https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-native-instruments-native-access-macos/
 
parallax--jsPDF jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file that results in out of memory errors and denial of service. Harmful BMP files have large width and/or height entries in their headers, which lead to excessive memory allocation. The html method is also affected. The vulnerability has been fixed in jsPDF@4.1.0. 2026-02-02 not yet calculated CVE-2026-24133 https://github.com/parallax/jsPDF/security/advisories/GHSA-95fx-jjr5-f39c
https://github.com/parallax/jsPDF/commit/ae4b93f76d8fc1baa5614bd5fdb5d174c3b85f0d
https://github.com/parallax/jsPDF/releases/tag/v4.1.0
 
gogs--gogs Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWikiPage function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to delete arbitrary files on the server by manipulating the old_title parameter in the wiki editing form. This issue has been patched in versions 0.13.4 and 0.14.0+dev. 2026-02-06 not yet calculated CVE-2026-24135 https://github.com/gogs/gogs/security/advisories/GHSA-jp7c-wj6q-3qf2
 
devcode-it--openstamanager OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the article pricing completion handler. The application fails to properly sanitize the idarticolo parameter before using it in SQL queries, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference. 2026-02-06 not yet calculated CVE-2026-24416 https://github.com/devcode-it/openstamanager/security/advisories/GHSA-p864-fqgv-92q4
 
devcode-it--openstamanager OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application fails to properly sanitize the term parameter before using it in SQL LIKE clauses across multiple module-specific search handlers, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference. 2026-02-06 not yet calculated CVE-2026-24417 https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4hc4-8599-xh2h
 
devcode-it--openstamanager OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the id_records array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages. 2026-02-06 not yet calculated CVE-2026-24418 https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq
 
devcode-it--openstamanager OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module's add.php file. The application fails to validate that comma-separated values from the id_documenti GET parameter are integers before using them in SQL IN() clauses, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages. 2026-02-06 not yet calculated CVE-2026-24419 https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4j2x-jh4m-fqv6
 
Shenzhen Tenda Technology Co., Ltd.--Tenda AC7 Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior contain an improper output encoding vulnerability in the web management interface. User-supplied input is reflected in HTTP responses without adequate escaping, allowing injection of arbitrary HTML or JavaScript in a victim's browser context. 2026-02-03 not yet calculated CVE-2026-24426 https://www.tendacn.com/product/AC7
https://www.vulncheck.com/advisories/tenda-ac7-reflected-xss-via-web-interface-output-encoding
 
Shenzhen Tenda Technology Co., Ltd.--Tenda AC7 Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior expose sensitive information in web management responses. Administrative credentials, including the router and/or admin panel password, are included in plaintext within configuration response bodies. In addition, responses lack appropriate Cache-Control directives, which may permit web browsers to cache pages containing these credentials and enable subsequent disclosure to an attacker with access to the client system or browser profile. 2026-02-03 not yet calculated CVE-2026-24427 https://www.tendacn.com/product/AC7
https://www.vulncheck.com/advisories/tenda-ac7-exposes-admin-credentials-in-configuration-responses
 
Shenzhen Tenda Technology Co., Ltd.--Tenda AC7 Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior does not implement CSRF protections for administrative functions in the web management interface. The interface does not enforce anti-CSRF tokens or robust origin validation, which can allow an attacker to induce a logged-in administrator to perform unintended state-changing requests and modify router settings. 2026-02-03 not yet calculated CVE-2026-24434 https://www.tendacn.com/product/AC7
https://www.vulncheck.com/advisories/tenda-ac7-web-interface-lacks-csrf-protections-for-admin-actions
 
Shenzhen Tenda Technology Co., Ltd.--Tenda AC7 Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior expose account credentials in plaintext within HTTP responses, allowing an on-path attacker to obtain sensitive authentication material. 2026-02-03 not yet calculated CVE-2026-24441 https://www.tendacn.com/product/AC7
https://www.vulncheck.com/advisories/tenda-ac7-transmits-admin-credentials-without-https-protection
 
Six Apart Ltd.--Movable Type (Software Edition) If a malformed data is input to the affected product, a CSV file downloaded from the affected product may contain such malformed data. When a victim user download and open such a CSV file, the embedded code may be executed in the user's environment. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. 2026-02-04 not yet calculated CVE-2026-24447 https://movabletype.org/news/2026/02/mt-906-released.html
https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html
https://jvn.jp/en/jp/JVN45405689/
 
ELECOM CO.,LTD.--WRC-X1500GS-B For WRC-X1500GS-B and WRC-X1500GSA-B, the initial passwords can be calculated easily from the system information. 2026-02-03 not yet calculated CVE-2026-24449 https://www.elecom.co.jp/news/security/20260203-01/
https://jvn.jp/en/jp/JVN94012927/
 
ELECOM CO.,LTD.--WAB-S733IW2-PD Stack-based buffer overflow vulnerability exists in ELECOM wireless LAN access point devices. A crafted packet may lead to arbitrary code execution. 2026-02-03 not yet calculated CVE-2026-24465 https://www.elecom.co.jp/news/security/20260203-01/
https://www.elecom.co.jp/news/security/20260203-02/
https://jvn.jp/en/jp/JVN94012927/
 
continuwuity--continuwuity continuwuity is a Matrix homeserver written in Rust. This vulnerability allows an attacker with a malicious remote server to cause the local server to sign an arbitrary event upon user interaction. Upon a user account leaving a room (rejecting an invite), joining a room or knocking on a room, the victim server may ask a remote server for assistance. If the victim asks the attacker server for assistance the attacker is able to provide an arbitrary event, which the victim will sign and return to the attacker. For the /leave endpoint, this works for any event with a supported room version, where the origin and origin_server_ts is set by the victim. For the /join endpoint, an additionally victim-set content field in the format of a join membership is needed. For the /knock endpoint, an additional victim-set content field in the format of a knock membership and a room version not between 1 and 6 is needed. This was exploited as a part of a larger chain against the continuwuity.org homeserver. This vulnerability affects all Conduit-derived servers. This vulnerability is fixed in Continuwuity 0.5.1, Conduit 0.10.11, Grapevine 0aae932b, and Tuwunel 1.4.9. 2026-02-02 not yet calculated CVE-2026-24471 https://github.com/continuwuity/continuwuity/security/advisories/GHSA-m5p2-vccg-8c9v
https://forgejo.ellis.link/continuwuation/continuwuity/commit/12aecf809172205436c852a1eaf268c1a2c3a900
 
Roland Corporation--Roland Cloud Manager The installer for Roland Cloud Manager ver.3.1.19 and prior insecurely loads Dynamic Link Libraries (DLLs), which could allow an attacker to execute arbitrary code with the privileges of the application. 2026-02-03 not yet calculated CVE-2026-24694 https://www.roland.com/global/products/rc_roland_cloud_manager/support/#dl-support_documents
https://jvn.jp/en/jp/JVN89992160/
 
Apache Software Foundation--Apache Answer Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 1.7.1. An unauthenticated API endpoint incorrectly exposes full revision history for deleted content. This allows unauthorized user to retrieve restricted or sensitive information. Users are recommended to upgrade to version 2.0.0, which fixes the issue. 2026-02-04 not yet calculated CVE-2026-24735 https://lists.apache.org/thread/whxloom7mpxlyt5wzdskflsg5mzdzd60
 
rustfs--rustfs RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material (access key, secret key, session token) to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be accessible to internal or external log consumers and could lead to compromise of sensitive credentials. This issue has been patched in version alpha.82. 2026-02-03 not yet calculated CVE-2026-24762 https://github.com/rustfs/rustfs/security/advisories/GHSA-r54g-49rx-98cr
 
RaspAP--raspap-webgui RaspAP raspap-webgui versions prior to 3.3.6 contain an OS command injection vulnerability. If exploited, an arbitrary OS command may be executed by a user who can log in to the product. 2026-02-02 not yet calculated CVE-2026-24788 https://github.com/RaspAP/raspap-webgui/releases
https://jvn.jp/en/jp/JVN27202136/
 
openfga--openfga OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 to v1.11.2 ( openfga-0.2.22<= Helm chart <= openfga-0.2.51, v.1.8.5 <= docker <= v.1.11.2) are vulnerable to improper policy enforcement when certain Check calls are executed. The vulnerability requires a model that has a a relation directly assignable by a type bound public access and assignable by type bound non-public access, a tuple assigned for the relation that is a type bound public access, a tuple assigned for the same object with the same relation that is not type bound public access, and a tuple assigned for a different object that has an object ID lexicographically larger with the same user and relation which is not type bound public access. This vulnerability is fixed in v1.11.3. 2026-02-06 not yet calculated CVE-2026-24851 https://github.com/openfga/openfga/security/advisories/GHSA-jq9f-gm9w-rwm9
https://github.com/openfga/openfga/releases/tag/v1.11.3
 
anthropics--claude-code Claude Code is an agentic coding tool. Prior to version 2.0.72, due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of untrusted commands through the find command. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.72. 2026-02-03 not yet calculated CVE-2026-24887 https://github.com/anthropics/claude-code/security/advisories/GHSA-qgqw-h4xq-7w8w
 
AlgoNetLab--OrcaStatLLM-Researcher OrcaStatLLM Researcher is an LLM Based Research Paper Generator. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Log Message in the Session Page in OrcaStatLLM-Researcher that allows attackers to inject and execute arbitrary JavaScript code in victims' browsers through malicious research topic inputs. 2026-02-06 not yet calculated CVE-2026-24903 https://github.com/AlgoNetLab/OrcaStatLLM-Researcher/security/advisories/GHSA-47wv-g894-82m4
 
ASUSTOR--ADM The DDNS update function in ADM fails to properly validate the hostname of the DDNS server's TLS/SSL certificate. Although the connection uses HTTPS, an improper validated TLS/SSL certificates allows a remote attacker can intercept the communication to perform a Man-in-the-Middle (MitM) attack, which may obtain the sensitive information of DDNS updating process, including the user's account email, MD5 hashed password, and device serial number. This issue affects ADM: from 4.1.0 through 4.3.3.ROF1, from 5.0.0 through 5.1.1.RCI1. 2026-02-03 not yet calculated CVE-2026-24932 https://www.asustor.com/security/security_advisory_detail?id=50
 
ASUSTOR--ADM The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. An improper certificates validation vulnerability allows an unauthenticated remote attacker can perform a Man-in-the-Middle (MitM) attack to intercept the cleartext communication, potentially leading to the exposure of sensitive user information, including account emails, MD5 hashed passwords, and device serial numbers. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1. 2026-02-03 not yet calculated CVE-2026-24933 https://www.asustor.com/security/security_advisory_detail?id=50
 
ASUSTOR--ADM The DDNS function uses an insecure HTTP connection or fails to validate the SSL/TLS certificate when querying an external server for the device's WAN IP address. An unauthenticated remote attacker can perform a Man-in-the-Middle (MitM) attack to spoof the response, leading the device to update its DDNS record with an incorrect IP address. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1. 2026-02-03 not yet calculated CVE-2026-24934 https://www.asustor.com/security/security_advisory_detail?id=50
 
ASUSTOR--ADM A third-party NAT traversal module fails to validate SSL/TLS certificates when connecting to the signaling server. While subsequent access to device services requires additional authentication, a Man-in-the-Middle (MitM) attacker can intercept or redirect the NAT tunnel establishment. This could allow an attacker to disrupt service availability or facilitate further targeted attacks by acting as a proxy between the user and the device services. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1. 2026-02-03 not yet calculated CVE-2026-24935 https://www.asustor.com/security/security_advisory_detail?id=50
 
ASUSTOR--ADM When a specific function is enabled while joining a AD Domain from ADM, an improper input parameters validation vulnerability in a specific CGI program allowing an unauthenticated remote attacker to write arbitrary data to any file on the system. By exploiting this vulnerability, attackers can overwrite critical system files, leading to a complete system compromise. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1. 2026-02-03 not yet calculated CVE-2026-24936 https://www.asustor.com/security/security_advisory_detail?id=51
 
Ajay--Better Search Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ajay Better Search better-search allows Stored XSS. This issue affects Better Search: from n/a through <= 4.2.1. 2026-02-03 not yet calculated CVE-2026-24938 https://patchstack.com/database/Wordpress/Plugin/better-search/vulnerability/wordpress-better-search-plugin-4-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
WP Chill--Modula Image Gallery Missing Authorization vulnerability in WP Chill Modula Image Gallery modula-best-grid-gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Modula Image Gallery: from n/a through <= 2.13.6. 2026-02-03 not yet calculated CVE-2026-24939 https://patchstack.com/database/Wordpress/Plugin/modula-best-grid-gallery/vulnerability/wordpress-modula-image-gallery-plugin-2-13-6-broken-access-control-vulnerability?_s_id=cve
 
Themefic--Travelfic Toolkit Missing Authorization vulnerability in Themefic Travelfic Toolkit travelfic-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travelfic Toolkit: from n/a through <= 1.3.3. 2026-02-03 not yet calculated CVE-2026-24940 https://patchstack.com/database/Wordpress/Plugin/travelfic-toolkit/vulnerability/wordpress-travelfic-toolkit-plugin-1-3-3-broken-access-control-vulnerability?_s_id=cve
 
magepeopleteam--WpEvently Cross-Site Request Forgery (CSRF) vulnerability in magepeopleteam WpEvently mage-eventpress allows Cross Site Request Forgery. This issue affects WpEvently: from n/a through <= 5.1.1. 2026-02-03 not yet calculated CVE-2026-24942 https://patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-5-1-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Themefic--Ultimate Addons for Contact Form 7 Missing Authorization vulnerability in Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Addons for Contact Form 7: from n/a through <= 3.5.34. 2026-02-03 not yet calculated CVE-2026-24945 https://patchstack.com/database/Wordpress/Plugin/ultimate-addons-for-contact-form-7/vulnerability/wordpress-ultimate-addons-for-contact-form-7-plugin-3-5-34-broken-access-control-vulnerability?_s_id=cve
 
LA-Studio--LA-Studio Element Kit for Elementor Missing Authorization vulnerability in LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LA-Studio Element Kit for Elementor: from n/a through < 1.5.6.3. 2026-02-03 not yet calculated CVE-2026-24947 https://patchstack.com/database/Wordpress/Plugin/lastudio-element-kit/vulnerability/wordpress-la-studio-element-kit-for-elementor-plugin-1-5-6-3-broken-access-control-vulnerability?_s_id=cve
 
Saad Iqbal--myCred Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects myCred: from n/a through <= 2.9.7.3. 2026-02-03 not yet calculated CVE-2026-24951 https://patchstack.com/database/Wordpress/Plugin/mycred/vulnerability/wordpress-mycred-plugin-2-9-7-3-broken-access-control-vulnerability?_s_id=cve
 
Craig Hewitt--Seriously Simple Podcasting Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Stored XSS. This issue affects Seriously Simple Podcasting: from n/a through <= 3.14.1. 2026-02-03 not yet calculated CVE-2026-24952 https://patchstack.com/database/Wordpress/Plugin/seriously-simple-podcasting/vulnerability/wordpress-seriously-simple-podcasting-plugin-3-14-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
magepeopleteam--WpEvently Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection. This issue affects WpEvently: from n/a through <= 5.0.8. 2026-02-03 not yet calculated CVE-2026-24954 https://patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-5-0-8-deserialization-of-untrusted-data-vulnerability?_s_id=cve
 
WP Chill--Strong Testimonials Missing Authorization vulnerability in WP Chill Strong Testimonials strong-testimonials allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Strong Testimonials: from n/a through <= 3.2.20. 2026-02-03 not yet calculated CVE-2026-24957 https://patchstack.com/database/Wordpress/Plugin/strong-testimonials/vulnerability/wordpress-strong-testimonials-plugin-3-2-20-broken-access-control-vulnerability?_s_id=cve
 
Crocoblock--JetElements For Elementor Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor jet-elements allows DOM-Based XSS. This issue affects JetElements For Elementor: from n/a through <= 2.7.12.2. 2026-02-03 not yet calculated CVE-2026-24958 https://patchstack.com/database/Wordpress/Plugin/jet-elements/vulnerability/wordpress-jetelements-for-elementor-plugin-2-7-12-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
ThemeGoods--Grand Blog Server-Side Request Forgery (SSRF) vulnerability in ThemeGoods Grand Blog grandblog allows Server Side Request Forgery. This issue affects Grand Blog: from n/a through < 3.1.5. 2026-02-03 not yet calculated CVE-2026-24961 https://patchstack.com/database/Wordpress/Theme/grandblog/vulnerability/wordpress-grand-blog-theme-3-1-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
 
Brainstorm Force--Sigmize Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force Sigmize sigmize allows Cross Site Request Forgery. This issue affects Sigmize: from n/a through <= 0.0.9. 2026-02-03 not yet calculated CVE-2026-24962 https://patchstack.com/database/Wordpress/Plugin/sigmize/vulnerability/wordpress-sigmize-plugin-0-0-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Wasiliy Strecker / ContestGallery developer--Contest Gallery Missing Authorization vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contest Gallery: from n/a through <= 28.1.1. 2026-02-03 not yet calculated CVE-2026-24965 https://patchstack.com/database/Wordpress/Plugin/contest-gallery/vulnerability/wordpress-contest-gallery-plugin-28-1-1-broken-access-control-vulnerability?_s_id=cve
 
Copyscape--Copyscape Premium Cross-Site Request Forgery (CSRF) vulnerability in Copyscape Copyscape Premium copyscape-premium allows Cross Site Request Forgery. This issue affects Copyscape Premium: from n/a through <= 1.4.1. 2026-02-03 not yet calculated CVE-2026-24966 https://patchstack.com/database/Wordpress/Plugin/copyscape-premium/vulnerability/wordpress-copyscape-premium-plugin-1-4-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
ameliabooking--Amelia Missing Authorization vulnerability in ameliabooking Amelia ameliabooking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Amelia: from n/a through <= 1.2.38. 2026-02-03 not yet calculated CVE-2026-24967 https://patchstack.com/database/Wordpress/Plugin/ameliabooking/vulnerability/wordpress-amelia-plugin-1-2-38-broken-access-control-vulnerability?_s_id=cve
 
Brainstorm Force--Spectra Missing Authorization vulnerability in Brainstorm Force Spectra ultimate-addons-for-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spectra: from n/a through <= 2.19.17. 2026-02-03 not yet calculated CVE-2026-24982 https://patchstack.com/database/Wordpress/Plugin/ultimate-addons-for-gutenberg/vulnerability/wordpress-spectra-plugin-2-19-17-broken-access-control-vulnerability?_s_id=cve
 
Brecht--Visual Link Preview Missing Authorization vulnerability in Brecht Visual Link Preview visual-link-preview allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Visual Link Preview: from n/a through <= 2.2.9. 2026-02-03 not yet calculated CVE-2026-24984 https://patchstack.com/database/Wordpress/Plugin/visual-link-preview/vulnerability/wordpress-visual-link-preview-plugin-2-2-9-broken-access-control-vulnerability?_s_id=cve
 
approveme--WP Forms Signature Contract Add-On Missing Authorization vulnerability in approveme WP Forms Signature Contract Add-On wp-forms-signature-contract-add-on allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Forms Signature Contract Add-On: from n/a through <= 1.8.2. 2026-02-03 not yet calculated CVE-2026-24985 https://patchstack.com/database/Wordpress/Plugin/wp-forms-signature-contract-add-on/vulnerability/wordpress-wp-forms-signature-contract-add-on-plugin-1-8-2-broken-access-control-to-notice-dismissal-vulnerability?_s_id=cve
 
wp.insider--Simple Membership WP user Import Cross-Site Request Forgery (CSRF) vulnerability in wp.insider Simple Membership WP user Import simple-membership-wp-user-import allows Cross Site Request Forgery. This issue affects Simple Membership WP user Import: from n/a through <= 1.9.1. 2026-02-03 not yet calculated CVE-2026-24986 https://patchstack.com/database/Wordpress/Plugin/simple-membership-wp-user-import/vulnerability/wordpress-simple-membership-wp-user-import-plugin-1-9-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Brian Hogg--The Events Calendar Shortcode & Block Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Hogg The Events Calendar Shortcode &amp; Block the-events-calendar-shortcode allows Stored XSS. This issue affects The Events Calendar Shortcode &amp; Block: from n/a through <= 3.1.1. 2026-02-03 not yet calculated CVE-2026-24988 https://patchstack.com/database/Wordpress/Plugin/the-events-calendar-shortcode/vulnerability/wordpress-the-events-calendar-shortcode-block-plugin-3-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Fahad Mahmood--WP Docs Missing Authorization vulnerability in Fahad Mahmood WP Docs wp-docs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Docs: from n/a through <= 2.2.8. 2026-02-03 not yet calculated CVE-2026-24990 https://patchstack.com/database/Wordpress/Plugin/wp-docs/vulnerability/wordpress-wp-docs-plugin-2-2-8-broken-access-control-vulnerability?_s_id=cve
 
HT Plugins--Extensions For CF7 Authorization Bypass Through User-Controlled Key vulnerability in HT Plugins Extensions For CF7 extensions-for-cf7 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Extensions For CF7: from n/a through <= 3.4.0. 2026-02-03 not yet calculated CVE-2026-24991 https://patchstack.com/database/Wordpress/Plugin/extensions-for-cf7/vulnerability/wordpress-extensions-for-cf7-plugin-3-4-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
WPFactory--Advanced WooCommerce Product Sales Reporting Insertion of Sensitive Information Into Sent Data vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows Retrieve Embedded Sensitive Data. This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through <= 4.1.2. 2026-02-03 not yet calculated CVE-2026-24992 https://patchstack.com/database/Wordpress/Plugin/webd-woocommerce-advanced-reporting-statistics/vulnerability/wordpress-advanced-woocommerce-product-sales-reporting-plugin-4-1-2-sensitive-data-exposure-vulnerability?_s_id=cve
 
sunshinephotocart--Sunshine Photo Cart Missing Authorization vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sunshine Photo Cart: from n/a through <= 3.5.7.2. 2026-02-03 not yet calculated CVE-2026-24994 https://patchstack.com/database/Wordpress/Plugin/sunshine-photo-cart/vulnerability/wordpress-sunshine-photo-cart-plugin-3-5-7-2-broken-access-control-vulnerability?_s_id=cve
 
Iulia Cazan--Latest Post Shortcode Missing Authorization vulnerability in Iulia Cazan Latest Post Shortcode latest-post-shortcode allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Latest Post Shortcode: from n/a through <= 14.2.0. 2026-02-03 not yet calculated CVE-2026-24995 https://patchstack.com/database/Wordpress/Plugin/latest-post-shortcode/vulnerability/wordpress-latest-post-shortcode-plugin-14-2-0-broken-access-control-vulnerability?_s_id=cve
 
wpelemento--WPElemento Importer Missing Authorization vulnerability in wpelemento WPElemento Importer wpelemento-importer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPElemento Importer: from n/a through <= 0.6.4. 2026-02-03 not yet calculated CVE-2026-24996 https://patchstack.com/database/Wordpress/Plugin/wpelemento-importer/vulnerability/wordpress-wpelemento-importer-plugin-0-6-4-broken-access-control-vulnerability?_s_id=cve
 
Wired Impact--Wired Impact Volunteer Management Missing Authorization vulnerability in Wired Impact Wired Impact Volunteer Management wired-impact-volunteer-management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wired Impact Volunteer Management: from n/a through <= 2.8. 2026-02-03 not yet calculated CVE-2026-24997 https://patchstack.com/database/Wordpress/Plugin/wired-impact-volunteer-management/vulnerability/wordpress-wired-impact-volunteer-management-plugin-2-8-broken-access-control-vulnerability?_s_id=cve
 
WPMU DEV - Your All-in-One WordPress Platform--Hustle Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPMU DEV - Your All-in-One WordPress Platform Hustle wordpress-popup allows Retrieve Embedded Sensitive Data. This issue affects Hustle: from n/a through <= 7.8.9.2. 2026-02-03 not yet calculated CVE-2026-24998 https://patchstack.com/database/Wordpress/Plugin/wordpress-popup/vulnerability/wordpress-hustle-plugin-7-8-9-2-sensitive-data-exposure-vulnerability?_s_id=cve
 
ILLID--Share This Image Missing Authorization vulnerability in ILLID Share This Image share-this-image allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Share This Image: from n/a through <= 2.09. 2026-02-03 not yet calculated CVE-2026-25010 https://patchstack.com/database/Wordpress/Plugin/share-this-image/vulnerability/wordpress-share-this-image-plugin-2-09-broken-access-control-vulnerability?_s_id=cve
 
Northern Beaches Websites--WP Custom Admin Interface Missing Authorization vulnerability in Northern Beaches Websites WP Custom Admin Interface wp-custom-admin-interface allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Custom Admin Interface: from n/a through <= 7.41. 2026-02-03 not yet calculated CVE-2026-25011 https://patchstack.com/database/Wordpress/Plugin/wp-custom-admin-interface/vulnerability/wordpress-wp-custom-admin-interface-plugin-7-41-broken-access-control-vulnerability?_s_id=cve
 
gfazioli--WP Bannerize Pro Missing Authorization vulnerability in gfazioli WP Bannerize Pro wp-bannerize-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Bannerize Pro: from n/a through <= 1.11.0. 2026-02-03 not yet calculated CVE-2026-25012 https://patchstack.com/database/Wordpress/Plugin/wp-bannerize-pro/vulnerability/wordpress-wp-bannerize-pro-plugin-1-11-0-broken-access-control-vulnerability?_s_id=cve
 
themelooks--Enter Addons Cross-Site Request Forgery (CSRF) vulnerability in themelooks Enter Addons enteraddons allows Cross Site Request Forgery. This issue affects Enter Addons: from n/a through <= 2.3.2. 2026-02-03 not yet calculated CVE-2026-25014 https://patchstack.com/database/Wordpress/Plugin/enteraddons/vulnerability/wordpress-enter-addons-plugin-2-3-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Stiofan--UsersWP Cross-Site Request Forgery (CSRF) vulnerability in Stiofan UsersWP userswp allows Cross Site Request Forgery. This issue affects UsersWP: from n/a through <= 1.2.53. 2026-02-03 not yet calculated CVE-2026-25015 https://patchstack.com/database/Wordpress/Plugin/userswp/vulnerability/wordpress-userswp-plugin-1-2-53-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Nelio Software--Nelio Popups Missing Authorization vulnerability in Nelio Software Nelio Popups nelio-popups allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nelio Popups: from n/a through <= 1.3.5. 2026-02-03 not yet calculated CVE-2026-25016 https://patchstack.com/database/Wordpress/Plugin/nelio-popups/vulnerability/wordpress-nelio-popups-plugin-1-3-5-broken-access-control-vulnerability?_s_id=cve
 
Vito Peleg--Atarim Missing Authorization vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Atarim: from n/a through <= 4.3.1. 2026-02-03 not yet calculated CVE-2026-25019 https://patchstack.com/database/Wordpress/Plugin/atarim-visual-collaboration/vulnerability/wordpress-atarim-plugin-4-3-1-broken-access-control-vulnerability?_s_id=cve
 
WP connect--WP Sync for Notion Missing Authorization vulnerability in WP connect WP Sync for Notion wp-sync-for-notion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Sync for Notion: from n/a through <= 1.7.0. 2026-02-03 not yet calculated CVE-2026-25020 https://patchstack.com/database/Wordpress/Plugin/wp-sync-for-notion/vulnerability/wordpress-wp-sync-for-notion-plugin-1-7-0-broken-access-control-vulnerability?_s_id=cve
 
Mizan Themes--Mizan Demo Importer Missing Authorization vulnerability in Mizan Themes Mizan Demo Importer mizan-demo-importer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mizan Demo Importer: from n/a through <= 0.1.3. 2026-02-03 not yet calculated CVE-2026-25021 https://patchstack.com/database/Wordpress/Plugin/mizan-demo-importer/vulnerability/wordpress-mizan-demo-importer-plugin-0-1-3-broken-access-control-vulnerability?_s_id=cve
 
Iqonic Design--KiviCare Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Blind SQL Injection. This issue affects KiviCare: from n/a through <= 3.6.16. 2026-02-03 not yet calculated CVE-2026-25022 https://patchstack.com/database/Wordpress/Plugin/kivicare-clinic-management-system/vulnerability/wordpress-kivicare-plugin-3-6-16-sql-injection-vulnerability?_s_id=cve
 
mdedev--Run Contests, Raffles, and Giveaways with ContestsWP Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in mdedev Run Contests, Raffles, and Giveaways with ContestsWP contest-code-checker allows Retrieve Embedded Sensitive Data. This issue affects Run Contests, Raffles, and Giveaways with ContestsWP: from n/a through <= 2.0.7. 2026-02-03 not yet calculated CVE-2026-25023 https://patchstack.com/database/Wordpress/Plugin/contest-code-checker/vulnerability/wordpress-run-contests-raffles-and-giveaways-with-contestswp-plugin-2-0-7-sensitive-data-exposure-vulnerability?_s_id=cve
 
Blair Williams--ThirstyAffiliates Cross-Site Request Forgery (CSRF) vulnerability in Blair Williams ThirstyAffiliates thirstyaffiliates allows Cross Site Request Forgery. This issue affects ThirstyAffiliates: from n/a through <= 3.11.9. 2026-02-03 not yet calculated CVE-2026-25024 https://patchstack.com/database/Wordpress/Plugin/thirstyaffiliates/vulnerability/wordpress-thirstyaffiliates-plugin-3-11-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
ThemeMove--Unicamp Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Unicamp unicamp allows PHP Local File Inclusion. This issue affects Unicamp: from n/a through <= 2.7.1. 2026-02-03 not yet calculated CVE-2026-25027 https://patchstack.com/database/Wordpress/Theme/unicamp/vulnerability/wordpress-unicamp-theme-2-7-1-local-file-inclusion-vulnerability?_s_id=cve
 
Element Invader--ElementInvader Addons for Elementor Missing Authorization vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementInvader Addons for Elementor: from n/a through <= 1.4.1. 2026-02-03 not yet calculated CVE-2026-25028 https://patchstack.com/database/Wordpress/Plugin/elementinvader-addons-for-elementor/vulnerability/wordpress-elementinvader-addons-for-elementor-plugin-1-4-1-broken-access-control-vulnerability?_s_id=cve
 
WP Chill--Passster Missing Authorization vulnerability in WP Chill Passster content-protector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Passster: from n/a through <= 4.2.25. 2026-02-03 not yet calculated CVE-2026-25036 https://patchstack.com/database/Wordpress/Plugin/content-protector/vulnerability/wordpress-passster-plugin-4-2-25-broken-access-control-vulnerability?_s_id=cve
 
n8n-io--n8n n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. This issue has been patched in versions 1.123.17 and 2.5.2. 2026-02-04 not yet calculated CVE-2026-25049 https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8
https://github.com/n8n-io/n8n/commit/7860896909b3d42993a36297f053d2b0e633235d
https://github.com/n8n-io/n8n/commit/936c06cfc1ad269a89e8ef7f8ac79c104436d54b
 
n8n-io--n8n n8n is an open source workflow automation platform. Prior to version 1.123.2, a Cross-Site Scripting (XSS) vulnerability has been identified in the handling of webhook responses and related HTTP endpoints. Under certain conditions, the Content Security Policy (CSP) sandbox protection intended to isolate HTML responses may not be applied correctly. An authenticated user with permission to create or modify workflows could abuse this to execute malicious scripts with same-origin privileges when other users interact with the crafted workflow. This could lead to session hijacking and account takeover. This issue has been patched in version 1.123.2. 2026-02-04 not yet calculated CVE-2026-25051 https://github.com/n8n-io/n8n/security/advisories/GHSA-825q-w924-xhgx
https://github.com/n8n-io/n8n/commit/ced34c0f93ab4c759a56065965986094d8ef7323
https://github.com/n8n-io/n8n/commit/e8cf4d6bb3af94dc296cbb67bc3dd20e9b508ac9
 
n8n-io--n8n n8n is an open source workflow automation platform. Prior to versions 1.123.18 and 2.5.0, a vulnerability in the file access controls allows authenticated users with permission to create or modify workflows to read sensitive files from the n8n host system. This can be exploited to obtain critical configuration data and user credentials, leading to complete account takeover of any user on the instance. This issue has been patched in versions 1.123.18 and 2.5.0. 2026-02-04 not yet calculated CVE-2026-25052 https://github.com/n8n-io/n8n/security/advisories/GHSA-gfvg-qv54-r4pc
 
n8n-io--n8n n8n is an open source workflow automation platform. Prior to versions 1.123.10 and 2.5.0, vulnerabilities in the Git node allowed authenticated users with permission to create or modify workflows to execute arbitrary system commands or read arbitrary files on the n8n host. This issue has been patched in versions 1.123.10 and 2.5.0. 2026-02-04 not yet calculated CVE-2026-25053 https://github.com/n8n-io/n8n/security/advisories/GHSA-9g95-qf3f-ggrw
 
n8n-io--n8n n8n is an open source workflow automation platform. Prior to versions 1.123.9 and 2.2.1, a Cross-Site Scripting (XSS) vulnerability existed in a markdown rendering component used in n8n's interface, including workflow sticky notes and other areas that support markdown content. An authenticated user with permission to create or modify workflows could abuse this to execute scripts with same-origin privileges when other users interact with a maliciously crafted workflow. This could lead to session hijacking and account takeover. This issue has been patched in versions 1.123.9 and 2.2.1. 2026-02-04 not yet calculated CVE-2026-25054 https://github.com/n8n-io/n8n/security/advisories/GHSA-qpq4-pw7f-pp8w
 
n8n-io--n8n n8n is an open source workflow automation platform. Prior to versions 1.123.12 and 2.4.0, when workflows process uploaded files and transfer them to remote servers via the SSH node without validating their metadata the vulnerability can lead to files being written to unintended locations on those remote systems potentially leading to remote code execution on those systems. As a prerequisites an unauthenticated attacker needs knowledge of such workflows existing and the endpoints for file uploads need to be unauthenticated. This issue has been patched in versions 1.123.12 and 2.4.0. 2026-02-04 not yet calculated CVE-2026-25055 https://github.com/n8n-io/n8n/security/advisories/GHSA-m82q-59gv-mcr9
 
n8n-io--n8n n8n is an open source workflow automation platform. Prior to versions 1.118.0 and 2.4.0, a vulnerability in the Merge node's SQL Query mode allowed authenticated users with permission to create or modify workflows to write arbitrary files to the n8n server's filesystem potentially leading to remote code execution. This issue has been patched in versions 1.118.0 and 2.4.0. 2026-02-04 not yet calculated CVE-2026-25056 https://github.com/n8n-io/n8n/security/advisories/GHSA-hv53-3329-vmrm
 
n8n-io--n8n n8n is an open source workflow automation platform. Prior to version 2.4.8, a vulnerability in the Python Code node allows authenticated users to break out of the Python sandbox environment and execute code outside the intended security boundary. This issue has been patched in version 2.4.8. 2026-02-04 not yet calculated CVE-2026-25115 https://github.com/n8n-io/n8n/security/advisories/GHSA-8398-gmmx-564h
 
Intermesh--groupoffice Group-Office is an enterprise customer relationship management and groupware tool. Prior to 6.8.150, 25.0.82, and 26.0.5, the MaintenanceController exposes an action zipLanguage which takes a lang parameter and passes it directly to a system zip command via exec(). This can be combined with uploading a crafted zip file to achieve remote code execution. This vulnerability is fixed in 6.8.150, 25.0.82, and 26.0.5. 2026-02-02 not yet calculated CVE-2026-25134 https://github.com/Intermesh/groupoffice/security/advisories/GHSA-v39j-549w-8849
https://github.com/Intermesh/groupoffice/commit/d28490a6a29936db7888aa841ab8ade88800540b
 
RIOT-OS--RIOT RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In version 2025.10 and prior, multiple out-of-bounds read allow any unauthenticated user, with ability to send or manipulate input packets, to read adjacent memory locations, or crash a vulnerable device running the 6LoWPAN stack. The received packet is cast into a sixlowpan_sfr_rfrag_t struct and dereferenced without validating the packet is large enough to contain the struct object. At time of publication, no known patch exists. 2026-02-04 not yet calculated CVE-2026-25139 https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-c8fh-23qr-97mc
 
QwikDev--qwik Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a victim's browser in the context of the affected origin. This issue has been patched in version 1.19.0. 2026-02-03 not yet calculated CVE-2026-25148 https://github.com/QwikDev/qwik/security/advisories/GHSA-m6jq-g7gq-5w3c
https://github.com/QwikDev/qwik/commit/fe2d9232c0bcec99411d51a00dae29295871d094
 
QwikDev--qwik Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from the trusted domain but redirect the victim to an attacker-controlled site. This issue has been patched in version 1.19.0. 2026-02-03 not yet calculated CVE-2026-25149 https://github.com/QwikDev/qwik/security/advisories/GHSA-92j7-wgmg-f32m
https://github.com/QwikDev/qwik/commit/9959eab30a3ad9cc03689eaa080fcfbc33df71ed
 
web2py--web2py web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior contain an open redirect vulnerability. If this vulnerability is exploited, the user may be redirected to an arbitrary website when accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack. 2026-02-05 not yet calculated CVE-2026-25198 https://github.com/web2py/web2py/commit/b4e1ddbd6d40fb30863f6263a67bcdf411a0c6df
https://github.com/web2py/web2py/releases
https://web2py.com/
https://jvn.jp/en/jp/JVN46925341/
 
polarnl--PolarLearn PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, the OAuth 2.0 implementation for GitHub and Google login providers is vulnerable to Login Cross-Site Request Forgery (CSRF). The application fails to implement and verify the state parameter during the authentication flow. This allows an attacker to pre-authenticate a session and trick a victim into logging into the attacker's account. Any data the victim then enters or academic progress they make is stored on the attacker's account, leading to data loss for the victim and information disclosure to the attacker. 2026-02-02 not yet calculated CVE-2026-25221 https://github.com/polarnl/PolarLearn/security/advisories/GHSA-fhhm-574m-7rpw
https://github.com/polarnl/PolarLearn/commit/44669bbb5b647c7625f22dd82f3121c7d7bfbe19
 
polarnl--PolarLearn PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, a timing attack vulnerability in the sign-in process allows unauthenticated attackers to determine if a specific email address is registered on the platform. By measuring the response time of the login endpoint, an attacker can distinguish between valid and invalid email addresses. This occurs because the server only performs the computationally expensive Argon2 password hashing if the user exists in the database. Requests for existing users take significantly longer (~650ms) than requests for non-existent users (~160ms). 2026-02-02 not yet calculated CVE-2026-25222 https://github.com/polarnl/PolarLearn/security/advisories/GHSA-wcr9-mvr9-4qh5
https://github.com/polarnl/PolarLearn/commit/6c276855172c7310cce0df996cb47ffe0d886741
 
pear--pearweb PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, logic bug in the roadmap role check allows non-lead maintainers to create, update, or delete roadmaps. This issue has been patched in version 1.33.0. 2026-02-03 not yet calculated CVE-2026-25233 https://github.com/pear/pearweb/security/advisories/GHSA-p92v-9j73-fxx3
 
pear--pearweb PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in category deletion can allow an attacker with access to the category manager workflow to inject SQL via a category id. This issue has been patched in version 1.33.0. 2026-02-03 not yet calculated CVE-2026-25234 https://github.com/pear/pearweb/security/advisories/GHSA-q28j-3p7r-6722
 
pear--pearweb PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0. 2026-02-03 not yet calculated CVE-2026-25235 https://github.com/pear/pearweb/security/advisories/GHSA-477r-4cmw-3cgf
 
pear--pearweb PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection risk exists in karma queries due to unsafe literal substitution for an IN (...) list. This issue has been patched in version 1.33.0. 2026-02-03 not yet calculated CVE-2026-25236 https://github.com/pear/pearweb/security/advisories/GHSA-95mc-p966-c29f
 
pear--pearweb PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0. 2026-02-03 not yet calculated CVE-2026-25237 https://github.com/pear/pearweb/security/advisories/GHSA-vhw6-hqh9-8r23
 
pear--pearweb PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in bug subscription deletion may allow attackers to inject SQL via a crafted email value. This issue has been patched in version 1.33.0. 2026-02-03 not yet calculated CVE-2026-25238 https://github.com/pear/pearweb/security/advisories/GHSA-cv3c-27h5-7gmv
 
pear--pearweb PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in apidoc queue insertion can allow query manipulation if an attacker can influence the inserted filename value. This issue has been patched in version 1.33.0. 2026-02-03 not yet calculated CVE-2026-25239 https://github.com/pear/pearweb/security/advisories/GHSA-f9mg-x463-3vxg
 
pear--pearweb PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability can occur in user::maintains() when role filters are provided as an array and interpolated into an IN (...) clause. This issue has been patched in version 1.33.0. 2026-02-03 not yet calculated CVE-2026-25240 https://github.com/pear/pearweb/security/advisories/GHSA-xw9g-5gr2-c44f
 
pear--pearweb PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, an unauthenticated SQL injection in the /get/<package>/<version> endpoint allows remote attackers to execute arbitrary SQL via a crafted package version. This issue has been patched in version 1.33.0. 2026-02-03 not yet calculated CVE-2026-25241 https://github.com/pear/pearweb/security/advisories/GHSA-63fv-vpq5-gv8p
 
langroid--langroid Langroid is a framework for building large-language-model-powered applications. Prior to version 0.59.32, there is a bypass to the fix for CVE-2025-46724. TableChatAgent can call pandas_eval tool to evaluate the expression. There is a WAF in langroid/utils/pandas_utils.py introduced to block code injection CVE-2025-46724. However it can be bypassed due to _literal_ok() returning False instead of raising UnsafeCommandError on invalid input, combined with unrestricted access to dangerous dunder attributes (__init__, __globals__, __builtins__). This allows chaining whitelisted DataFrame methods to leak the eval builtin and execute arbitrary code. This issue has been patched in version 0.59.32. 2026-02-04 not yet calculated CVE-2026-25481 https://github.com/langroid/langroid/security/advisories/GHSA-x34r-63hx-w57f
https://github.com/langroid/langroid/security/advisories/GHSA-jqq5-wc57-f8hj
https://github.com/langroid/langroid/commit/30abbc1a854dee22fbd2f8b2f575dfdabdb603ea
 
craftcms--commerce Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2. 2026-02-03 not yet calculated CVE-2026-25482 https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j
https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65
https://github.com/craftcms/commerce/releases/tag/4.10.1
https://github.com/craftcms/commerce/releases/tag/5.5.2
 
craftcms--commerce Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce's Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2. 2026-02-03 not yet calculated CVE-2026-25483 https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5
https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c
https://github.com/craftcms/commerce/releases/tag/4.10.1
https://github.com/craftcms/commerce/releases/tag/5.5.2
 
craftcms--commerce Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2. 2026-02-03 not yet calculated CVE-2026-25484 https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c
https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c
https://github.com/craftcms/commerce/releases/tag/4.10.1
https://github.com/craftcms/commerce/releases/tag/5.5.2
 
craftcms--commerce Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Shipping Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. 2026-02-03 not yet calculated CVE-2026-25485 https://github.com/craftcms/commerce/security/advisories/GHSA-w8gw-qm8p-j9j3
https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
https://github.com/craftcms/commerce/releases/tag/4.10.1
https://github.com/craftcms/commerce/releases/tag/5.5.2
 
craftcms--commerce Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Shipping Methods Name field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in version 5.5.2. 2026-02-03 not yet calculated CVE-2026-25486 https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22
https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
https://github.com/craftcms/commerce/releases/tag/5.5.2
 
craftcms--commerce Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. 2026-02-03 not yet calculated CVE-2026-25487 https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh
https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
https://github.com/craftcms/commerce/releases/tag/4.10.1
https://github.com/craftcms/commerce/releases/tag/5.5.2
 
craftcms--commerce Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. 2026-02-03 not yet calculated CVE-2026-25488 https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8
https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
https://github.com/craftcms/commerce/releases/tag/4.10.1
https://github.com/craftcms/commerce/releases/tag/5.5.2
 
craftcms--commerce Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. 2026-02-03 not yet calculated CVE-2026-25489 https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc
https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
https://github.com/craftcms/commerce/releases/tag/4.10.1
https://github.com/craftcms/commerce/releases/tag/5.5.2
 
craftcms--commerce Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. 2026-02-03 not yet calculated CVE-2026-25490 https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf
https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
https://github.com/craftcms/commerce/releases/tag/4.10.1
https://github.com/craftcms/commerce/releases/tag/5.5.2
 
bpg--terraform-provider-proxmox Terraform / OpenTofu Provider adds support for Proxmox Virtual Environment. Prior to version 0.93.1, in the SSH configuration documentation, the sudoer line suggested is insecure and can result in escaping the folder using ../, allowing any files on the system to be edited. This issue has been patched in version 0.93.1. 2026-02-04 not yet calculated CVE-2026-25499 https://github.com/bpg/terraform-provider-proxmox/security/advisories/GHSA-gwch-7m8v-7544
https://github.com/bpg/terraform-provider-proxmox/commit/bd604c41a31e2a55dd6acc01b0608be3ea49c023
 
Intermesh--groupoffice Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, an authenticated user within the System Administrator group can trigger a full SSRF via the WOPI service discovery URL, including access to internal hosts/ports. The SSRF response body can be exfiltrated via the built‑in debug system, turning it into a visible SSRF. This also allows full server-side file read. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5. 2026-02-04 not yet calculated CVE-2026-25511 https://github.com/Intermesh/groupoffice/security/advisories/GHSA-r9v4-jm2r-r9pm
https://github.com/Intermesh/groupoffice/commit/5ac199dce758e1ce0d1cdb6905df5da3c2af42b3
 
Intermesh--groupoffice Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5. 2026-02-04 not yet calculated CVE-2026-25512 https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4
http://github.com/Intermesh/groupoffice/commit/6c612deca97a6cd2a1bd4feea0ce7e8e9d907792
 
NeoRazorX--facturascripts FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The vulnerability exists in the ModelClass::getOrderBy() method where user-supplied sorting parameters are directly concatenated into the SQL ORDER BY clause without validation or sanitization. This affects all API endpoints that support sorting functionality. This issue has been patched in version 2025.81. 2026-02-04 not yet calculated CVE-2026-25513 https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-cjfx-qhwm-hf99
https://github.com/NeoRazorX/facturascripts/commit/1b6cdfa9ee1bb3365ea4a4ad753452035a027605
 
NeoRazorX--facturascripts FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including user credentials, configuration settings, and all stored business data. The vulnerability exists in the CodeModel::all() method where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding. This issue has been patched in version 2025.81. 2026-02-04 not yet calculated CVE-2026-25514 https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pqqg-5f4f-8952
https://github.com/NeoRazorX/facturascripts/commit/5c070f82665b98efd2f914a4769c6dc9415f5b0f
 
wagtail--wagtail Wagtail is an open source content management system built on Django. Prior to versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3, due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3. 2026-02-04 not yet calculated CVE-2026-25517 https://github.com/wagtail/wagtail/security/advisories/GHSA-4qvv-g3vr-m348
https://github.com/wagtail/wagtail/commit/01fd3477365a193e6a8270311defb76e890d2719
https://github.com/wagtail/wagtail/commit/5f09b6da61e779b0e8499bdbba52bf2f7bd3241f
https://github.com/wagtail/wagtail/commit/73f070dbefbd3b39ea6649ce36bd2d2a6eef2190
https://github.com/wagtail/wagtail/commit/7dfe8de5f8b3f112c73c87b6729197db16454915
https://github.com/wagtail/wagtail/commit/dd824023a031f1b82a6b6f83a97a5c73391b7c03
 
locutusjs--locutus Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39. 2026-02-04 not yet calculated CVE-2026-25521 https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh
https://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c
 
craftcms--commerce Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Shipping Zone (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. 2026-02-03 not yet calculated CVE-2026-25522 https://github.com/craftcms/commerce/security/advisories/GHSA-h9r9-2pxg-cx9m
https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
https://github.com/craftcms/commerce/releases/tag/4.10.1
https://github.com/craftcms/commerce/releases/tag/5.5.2
 
agentfront--enclave Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.10.1, the existing layers of security in enclave-vm are insufficient: The AST sanitization can be bypassed with dynamic property accesses, the hardening of the error objects does not cover the peculiar behavior or the vm module and the function constructor access prevention can be side-stepped by leveraging host object references. This vulnerability is fixed in 2.10.1. 2026-02-06 not yet calculated CVE-2026-25533 https://github.com/agentfront/enclave/security/advisories/GHSA-x39w-8vm5-5m3p
https://github.com/agentfront/enclave/commit/2fcf5da81e7e2578ede6f94cae4f379165426dca
https://www.staicu.org/publications/usenixSec2023-SandDriller.pdf
 
Keats--jsonwebtoken jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim (such as nbf or exp) is provided with an incorrect JSON type (Like a String instead of a Number), the library's internal parsing mechanism marks the claim as "FailedToParse". Crucially, the validation logic treats this "FailedToParse" state identically to "NotPresent". This means that if a check is enabled (like: validate_nbf = true), but the claim is not explicitly marked as required in required_spec_claims, the library will skip the validation check entirely for the malformed claim, treating it as if it were not there. This allows attackers to bypass critical time-based security restrictions (like "Not Before" checks) and commit potential authentication and authorization bypasses. This issue has been patched in version 10.3.0. 2026-02-04 not yet calculated CVE-2026-25537 https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc
https://github.com/Keats/jsonwebtoken/commit/abbc3076742c4161347bc6b8bf4aa5eb86e1dc01
 
devtron-labs--devtron Devtron is an open source tool integration platform for Kubernetes. In version 2.0.0 and prior, a vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user (including low-privileged CI/CD Developers) to obtain the global API Token signing key by accessing the /orchestrator/attributes?key=apiTokenSecret endpoint. After obtaining the key, attackers can forge JWT tokens for arbitrary user identities offline, thereby gaining complete control over the Devtron platform and laterally moving to the underlying Kubernetes cluster. This issue has been patched via commit d2b0d26. 2026-02-04 not yet calculated CVE-2026-25538 https://github.com/devtron-labs/devtron/security/advisories/GHSA-8wpc-j9q9-j5m2
https://github.com/devtron-labs/devtron/commit/d2b0d260d858ab1354b73a8f50f7f078ca62706f
 
tokio-rs--bytes Bytes is a utility library for working with bytes. From version 1.2.1 to before 1.11.1, Bytes is vulnerable to integer overflow in BytesMut::reserve. In the unique reclaim path of BytesMut::reserve, if the condition "v_capacity >= new_cap + offset" uses an unchecked addition. When new_cap + offset overflows usize in release builds, this condition may incorrectly pass, causing self.cap to be set to a value that exceeds the actual allocated capacity. Subsequent APIs such as spare_capacity_mut() then trust this corrupted cap value and may create out-of-bounds slices, leading to UB. This behavior is observable in release builds (integer overflow wraps), whereas debug builds panic due to overflow checks. This issue has been patched in version 1.11.1. 2026-02-04 not yet calculated CVE-2026-25541 https://github.com/tokio-rs/bytes/security/advisories/GHSA-434x-w66g-qw3r
https://github.com/tokio-rs/bytes/commit/d0293b0e35838123c51ca5dfdf468ecafee4398f
https://github.com/tokio-rs/bytes/releases/tag/v1.11.1
https://rustsec.org/advisories/RUSTSEC-2026-0007.html
 
mganss--HtmlSanitizer HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. Prior to versions 9.0.892 and 9.1.893-beta, if the template tag is allowed, its contents are not sanitized. The template tag is a special tag that does not usually render its contents, unless the shadowrootmode attribute is set to open or closed. This issue has been patched in versions 9.0.892 and 9.1.893-beta. 2026-02-04 not yet calculated CVE-2026-25543 https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-j92c-7v7g-gj3f
https://github.com/mganss/HtmlSanitizer/commit/0ac53dca30ddad963f2b243669a5066933d82b81
https://www.nuget.org/packages/HtmlSanitizer/9.0.892
https://www.nuget.org/packages/HtmlSanitizer/9.1.893-beta
 
isaacs--brace-expansion @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1. 2026-02-04 not yet calculated CVE-2026-25547 https://github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2
 
Artifex Software--MuPDF MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes. 2026-02-06 not yet calculated CVE-2026-25556 https://bugs.ghostscript.com/show_bug.cgi?id=709029
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=d4743b6092d513321c23c6f7fe5cff87cde043c1
https://mupdf.com/
https://www.vulncheck.com/advisories/mupdf-barcode-decoding-double-free
 
WeKan--WeKan WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping, allowing an attacker to manipulate LDAP queries during authentication. 2026-02-07 not yet calculated CVE-2026-25560 https://github.com/wekan/wekan/commit/0b0e16c3eae28bbf453d33a81a9c58ce7db6d5bb
https://wekan.fi/
https://www.vulncheck.com/advisories/wekan-ldap-authentication-filter-injection
 
WeKan--WeKan WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided identifiers (such as boardId, cardId, swimlaneId, and listId) are consistent and refer to a coherent card/board relationship, enabling attempts to upload attachments with mismatched object relationships. 2026-02-07 not yet calculated CVE-2026-25561 https://github.com/wekan/wekan/commit/1d16955b6d4f0a0282e89c2c1b0415c7597019b8
https://wekan.fi/
https://www.vulncheck.com/advisories/wekan-attachment-upload-object-relationship-validation-bypass
 
WeKan--WeKan WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to unauthorized users. 2026-02-07 not yet calculated CVE-2026-25562 https://github.com/wekan/wekan/commit/6dfa3beb2b6ab23438d0f4395b84bf0749eb4820
https://wekan.fi/
https://www.vulncheck.com/advisories/wekan-attachments-publication-information-disclosure
 
WeKan--WeKan WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers. 2026-02-07 not yet calculated CVE-2026-25563 https://github.com/wekan/wekan/commit/5cd875813fdec5a3c40a0358b30a347967c85c14
https://wekan.fi/
https://www.vulncheck.com/advisories/wekan-checklist-creation-cross-board-idor
 
WeKan--WeKan WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers. 2026-02-07 not yet calculated CVE-2026-25564 https://github.com/wekan/wekan/commit/08a6f084eba09487743a7c807fb4a9000fcfa9ac
https://wekan.fi/
https://www.vulncheck.com/advisories/wekan-checklist-deletion-idor-via-missing-relationship-validation
 
WeKan--WeKan WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access. 2026-02-07 not yet calculated CVE-2026-25565 https://github.com/wekan/wekan/commit/181f837d8cbae96bdf9dcbd31beaa3653c2c0285
https://wekan.fi/
https://www.vulncheck.com/advisories/wekan-read-only-board-roles-can-update-cards
 
WeKan--WeKan WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially enabling unauthorized cross-board moves. 2026-02-07 not yet calculated CVE-2026-25566 https://github.com/wekan/wekan/commit/198509e7600981400353aec6259247b3c04e043e
https://wekan.fi/
https://www.vulncheck.com/advisories/wekan-cross-board-card-move-without-destination-authorization
 
WeKan--WeKan WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier. 2026-02-07 not yet calculated CVE-2026-25567 https://github.com/wekan/wekan/commit/67cb47173c1a152d9eaf5469740992b2dacdf62d
https://wekan.fi/
https://www.vulncheck.com/advisories/wekan-card-comment-author-spoofing-via-user-controlled-authorid
 
WeKan--WeKan WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement. 2026-02-07 not yet calculated CVE-2026-25568 https://github.com/wekan/wekan/commit/7ed76c180ede46ab1dac6b8ad27e9128a272c2c8
https://wekan.fi/
https://www.vulncheck.com/advisories/wekan-allowprivateonly-setting-enforcement-bypass
 
TUM-Dev--NavigaTUM NavigaTUM is a website and API to search for rooms, buildings and other places. Prior to commit 86f34c7, there is a path traversal vulnerability in the propose_edits endpoint allows unauthenticated users to overwrite files in directories writable by the application user (e.g., /cdn). By supplying unsanitized file keys containing traversal sequences (e.g., ../../) in the JSON payload, an attacker can escape the intended temporary directory and replace public facing images or fill the server's storage. This issue has been patched via commit 86f34c7. 2026-02-04 not yet calculated CVE-2026-25575 https://github.com/TUM-Dev/NavigaTUM/security/advisories/GHSA-59hj-f48w-hjfm
https://github.com/TUM-Dev/NavigaTUM/pull/2650
https://github.com/TUM-Dev/NavigaTUM/commit/86f34c72886a59ec8f1e6c00f78a5ab889a70fd0
 
navidrome--navidrome Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/<token>). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage. If the system has sufficient memory and survives the allocation, Navidrome then writes these extremely large resized images into its cache directory, allowing an attacker to rapidly exhaust server disk space as well. This issue has been patched in version 0.60.0. 2026-02-04 not yet calculated CVE-2026-25579 https://github.com/navidrome/navidrome/security/advisories/GHSA-hrr4-3wgr-68x3
https://github.com/navidrome/navidrome/releases/tag/v0.60.0
 
n8n-io--n8n n8n is an open source workflow automation platform. Prior to 1.121.0, there is a vulnerability in the HTTP Request node's credential domain validation allowed an authenticated attacker to send requests with credentials to unintended domains, potentially leading to credential exfiltration. This only might affect user who have credentials that use wildcard domain patterns (e.g., *.example.com) in the "Allowed domains" setting. This issue is fixed in version 1.121.0 and later. 2026-02-06 not yet calculated CVE-2026-25631 https://github.com/n8n-io/n8n/security/advisories/GHSA-2xcx-75h9-vr9h
 
smn2gnt--MCP-Salesforce MCP Salesforce Connector is a Model Context Protocol (MCP) server implementation for Salesforce integration. Prior to 0.1.10, arbitrary attribute access leads to disclosure of Salesforce auth token. This vulnerability is fixed in 0.1.10. 2026-02-06 not yet calculated CVE-2026-25650 https://github.com/smn2gnt/MCP-Salesforce/security/advisories/GHSA-vf6j-c56p-cq58
https://github.com/smn2gnt/MCP-Salesforce/commit/a1e3a5a786f48508d066b6d40b58201ebf9b7fd6
https://github.com/smn2gnt/MCP-Salesforce/releases/tag/v0.1.10
 
anthropics--claude-code Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive directories like .claude, it was possible to bypass write protection and create or modify files without user confirmation. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.57. 2026-02-06 not yet calculated CVE-2026-25722 https://github.com/anthropics/claude-code/security/advisories/GHSA-66q4-vfjg-2qhh
 
anthropics--claude-code Claude Code is an agentic coding tool. Prior to version 2.0.55, Claude Code failed to properly validate commands using piped sed operations with the echo command, allowing attackers to bypass file write restrictions. This vulnerability enabled writing to sensitive directories like the .claude folder and paths outside the project scope. Exploiting this required the ability to execute commands through Claude Code with the "accept edits" feature enabled. This issue has been patched in version 2.0.55. 2026-02-06 not yet calculated CVE-2026-25723 https://github.com/anthropics/claude-code/security/advisories/GHSA-mhg7-666j-cqg4
 
anthropics--claude-code Claude Code is an agentic coding tool. Prior to version 2.1.7, Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude Code had access to a symbolic link pointing to that file, it was possible for Claude Code to read the restricted file through the symlink without triggering deny rule enforcement. This issue has been patched in version 2.1.7. 2026-02-06 not yet calculated CVE-2026-25724 https://github.com/anthropics/claude-code/security/advisories/GHSA-4q92-rfm6-2cqx
 
anthropics--claude-code Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2. 2026-02-06 not yet calculated CVE-2026-25725 https://github.com/anthropics/claude-code/security/advisories/GHSA-ff64-7w26-62rf
 
time-rs--time time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack. 2026-02-06 not yet calculated CVE-2026-25727 https://github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc
https://github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841ee
https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05
https://github.com/time-rs/time/releases/tag/v0.3.47
 
lintsinghua--DeepAudit DeepAudit is a multi-agent system for code vulnerability discovery. In 3.0.4 and earlier, there is an improper access control vulnerability in the /api/v1/users/ endpoint allows any authenticated user to enumerate all users in the system and retrieve sensitive information including email addresses, phone numbers, full names, and role information. 2026-02-06 not yet calculated CVE-2026-25729 https://github.com/lintsinghua/DeepAudit/security/advisories/GHSA-vmmm-48w2-q56q
https://github.com/lintsinghua/DeepAudit/commit/b2a3b26579d3fdbab5236ae12ed67ae2313175fd
 
frangoteam--FUXA FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An information disclosure vulnerability in FUXA allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials. Exploitation allows an unauthenticated, remote attacker to obtain the full system configuration, including administrative credentials for the InfluxDB database. Possession of these credentials may allow an attacker to authenticate directly to the database service, enabling them to read, modify, or delete all historical process data, or perform a Denial of Service by corrupting the database. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10. 2026-02-06 not yet calculated CVE-2026-25751 https://github.com/frangoteam/FUXA/security/advisories/GHSA-c5gq-4h56-4mmx
https://github.com/frangoteam/FUXA/releases/tag/v1.2.10
 
frangoteam--FUXA FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets. Exploitation allows an unauthenticated, remote attacker to bypass role-based access controls and overwrite arbitrary device tags or disable communication drivers, exposing connected ICS/SCADA environments to follow-on actions. This may allow an attacker to manipulate physical processes and disconnected devices from the HMI. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10. 2026-02-06 not yet calculated CVE-2026-25752 https://github.com/frangoteam/FUXA/security/advisories/GHSA-ggxw-g3cp-mgf8
https://github.com/frangoteam/FUXA/releases/tag/v1.2.10
 
Praskla-Technology--assessment-placipy PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application uses a hard-coded, static default password for all newly created student accounts. This results in mass account takeover, allowing any attacker to log in as any student once the password is known. 2026-02-06 not yet calculated CVE-2026-25753 https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-6537-cf56-j9w2
 
spree--spree Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2. 2026-02-06 not yet calculated CVE-2026-25757 https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9
https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab
https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be
https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d
https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad
https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14
https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8
https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45
 
spree--spree Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions. This vulnerability is fixed in 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2. 2026-02-06 not yet calculated CVE-2026-25758 https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6
https://github.com/spree/spree/commit/15619618e43b367617ec8d2d4aafc5e54fa7b734
https://github.com/spree/spree/commit/29282d1565ba4f7bc2bbc47d550e2c0c6d0ae59f
https://github.com/spree/spree/commit/6650f96356faa0d16c05bcb516f1ffd5641741b8
https://github.com/spree/spree/commit/902d301ac83fd2047db1b9a3a99545162860f748
https://github.com/spree/spree/commit/ff7cfcfcfe0c40c60d03317e1d0ee361c6a6b054
https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L16-L38
https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/checkout.rb#L241-L254
https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/services/spree/checkout/update.rb#L33-L48
https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/lib/spree/permitted_attributes.rb#L92-L96
 
opf--openproject OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject's repository changes endpoint (/projects/:project_id/repository/changes) when rendering the "latest changes" view via git log. By supplying a specially crafted rev value (for example, rev=--output=/tmp/poc.txt), an attacker can inject git log command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the :browse_repository permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git log output, but by crafting custom commits the attacker can still upload valid shell scripts, ultimately leading to RCE. The RCE lets the attacker create a reverse shell to the target host and view confidential files outside of OpenProject, such as /etc/passwd. This issue has been patched in versions 16.6.7 and 17.0.3. 2026-02-06 not yet calculated CVE-2026-25763 https://github.com/opf/openproject/security/advisories/GHSA-x37c-hcg5-r5m7
https://github.com/opf/openproject/releases/tag/v16.6.7
https://github.com/opf/openproject/releases/tag/v17.0.3
 
slackhq--nebula Nebula is a scalable overlay networking tool. In versions from 1.7.0 to 1.10.2, when using P256 certificates (which is not the default configuration), it is possible to evade a blocklist entry created against the fingerprint of a certificate by using ECDSA Signature Malleability to use a copy of the certificate with a different fingerprint. This issue has been patched in version 1.10.3. 2026-02-06 not yet calculated CVE-2026-25793 https://github.com/slackhq/nebula/security/advisories/GHSA-69x3-g4r3-p962
https://github.com/slackhq/nebula/commit/f573e8a26695278f9d71587390fbfe0d0933aa21
 
antrea-io--antrea Antrea is a Kubernetes networking solution intended to be Kubernetes native. Prior to versions 2.3.2 and 2.4.3, Antrea's network policy priority assignment system has a uint16 arithmetic overflow bug that causes incorrect OpenFlow priority calculations when handling a large numbers of policies with various priority values. This results in potentially incorrect traffic enforcement. This issue has been patched in versions 2.4.3. 2026-02-06 not yet calculated CVE-2026-25804 https://github.com/antrea-io/antrea/security/advisories/GHSA-86x4-wp9f-wrr9
https://github.com/antrea-io/antrea/pull/7496
https://github.com/antrea-io/antrea/commit/86c4b6010f3be536866f339b632621c23d7186fa
 
Shenzhen Tenda Technology--Tenda G300-F Tenda G300-F router firmware versio 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process. 2026-02-07 not yet calculated CVE-2026-25857 https://blog.evan.lat/blog/cve-2026-25857/
https://www.tendacn.com/material/show/736333682028613
https://www.vulncheck.com/advisories/tenda-g300-f-command-injection-via-formsetwandiag
 
macrozheng--mall macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim's telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number. 2026-02-07 not yet calculated CVE-2026-25858 https://github.com/macrozheng/mall/issues/946
https://www.macrozheng.com/
https://www.vulncheck.com/advisories/macrozheng-mall-unauthenticated-password-reset-via-otp-disclosure
 
WeKan--WeKan Wekan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission checks, potentially resulting in unauthorized migration operations. 2026-02-07 not yet calculated CVE-2026-25859 https://github.com/wekan/wekan/commit/cbb1cd78de3e40264a5e047ace0ce27f8635b4e6
https://wekan.fi/
https://www.vulncheck.com/advisories/wekan-migration-functionality-insufficient-permission-checks
 

Back to top

Vulnerability Summary for the Week of January 26, 2026
Posted on Monday February 02, 2026

High Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
10-Strike Software--Bandwidth Monitor 10-Strike Bandwidth Monitor 3.9 contains a buffer overflow vulnerability that allows attackers to bypass SafeSEH, ASLR, and DEP protections through carefully crafted input. Attackers can exploit the vulnerability by sending a malicious payload to the application's registration key input, enabling remote code execution and launching arbitrary system commands. 2026-01-30 9.8 CVE-2020-37043 ExploitDB-48570
Product Webpage
VulnCheck Advisory: 10-Strike Bandwidth Monitor 3.9 - Buffer Overflow
 
10-Strike Software--Network Inventory Explorer 10-Strike Network Inventory Explorer 8.65 contains a buffer overflow vulnerability in exception handling that allows remote attackers to execute arbitrary code. Attackers can craft a malicious file with 209 bytes of padding and a specially constructed Structured Exception Handler to trigger code execution. 2026-01-28 9.8 CVE-2020-36961 ExploitDB-49134
10-Strike Network Inventory Explorer Vendor Homepage
VulnCheck Advisory: 10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)
 
10-Strike--Bandwidth Monitor 10-Strike Bandwidth Monitor 3.9 contains an unquoted service path vulnerability in multiple services that allows local attackers to escalate privileges. Attackers can place a malicious executable in specific file path locations to achieve privilege escalation to SYSTEM during service startup. 2026-01-29 7.8 CVE-2020-37021 ExploitDB-48591
Vendor Homepage
VulnCheck Advisory: Bandwidth Monitor 3.9 - 'Svc10StrikeBandMontitor' Unquoted Service Path
 
Acer--Global Registration Service Acer Global Registration Service 1.0.0.3 contains an unquoted service path vulnerability in its service configuration that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\Acer\Registration\ to inject malicious executables that would run with elevated LocalSystem privileges during service startup. 2026-01-27 7.8 CVE-2020-36976 ExploitDB-49142
Acer Official Homepage
VulnCheck Advisory: Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path
 
Ajenti Project--Ajenti Ajenti 2.1.36 contains an authentication bypass vulnerability that allows remote attackers to execute arbitrary commands after successful login. Attackers can leverage the /api/terminal/create endpoint to send a netcat reverse shell payload targeting a specified IP and port. 2026-01-29 9.8 CVE-2020-37002 ExploitDB-48929
Ajenti GitHub Repository
VulnCheck Advisory: Ajenti 2.1.36 - Remote Code Execution
 
Akn Software Computer Import Export Industry and Trade Ltd.--QR Menu Improper Access Control vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Authentication Abuse. This issue affects QR Menu: before s1.05.12. 2026-01-29 8 CVE-2025-7016 https://www.usom.gov.tr/bildirim/tr-26-0006
 
aliasrobotics--cai Cybersecurity AI (CAI) is a framework for AI Security. In versions up to and including 0.5.10, the CAI (Cybersecurity AI) framework contains multiple argument injection vulnerabilities in its function tools. User-controlled input is passed directly to shell commands via `subprocess.Popen()` with `shell=True`, allowing attackers to execute arbitrary commands on the host system. The `find_file()` tool executes without requiring user approval because find is considered a "safe" pre-approved command. This means an attacker can achieve Remote Code Execution (RCE) by injecting malicious arguments (like -exec) into the args parameter, completely bypassing any human-in-the-loop safety mechanisms. Commit e22a1220f764e2d7cf9da6d6144926f53ca01cde contains a fix. 2026-01-30 9.7 CVE-2026-25130 https://github.com/aliasrobotics/cai/security/advisories/GHSA-jfpc-wj3m-qw2m
https://github.com/aliasrobotics/cai/commit/e22a1220f764e2d7cf9da6d6144926f53ca01cde
https://github.com/aliasrobotics/cai/blob/559de8fcbc2b44f3b0360f35ffdc2bb975e7d7e4/src/cai/tools/reconnaissance/filesystem.py#L60
 
amitkolloldey--e-learning PHP Script e-Learning PHP Script 0.1.0 contains a SQL injection vulnerability in the search functionality that allows attackers to manipulate database queries through unvalidated user input. Attackers can inject malicious SQL code in the 'search' parameter to potentially extract, modify, or access sensitive database information. 2026-01-30 8.2 CVE-2020-37035 ExploitDB-48629
Vendor Homepage
VulnCheck Advisory: e-learning Php Script 0.1.0 - 'search' SQL Injection
 
ammarfaizi2--Tea LaTex Tea LaTex 1.0 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary shell commands through the /api.php endpoint. Attackers can craft a malicious LaTeX payload with shell commands that are executed when processed by the application's tex2png API action. 2026-01-29 9.8 CVE-2020-37012 ExploitDB-48805
Vendor Homepage
VulnCheck Advisory: Tea LaTex 1.0 - Remote Code Execution
 
Andrea Electronics--Andrea ST Filters Service Andrea ST Filters Service 1.0.64.7 contains an unquoted service path vulnerability in its Windows service configuration. Local attackers can exploit the unquoted path to inject malicious code that will execute with elevated LocalSystem privileges during service startup. 2026-01-30 7.8 CVE-2020-37058 ExploitDB-48396
Andrea Electronics Official Homepage
VulnCheck Advisory: Andrea ST Filters Service 1.0.64.7 - Unquoted service path
 
Arcadia Technology, LLC--Crafty Controller An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal. 2026-01-30 9.9 CVE-2026-0963 GitLab Issue #660
 
Arcadia Technology, LLC--Crafty Controller An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal. 2026-01-30 8.2 CVE-2026-0805 GitLab Issue #650
 
asc Applied Software Consultants, s.r.o.--asc Timetables aSc TimeTables 2021.6.2 contains a denial of service vulnerability that allows attackers to crash the application by overwriting subject title fields with excessive data. Attackers can generate a 10,000-character buffer and paste it into the subject title to trigger application instability and potential crash. 2026-01-28 7.5 CVE-2020-36943 ExploitDB-49147
Vendor Homepage
Software Download Page
VulnCheck Advisory: aSc TimeTables 2021.6.2 - Denial of Service
 
Ashkon Software--Simple Startup Manager Simple Startup Manager 1.17 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting memory through the 'File' input parameter. Attackers can craft a malicious payload with 268 bytes to trigger code execution, bypassing DEP and overwriting memory addresses to launch calc.exe. 2026-01-30 8.4 CVE-2020-37031 ExploitDB-48678
Product Webpage
VulnCheck Advisory: Simple Startup Manager 1.17 - 'File' Local Buffer Overflow
 
Atheros--Coex Service Application Atheros Coex Service Application 8.0.0.255 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path by placing malicious executables in the service path to gain elevated system privileges during service startup. 2026-01-27 7.8 CVE-2020-36979 ExploitDB-49053
Vendor Homepage
Software Download Link
VulnCheck Advisory: Atheros Coex Service Application 8.0.0.255 -'ZAtheros Bt&Wlan Coex Agent' Unquoted Service Path
 
avalanche123--Cassandra Web Cassandra Web 0.5.0 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating path traversal parameters. Attackers can exploit the disabled Rack::Protection module to read sensitive system files like /etc/passwd and retrieve Apache Cassandra database credentials. 2026-01-27 7.5 CVE-2020-36939 ExploitDB-49362
Cassandra Web GitHub Repository
Cassandra Web RubyGems Package
VulnCheck Advisory: Cassandra Web 0.5.0 - Remote File Read
 
Avast--AVAST SecureLine Avast SecureLine 5.5.522.0 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem account permissions during service startup. 2026-02-01 7.8 CVE-2020-37037 ExploitDB-48249
Avast Official Homepage
VulnCheck Advisory: AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path
 
backstage--backstage Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is configured with `runIn: local`, a malicious actor who can submit or modify a repository's `mkdocs.yml` file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. @backstage/plugin-techdocs-node versions 1.13.11 and 1.14.1 contain a fix. The fix introduces an allowlist of supported MkDocs configuration keys. Unsupported configuration keys (including `hooks`) are now removed from `mkdocs.yml` before running the generator, with a warning logged to indicate which keys were removed. Users of `@techdocs/cli` should also upgrade to the latest version, which includes the fixed `@backstage/plugin-techdocs-node` dependency. Some workarounds are available. Configure TechDocs with `runIn: docker` instead of `runIn: local` to provide container isolation, though it does not fully mitigate the risk. Limit who can modify `mkdocs.yml` files in repositories that TechDocs processes; only allow trusted contributors. Implement PR review requirements for changes to `mkdocs.yml` files to detect malicious `hooks` configurations before they are merged. Use MkDocs < 1.4.0 (e.g., 1.3.1) which does not support hooks. Note: This may limit access to newer MkDocs features. Building documentation in CI/CD pipelines using `@techdocs/cli` does not mitigate this vulnerability, as the CLI uses the same vulnerable `@backstage/plugin-techdocs-node` package. 2026-01-30 7.7 CVE-2026-25153 https://github.com/backstage/backstage/security/advisories/GHSA-6jr7-99pf-8vgf
 
Barcode-Ocr--BarcodeOCR BarcodeOCR 19.3.6 contains an unquoted service path vulnerability that allows local attackers to execute code with elevated privileges during system startup. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will run with LocalSystem privileges. 2026-01-29 7.8 CVE-2020-37016 ExploitDB-48740
BarcodeOCR Official Homepage
VulnCheck Advisory: BarcodeOCR 19.3.6 - 'BarcodeOCR' Unquoted Service Path
 
BearshareOfficial--BearShare Lite BearShare Lite 5.2.5 contains a buffer overflow vulnerability in the Advanced Search keywords input that allows attackers to execute arbitrary code. Attackers can craft a specially designed payload to overwrite the EIP register and execute shellcode by pasting malicious content into the search keywords field. 2026-01-29 9.8 CVE-2020-37010 ExploitDB-48839
Official BearShare Homepage
BearShare Lite 5.2.5 Download Page
VulnCheck Advisory: BearShare Lite 5.2.5 - 'Advanced Search'Buffer Overflow in (PoC)
 
Beckhoff Automation--Beckhoff.Device.Manager.XAR A low privileged remote attacker can execute arbitrary code by sending specially crafted calls to the web service of the Device Manager or locally via an API and can cause integer overflows which then may lead to arbitrary code execution within privileged processes. 2026-01-27 8.8 CVE-2025-41726 https://certvde.com/de/advisories/VDE-2025-092
 
Beckhoff Automation--Beckhoff.Device.Manager.XAR A local low privileged attacker can bypass the authentication of the Device Manager user interface, allowing them to perform privileged operations and gain administrator access. 2026-01-27 7.8 CVE-2025-41727 https://certvde.com/de/advisories/VDE-2025-092
 
bentoml--BentoML BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to version 1.4.34, BentoML's `bentofile.yaml` configuration allows path traversal attacks through multiple file path fields (`description`, `docker.setup_script`, `docker.dockerfile_template`, `conda.environment_yml`). An attacker can craft a malicious bentofile that, when built by a victim, exfiltrates arbitrary files from the filesystem into the bento archive. This enables supply chain attacks where sensitive files (SSH keys, credentials, environment variables) are silently embedded in bentos and exposed when pushed to registries or deployed. Version 1.4.34 contains a patch for the issue. 2026-01-26 7.4 CVE-2026-24123 https://github.com/bentoml/BentoML/security/advisories/GHSA-6r62-w2q3-48hf
https://github.com/bentoml/BentoML/commit/84d08cfeb40c5f2ce71b3d3444bbaa0fb16b5ca4
https://github.com/bentoml/BentoML/releases/tag/v1.4.34
 
bloompixel--TableMaster for Elementor Advanced Responsive Tables for Elementor The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be fetched when importing CSV data from a URL in the Data Table widget. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations, including localhost and internal network services, and read sensitive files such as wp-config.php via the 'csv_url' parameter. 2026-01-28 7.2 CVE-2025-14610 https://www.wordfence.com/threat-intel/vulnerabilities/id/ef07d6b0-ccdb-4b33-817f-6d4b3ad96243?source=cve
https://plugins.trac.wordpress.org/browser/tablemaster-for-elementor/trunk/modules/data-table/widgets/data-table.php#L446
https://plugins.trac.wordpress.org/browser/tablemaster-for-elementor/tags/1.3.6/modules/data-table/widgets/data-table.php#L446
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442158%40tablemaster-for-elementor&new=3442158%40tablemaster-for-elementor&sfp_email=&sfph_mail=
 
Broadcom--Symantec Web Security Services Agent WSS Agent, prior to 9.8.5, may be susceptible to a Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user. 2026-01-28 7 CVE-2025-13917 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36778
 
C4illin--ConvertX ConvertXis a self-hosted online file converter. In versions prior to 0.17.0, the `POST /delete` endpoint uses a user-controlled `filename` value to construct a filesystem path and deletes it via `unlink` without sufficient validation. By supplying path traversal sequences (e.g., `../`), an attacker can delete arbitrary files outside the intended uploads directory, limited only by the permissions of the server process. Version 0.17.0 fixes the issue. 2026-01-27 8.1 CVE-2026-24741 https://github.com/C4illin/ConvertX/security/advisories/GHSA-w372-w6cr-45jp
https://github.com/C4illin/ConvertX/commit/7a936bdc0463936463616381ca257b13babc5e77
 
ChurchCRM--CRM ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6.7.2 contains a patch for the issue. 2026-01-30 8.8 CVE-2026-24854 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p3q7-q68q-h2gr
http://github.com/ChurchCRM/CRM/commit/748f5084fc06c5e12463dc7fdd62d1d31fc08d38
 
Cleanersoft Software--Free MP3 CD Ripper Free MP3 CD Ripper 2.8 contains a stack buffer overflow vulnerability that allows remote attackers to execute arbitrary code by crafting a malicious WAV file with oversized payload. Attackers can leverage a specially crafted exploit file with shellcode, SEH bypass, and egghunter technique to achieve remote code execution on vulnerable Windows systems. 2026-01-29 9.8 CVE-2020-37000 ExploitDB-48696
Vendor Homepage
VulnCheck Advisory: Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter)
 
code-projects--Online Examination System A vulnerability was found in code-projects Online Examination System 1.0. Affected by this vulnerability is an unknown functionality of the file /index.php of the component Login Page. Performing a manipulation of the argument User results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. 2026-01-26 7.3 CVE-2026-1422 VDB-342838 | code-projects Online Examination System Login Page index.php sql injection
VDB-342838 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #736606 | code-projects Online Examination System 1 SQL Injection
https://github.com/geo-chen/code-projects/blob/main/Online%20Examination%20System%20In%20PHP%20With%20Source%20Code.md#finding-2-sql-injection-on-login-page
https://code-projects.org/
 
code-projects--Online Music Site A flaw has been found in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /Administrator/PHP/AdminDeleteUser.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. 2026-01-26 7.3 CVE-2026-1443 VDB-342872 | code-projects Online Music Site AdminDeleteUser.php sql injection
VDB-342872 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #736967 | code-projects Online Music Site V1.0 SQL Injection
https://github.com/Volije/cve/issues/1
https://code-projects.org/
 
code-projects--Online Music Site A weakness has been identified in code-projects Online Music Site 1.0. This affects an unknown function of the file /Administrator/PHP/AdminEditUser.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. 2026-01-28 7.3 CVE-2026-1534 VDB-343220 | code-projects Online Music Site AdminEditUser.php sql injection
VDB-343220 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #738705 | Code-Projects ONLINE MUSIC SITE V1.0 SQL injection
https://github.com/yuji0903/silver-guide/issues/3
https://code-projects.org/
 
code-projects--Online Music Site A security vulnerability has been detected in code-projects Online Music Site 1.0. This impacts an unknown function of the file /Administrator/PHP/AdminReply.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. 2026-01-28 7.3 CVE-2026-1535 VDB-343221 | code-projects Online Music Site AdminReply.php sql injection
VDB-343221 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #738706 | Code-Projects ONLINE MUSIC SITE V1.0 SQL injection
https://github.com/yuji0903/silver-guide/issues/4
https://code-projects.org/
 
Code::Blocks--Code::Blocks Code Blocks 17.12 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by crafting a malicious file name with Unicode characters. Attackers can trigger the vulnerability by pasting a specially crafted payload into the file name field during project creation, potentially executing system commands like calc.exe. 2026-01-30 8.4 CVE-2020-37040 ExploitDB-48594
Code Blocks Official Website
Code Blocks SourceForge Page
VulnCheck Advisory: Code Blocks 17.12 - 'File Name' Local Buffer Overflow
 
Code::Blocks--Code::Blocks Code Blocks 20.03 contains a denial of service vulnerability that allows attackers to crash the application by manipulating input in the FSymbols search field. Attackers can paste a large payload of 5000 repeated characters into the search field to trigger an application crash. 2026-01-30 7.5 CVE-2020-37038 ExploitDB-48617
Code Blocks Official Homepage
Code Blocks SourceForge Page
VulnCheck Advisory: Code Blocks 20.03 - Denial Of Service
 
codexcube--Ultimate Project Manager CRM PRO Ultimate Project Manager CRM PRO 2.0.5 contains a blind SQL injection vulnerability that allows attackers to extract usernames and password hashes from the tbl_users database table. Attackers can exploit the /frontend/get_article_suggestion/ endpoint by crafting malicious search parameters to progressively guess and retrieve user credentials through boolean-based inference techniques. 2026-01-29 8.2 CVE-2020-37004 ExploitDB-48912
Ultimate Project Manager CRM PRO Vendor Homepage
VulnCheck Advisory: Ultimate Project Manager CRM PRO 2.0.5 - SQLi Credentials Leakage
 
Codriapp Innovation and Software Technologies Inc.--HeyGarson Generation of Error Message Containing Sensitive Information vulnerability in Codriapp Innovation and Software Technologies Inc. HeyGarson allows Fuzzing for application mapping. This issue affects HeyGarson: through 30012026. NOTE: The vendor was contacted several times to verifying fixing process but did not respond in any way. 2026-01-30 8.2 CVE-2025-1395 https://www.usom.gov.tr/bildirim/tr-26-0009
 
crm-now GmbH--berliCRM berliCRM 1.0.24 contains a SQL injection vulnerability in the 'src_record' parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through a crafted POST request to the index.php endpoint to potentially extract or modify database information. 2026-01-29 8.2 CVE-2020-37006 ExploitDB-48872
Vendor Homepage
VulnCheck Advisory: berliCRM 1.0.24 - 'src_record' SQL Injection
 
Crystal Shard--http-protection Crystal Shard http-protection 0.2.0 contains an IP spoofing vulnerability that allows attackers to bypass protection middleware by manipulating request headers. Attackers can hardcode consistent IP values across X-Forwarded-For, X-Client-IP, and X-Real-IP headers to circumvent security checks and gain unauthorized access. 2026-01-30 9.8 CVE-2020-37056 ExploitDB-48533
HTTP Protection Crystal Shard Repository
VulnCheck Advisory: Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass
 
D-Link--DIR-615 A vulnerability was detected in D-Link DIR-615 up to 4.10. This impacts an unknown function of the file /wiz_policy_3_machine.php of the component Web Management Interface. Performing a manipulation of the argument ipaddr results in os command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. 2026-01-26 7.2 CVE-2026-1448 VDB-342880 | D-Link DIR-615 Web Management wiz_policy_3_machine.php os command injection
VDB-342880 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #737006 | Dlink DIR615 Firmware v4.10 and earlier (DIR-615 Rev D) OS Command Injection
https://pentagonal-time-3a7.notion.site/DIR-615-v4-10-2e7e5dd4c5a580a5aac5c8ce35933396?pvs=73
https://www.dlink.com/
 
D-Link--DIR-615 A vulnerability was found in D-Link DIR-615 4.10. This issue affects some unknown processing of the file /set_temp_nodes.php of the component URL Filter. The manipulation results in os command injection. The attack can be executed remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. 2026-01-28 7.2 CVE-2026-1505 VDB-343117 | D-Link DIR-615 URL Filter set_temp_nodes.php os command injection
VDB-343117 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #737061 | Dlink DIR-615 v4.10 OS Command Injection
https://pentagonal-time-3a7.notion.site/D-Link-DIR-615-2e7e5dd4c5a580109a14fdeb6f105cd6
https://www.dlink.com/
 
D-Link--DIR-615 A vulnerability was determined in D-Link DIR-615 4.10. Impacted is an unknown function of the file /adv_mac_filter.php of the component MAC Filter Configuration. This manipulation of the argument mac causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer. 2026-01-28 7.2 CVE-2026-1506 VDB-343118 | D-Link DIR-615 MAC Filter Configuration adv_mac_filter.php os command injection
VDB-343118 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #737078 | Dlink DIR-615 v4.10 OS Command Injection
https://pentagonal-time-3a7.notion.site/DIR-615-MAC_FILTER-2e7e5dd4c5a58091b027f50271cc7c6a
https://www.dlink.com/
 
Dassault Systmes--SOLIDWORKS eDrawings A Heap-based Buffer Overflow vulnerability affecting the EPRT file reading procedure in SOLIDWORKS eDrawings from Release SOLIDWORKS 2025 through Release SOLIDWORKS 2026 could allow an attacker to execute arbitrary code while opening a specially crafted EPRT file. 2026-01-26 7.8 CVE-2026-1283 https://www.3ds.com/trust-center/security/security-advisories/cve-2026-1283
 
Dassault Systmes--SOLIDWORKS eDrawings An Out-Of-Bounds Write vulnerability affecting the EPRT file reading procedure in SOLIDWORKS eDrawings from Release SOLIDWORKS 2025 through Release SOLIDWORKS 2026 could allow an attacker to execute arbitrary code while opening a specially crafted EPRT file. 2026-01-26 7.8 CVE-2026-1284 https://www.3ds.com/trust-center/security/security-advisories/cve-2026-1284
 
Deepinstinct--Deep Instinct Windows Agent Deep Instinct Windows Agent 1.2.29.0 contains an unquoted service path vulnerability in the DeepMgmtService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files\HP Sure Sense\DeepMgmtService.exe to inject malicious code that would execute with LocalSystem permissions during service startup. 2026-02-01 7.8 CVE-2020-37047 ExploitDB-48174
Deep Instinct Official Homepage
VulnCheck Advisory: Deep Instinct Windows Agent 1.2.29.0 - 'DeepMgmtService' Unquoted Service Path
 
Dell--CloudBoost Virtual Appliance Dell CloudBoost Virtual Appliance, versions prior to 19.14.0.0, contains a Plaintext Storage of Password vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. 2026-01-27 7 CVE-2026-21417 https://www.dell.com/support/kbdoc/en-us/000419894/dsa-2026-025-security-update-for-dell-cloudboost-virtual-appliance-multiple-vulnerabilities
 
Dell--PremierColor Dell PremierColor Panel Driver, versions prior to 1.0.0.1 A01, contains an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges. 2026-01-28 7.8 CVE-2025-46691 https://www.dell.com/support/kbdoc/en-us/000394670/dsa-2025-444?lang=en
 
Dell--Unity Dell Unity, version(s) 5.5.2 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges. 2026-01-30 7.8 CVE-2026-21418 https://www.dell.com/support/kbdoc/en-us/000421197/dsa-2026-054-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities
 
Dell--UnityVSA Dell UnityVSA, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges. 2026-01-30 7.8 CVE-2026-22277 https://www.dell.com/support/kbdoc/en-us/000421197/dsa-2026-054-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities
 
Delta Electronics--ASDA-Soft ASDA-Soft Stack-based Buffer Overflow Vulnerability 2026-01-27 7.8 CVE-2026-1361 https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00003_ASDA-Soft%20Stack-based%20Buffer%20Overflow%20Vulnerability%20(CVE-2026-1361).pdf
 
discourse--discourse Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, some subscription endpoints lack proper checking for ownership before making changes. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. 2026-01-28 7.1 CVE-2025-68479 https://github.com/discourse/discourse/security/advisories/GHSA-6gjr-5897-m327
 
discourse--discourse Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, a hostname validation issue in FinalDestination could allow bypassing SSRF protections under certain conditions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. 2026-01-28 7.6 CVE-2025-68662 https://github.com/discourse/discourse/security/advisories/GHSA-gcfp-rjfc-925c
 
dnnsoftware--Dnn.Platform DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, module title supports richtext which could include scripts that would execute in certain scenarios. Versions 9.13.10 and 10.2.0 contain a fix for the issue. 2026-01-27 9.1 CVE-2026-24838 https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-w9pf-h6m6-v89h
 
dnnsoftware--Dnn.Platform DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, a module could install with richtext in its description field which could contain scripts that will run for user in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue. 2026-01-27 7.7 CVE-2026-24833 https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-9r3h-mpf8-25gj
 
dnnsoftware--Dnn.Platform DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, extensions could write richtext in log notes which can include scripts that would run in the PersonaBar when displayed. Versions 9.13.10 and 10.2.0 contain a fix for the issue. 2026-01-27 7.7 CVE-2026-24836 https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-2g5g-hcgh-q3rp
 
dnnsoftware--Dnn.Platform DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a module friendly name could include scripts that will run during some module operations in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue. 2026-01-27 7.7 CVE-2026-24837 https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-vm5q-8qww-h238
 
Dokploy--dokploy Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue. 2026-01-28 9.9 CVE-2026-24841 https://github.com/Dokploy/dokploy/security/advisories/GHSA-vx6x-6559-x35r
https://github.com/Dokploy/dokploy/commit/74e0bd5fe3ef7199f44fcd19c6f5a2f09b806d6f
https://github.com/Dokploy/dokploy/blob/canary/apps/dokploy/server/wss/docker-container-terminal.ts
 
Dokploy--dokploy Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a hardcoded credential in the provided installation script (located at https://dokploy.com/install.sh, line 154) uses a hardcoded password when creating the database container. This means that nearly all Dokploy installations use the same database credentials and could be compromised. Version 0.26.6 contains a patch for the issue. 2026-01-28 8 CVE-2026-24840 https://github.com/Dokploy/dokploy/security/advisories/GHSA-jr65-3j3w-gjmc
https://github.com/Dokploy/dokploy/commit/b902c160a256ad345ac687c87eb092f1fab2c64d
 
Drive-Software--Atomic Alarm Clock x86 Atomic Alarm Clock 6.3 contains a local privilege escalation vulnerability in its service configuration that allows attackers to execute arbitrary code with SYSTEM privileges. Attackers can exploit the unquoted service path by placing a malicious executable named 'Program.exe' to gain persistent system-level access. 2026-01-30 7.8 CVE-2020-37060 ExploitDB-48352
Vendor Homepage
VulnCheck Advisory: Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path
 
Dummysoftware--BacklinkSpeed BacklinkSpeed 2.4 contains a buffer overflow vulnerability that allows attackers to corrupt the Structured Exception Handler (SEH) chain through malicious file import. Attackers can craft a specially designed payload file to overwrite SEH addresses, potentially executing arbitrary code and gaining control of the application. 2026-01-29 9.8 CVE-2020-36997 ExploitDB-48726
Vendor Homepage
Software Download Page
VulnCheck Advisory: BacklinkSpeed 2.4 - Buffer Overflow PoC (SEH)
 
Eclipse Foundation--Eclipse Theia - Website In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to repository secrets and a GITHUB_TOKEN with extensive write permissions (contents:write, packages:write, pages:write, actions:write). An attacker could exfiltrate secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and push malicious code to the repository. 2026-01-30 10 CVE-2026-1699 https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/332
 
Eclipse Foundation--Eclipse ThreadX The vulnerability stems from an incorrect error-checking logic in the CreateCounter() function (in threadx/utility/rtos_compatibility_layers/OSEK/tx_osek.c) when handling the return value of osek_get_counter(). Specifically, the current code checks if cntr_id equals 0u to determine failure, but @osek_get_counter() actually returns E_OS_SYS_STACK (defined as 12U) when it fails. This mismatch causes the error branch to never execute even when the counter pool is exhausted. As a result, when the counter pool is depleted, the code proceeds to cast the error code (12U) to a pointer (OSEK_COUNTER *), creating a wild pointer. Subsequent writes to members of this pointer lead to writes to illegal memory addresses (e.g., 0x0000000C), which can trigger immediate HardFaults or silent memory corruption. This vulnerability poses significant risks, including potential denial-of-service attacks (via repeated calls to exhaust the counter pool) and unauthorized memory access. 2026-01-27 7.8 CVE-2026-0648 https://github.com/eclipse-threadx/threadx/security/advisories/GHSA-xj75-fc68-h4rw
 
Elaniin--Elaniin CMS Elaniin CMS 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard by manipulating the login page with SQL injection. Attackers can bypass authentication by sending crafted email and password parameters with '=''or' payload to login.php, granting unauthorized access to the system. 2026-01-29 8.2 CVE-2020-36999 ExploitDB-48705
Vendor Homepage
Elaniin CMS GitHub Repository
VulnCheck Advisory: elaniin CMS 1.0 - Authentication Bypass
 
Elektraweb--EasyPMS EasyPMS 1.0.0 contains an authentication bypass vulnerability that allows unprivileged users to manipulate SQL queries in JSON requests to access admin user information. Attackers can exploit weak input validation by injecting single quotes in ID parameters and modify admin user passwords without proper token authentication. 2026-01-29 7.5 CVE-2020-37008 ExploitDB-48858
Vendor Homepage
VulnCheck Advisory: EasyPMS 1.0.0 - Authentication Bypass
 
Enigmasoftware--SpyHunter SpyHunter 4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path by placing malicious executables in specific file system locations to gain elevated access during service startup. 2026-02-01 7.8 CVE-2020-37055 ExploitDB-48172
Vendor Homepage
VulnCheck Advisory: SpyHunter 4 - 'SpyHunter 4 Service' Unquoted Service Path
 
Epson--EPSON EPSON 1.124 contains an unquoted service path vulnerability in the SENADB service that allows local attackers to execute code with elevated system privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\EPSON_P2B\Printer Software\Status Monitor\ to inject malicious executables that will run with LocalSystem permissions. 2026-01-28 7.8 CVE-2020-36984 ExploitDB-48965
EPSON Official Support Page
VulnCheck Advisory: EPSON 1.124 - 'seksmdb.exe' Unquoted Service Path
 
Epson--EPSON EasyMP Network Projection EPSON EasyMP Network Projection 2.81 contains an unquoted service path vulnerability in the EMP_NSWLSV service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\ to inject malicious code that would execute with LocalSystem privileges. 2026-02-01 7.8 CVE-2020-37064 ExploitDB-48069
EPSON EasyMP Network Projection Support Page
VulnCheck Advisory: EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path
 
ErugoOSS--Erugo Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user supplied paths when creating shares. By specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue. 2026-01-28 10 CVE-2026-24897 https://github.com/ErugoOSS/Erugo/security/advisories/GHSA-336w-hgpq-6369
https://github.com/ErugoOSS/Erugo/commit/256bc63831a0b5e9a94cb024a0724e0cd5fa5e38
https://github.com/ErugoOSS/Erugo/releases/tag/v0.2.15
 
Filehorse--Motorola Device Manager Motorola Device Manager 2.4.5 contains an unquoted service path vulnerability in the PST Service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in ForwardDaemon.exe to inject malicious code that will execute with elevated system privileges during service startup. 2026-01-27 7.8 CVE-2020-36981 ExploitDB-49011
Motorola Device Manager Download Page
ExploitDB-49013
VulnCheck Advisory: Motorola Device Manager 2.4.5 - 'ForwardDaemon.exe ' Unquoted Service Path
 
Filigran--OpenCTI OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css endpoint. An unauthenticated attacker can read arbitrary files from the filesystem by sending crafted GET requests with path traversal sequences (e.g., '../') in the URL. For example, requesting /static/css//../../../../../../../../etc/passwd returns the contents of /etc/passwd. This vulnerability was discovered by Raif Berkay Dincel and confirmed on Linux Mint and Windows 10. 2026-01-30 7.5 CVE-2020-37041 ExploitDB-48595
OpenCTI Official Homepage
OpenCTI GitHub Repository
VulnCheck Advisory: OpenCTI 3.3.1 - Directory Traversal
 
Flexense Ltd.--SyncBreeze SyncBreeze 10.0.28 contains a denial of service vulnerability in the login endpoint that allows remote attackers to crash the service. Attackers can send an oversized payload in the login request to overwhelm the application and potentially disrupt service availability. 2026-01-27 7.5 CVE-2020-36946 ExploitDB-49291
Vendor Homepage
VulnCheck Advisory: SyncBreeze 10.0.28 - 'login' Denial of Service
 
Forensit--ForensiTAppxService ForensiT AppX Management Service 2.2.0.4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem account permissions during service startup. 2026-01-28 7.8 CVE-2020-36989 ExploitDB-48821
ForensiT Official Downloads Page
VulnCheck Advisory: ForensiTAppxService 2.2.0.4 - 'ForensiTAppxService.exe' Unquoted Service Path
 
Fortinet--FortiProxy An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.12, FortiProxy 7.2.0 through 7.2.15, FortiProxy 7.0.0 through 7.0.22, FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices. 2026-01-27 9.4 CVE-2026-24858 https://fortiguard.fortinet.com/psirt/FG-IR-26-060
 
Frigate3--Frigate Professional Frigate Professional 3.36.0.9 contains a local buffer overflow vulnerability in the Pack File feature that allows attackers to execute arbitrary code by overflowing the 'Archive To' input field. Attackers can craft a malicious payload that overwrites the Structured Exception Handler (SEH) and uses an egghunter technique to execute a reverse shell payload. 2026-01-29 8.4 CVE-2020-37001 ExploitDB-48688
Archived Vendor Homepage
VulnCheck Advisory: Frigate Professional 3.36.0.9 - 'Pack File' Buffer Overflow (SEH Egghunter)
 
Gearboxcomputers--IP Watcher IP Watcher 3.0.0.30 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with elevated LocalSystem privileges during service startup. 2026-01-28 7.8 CVE-2020-36985 ExploitDB-48968
Vendor Homepage
VulnCheck Advisory: IP Watcher v3.0.0.30 - 'PACService.exe' Unquoted Service Path
 
Gearboxcomputers--Program Access Controller Program Access Controller 1.2.0.0 contains an unquoted service path vulnerability in PACService.exe that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. 2026-01-28 7.8 CVE-2020-36987 ExploitDB-48966
Vendor Homepage
VulnCheck Advisory: Program Access Controller v1.2.0.0 - 'PACService.exe' Unquoted Service Path
 
geraked--phpscript-sgh Phpscript-sgh 0.1.0 contains a time-based blind SQL injection vulnerability in the admin interface that allows attackers to manipulate database queries through the 'id' parameter. Attackers can exploit this vulnerability by crafting malicious payloads that trigger time delays, enabling them to extract sensitive database information through conditional sleep techniques. 2026-01-27 8.2 CVE-2020-36951 ExploitDB-49192
Vendor Homepage
VulnCheck Advisory: Phpscript-sgh 0.1.0 - Time Based Blind SQL Injection
 
gerstrong--Commander-Genius Out-of-bounds Write vulnerability in gerstrong Commander-Genius. This issue affects Commander-Genius: before Release refs/pull/358/merge. 2026-01-27 7.5 CVE-2026-24827 https://github.com/gerstrong/Commander-Genius/pull/379
 
Getoutline--Outline Service Outline Service 1.3.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in C:\Program Files (x86)\Outline to inject malicious code that would execute with LocalSystem permissions during service startup. 2026-01-30 7.8 CVE-2020-37030 ExploitDB-48414
Outline Service Official Homepage
VulnCheck Advisory: Outline Service 1.3.3 - 'Outline Service ' Unquoted Service Path
 
Getpopcorntime--Popcorn Time Popcorn Time 6.2.1.14 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated system privileges. Attackers can insert malicious executables in Program Files (x86) or system root directories to be executed with SYSTEM-level permissions during service startup. 2026-01-30 7.8 CVE-2020-37059 ExploitDB-48378
Popcorn Time Official Homepage
VulnCheck Advisory: Popcorn Time 6.2 - 'Update service' Unquoted Service Path
 
Gila CMS--Gila CMS Gila CMS versions prior to 2.0.0 contain a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands through manipulated HTTP headers. Attackers can inject PHP code in the User-Agent header with shell_exec() to run system commands by sending crafted requests to the admin endpoint. 2026-01-27 9.8 CVE-2021-47900 ExploitDB-49412
Official Vendor Homepage
Gila CMS GitHub Repository
VulnCheck Advisory: Gila CMS < 2.0.0 - Remote Code Execution
 
Global Interactive Design Media Software Inc.--Content Management System (CMS) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows XSS Through HTTP Headers. This issue affects Content Management System (CMS): through 21072025. 2026-01-29 7.5 CVE-2025-7713 https://www.usom.gov.tr/bildirim/tr-26-0008
 
Global Interactive Design Media Software Inc.--Content Management System (CMS) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows Command Line Execution through SQL Injection. This issue affects Content Management System (CMS): through 21072025. 2026-01-29 7.5 CVE-2025-7714 https://www.usom.gov.tr/bildirim/tr-26-0008
 
GNOME--Fonts Viewer Gnome Fonts Viewer 3.34.0 contains a heap corruption vulnerability that allows attackers to trigger an out-of-bounds write by crafting a malicious TTF font file. Attackers can generate a specially crafted TTF file with an oversized pattern to cause an infinite malloc() loop and potentially crash the gnome-font-viewer process. 2026-01-29 7.5 CVE-2020-37011 ExploitDB-48803
Gnome Official Website
Gnome Font Viewer App Webpage
VulnCheck Advisory: Gnome Fonts Viewer 3.34.0 Heap Corruption
 
GnuPG--GnuPG In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT--kem=CMS handling. This can easily be leveraged for denial of service; however, there is also memory corruption that could lead to remote code execution. 2026-01-27 8.1 CVE-2026-24881 https://www.openwall.com/lists/oss-security/2026/01/27/8
https://dev.gnupg.org/T8044
 
GnuPG--GnuPG In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. 2026-01-27 8.4 CVE-2026-24882 https://www.openwall.com/lists/oss-security/2026/01/27/8
https://dev.gnupg.org/T8045
 
Grafana--grafana/grafana The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization internal privilege escalation. 2026-01-27 8.1 CVE-2026-21721 https://grafana.com/security/security-advisories/CVE-2026-21721
 
Grafana--grafana/grafana-enterprise Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems. 2026-01-27 7.5 CVE-2026-21720 https://grafana.com/security/security-advisories/CVE-2026-21720
 
guelfoweb--knock Knockpy 4.1.1 contains a CSV injection vulnerability that allows attackers to inject malicious formulas into CSV reports through unfiltered server headers. Attackers can manipulate server response headers to include spreadsheet formulas that will execute when the CSV is opened in spreadsheet applications. 2026-01-27 9.8 CVE-2020-36941 ExploitDB-49342
Knockpy GitHub Repository
VulnCheck Advisory: Knockpy 4.1.1 - CSV Injection
 
hayyatapps--Sell BTC Cryptocurrency Selling Calculator The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'orderform_data' AJAX action in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in order records that will execute whenever an administrator accesses the Orders page in the admin dashboard. The vulnerability was partially patched in version 1.5. 2026-01-31 7.2 CVE-2025-14554 https://www.wordfence.com/threat-intel/vulnerabilities/id/720be34d-3fe4-4395-a27b-d386f8612ba9?source=cve
https://plugins.trac.wordpress.org/browser/sell-btc-by-hayyatapps/trunk/functions-admin.php#L39
https://plugins.trac.wordpress.org/browser/sell-btc-by-hayyatapps/trunk/functions/form_tab.php#L12
https://plugins.trac.wordpress.org/browser/sell-btc-by-hayyatapps/trunk/Pages/orders.php#L30
https://plugins.trac.wordpress.org/changeset/3433480/
https://plugins.trac.wordpress.org/changeset/3450361/
 
HELLOWEB--HelloWeb HelloWeb 2.0 contains an arbitrary file download vulnerability that allows remote attackers to download system files by manipulating filepath and filename parameters. Attackers can send crafted GET requests to download.asp with directory traversal to access sensitive configuration and system files. 2026-01-30 7.5 CVE-2020-37034 ExploitDB-48659
Archived HelloWeb Vendor Homepage
VulnCheck Advisory: HelloWeb 2.0 - Arbitrary File Download
 
Hewlett Packard Enterprise (HPE)--HPE Aruba Networking Fabric Composer Insecure file operations in HPE Aruba Networking Fabric Composer’s backup functionality could allow authenticated attackers to achieve remote code execution. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system. 2026-01-27 7.2 CVE-2026-23592 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04996en_us&docLocale=en_US
 
Hewlett Packard Enterprise (HPE)--HPE Aruba Networking Fabric Composer A vulnerability in the web-based management interface of HPE Aruba Networking Fabric Composer could allow an unauthenticated remote attacker to view some system files. Successful exploitation could allow an attacker to read files within the affected directory. 2026-01-27 7.5 CVE-2026-23593 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04996en_us&docLocale=en_US
 
HIKSEMI--HS-AFS-S1H1 Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can execute arbitrary commands on the device by crafting specific messages. 2026-01-30 7.2 CVE-2026-22623 https://www.hiksemitech.com/en/hiksemi/support/security-advisory.html
 
Hikvision--DS-3WAP521-SI Some Hikvision Wireless Access Points are vulnerable to authenticated command execution due to insufficient input validation. Attackers with valid credentials can exploit this flaw by sending crafted packets containing malicious commands to affected devices, leading to arbitrary command execution. 2026-01-30 7.2 CVE-2026-0709 https://www.hikvision.com/en/support/cybersecurity/security-advisory/command-execution-vulnerability-in-some-hikvision-wireless-access-point-products/
 
Hisense TransTech--Smart Bus Management System A flaw has been found in Hisense TransTech Smart Bus Management System up to 20260113. Affected is the function Page_Load of the file YZSoft/Forms/XForm/BM/BusComManagement/TireMng.aspx. Executing a manipulation of the argument key can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-26 7.3 CVE-2026-1449 VDB-342881 | Hisense TransTech Smart Bus Management System TireMng.aspx Page_Load sql injection
VDB-342881 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #737032 | Hisense TransTech Hisense Smart Bus Management System 1.0 SQL Injection
https://github.com/master-abc/cve/issues/15
 
IBM--Db2 for Linux, UNIX and Windows IBM Db2 for Windows 12.1.0 - 12.1.3 could allow a local user with filesystem access to escalate their privileges due to the use of an unquoted search path element. 2026-01-30 8.4 CVE-2025-36384 https://www.ibm.com/support/pages/node/7257678
 
IBM--Db2 for Linux, UNIX and Windows IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 could allow an instance owner to execute malicious code that escalate their privileges to root due to execution of unnecessary privileges operated at a higher than minimum level. 2026-01-30 7.2 CVE-2025-36184 https://www.ibm.com/support/pages/node/7257519
 
IDT--IDT PC Audio IDT PC Audio 1.0.6499.0 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the STacSV service to inject malicious code that would execute with LocalSystem account permissions during service startup. 2026-01-26 7.8 CVE-2020-36959 ExploitDB-49191
Software Download Link
VulnCheck Advisory: IDT PC Audio 1.0.6499.0 - 'STacSV' Unquoted Service Path
 
iForwarder and upRedSun Technologies, LLC.--Port Forwarding Wizard Port Forwarding Wizard 4.8.0 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code through a long request in the Register feature. Attackers can craft a malicious payload with an egg tag and overwrite SEH handlers to potentially execute shellcode on vulnerable Windows systems. 2026-01-30 8.4 CVE-2020-37025 ExploitDB-48695
Vendor Homepage
VulnCheck Advisory: Port Forwarding Wizard 4.8.0 - Buffer Overflow
 
ik80--YATinyWinFTP YATinyWinFTP contains a denial of service vulnerability that allows attackers to crash the FTP service by sending a 272-byte buffer with a trailing space. Attackers can exploit the service by connecting and sending a malformed command that triggers a buffer overflow and service crash. 2026-01-28 9.8 CVE-2020-36964 ExploitDB-49127
YATinyWinFTP GitHub Repository
VulnCheck Advisory: YATinyWinFTP - Denial of Service
 
immich-app--immich immich is a high performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issue. 2026-01-29 7.2 CVE-2026-23896 https://github.com/immich-app/immich/security/advisories/GHSA-237r-x578-h5mv
 
inc2734--Snow Monkey Forms The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'generate_user_dirpath' function in all versions up to, and including, 12.0.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). 2026-01-28 9.8 CVE-2026-1056 https://www.wordfence.com/threat-intel/vulnerabilities/id/37a8642d-07f5-4b1b-8419-e30589089162?source=cve
https://plugins.trac.wordpress.org/browser/snow-monkey-forms/tags/12.0.3/snow-monkey-forms.php#L186
https://plugins.trac.wordpress.org/browser/snow-monkey-forms/tags/12.0.3/App/Model/Directory.php#L58
https://plugins.trac.wordpress.org/browser/snow-monkey-forms/tags/12.0.3/App/Rest/Route/View.php#L189
https://plugins.trac.wordpress.org/changeset/3448278/
 
infiniflow--ragflow RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In version 0.23.1 and possibly earlier versions, the MinerU parser contains a "Zip Slip" vulnerability, allowing an attacker to overwrite arbitrary files on the server (leading to Remote Code Execution) via a malicious ZIP archive. The MinerUParser class retrieves and extracts ZIP files from an external source (mineru_server_url). The extraction logic in `_extract_zip_no_root` fails to sanitize filenames within the ZIP archive. Commit 64c75d558e4a17a4a48953b4c201526431d8338f contains a patch for the issue. 2026-01-27 9.8 CVE-2026-24770 https://github.com/infiniflow/ragflow/security/advisories/GHSA-v7cf-w7gj-pgf4
https://github.com/infiniflow/ragflow/commit/64c75d558e4a17a4a48953b4c201526431d8338f
 
Inputdirector--Input Director Input Director 1.4.3 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. 2026-01-28 7.8 CVE-2020-36990 ExploitDB-48795
Input Director Official Homepage
VulnCheck Advisory: Input Director 1.4.3 - 'Input Director' Unquoted Service Path
 
Insite Software--Infor Storefront B2B Infor Storefront B2B 1.0 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'usr_name' parameter in login requests. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'usr_name' parameter to potentially extract or modify database information. 2026-01-30 8.2 CVE-2020-37033 ExploitDB-48674
Archived Infor Storefront Homepage
VulnCheck Advisory: Infor Storefront B2B 1.0 - 'usr_name' SQL Injection
 
Intelbras--Intelbras Router RF 301K Intelbras Router RF 301K firmware version 1.1.2 contains an authentication bypass vulnerability that allows unauthenticated attackers to download router configuration files. Attackers can send a specific HTTP GET request to /cgi-bin/DownloadCfg/RouterCfm.cfg to retrieve sensitive router configuration without authentication. 2026-01-28 7.5 CVE-2020-36963 ExploitDB-49126
Intelbras Official Homepage
VulnCheck Advisory: Intelbras Router RF 301K 1.1.2 - Authentication Bypass
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Versions prior to 2.3.1.2 have an undefined behavior issue when floating-point NaN values are converted to unsigned short integer types during ICC profile XML parsing potentially corrupting memory structures and enabling arbitrary code execution. This vulnerability affects users of the iccDEV library who process ICC color profiles. ICC Profile Injection vulnerabilities arise when user-controllable input is incorporated into ICC profile data or other structured binary blobs in an unsafe manner. Version 2.3.1.2 contains a fix for the issue. No known workarounds are available. 2026-01-28 7.8 CVE-2026-24856 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-w585-cv3v-c396
https://github.com/InternationalColorConsortium/iccDEV/issues/532
https://github.com/InternationalColorConsortium/iccDEV/pull/541
https://github.com/InternationalColorConsortium/iccDEV/commit/5e53a5d25923b7794ba44e390e9b35d391f2b9c1
 
Iobit--IObit Uninstaller IObit Uninstaller 10 Pro contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted service path in the IObit Uninstaller Service to insert malicious code that would execute with SYSTEM-level permissions during service startup. 2026-01-26 7.8 CVE-2020-36952 ExploitDB-49371
IObit Official Homepage
VulnCheck Advisory: IObit Uninstaller 10 Pro - Unquoted Service Path
 
Is-Daouda--is-Engine Missing Release of Memory after Effective Lifetime vulnerability in Is-Daouda is-Engine. This issue affects is-Engine: before 3.3.4. 2026-01-27 7.5 CVE-2026-24828 https://github.com/Is-Daouda/is-Engine/pull/6
 
isaacs--node-tar node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue. 2026-01-28 8.2 CVE-2026-24842 https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v
https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46
 
Iskysoft--Iskysoft Application Framework Service Iskysoft Application Framework Service 2.4.3.241 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that would be run with the service's high-level system permissions. 2026-02-01 7.8 CVE-2020-37048 ExploitDB-48171
Vendor Homepage
VulnCheck Advisory: Iskysoft Application Framework Service 2.4.3.241 - 'IsAppService' Unquoted Service Path
 
itsourcecode--Directory Management System A security vulnerability has been detected in itsourcecode Directory Management System 1.0. The affected element is an unknown function of the file /admin/index.php. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. 2026-01-30 7.3 CVE-2026-1688 VDB-343482 | itsourcecode Directory Management System index.php sql injection
VDB-343482 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #741283 | itsourcecode Directory Management System V1.0 SQL Injection
https://github.com/jackhong1236/CVE_1/issues/1
https://itsourcecode.com/
 
itsourcecode--School Management System A weakness has been identified in itsourcecode School Management System 1.0. The affected element is an unknown function of the file /course/index.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. 2026-01-28 7.3 CVE-2026-1545 VDB-343229 | itsourcecode School Management System index.php sql injection
VDB-343229 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #739647 | itsourcecode School Management System V1.0 SQL Injection
https://github.com/ltranquility/CVE/issues/33
https://itsourcecode.com/
 
itsourcecode--School Management System A vulnerability was determined in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/inquiry/index.php. This manipulation of the argument txtsearch causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. 2026-01-29 7.3 CVE-2026-1589 VDB-343352 | itsourcecode School Management System index.php sql injection
VDB-343352 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #740686 | itsourcecode School Management System v1.0 SQL Injection
https://mega.nz/file/DQUWSY7Y#CLcuhD1KE2s0VtEvYqH_PDCyhpGS0HDo_MKj9sheUPA
https://itsourcecode.com/
 
itsourcecode--School Management System A vulnerability was identified in itsourcecode School Management System 1.0. This impacts an unknown function of the file /ramonsys/faculty/index.php. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. 2026-01-29 7.3 CVE-2026-1590 VDB-343353 | itsourcecode School Management System index.php sql injection
VDB-343353 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #740687 | itsourcecode School Management System v1.0 SQL Injection
https://mega.nz/file/GYsm2Q7K#B7NUGX5Fy9iLYssM474U3zFsmZp_14v0n5Sp-5N95yI
https://itsourcecode.com/
 
itsourcecode--Society Management System A weakness has been identified in itsourcecode Society Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/edit_expenses_query.php. Executing a manipulation of the argument detail can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. 2026-01-29 7.3 CVE-2026-1593 VDB-343355 | itsourcecode Society Management System edit_expenses_query.php sql injection
VDB-343355 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #740689 | itsourcecode Society Management System V1.0 SQL injection
https://github.com/yyzq-wsx/for_cve/issues/3
https://itsourcecode.com/
 
itsourcecode--Society Management System A security vulnerability has been detected in itsourcecode Society Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/add_expenses.php. The manipulation of the argument detail leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. 2026-01-29 7.3 CVE-2026-1594 VDB-343356 | itsourcecode Society Management System add_expenses.php sql injection
VDB-343356 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #740691 | itsourcecode Society Management System V1.0 SQL Injection
https://github.com/yyzq-wsx/for_cve/issues/2
https://itsourcecode.com/
 
itsourcecode--Society Management System A vulnerability was detected in itsourcecode Society Management System 1.0. This affects an unknown part of the file /admin/edit_student_query.php. The manipulation of the argument student_id results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. 2026-01-29 7.3 CVE-2026-1595 VDB-343357 | itsourcecode Society Management System edit_student_query.php sql injection
VDB-343357 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #740692 | itsourcecode Society Management System V1.0 SQL Injection
https://github.com/yyzq-wsx/for_cve/issues/1
https://itsourcecode.com/
 
itsourcecode--Student Management System A security vulnerability has been detected in itsourcecode Student Management System 1.0. This issue affects some unknown processing of the file /enrollment/index.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. 2026-01-30 7.3 CVE-2026-1701 VDB-343491 | itsourcecode Student Management System index.php sql injection
VDB-343491 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #742024 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/ltranquility/CVE/issues/34
https://itsourcecode.com/
 
Ivanti--Endpoint Manager Mobile A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution. 2026-01-29 9.8 CVE-2026-1281 https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340
 
Ivanti--Endpoint Manager Mobile A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution. 2026-01-29 9.8 CVE-2026-1340 https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340
 
ixray-team--ixray-1.6-stcop Out-of-bounds Write vulnerability in ixray-team ixray-1.6-stcop. This issue affects ixray-1.6-stcop: before 1.3. 2026-01-27 9.8 CVE-2026-24832 https://github.com/ixray-team/ixray-1.6-stcop/pull/257
 
ixray-team--ixray-1.6-stcop Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ixray-team ixray-1.6-stcop. This issue affects ixray-1.6-stcop: before 1.3. 2026-01-27 7.5 CVE-2026-24831 https://github.com/ixray-team/ixray-1.6-stcop/pull/248
 
Juniper Networks--Session Smart Router An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router may allows a network-based attacker to bypass authentication and take administrative control of the device. This issue affects Session Smart Router:  * from 5.6.7 before 5.6.17,  * from 6.0 before 6.0.8 (affected from 6.0.8), * from 6.1 before 6.1.12-lts,  * from 6.2 before 6.2.8-lts,  * from 6.3 before 6.3.3-r2;  This issue affects Session Smart Conductor:  * from 5.6.7 before 5.6.17,  * from 6.0 before 6.0.8 (affected from 6.0.8), * from 6.1 before 6.1.12-lts,  * from 6.2 before 6.2.8-lts,  * from 6.3 before 6.3.3-r2;  This issue affects WAN Assurance Managed Routers:  * from 5.6.7 before 5.6.17,  * from 6.0 before 6.0.8 (affected from 6.0.8), * from 6.1 before 6.1.12-lts,  * from 6.2 before 6.2.8-lts,  * from 6.3 before 6.3.3-r2. 2026-01-27 9.8 CVE-2025-21589 https://supportportal.juniper.net/
https://support.juniper.net/support/eol/software/ssr/
https://kb.juniper.net/JSA94663
 
K.soft--FTPDummy FTPDummy 4.80 contains a local buffer overflow vulnerability in its preference file handling that allows attackers to execute arbitrary code. Attackers can craft a malicious preference file with carefully constructed shellcode to trigger a structured exception handler overwrite and execute system commands. 2026-01-30 8.4 CVE-2020-37029 ExploitDB-48685
Official FTPDummy Software Homepage
VulnCheck Advisory: FTPDummy 4.80 - Local Buffer Overflow
 
KiloView--Encoder Series E1 hardware Version 1.4 A missing authentication for critical function vulnerability in KiloView Encoder Series could allow an unauthenticated attacker to create or delete administrator accounts. This vulnerability can grant the attacker full administrative control over the product. 2026-01-29 9.8 CVE-2026-1453 https://www.cisa.gov/news-events/ics-advisories/icsa-26-029-01
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-029-01.json
 
Kite--Kite Kite 1.2020.1119.0 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Kite\KiteService.exe' to inject malicious executables and escalate privileges on the system. 2026-01-26 7.8 CVE-2020-36958 ExploitDB-49205
Vendor Homepage
VulnCheck Advisory: Kite 1.2020.1119.0 - 'KiteService' Unquoted Service Path
 
Kludex--python-multipart Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations. 2026-01-27 8.6 CVE-2026-24486 https://github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg
https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4
https://github.com/Kludex/python-multipart/releases/tag/0.0.22
 
Kodmatic Computer Software Tourism Construction Industry and Trade Ltd. Co.--Online Exam and Assessment Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kodmatic Computer Software Tourism Construction Industry and Trade Ltd. Co. Online Exam and Assessment allows SQL Injection. This issue affects Online Exam and Assessment: through 30012026.  NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-30 8.6 CVE-2025-4686 https://www.usom.gov.tr/bildirim/tr-26-0010
 
kohler--hotcrp HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user's browser rather than downloaded. (The intended behavior was for only `text/plain`, `application/pdf`, `image/gif`, `image/jpeg`, and `image/png` to be delivered inline, though adding `save=0` to the document URL could request inline delivery for any document.) This made users who clicked a document link vulnerable to cross-site scripting attacks. An uploaded HTML or SVG document would run in the viewer's browser with access to their HotCRP credentials, and Javascript in that document could eventually make arbitrary calls to HotCRP's API. Malicious documents could be uploaded to submission fields with "file upload" or "attachment" type, or as attachments to comments. PDF upload fields were not vulnerable. A search of documents uploaded to hotcrp.com found no evidence of exploitation. The vulnerability was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 (11 October 2025), present in development versions and v3.2, and fixed in commit 8933e86c9f384b356dc4c6e9e2814dee1074b323 and v3.2.1. Additionally, c3d88a7e18d52119c65df31c2cc994edd2beccc5 and v3.2.1 remove support for `save=0`. 2026-01-30 7.3 CVE-2026-25156 https://github.com/kohler/hotcrp/security/advisories/GHSA-p88p-2f2p-2476
https://github.com/kohler/hotcrp/commit/8933e86c9f384b356dc4c6e9e2814dee1074b323
https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508
https://github.com/kohler/hotcrp/commit/c3d88a7e18d52119c65df31c2cc994edd2beccc5
 
Koken--Koken CMS Koken CMS 0.22.24 contains a file upload vulnerability that allows authenticated attackers to bypass file extension restrictions by renaming malicious PHP files. Attackers can upload PHP files with system command execution capabilities by manipulating the file upload request through a web proxy and changing the file extension. 2026-01-30 8.8 CVE-2020-37023 ExploitDB-48706
Koken CMS Official Homepage
Softaculous Koken CMS Software Page
Researcher PoC
VulnCheck Advisory: Koken CMS 0.22.24 - Arbitrary File Upload
 
kyverno--kyverno Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved `urlPath` is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy's namespace. As a result, any authenticated user with permission to create a namespaced Policy can cause Kyverno to perform Kubernetes API requests using Kyverno's admission controller identity, targeting any API path allowed by that ServiceAccount's RBAC. This breaks namespace isolation by enabling cross-namespace reads (for example, ConfigMaps and, where permitted, Secrets) and allows cluster-scoped or cross-namespace writes (for example, creating ClusterPolicies) by controlling the urlPath through context variable substitution. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability. 2026-01-27 10 CVE-2026-22039 https://github.com/kyverno/kyverno/security/advisories/GHSA-8p9x-46gm-qfx2
https://github.com/kyverno/kyverno/commit/e0ba4de4f1e0ca325066d5095db51aec45b1407b
https://github.com/kyverno/kyverno/commit/eba60fa856c781bcb9c3be066061a3df03ae4e3e
 
kyverno--kyverno Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability. 2026-01-27 7.7 CVE-2026-23881 https://github.com/kyverno/kyverno/security/advisories/GHSA-r2rj-wwm5-x6mq
https://github.com/kyverno/kyverno/commit/7a651be3a8c78dcabfbf4178b8d89026bf3b850f
https://github.com/kyverno/kyverno/commit/f5617f60920568a301740485472bf704892175b7
 
LibreNMS--LibreNMS LibreNMS 1.46 contains an authenticated SQL injection vulnerability in the MAC accounting graph endpoint that allows remote attackers to extract database information. Attackers can exploit the vulnerability by manipulating the 'sort' parameter with crafted SQL injection techniques to retrieve sensitive database contents through time-based blind SQL injection. 2026-01-27 7.1 CVE-2020-36947 ExploitDB-49246
LibreNMS Official Website
LibreNMS GitHub Repository
LibreNMS Community
VulnCheck Advisory: LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection
 
loft-sh--loft vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10, when an access key is created with a limited scope, the scope can be bypassed to access resources outside of it. However, the user still cannot access resources beyond what is accessible to the owner of the access key. Versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10 fix the vulnerability. Some other mitigations are available. Users can limit exposure by reviewing access keys which are scoped and ensuring any users with access to them have appropriate permissions set. Creating automation users with very limited permissions and using access keys for these automation users can be used as a temporary workaround where upgrading is not immediately possible but scoped access keys are needed. 2026-01-29 9.1 CVE-2026-22806 https://github.com/loft-sh/loft/security/advisories/GHSA-c539-w4ch-7wxq
 
M.J.M Soft--Quick Player Quick Player 1.3 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by crafting a malicious .m3l file with carefully constructed payload. Attackers can trigger the vulnerability by loading a specially crafted file through the application's file loading mechanism, potentially enabling remote code execution. 2026-01-30 9.8 CVE-2020-37050 ExploitDB-48564
Software Download Link
Archived Researcher Blog Post
Archived Researcher Video PoC
VulnCheck Advisory: Quick Player 1.3 - '.m3l' Buffer Overflow
 
maurosoria--dirsearch Dirsearch 0.4.1 contains a CSV injection vulnerability when using the --csv-report flag that allows attackers to inject formulas through redirected endpoints. Attackers can craft malicious server redirects with comma-separated paths containing Excel formulas to manipulate the generated CSV report. 2026-01-27 9.8 CVE-2021-47901 ExploitDB-49370
dirsearch GitHub Repository
VulnCheck Advisory: dirsearch 0.4.1 - CSV Injection
 
MedDream--MedDream PACS Server MedDream PACS Server 6.8.3.751 contains an authenticated remote code execution vulnerability that allows authorized users to upload malicious PHP files. Attackers can exploit the uploadImage.php endpoint by authenticating and uploading a PHP shell to execute arbitrary system commands with elevated privileges. 2026-01-29 8.8 CVE-2020-37009 ExploitDB-48853
MedDream PACS Server Product Page
VulnCheck Advisory: MedDream PACS Server 6.8.3.751 - Remote Code Execution
 
meshtastic--firmware Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This aspect downgrades the security, specifically by abusing the HAM mode which doesn't use encryption. An attacker can, as such, forge a NodeInfo on behalf of a victim node advertising that the HAM mode is enabled. This, in turn, will allow the other nodes on the mesh to accept the new information and overwriting the NodeDB. The other nodes will then only be able to send direct messages to the victim by using the shared channel key instead of the PKC. Additionally, because HAM mode by design doesn't provide any confidentiality or authentication of information, the attacker could potentially also be able to change the Node details, like the full name, short code, etc. To keep the attack persistent, it is enough to regularly resend the forged NodeInfo, in particular right after the victim sends their own. A patch is available in version 2.7.6.834c3c5. 2026-01-27 8.2 CVE-2025-55292 https://github.com/meshtastic/firmware/security/advisories/GHSA-45vg-3f35-7ch2
https://github.com/meshtastic/firmware/commit/e5e8683cdba133e726033101586c3235a8678893
 
Microsoft--Microsoft Office 2019 Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally. 2026-01-26 7.8 CVE-2026-21509 Microsoft Office Security Feature Bypass Vulnerability
 
midgetspy--Sickbeard Sickbeard alpha contains a remote command injection vulnerability that allows unauthenticated attackers to execute arbitrary commands through the extra scripts configuration. Attackers can set malicious commands in the extra scripts field and trigger processing to execute remote code on the vulnerable Sickbeard installation. 2026-01-30 9.8 CVE-2020-37027 ExploitDB-48646
Archived Sickbeard Official Homepage
Sickbeard GitHub Repository
VulnCheck Advisory: Sickbeard 0.1 - Remote Command Injection
 
Mini-stream Software--RM Downloader RM Downloader 2.50.60 contains a local buffer overflow vulnerability in the 'Load' parameter that allows attackers to execute arbitrary code by overwriting memory. Attackers can craft a malicious payload with an egg hunter technique to bypass memory protections and execute commands like launching calc.exe. 2026-01-30 8.4 CVE-2020-37036 ExploitDB-48628
Software v2.50.60 Archive
Software Informer Product Page
VulnCheck Advisory: RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow
 
Minitool--MiniTool ShadowMaker MiniTool ShadowMaker 3.2 contains an unquoted service path vulnerability in the MTAgentService that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\MiniTool ShadowMaker\AgentService.exe' to inject malicious executables and escalate privileges. 2026-01-26 7.8 CVE-2020-36953 ExploitDB-49336
Vendor Homepage
VulnCheck Advisory: MiniTool ShadowMaker 3.2 - 'MTAgentService' Unquoted Service Path
 
Mintplex-Labs--anything-llm AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.10.0, a critical Path Traversal vulnerability in the DrupalWiki integration allows a malicious admin (or an attacker who can convince an admin to configure a malicious DrupalWiki URL) to write arbitrary files to the server. This can lead to Remote Code Execution (RCE) by overwriting configuration files or writing executable scripts. Version 1.10.0 fixes the issue. 2026-01-26 7.2 CVE-2026-24478 https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jp2f-99h9-7vjv
 
MobSF--Mobile-Security-Framework-MobSF MobSF is a mobile application security testing tool used. Prior to version 4.4.5, a Stored Cross-site Scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The `android:host` attribute from `<data android:scheme="android_secret_code">` elements is rendered in HTML reports without sanitization, enabling session hijacking and account takeover. Version 4.4.5 fixes the issue. 2026-01-27 8.1 CVE-2026-24490 https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-8hf7-h89p-3pqj
https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/2b08dd050e7685ee2a14fdbb454affab94129eae
https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.5
 
Motorola-Device-Manager--Motorola Device Manager Motorola Device Manager 2.5.4 contains an unquoted service path vulnerability in the MotoHelperService.exe service that allows local users to potentially inject malicious code. Attackers can exploit the unquoted path in the service configuration to execute arbitrary code with elevated system privileges during service startup. 2026-01-27 7.8 CVE-2020-36982 ExploitDB-49012
Motorola Device Manager Vendor Homepage
VulnCheck Advisory: Motorola Device Manager 2.5.4 - 'MotoHelperService.exe' Unquoted Service Path
 
n8n--n8n n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow Expression evaluation system. Expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. 2026-01-27 9.9 CVE-2026-1470 https://github.com/n8n-io/n8n/commit/aa4d1e5825829182afa0ad5b81f602638f55fa04
https://research.jfrog.com/vulnerabilities/n8n-expression-node-rce/
 
NaturalIntelligence--fast-xml-parser fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.3.6 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `&#9999999;` or `&#xFFFFFF;`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue. 2026-01-30 7.5 CVE-2026-25128 https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-37qj-frw5-hhjh
https://github.com/NaturalIntelligence/fast-xml-parser/commit/4e387f61c4a5cef792f6a2f42467013290bf95dc
https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.4
 
Naviwebs S.C.--Navigate CMS Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the 'sidx' parameter in comments. Attackers can exploit the vulnerability to extract user activation keys by using time-based blind SQL injection techniques, potentially enabling password reset for administrative accounts. 2026-01-30 7.1 CVE-2020-37053 ExploitDB-48545
Navigate CMS Official Homepage
Navigate CMS SourceForge Page
VulnCheck Advisory: Navigate CMS 2.8.7 - ''sidx' SQL Injection
 
NetPCLinker--NetPCLinker NetPCLinker 1.0.0.0 contains a buffer overflow vulnerability in the Clients Control Panel DNS/IP field that allows attackers to execute arbitrary shellcode. Attackers can craft a malicious payload in the DNS/IP input to overwrite SEH handlers and execute shellcode when adding a new client. 2026-01-30 9.8 CVE-2019-25232 ExploitDB-48680
NetPCLinker SourceForge Page
VulnCheck Advisory: NetPCLinker 1.0.0.0 - Buffer Overflow
 
neutrinolabs--xrdp xrdp is an open source RDP server. xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerability could allow remote attackers to execute arbitrary code on the target system. The vulnerability allows an attacker to overwrite the stack buffer and the return address, which could theoretically be used to redirect the execution flow. The impact of this vulnerability is lessened if a compiler flag has been used to build the xrdp executable with stack canary protection. If this is the case, a second vulnerability would need to be used to leak the stack canary value. Upgrade to version 0.10.5 to receive a patch. Additionally, do not rely on stack canary protection on production systems. 2026-01-27 9.1 CVE-2025-68670 https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-rwvg-gp87-gh6f
https://github.com/neutrinolabs/xrdp/commit/488c8c7d4d189514a366cd8301b6e816c5218ffa
https://github.com/neutrinolabs/xrdp/releases/tag/v0.10.5
 
Nidesoft Studio--Nidesoft DVD Ripper Nidesoft DVD Ripper 5.2.18 contains a local buffer overflow vulnerability in the License Code registration parameter that allows attackers to execute arbitrary code. Attackers can craft a malicious payload and paste it into the License Code field to trigger a stack-based buffer overflow and execute shellcode. 2026-01-30 8.4 CVE-2020-37024 ExploitDB-48687
Nidesoft DVD Ripper Software Download Page
VulnCheck Advisory: Nidesoft DVD Ripper 5.2.18 - Local Buffer Overflow
 
Nidesoft--Nidesoft 3GP Video Converter Nidesoft 3GP Video Converter 2.6.18 contains a local stack buffer overflow vulnerability in the license registration parameter. Attackers can craft a malicious payload and paste it into the 'License Code' field to execute arbitrary code on the system. 2026-01-28 8.4 CVE-2020-36971 ExploitDB-49034
Archived Software Repository
VulnCheck Advisory: Nidesoft 3GP Video Converter 2.6.18 - Local Stack Buffer Overflow
 
nmedia--Frontend File Manager Plugin The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only. 2026-01-28 7.5 CVE-2026-1280 https://www.wordfence.com/threat-intel/vulnerabilities/id/e739e7d3-756a-4c93-9ca7-f7b9f9657033?source=cve
https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/trunk/inc/callback-functions.php#L98
https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.5/inc/callback-functions.php#L98
 
nmedia--Simple User Registration The Simple User Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7 due to insufficient restriction on the 'profile_save_field' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update. 2026-01-28 8.8 CVE-2026-0844 https://www.wordfence.com/threat-intel/vulnerabilities/id/bb0e77e1-7e9f-4f7e-8953-c86ab0e5ae7a?source=cve
https://plugins.trac.wordpress.org/browser/wp-registration/tags/6.7/inc/classes/class.profile.php#L401
https://plugins.trac.wordpress.org/browser/wp-registration/tags/6.7/inc/classes/class.user.php#L305
 
nordvpn--nordvpn Nord VPN 6.31.13.0 contains an unquoted service path vulnerability in its nordvpn-service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path during system startup or reboot to potentially run malicious code with LocalSystem permissions. 2026-01-28 7.8 CVE-2020-36992 ExploitDB-48790
NordVPN Official Homepage
VulnCheck Advisory: Nord VPN-6.31.13.0 - 'nordvpn-service' Unquoted Service Path
 
NVIDIA--GeForce NVIDIA Display Driver for Windows contains a vulnerability where an attacker could trigger a use after free. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure. 2026-01-28 7.8 CVE-2025-33217 https://nvd.nist.gov/vuln/detail/CVE-2025-33217
https://www.cve.org/CVERecord?id=CVE-2025-33217
https://nvidia.custhelp.com/app/answers/detail/a_id/5747
 
NVIDIA--GeForce NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where an attacker could cause an integer overflow. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure. 2026-01-28 7.8 CVE-2025-33218 https://nvd.nist.gov/vuln/detail/CVE-2025-33218
https://www.cve.org/CVERecord?id=CVE-2025-33218
https://nvidia.custhelp.com/app/answers/detail/a_id/5747
 
NVIDIA--GeForce NVIDIA Display Driver for Linux contains a vulnerability in the NVIDIA kernel module where an attacker could cause an integer overflow or wraparound. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure. 2026-01-28 7.8 CVE-2025-33219 https://nvd.nist.gov/vuln/detail/CVE-2025-33219
https://www.cve.org/CVERecord?id=CVE-2025-33219
https://nvidia.custhelp.com/app/answers/detail/a_id/5747
 
NVIDIA--GeForce NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager, where a malicious guest could cause heap memory access after the memory is freed. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure. 2026-01-28 7.8 CVE-2025-33220 https://nvd.nist.gov/vuln/detail/CVE-2025-33220
https://www.cve.org/CVERecord?id=CVE-2025-33220
https://nvidia.custhelp.com/app/answers/detail/a_id/5747
 
NVIDIA--NVIDIA runx NVIDIA runx contains a vulnerability where an attacker could cause a code injection. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. 2026-01-27 7.8 CVE-2025-33234 https://nvd.nist.gov/vuln/detail/CVE-2025-33234
https://www.cve.org/CVERecord?id=CVE-2025-33234
https://nvidia.custhelp.com/app/answers/detail/a_id/5764
 
nyariv--SandboxJS SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to `AsyncFunction` not being isolated in `SandboxFunction`. The library attempts to sandbox code execution by replacing the global `Function` constructor with a safe, sandboxed version (`SandboxFunction`). This is handled in `utils.ts` by mapping `Function` to `sandboxFunction` within a map used for lookups. However, before version 0.8.26, the library did not include mappings for `AsyncFunction`, `GeneratorFunction`, and `AsyncGeneratorFunction`. These constructors are not global properties but can be accessed via the `.constructor` property of an instance (e.g., `(async () => {}).constructor`). In `executor.ts`, property access is handled. When code running inside the sandbox accesses `.constructor` on an async function (which the sandbox allows creating), the `executor` retrieves the property value. Since `AsyncFunction` was not in the safe-replacement map, the `executor` returns the actual native host `AsyncFunction` constructor. Constructors for functions in JavaScript (like `Function`, `AsyncFunction`) create functions that execute in the global scope. By obtaining the host `AsyncFunction` constructor, an attacker can create a new async function that executes entirely outside the sandbox context, bypassing all restrictions and gaining full access to the host environment (Remote Code Execution). Version 0.8.26 patches this vulnerability. 2026-01-27 10 CVE-2026-23830 https://github.com/nyariv/SandboxJS/security/advisories/GHSA-wxhw-j4hc-fmq6
https://github.com/nyariv/SandboxJS/commit/345aee6566e47979dee5c337b925b141e7f78ccd
 
OISF--suricata Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, crafted DCERPC traffic can cause Suricata to expand a buffer w/o limits, leading to memory exhaustion and the process getting killed. While reported for DCERPC over UDP, it is believed that DCERPC over TCP and SMB are also vulnerable. DCERPC/TCP in the default configuration should not be vulnerable as the default stream depth is limited to 1MiB. Versions 8.0.3 and 7.0.14 contain a patch. Some workarounds are available. For DCERPC/UDP, disable the parser. For DCERPC/TCP, the `stream.reassembly.depth` setting will limit the amount of data that can be buffered. For DCERPC/SMB, the `stream.reassembly.depth` can be used as well, but is set to unlimited by default. Imposing a limit here may lead to loss of visibility in SMB. 2026-01-27 7.5 CVE-2026-22258 https://github.com/OISF/suricata/security/advisories/GHSA-289c-h599-3xcx
https://github.com/OISF/suricata/commit/39d8c302af3422a096b75474a4f295a754ec6a74
https://github.com/OISF/suricata/commit/f82a388d0283725cb76782cf64e8341cab370830
https://redmine.openinfosecfoundation.org/issues/8182
 
OISF--suricata Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, specially crafted traffic can cause Suricata to consume large amounts of memory while parsing DNP3 traffic. This can lead to the process slowing down and running out of memory, potentially leading to it getting killed by the OOM killer. Versions 8.0.3 or 7.0.14 contain a patch. As a workaround, disable the DNP3 parser in the suricata yaml (disabled by default). 2026-01-27 7.5 CVE-2026-22259 https://github.com/OISF/suricata/security/advisories/GHSA-878h-2x6v-84q9
https://github.com/OISF/suricata/commit/50cac2e2465ca211eabfa156623e585e9037bb7e
https://github.com/OISF/suricata/commit/63225d5f8ef64cc65164c0bb1800730842d54942
https://redmine.openinfosecfoundation.org/issues/8181
 
OISF--suricata Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, Suricata can crash with a stack overflow. Version 8.0.3 patches the issue. As a workaround, use default values for `request-body-limit` and `response-body-limit`. 2026-01-27 7.5 CVE-2026-22260 https://github.com/OISF/suricata/security/advisories/GHSA-3gm8-84cm-5x22
https://github.com/OISF/suricata/commit/0dddac7278c8b9cf3c1e4c1c71e620a78ec1c185
https://redmine.openinfosecfoundation.org/issues/8185
 
OISF--suricata Suricata is a network IDS, IPS and NSM engine. Prior to version 8.0.3 and 7.0.14, an unsigned integer overflow can lead to a heap use-after-free condition when generating excessive amounts of alerts for a single packet. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not run untrusted rulesets or run with less than 65536 signatures that can match on the same packet. 2026-01-27 7.4 CVE-2026-22264 https://github.com/OISF/suricata/security/advisories/GHSA-mqr8-m3m4-2hw5
https://github.com/OISF/suricata/commit/549d7bf60616de8e54686a188196453b5b22f715
https://github.com/OISF/suricata/commit/5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2
https://github.com/OISF/suricata/commit/ac1eb394181530430fb7262969f423a1bf8f209b
https://redmine.openinfosecfoundation.org/issues/8190
 
OpenClaw--OpenClaw OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value. 2026-02-01 8.8 CVE-2026-25253 https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys
https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq
https://openclaw.ai/blog
 
openemr--openemr OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. An authenticated normal user can modify the request parameters (pubpid / pid) to reference another user's record; the server accepts the modified IDs and applies the changes to that other user's profile. This allows one user to alter another user's profile data (name, contact info, etc.), and could enable account takeover. Version 7.0.4 fixes the issue. 2026-01-27 8.8 CVE-2025-67645 https://github.com/openemr/openemr/security/advisories/GHSA-vjmv-cf46-gffv
https://github.com/openemr/openemr/commit/e2a682ee71aac71a9f04ae566f4ffca10052bc4a
 
opf--openproject OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a shared secret only known to the synchronization server. The frontend hands this encrypted token and the backend URL over to the synchronization server to check user's ability to work on the document and perform intermittent saves while editing. The synchronization server does not properly validate the backend URL and sends a request with the decrypted authentication token to the endpoint that was given to the server. An attacker could use this vulnerability to decrypt a token that he intercepted by other means to gain an access token to interact with OpenProject on the victim's behalf. This vulnerability was introduced with OpenProject 17.0.0 and was fixed in 17.0.2. As a workaround, disable the collaboration feature via Settings -> Documents -> Real time collaboration -> Disable. Additionally the `hocuspocus` container should also be disabled. 2026-01-28 8.9 CVE-2026-24772 https://github.com/opf/openproject/security/advisories/GHSA-r854-p5qj-x974
 
Pablosoftwaresolutions--Quick 'n Easy FTP Service Quick 'n Easy FTP Service 3.2 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code during service startup. Attackers can exploit the misconfigured service binary path to inject malicious executables with elevated LocalSystem privileges during system boot or service restart. 2026-01-27 7.8 CVE-2020-36983 ExploitDB-48983
Vendor Homepage
Software Download Page
VulnCheck Advisory: Quick 'n Easy FTP Service 3.2 - Unquoted Service Path
 
patriksimek--vm2 vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of `localPromise.prototype.then` is sanitized, but `globalPromise.prototype.then` is not sanitized. The return value of async functions is `globalPromise` object. Version 3.10.2 fixes the issue. 2026-01-26 9.8 CVE-2026-22709 https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8
https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29
https://github.com/patriksimek/vm2/releases/tag/v3.10.2
 
Pdf-Complete--PDF Complete PDF Complete 3.5.310.2002 contains an unquoted service path vulnerability in its pdfsvc.exe service configuration. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges. 2026-01-26 7.8 CVE-2020-36957 ExploitDB-49226
PDF Complete Vendor Homepage
VulnCheck Advisory: PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path
 
PHPSUGAR--PHP Melody PHP Melody version 3.0 contains a remote SQL injection vulnerability in the video edit module that allows authenticated attackers to inject malicious SQL commands. Attackers can exploit the unvalidated 'vid' parameter to execute arbitrary database queries and potentially compromise the web application and database management system. 2026-02-01 8.1 CVE-2021-47915 Vulnerability Lab Advisory
Vulnerability Lab Advisory
Product Homepage
VulnCheck Advisory: PHP Melody 3.0 SQL Injection Vulnerability via Edit Video Parameter
 
PMB Services--PMB Services PMB 5.6 contains a local file disclosure vulnerability in getgif.php that allows attackers to read arbitrary system files by manipulating the 'chemin' parameter. Attackers can exploit the unsanitized file path input to access sensitive files like /etc/passwd by sending crafted requests to the getgif.php endpoint. 2026-01-28 8.4 CVE-2020-36970 ExploitDB-49054
Vendor Homepage
Software Download Repository
VulnCheck Advisory: PMB 5.6 - 'chemin' Local File Disclosure
 
polarnl--PolarLearn PolarLearn is a free and open-source learning program. Prior to version 0-PRERELEASE-15, the vote API route (`POST /api/v1/forum/vote`) trusts the JSON body's `direction` value without runtime validation. TypeScript types are not enforced at runtime, so an attacker can send arbitrary strings (e.g., `"x"`) as `direction`. Downstream (`VoteServer`) treats any non-`"up"` and non-`null` value as a downvote and persists the invalid value in `votes_data`. This can be exploited to bypass intended business logic. Version 0-PRERELEASE-15 fixes the vulnerability. 2026-01-29 7.1 CVE-2026-25126 https://github.com/polarnl/PolarLearn/security/advisories/GHSA-ghpx-5w2p-p3qp
https://github.com/polarnl/PolarLearn/commit/e6227d94d0e53e854f6a46480db8cd1051184d41
 
Preyproject--Prey Prey 1.9.6 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the CronService to insert malicious code that would execute during application startup or system reboot. 2026-01-28 7.8 CVE-2020-36986 ExploitDB-48967
Vendor Homepage
VulnCheck Advisory: Prey 1.9.6 - "CronService" Unquoted Service Path
 
ProjectSkyfire--SkyFire_548 improper pointer arithmetic vulnerability in ProjectSkyfire SkyFire_548. This issue affects SkyFire_548: before 5.4.8-stable5. 2026-01-27 9.8 CVE-2026-24872 https://github.com/cadaver/turso3d/pull/11
 
pytorch--pytorch PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue. 2026-01-27 8.8 CVE-2026-24747 https://github.com/pytorch/pytorch/security/advisories/GHSA-63cw-57p8-fm3p
https://github.com/pytorch/pytorch/issues/163105
https://github.com/pytorch/pytorch/163122/commit/954dc5183ee9205cbe79876ad05dd2d9ae752139
https://github.com/pytorch/pytorch/releases/tag/v2.10.0
 
Raimersoft--TapinRadio TapinRadio 2.13.7 contains a denial of service vulnerability in the application proxy settings that allows attackers to crash the program by overflowing input fields. Attackers can paste a large buffer of 20,000 characters into the username and address fields to cause the application to become unresponsive and require reinstallation. 2026-01-27 7.5 CVE-2020-36949 ExploitDB-49206
Vendor Homepage
VulnCheck Advisory: TapinRadio 2.13.7 - Denial of Service
 
Ralim--IronOS Integer Overflow or Wraparound vulnerability in Ralim IronOS. This issue affects IronOS: before v2.23-rc2. 2026-01-27 9.8 CVE-2026-24830 https://github.com/Ralim/IronOS/pull/2083
 
Realtek--Realtek Andrea RT Filters Realtek Andrea RT Filters 1.0.64.7 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in 'C:\Program Files\IDT\WDM\AESTSr64.exe' to inject malicious code that would execute during service startup or system reboot. 2026-01-27 7.8 CVE-2020-36974 ExploitDB-49158
Realtek Official Homepage
VulnCheck Advisory: Realtek Andrea RT Filters 1.0.64.7 - 'AERTSr64.EXE' Unquoted Service Path
 
Red Hat--OpenShift Serverless A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote denial-of-service (DoS) attack. 2026-01-30 7.5 CVE-2024-4027 https://access.redhat.com/security/cve/CVE-2024-4027
RHBZ#2276410
 
Red Hat--osim The $uri$args concatenation in nginx configuration file present in Open Security Issue Management (OSIM) prior v2025.9.0 allows path traversal attacks via query parameters. 2026-01-29 7.5 CVE-2026-1616 https://github.com/RedHatProductSecurity/osim/pull/615
 
Red Hat--RHEL-9-CNV-4.19 A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism. 2026-01-26 8.5 CVE-2025-14459 RHSA-2026:0950
https://access.redhat.com/security/cve/CVE-2025-14459
RHBZ#2420938
 
Rinnegatamante--lpp-vita Out-of-bounds Read vulnerability in Rinnegatamante lpp-vita. This issue affects lpp-vita: before lpp-vita r6. 2026-01-27 7.8 CVE-2026-24873 https://github.com/Rinnegatamante/lpp-vita/pull/82
 
Ruijienetworks--Ruijie Networks Switch eWeb S29_RGOS Ruijie Networks Switch eWeb S29_RGOS 11.4 contains a directory traversal vulnerability that allows unauthenticated attackers to access sensitive configuration files by manipulating file path parameters. Attackers can exploit the /download.do endpoint with '../' sequences to retrieve system configuration files containing credentials and network settings. 2026-01-29 7.5 CVE-2020-37015 ExploitDB-48755
Ruijie Networks Official Homepage
Directory Traversal Vulnerability Source
VulnCheck Advisory: Ruijie Networks Switch eWeb S29_RGOS 11.4 - Directory Traversal
 
runtipi--runtipi Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-compose.yml` configuration file. By exploiting insecure URN parsing, an attacker can replace the primary stack configuration with a malicious one, resulting in full Remote Code Execution (RCE) and host filesystem compromise the next time the instance is restarted by the operator. Version 4.7.2 fixes the vulnerability. 2026-01-29 7.6 CVE-2026-25116 https://github.com/runtipi/runtipi/security/advisories/GHSA-mwg8-x997-cqw6
https://github.com/runtipi/runtipi/releases/tag/v4.7.2
 
saadiqbal--New User Approve The New User Approve plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to approve or deny user accounts, retrieve sensitive user information including emails and roles, and force logout of privileged users. 2026-01-28 7.3 CVE-2026-0832 https://www.wordfence.com/threat-intel/vulnerabilities/id/f86a69ab-2fc5-4c84-872b-929dbec429cd?source=cve
https://plugins.trac.wordpress.org/browser/new-user-approve/trunk/includes/end-points/mobile-api.php#L60
https://plugins.trac.wordpress.org/browser/new-user-approve/tags/3.2.1/includes/end-points/mobile-api.php#L60
https://plugins.trac.wordpress.org/browser/new-user-approve/trunk/includes/end-points/mobile-api.php#L24
https://plugins.trac.wordpress.org/browser/new-user-approve/tags/3.2.1/includes/end-points/mobile-api.php#L24
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3425140%40new-user-approve&new=3425140%40new-user-approve&sfp_email=&sfph_mail=
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442291%40new-user-approve&new=3442291%40new-user-approve&sfp_email=&sfph_mail=
 
Salt Project--Salt Salt's junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution under the context of the Salt process. 2026-01-30 7.8 CVE-2025-62348 Salt 3006.17 release notes (fix for CVE-2025-62348)
 
Sangfor--Operation and Maintenance Security Management System A vulnerability has been found in Sangfor Operation and Maintenance Security Management System up to 3.0.12. The impacted element is an unknown function of the file /fort/audit/get_clip_img of the component HTTP POST Request Handler. Such manipulation of the argument frame/dirno leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. 2026-01-26 7.3 CVE-2026-1412 VDB-342801 | Sangfor Operation and Maintenance Security Management System HTTP POST Request get_clip_img command injection
VDB-342801 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #736513 | Sangfor Operation and Maintenance Security Management System (OSM / 运维安全管理系统) v3.0.12 Command Injectiona
https://github.com/LX-LX88/cve/issues/22
 
Scille--parsec-cloud Parsec is a cloud-based application for cryptographically secure file sharing. In versions on the 3.x branch prior to 3.6.0, `libparsec_crypto`, a component of the Parsec application, does not check for weak order point of Curve25519 when compiled with its RustCrypto backend. In practice this means an attacker in a man-in-the-middle position would be able to provide weak order points to both parties in the Diffie-Hellman exchange, resulting in a high probability to for both parties to obtain the same shared key (hence leading to a successful SAS code exchange, misleading both parties into thinking no MITM has occurred) which is also known by the attacker. Note only Parsec web is impacted (as Parsec desktop uses `libparsec_crypto` with the libsodium backend). Version 3.6.0 of Parsec patches the issue. 2026-01-29 8.3 CVE-2025-62514 https://github.com/Scille/parsec-cloud/security/advisories/GHSA-hrc9-gm58-pgj9
https://github.com/Scille/parsec-cloud/commit/197bb6387b49fec872b5e4a04dcdb82b3d2995b2
https://github.com/Scille/parsec-cloud/blob/e7c5cdbc4234f606ccf3ab2be7e9edc22db16feb/libparsec/crates/crypto/src/rustcrypto/private.rs#L136-L138
https://github.com/dalek-cryptography/curve25519-dalek/blob/8c53a8f10b146a2fd65069437e3576e49b390e7a/curve25519-dalek/src/montgomery.rs#L132-L146
https://github.com/dalek-cryptography/curve25519-dalek/blob/8c53a8f10b146a2fd65069437e3576e49b390e7a/x25519-dalek/src/x25519.rs#L364-L366
 
script3--soroban-fixed-point-math soroban-fixed-point-math is a fixed-point math library for Soroban smart contacts. In versions 1.3.0 and 1.4.0, the `mulDiv(x, y, z)` function incorrectly handled cases where both the intermediate product $x * y$ and the divisor $z$ were negative. The logic assumed that if the intermediate product was negative, the final result must also be negative, neglecting the sign of $z$. This resulted in rounding being applied in the wrong direction for cases where both $x * y$ and $z$ were negative. The functions most at risk are `fixed_div_floor` and `fixed_div_ceil`, as they often use non-constant numbers as the divisor $z$ in `mulDiv`. This error is present in all signed `FixedPoint` and `SorobanFixedPoint` implementations, including `i64`, `i128`, and `I256`. Versions 1.3.1 and 1.4.1 contain a patch. No known workarounds for this issue are available. 2026-01-27 7.5 CVE-2026-24783 https://github.com/script3/soroban-fixed-point-math/security/advisories/GHSA-x5m4-43jf-hh65
https://github.com/script3/soroban-fixed-point-math/commit/c9233f7094198a49ed66a4d75786a8a3755c936a
https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.3.1
https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.4.1
 
sebastianbergmann--phpunit PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test. The vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled. This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through CI/CD pipeline attacks, the local development environment, and/or compromised dependencies. Rather than just silently sanitizing the input via `['allowed_classes' => false]`, the maintainer has chosen to make the anomalous state explicit by treating pre-existing `.coverage` files for PHPT tests as an error condition. Starting in versions in versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, when a `.coverage` file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration, including ephemeral runners, code review enforcement, branch protection, artifact isolation, and access control. 2026-01-27 7.8 CVE-2026-24765 https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p
https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda
https://github.com/sebastianbergmann/phpunit/releases/tag/10.5.63
https://github.com/sebastianbergmann/phpunit/releases/tag/11.5.50
https://github.com/sebastianbergmann/phpunit/releases/tag/12.5.8
https://github.com/sebastianbergmann/phpunit/releases/tag/8.5.52
https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.33
 
Segurazo--SAntivirus IC SAntivirus IC 10.0.21.61 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted executable path to inject malicious files in the service binary path, enabling privilege escalation to system-level permissions. 2026-01-27 7.8 CVE-2020-36980 ExploitDB-49042
Vendor Homepage
VulnCheck Advisory: SAntivirus IC 10.0.21.61 - 'SAntivirusIC' Unquoted Service Path
 
SEIKO EPSON Corp--Status Monitor 3 EPSON Status Monitor 3 version 8.0 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code by exploiting the service binary path. Attackers can leverage the unquoted path in 'C:\Program Files\Common Files\EPSON\EPW!3SSRP\E_S60RPB.EXE' to inject malicious executables and escalate privileges. 2026-01-27 7.8 CVE-2020-36975 ExploitDB-49141
Official EPSON Corporate Homepage
VulnCheck Advisory: EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path
 
shahrukhlinkgraph--Search Atlas SEO Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization The Search Atlas SEO - Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the 'generate_sso_url' and 'validate_sso_token' functions in versions 2.4.4 to 2.5.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the 'nonce_token' authentication value to log in to the first Administrator's account. 2026-01-28 8.8 CVE-2025-14386 https://www.wordfence.com/threat-intel/vulnerabilities/id/6f63d2c4-cbae-4177-8494-daca96449ecc?source=cve
https://plugins.trac.wordpress.org/browser/metasync/tags/2.5.12/admin/class-metasync-admin.php#L1042
https://plugins.trac.wordpress.org/browser/metasync/tags/2.5.12/admin/class-metasync-admin.php#L851
https://plugins.trac.wordpress.org/browser/metasync/tags/2.5.12/admin/class-metasync-admin.php#L1141
 
Sharemouse--ShareMouse ShareMouse 5.0.43 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the insecure service path configuration by placing malicious executables in specific system directories to gain elevated access during service startup. 2026-01-28 7.8 CVE-2020-36991 ExploitDB-48794
ShareMouse Official Vendor Homepage
VulnCheck Advisory: ShareMouse 5.0.43 - 'ShareMouse Service' Unquoted Service Path
 
Simplephpscripts--Simple CMS Simple CMS 2.1 contains a remote SQL injection vulnerability that allows privileged attackers to inject unfiltered SQL commands in the users module. Attackers can exploit unvalidated input parameters in the admin.php file to compromise the database management system and web application. 2026-02-01 8.1 CVE-2021-47918 Vulnerability Lab Advisory
Product Homepage
VulnCheck Advisory: Simple CMS 2.1 SQL Injection Vulnerability via Users Module
 
smartdatasoft--SmartBlog SmartBlog 2.0.1 contains a blind SQL injection vulnerability in the 'id_post' parameter of the details controller that allows attackers to extract database information. Attackers can systematically test and retrieve database contents by injecting crafted SQL queries that compare character-by-character of database information. 2026-01-28 8.2 CVE-2020-36972 ExploitDB-48995
SmartBlog GitHub Repository
VulnCheck Advisory: SmartBlog 2.0.1 - 'id_post' Blind SQL injection
 
SOCUSOFT--Photo to Video Converter Professional Socusoft Photo to Video Converter Professional 8.07 contains a local buffer overflow vulnerability in the 'Output Folder' input field that allows attackers to execute arbitrary code. Attackers can craft a malicious payload and paste it into the output folder field to trigger a stack-based buffer overflow and potentially execute shellcode. 2026-01-30 8.4 CVE-2020-37028 ExploitDB-48691
Archived Vendor Homepage
VulnCheck Advisory: Socusoft Photo to Video Converter Professional 8.07 - 'Output Folder' Buffer Overflow
 
SolarWinds--Web Help Desk SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication. 2026-01-28 9.8 CVE-2025-40551 https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40551
https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm
 
SolarWinds--Web Help Desk SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication. 2026-01-28 9.8 CVE-2025-40552 https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40552
https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm
 
SolarWinds--Web Help Desk SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication. 2026-01-28 9.8 CVE-2025-40553 https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40553
https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm
 
SolarWinds--Web Help Desk SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk. 2026-01-28 9.8 CVE-2025-40554 https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40554
https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm
 
SolarWinds--Web Help Desk SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality. 2026-01-28 8.1 CVE-2025-40536 https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40536
https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm
 
SolarWinds--Web Help Desk SolarWinds Web Help Desk was found to be susceptible to a hardcoded credentials vulnerability that, under certain situations, could allow access to administrative functions. 2026-01-28 7.5 CVE-2025-40537 https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40537
https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm
 
Sonarqube--SonarQube SonarQube 8.3.1 contains an unquoted service path vulnerability that allows local attackers to gain SYSTEM privileges by exploiting the service executable path. Attackers can replace the wrapper.exe in the service path with a malicious executable to execute code with highest system privileges during service restart. 2026-01-29 7.8 CVE-2020-37020 ExploitDB-48677
SonarQube Official Homepage
VulnCheck Advisory: SonarQube 8.3.1 - Unquoted Service Path
 
Squidex--squidex Squidex is an open source headless content management system and content management hub. Versions of the application up to and including 7.21.0 allow users to define "Webhooks" as actions within the Rules engine. The url parameter in the webhook configuration does not appear to validate or restrict destination IP addresses. It accepts local addresses such as 127.0.0.1 or localhost. When a rule is triggered (Either manual trigger by manually calling the trigger endpoint or by a content update or any other triggers), the backend server executes an HTTP request to the user-supplied URL. Crucially, the server logs the full HTTP response in the rule execution log (lastDump field), which is accessible via the API. Which turns a "Blind" SSRF into a "Full Read" SSRF. As of time of publication, no patched versions are available. 2026-01-27 9.1 CVE-2026-24736 https://github.com/Squidex/squidex/security/advisories/GHSA-wxg2-953m-fg2w
 
sunnygkp10--Online-Exam-System Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. Attackers can exploit the 'feed.php' endpoint by crafting malicious payload requests that use time delays to systematically enumerate user password characters. 2026-01-30 8.2 CVE-2020-37051 ExploitDB-48560
Software Repository
VulnCheck Advisory: Online-Exam-System 2015 - 'feedback' SQL Injection
 
sunnygkp10--Online-Exam-System Online-Exam-System 2015 contains a SQL injection vulnerability in the feedback module that allows attackers to manipulate database queries through the 'fid' parameter. Attackers can inject malicious SQL code into the 'fid' parameter to potentially extract, modify, or delete database information. 2026-01-30 8.2 CVE-2020-37057 ExploitDB-48529
Software Repository
VulnCheck Advisory: Online-Exam-System 2015 - 'fid' SQL Injection
 
Techraft--Digital Multivendor Marketplace Online Store Mult-E-Cart Ultimate 2.4 contains multiple SQL injection vulnerabilities in inventory, customer, vendor, and order modules. Remote attackers with privileged vendor or admin roles can exploit the 'id' parameter to execute malicious SQL commands and compromise the database management system. 2026-02-01 8.1 CVE-2021-47909 Vulnerability Lab Advisory
Product Homepage
Product Homepage
VulnCheck Advisory: Mult-E-Cart Ultimate 2.4 SQL Injection via Vulnerable ID Parameters
 
telnet-lite--Mocha Telnet Lite for iOS Mocha Telnet Lite for iOS 4.2 contains a denial of service vulnerability that allows attackers to crash the application by manipulating the user configuration input. Attackers can overwrite the 'User' field with 350 bytes of repeated characters to trigger an application crash and prevent normal functionality. 2026-01-29 7.5 CVE-2020-36995 ExploitDB-48728
Official App Store Page for Mocha Telnet Lite
VulnCheck Advisory: Mocha Telnet Lite for iOS 4.2 - 'User' Denial of Service
 
Tenda--AC21 A vulnerability was identified in Tenda AC21 16.03.08.16. The affected element is the function fromAdvSetMacMtuWan of the file /goform/AdvSetMacMtuWan. The manipulation leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. 2026-01-29 8.8 CVE-2026-1637 VDB-343416 | Tenda AC21 AdvSetMacMtuWan fromAdvSetMacMtuWan stack-based overflow
VDB-343416 | CTI Indicators (IOB, IOC, IOA)
Submit #740865 | Tenda AC21 V16.03.08.16 Buffer Overflow
https://github.com/LX-LX88/cve/issues/25
https://www.tenda.com.cn/
 
Tenda--AC23 A flaw has been found in Tenda AC23 16.03.07.52. This impacts an unknown function of the file /goform/WifiExtraSet. This manipulation of the argument wpapsk_crypto causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been published and may be used. 2026-01-26 8.8 CVE-2026-1420 VDB-342836 | Tenda AC23 WifiExtraSet buffer overflow
VDB-342836 | CTI Indicators (IOB, IOC, IOA)
Submit #736559 | Tenda AC23 V16.03.07.52 Buffer Overflow
https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC23_Buffer_Overflow_WifiExtraSet/Tenda%20AC23_Buffer_Overflow_WifiExtraSet.md
https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC23_Buffer_Overflow_WifiExtraSet/Tenda%20AC23_Buffer_Overflow_WifiExtraSet.md#poc
https://www.tenda.com.cn/
 
Tenda--AX12 Pro V2 A vulnerability was found in Tenda AX12 Pro V2 16.03.49.24_cn. Affected by this issue is some unknown functionality of the component Telnet Service. Performing a manipulation results in hard-coded credentials. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been made public and could be used. 2026-01-29 8.1 CVE-2026-1610 VDB-343378 | Tenda AX12 Pro V2 Telnet Service hard-coded credentials
VDB-343378 | CTI Indicators (IOB, IOC, TTP)
Submit #740766 | Tenda AX12 pro V2 V16.03.49.24_cn Hard-coded Credentials
https://github.com/QIU-DIE/CVE/issues/49
https://www.tenda.com.cn/
 
Tenda--HG10 A weakness has been identified in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. Impacted is an unknown function of the file /boaform/formSamba of the component Boa Webserver. Executing a manipulation of the argument serverString can lead to command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. 2026-01-30 7.3 CVE-2026-1687 VDB-343481 | Tenda HG10 Boa Webserver formSamba command injection
VDB-343481 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #741281 | Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon Command Injection
https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formSamba-serverString-command.md
https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formSamba-serverString-command.md#poc
https://www.tenda.com.cn/
 
Tenda--HG10 A vulnerability was detected in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. The impacted element is the function checkUserFromLanOrWan of the file /boaform/admin/formLogin of the component Login Interface. The manipulation of the argument Host results in command injection. The attack can be launched remotely. The exploit is now public and may be used. 2026-01-30 7.3 CVE-2026-1689 VDB-343483 | Tenda HG10 Login formLogin checkUserFromLanOrWan command injection
VDB-343483 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #741411 | Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon Command Injection
https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formLogin-Host-command.md
https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formLogin-Host-command.md#poc
https://www.tenda.com.cn/
 
Tendenci--Tendenci Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd|' /C calc'!A0' in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications. 2026-01-28 9.8 CVE-2020-36962 ExploitDB-49145
Official Vendor Homepage
Tendenci GitHub Repository
VulnCheck Advisory: Tendenci 12.3.1 - CSV/ Formula Injection
 
Testa--Testa Online Test Management System Testa Online Test Management System 3.4.7 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'q' search parameter. Attackers can inject malicious SQL code in the search field to extract database information, potentially accessing sensitive user or system data. 2026-01-27 8.2 CVE-2021-47902 ExploitDB-49194
Archived Vendor Homepage
VulnCheck Advisory: Testa Online Test Management System 3.4.7 - 'q' SQL Injection
 
themrdemonized--xray-monolith Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in themrdemonized xray-monolith. This issue affects xray-monolith: before 2025.12.30. 2026-01-27 9.1 CVE-2026-24874 https://github.com/themrdemonized/xray-monolith/pull/399
 
tigroumeow--AI Engine The Chatbot and AI Framework for WordPress The AI Engine - The Chatbot and AI Framework for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `rest_helpers_update_media_metadata` function in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The attacker can upload a benign image file, then use the `update_media_metadata` endpoint to rename it to a PHP file, creating an executable PHP file in the uploads directory. 2026-01-28 7.2 CVE-2026-1400 https://www.wordfence.com/threat-intel/vulnerabilities/id/d5227269-4406-4fcf-af37-f1db0af857d6?source=cve
https://plugins.trac.wordpress.org/browser/ai-engine/tags/3.3.0/classes/rest.php#L1104
https://plugins.trac.wordpress.org/browser/ai-engine/tags/3.3.0/classes/rest.php#L1141
https://plugins.trac.wordpress.org/changeset/3447500/ai-engine/trunk/classes/rest.php
 
Tildeslash Ltd.--M/Monit M/Monit 3.7.4 contains a privilege escalation vulnerability that allows authenticated users to modify user permissions by manipulating the admin parameter. Attackers can send a POST request to the /api/1/admin/users/update endpoint with a crafted payload to grant administrative access to a standard user account. 2026-01-28 8.8 CVE-2020-36969 ExploitDB-49080
M/Monit Official Vendor Homepage
VulnCheck Advisory: M/Monit 3.7.4 - Privilege Escalation
 
TimeClock Software--TimeClock Software TimeClock Software 1.01 contains an authenticated time-based SQL injection vulnerability that allows attackers to enumerate valid usernames by manipulating the 'notes' parameter. Attackers can inject conditional time delays in the add_entry.php endpoint to determine user existence by measuring response time differences. 2026-01-29 7.1 CVE-2020-37005 ExploitDB-48874
Archived Product Homepage
VulnCheck Advisory: TimeClock Software 1.01 Authenticated Time-Based SQL Injection
 
Totolink--A3600R A security flaw has been discovered in Totolink A3600R 5.9c.4959. This issue affects the function setAppEasyWizardConfig in the library /lib/cste_modules/app.so. Performing a manipulation of the argument apcliSsid results in buffer overflow. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. 2026-01-30 8.8 CVE-2026-1686 VDB-343480 | Totolink A3600R app.so setAppEasyWizardConfig buffer overflow
VDB-343480 | CTI Indicators (IOB, IOC, IOA)
Submit #740888 | TOTOLINK A3600R V5.9c.4959 Buffer Overflow
https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A3600R/4959-apcliSsid-setAppEasyWizardConfig.md
https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A3600R/4959-apcliSsid-setAppEasyWizardConfig.md#poc
https://www.totolink.net/
 
TrustTunnel--TrustTunnel TrustTunnel is an open-source VPN protocol with a server-side request forgery and and private network restriction bypass in versions prior to 0.9.114. In `tcp_forwarder.rs`, SSRF protection for `allow_private_network_connections = false` was only applied in the `TcpDestination::HostName(peer)` path. The `TcpDestination::Address(peer) => peer` path proceeded to `TcpStream::connect()` without equivalent checks (for example `is_global_ip`, `is_loopback`), allowing loopback/private targets to be reached by supplying a numeric IP. The vulnerability is fixed in version 0.9.114. 2026-01-29 7.1 CVE-2026-24902 https://github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-hgr9-frvw-5r76
https://github.com/TrustTunnel/TrustTunnel/commit/734bb5cf103b72390a95c853cbf91e699cc01bc0
 
TryGhost--Ghost Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permissions, potentially leading to account takeover. Ghost Portal versions 2.29.1 through 2.51.4 and 2.52.0 through 2.57.0 were vulnerable to this issue. Ghost automatically loads the latest patch of the members Portal component via CDN. For Ghost 5.x users, upgrading to v5.121.0 or later fixes the vulnerability. v5.121.0 loads Portal v2.51.5, which contains the patch. For Ghost 6.x users, upgrading to v6.15.0 or later fixes the vulnerability. v6.15.0 loads Portal v2.57.1, which contains the patch. For Ghost installations using a customized or self-hosted version of Portal, it will be necessary to manually rebuild from or update to the latest patch version. 2026-01-27 8.8 CVE-2026-24778 https://github.com/TryGhost/Ghost/security/advisories/GHSA-gv6q-2m97-882h
https://github.com/TryGhost/Ghost/commit/da858e640e88e69c1773a7b7ecdc2008fa143849
 
Tucows Inc.--Audio Playback Recorder Audio Playback Recorder 3.2.2 contains a local buffer overflow vulnerability in the eject and registration parameters that allows attackers to execute arbitrary code. Attackers can craft malicious payloads and overwrite Structured Exception Handler (SEH) to execute shellcode when pasting specially crafted input into the application's input fields. 2026-01-29 8.4 CVE-2020-37013 ExploitDB-48796
Archived Researcher Proof of Concept Video
Product Software Archive
VulnCheck Advisory: Audio Playback Recorder 3.2.2 - Local Buffer Overflow (SEH)
 
Tucows--Easy CD & DVD Cover Creator Easy CD & DVD Cover Creator 4.13 contains a buffer overflow vulnerability in the serial number input field that allows attackers to crash the application. Attackers can generate a 6000-byte payload and paste it into the serial number field to trigger an application crash. 2026-01-27 9.8 CVE-2020-36940 ExploitDB-49337
VulnCheck Advisory: Easy CD & DVD Cover Creator 4.13 - Denial of Service
 
Ubiquiti, Inc.--AirControl AirControl 1.4.2 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands through malicious Java expression injection. Attackers can exploit the /.seam endpoint by crafting a specially constructed URL with embedded Java expressions to run commands with the application's system privileges. 2026-01-30 9.8 CVE-2020-37052 ExploitDB-48541
Vendor Homepage
VulnCheck Advisory: AirControl 1.4.2 - PreAuth Remote Code Execution
 
Veritas--NetBackup Veritas NetBackup 7.0 contains an unquoted service path vulnerability in the NetBackup INET Daemon service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe to inject malicious code that would execute with elevated LocalSystem privileges. 2026-02-01 7.8 CVE-2020-37045 ExploitDB-48227
Veritas Official Homepage
VulnCheck Advisory: NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path
 
VeryPDF.com, Inc.--docPrint Pro docPrint Pro 8.0 contains a local buffer overflow vulnerability in the 'Add URL' input field that allows attackers to execute arbitrary code by overwriting memory. Attackers can craft a malicious payload that triggers a structured exception handler (SEH) overwrite to execute shellcode and gain remote system access. 2026-01-28 8.4 CVE-2020-36965 ExploitDB-49100
Vendor Homepage
VulnCheck Advisory: docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)
 
VestaCP--VestaCP VestaCP 0.9.8-26 contains a session token vulnerability in the LoginAs module that allows remote attackers to manipulate authentication tokens. Attackers can exploit insufficient token validation to access user accounts and perform unauthorized login requests without proper administrative permissions. 2026-01-27 9.8 CVE-2020-36948 ExploitDB-49219
VestaCP Official Homepage
Vulnerability Lab Advisory
Benjamin Kunz Mejri Profile
VulnCheck Advisory: VestaCP 0.9.8-26 - 'LoginAs' Insufficient Session Validation
 
VictorAlagwu--CMSsite Victor CMS 1.0 contains a file upload vulnerability that allows authenticated users to upload malicious PHP files through the profile image upload feature. Attackers can upload a PHP shell to the /img directory and execute system commands by accessing the uploaded file via web browser. 2026-01-27 8.8 CVE-2020-36942 ExploitDB-49310
Victor CMS Project Repository
VulnCheck Advisory: Victor CMS 1.0 - File Upload To RCE
 
vllm-project--vllm vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.14.1, a Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods obtain and process media from URLs provided by users, using different Python parsing libraries when restricting the target host. These two parsing libraries have different interpretations of backslashes, which allows the host name restriction to be bypassed. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources. This vulnerability is particularly critical in containerized environments like `llm-d`, where a compromised vLLM pod could be used to scan the internal network, interact with other pods, and potentially cause denial of service or access sensitive data. For example, an attacker could make the vLLM pod send malicious requests to an internal `llm-d` management endpoint, leading to system instability by falsely reporting metrics like the KV cache state. Version 0.14.1 contains a patch for the issue. 2026-01-27 7.1 CVE-2026-24779 https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc
https://github.com/vllm-project/vllm/pull/32746
https://github.com/vllm-project/vllm/commit/f46d576c54fb8aeec5fc70560e850bed38ef17d7
 
WEBDAMN.COM--WebDamn User Registration & Login System with User Panel WebDamn User Registration Login System contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating email credentials. Attackers can inject the payload '<email>' OR '1'='1' in both username and password fields to gain unauthorized access to the user panel. 2026-01-28 8.2 CVE-2020-36945 ExploitDB-49170
Vendor Homepage
Software Product Page
VulnCheck Advisory: WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass
 
Weird Solutions--DHCP Turbo DHCP Turbo 4.61298 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code by exploiting the service binary path. Attackers can place malicious executables in the service path to gain elevated privileges when the service starts. 2026-02-01 7.8 CVE-2020-37062 ExploitDB-48080
Vendor Homepage
VulnCheck Advisory: DHCP Turbo 4.6.1298- 'DHCP Turbo 4' Unquoted Service Path
 
Weird-Solutions--BOOTP Turbo BOOTP Turbo 2.0.1214 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted executable path to inject malicious code that will be executed when the service starts with LocalSystem permissions. 2026-02-01 7.8 CVE-2020-37061 ExploitDB-48078
Vendor Homepage
VulnCheck Advisory: BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path
 
Weird-Solutions--TFTP Turbo TFTP Turbo 4.6.1273 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions. 2026-02-01 7.8 CVE-2020-37063 ExploitDB-48085
Vendor Homepage
VulnCheck Advisory: TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path
 
WellChoose--Single Sign-On Portal System Single Sign-On Portal System developed by WellChoose has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. 2026-01-26 8.8 CVE-2026-1427 https://www.twcert.org.tw/tw/cp-132-10654-23f40-1.html
https://www.twcert.org.tw/en/cp-139-10655-59160-2.html
 
WellChoose--Single Sign-On Portal System Single Sign-On Portal System developed by WellChoose has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. 2026-01-26 8.8 CVE-2026-1428 https://www.twcert.org.tw/tw/cp-132-10654-23f40-1.html
https://www.twcert.org.tw/en/cp-139-10655-59160-2.html
 
Wibu--CodeMeter CodeMeter 6.60 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the CodeMeter Runtime Server service to inject malicious code that would execute with LocalSystem permissions. 2026-01-29 7.8 CVE-2020-37017 ExploitDB-48735
CodeMeter Runtime Product Homepage
VulnCheck Advisory: CodeMeter 6.60 - 'CodeMeter.exe' Unquoted Service Path
 
WinAVR--WinAVR WinAVR version 20100110 contains an insecure permissions vulnerability that allows authenticated users to modify system files and executables. Attackers can leverage the overly permissive access controls to potentially modify critical DLLs and executable files in the WinAVR installation directory. 2026-01-27 8.8 CVE-2020-36938 ExploitDB-49379
WinAVR Official Project Homepage
VulnCheck Advisory: WinAVR Version 20100110 - Insecure Folder Permissions
 
WinFrigate--Frigate 2 Frigate 2.02 contains a denial of service vulnerability that allows attackers to crash the application by sending oversized input to the command line interface. Attackers can generate a payload of 8000 repeated characters and paste it into the application's command line field to trigger an application crash. 2026-01-30 7.5 CVE-2020-37039 ExploitDB-48613
Archived Vendor Homepage
VulnCheck Advisory: Frigate 2.02 - Denial Of Service
 
WinFrigate--Frigate 3 Professional Frigate Professional 3.36.0.9 contains a local buffer overflow vulnerability in the 'Find Computer' feature that allows attackers to execute arbitrary code by overflowing the computer name input field. Attackers can craft a malicious payload that triggers a buffer overflow, enabling code execution and launching calculator as a proof of concept. 2026-01-30 8.4 CVE-2020-37042 ExploitDB-48579
Archived Vendor Homepage
VulnCheck Advisory: Frigate Professional 3.36.0.9 - 'Find Computer' Local Buffer Overflow
 
WinFrigate--Frigate 3 Professional Frigate 3.36.0.9 contains a local buffer overflow vulnerability in the Command Line input field that allows attackers to execute arbitrary code. Attackers can craft a malicious payload to overflow the buffer, bypass DEP, and execute commands like launching calc.exe through a specially crafted input sequence. 2026-01-30 8.4 CVE-2020-37049 ExploitDB-48563
Archived Vendor Homepage
VulnCheck Advisory: Frigate 3.36.0.9 - 'Command Line' Local Buffer Overflow
 
Wing FTP Server--Wing FTP Server Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger operating system execution through the os.execute() function. 2026-01-30 8.8 CVE-2020-37032 ExploitDB-48676
Wing FTP Server Official Homepage
VulnCheck Advisory: Wing FTP Server 6.3.8 - Remote Code Execution
 
Wondershare--Wondershare Driver Install Service help Wondershare Driver Install Service contains an unquoted service path vulnerability in the ElevationService executable that allows local attackers to potentially inject malicious code. Attackers can exploit the unquoted path to replace the service binary with a malicious executable, enabling privilege escalation to LocalSystem account. 2026-01-27 7.8 CVE-2020-36977 ExploitDB-49101
Vendor Homepage
Software Product Page
VulnCheck Advisory: Wondershare Driver Install Service help 10.7.1.321 - 'ElevationService' Unquote Service Path
 
wpcreatix--VidShop Shoppable Videos for WooCommerce The VidShop - Shoppable Videos for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'fields' parameter in all versions up to, and including, 1.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-01-28 7.5 CVE-2026-0702 https://www.wordfence.com/threat-intel/vulnerabilities/id/a61d8d2a-742f-45f1-9146-f733b80ef195?source=cve
https://plugins.trac.wordpress.org/browser/vidshop-for-woocommerce/trunk/includes/rest-api/v1/class-videos-controller.php#L224
https://plugins.trac.wordpress.org/browser/vidshop-for-woocommerce/trunk/includes/rest-api/v1/class-videos-controller.php#L297
https://plugins.trac.wordpress.org/browser/vidshop-for-woocommerce/trunk/includes/utils/class-query-builder.php#L778
https://plugins.trac.wordpress.org/changeset/3441106/
 
yoyofr--modizer Integer Overflow or Wraparound vulnerability in yoyofr modizer. This issue affects modizer: before 4.1.1. 2026-01-27 7.8 CVE-2026-24875 https://github.com/yoyofr/modizer/pull/133
 
zalando--skipper Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach internal services. Version 0.24.0 disables Kubernetes ExternalName by default. As a workaround, developers can allow list targets of an ExternalName and allow list via regular expressions. 2026-01-26 8.1 CVE-2026-24470 https://github.com/zalando/skipper/security/advisories/GHSA-mxxc-p822-2hx9
https://github.com/zalando/skipper/commit/a4c87ce029a58eb8e1c2c1f93049194a39cf6219
https://kubernetes.io/docs/concepts/services-networking/service/#externalname
 
Zortam.com--Zortam Mp3 Media Studio Zortam Mp3 Media Studio 27.60 contains a buffer overflow vulnerability in the library creation file selection process that allows remote code execution. Attackers can craft a malicious text file with shellcode to trigger a structured exception handler (SEH) overwrite and execute arbitrary commands on the target system. 2026-01-28 9.8 CVE-2020-36967 ExploitDB-49084
Zortam Official Homepage
Zortam Software Download Page
VulnCheck Advisory: Zortam Mp3 Media Studio 27.60 - Remote Code Execution (SEH)
 

Back to top

Medium Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
2100 Technology--Official Document Management System Official Document Management System developed by 2100 Technology has a Incorrect Authorization vulnerability, allowing authenticated remote attackers to modify front-end code to read all official documents. 2026-01-28 6.5 CVE-2026-1514 https://www.twcert.org.tw/tw/cp-132-10658-c5a07-1.html
https://www.twcert.org.tw/en/cp-139-10659-264cd-2.html
 
Adikiss--Sistem Informasi Pengumuman Kelulusan Online Sistem Informasi Pengumuman Kelulusan Online 1.0 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized admin users through the tambahuser.php endpoint. Attackers can craft a malicious HTML form to submit admin credentials and create new administrative accounts without the victim's consent. 2026-01-30 5.3 CVE-2020-37046 ExploitDB-48571
Vendor Homepage
Software Download Page
VulnCheck Advisory: Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery
 
ajay138--Knap Advanced PHP Login Knap Advanced PHP Login 3.1.3 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script code in the name parameter. Attackers can exploit the vulnerability to execute arbitrary scripts in users and activity log backend modules, potentially leading to session hijacking and persistent phishing attacks. 2026-02-01 6.4 CVE-2022-50940 Vulnerability Lab Advisory
Laravel & Vue.js
VulnCheck Advisory: Knap Advanced PHP Login 3.1.3 Persistent Cross-Site Scripting via Name Parameter
 
Akn Software Computer Import Export Industry and Trade Ltd.--QR Menu Session Fixation vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Session Fixation. This issue affects QR Menu: before s1.05.12. 2026-01-29 5.7 CVE-2025-7015 https://www.usom.gov.tr/bildirim/tr-26-0006
 
Author: Scott Ferreira--Free Photo & Video Vault - WiFi Transfer Free Photo & Video Vault 0.0.2 contains a directory traversal web vulnerability that allows remote attackers to manipulate application path requests and access sensitive system files. Attackers can exploit the vulnerability without privileges to retrieve environment variables and access unauthorized system paths. 2026-02-01 6.5 CVE-2021-47921 Vulnerability Lab Advisory
Product Homepage
VulnCheck Advisory: Free Photo & Video Vault 0.0.2 Directory Traversal Vulnerability via Web Request
 
ays-pro--Popup Box Create Countdown, Coupon, Video, Contact Form Popups The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the 'publish_unpublish_popupbox' function that verifies a self-created nonce rather than one submitted in the request. This makes it possible for unauthenticated attackers to change the publish status of popups via a forged request, granted they can trick a site administrator into performing an action such as clicking a link. 2026-01-31 4.3 CVE-2026-1165 https://www.wordfence.com/threat-intel/vulnerabilities/id/585a9eb4-f394-4cb2-9050-659171a994d9?source=cve
https://plugins.trac.wordpress.org/browser/ays-popup-box/tags/6.1.0/admin/partials/ays-pb-admin-display.php#L22
https://plugins.trac.wordpress.org/browser/ays-popup-box/tags/6.1.0/includes/lists/class-ays-pb-list-table.php#L701
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3439514@ays-popup-box/tags/6.1.1/&new=3444612@ays-popup-box/tags/6.1.2/
 
B&R Industrial Automation GmbH--Process Visualization Interface (PVI) An Insertion of Sensitive Information into Log File vulnerability in B&R PVI client versions prior to 6.5 may be abused by an authenticated local attacker to gather credential information which is processed by the PVI client application. The logging function of the PVI client application is disabled by default and must be explicitly enabled by the user. 2026-01-29 5 CVE-2026-0936 https://www.br-automation.com/fileadmin/SA26P001-2862434c.pdf
 
backstage--backstage Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, a path traversal vulnerability in the TechDocs local generator allows attackers to read arbitrary files from the host filesystem when Backstage is configured with `techdocs.generator.runIn: local`. When processing documentation from untrusted sources, symlinks within the docs directory are followed by MkDocs during the build process. File contents are embedded into generated HTML and exposed to users who can view the documentation. This vulnerability is fixed in` @backstage/plugin-techdocs-node` versions 1.13.11 and 1.14.1. Some workarounds are available. Switch to `runIn: docker` in `app-config.yaml` and/or restrict write access to TechDocs source repositories to trusted users only. 2026-01-30 5.3 CVE-2026-25152 https://github.com/backstage/backstage/security/advisories/GHSA-w669-jj7h-88m9
 
Banco de Guayaquil--Banco Guayaquil Banco Guayaquil 8.0.0 mobile iOS application contains a persistent cross-site scripting vulnerability in the TextBox Name Profile input. Attackers can inject malicious script code through a POST request that executes on application review without user interaction. 2026-02-01 6.4 CVE-2022-50952 Vulnerability Lab Advisory
Product Homepage
VulnCheck Advisory: Banco Guayaquil 8.0.0 Mobile iOS Cross-Site Scripting via Profile Name Input
 
Bdtask--Bhojon All-In-One Restaurant Management System A vulnerability was determined in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. The affected element is an unknown function of the file /hungry/placeorder of the component Checkout. Executing a manipulation of the argument orggrandTotal/vat/service_charge/grandtotal can lead to business logic errors. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-29 4.3 CVE-2026-1599 VDB-343361 | Bdtask Bhojon All-In-One Restaurant Management System Checkout placeorder logic error
VDB-343361 | CTI Indicators (IOB, IOC, IOA)
Submit #740740 | Bdtask Bhojon All-In-One Restaurant Management System latest Business Logic Errors
https://github.com/4m3rr0r/PoCVulDb/issues/13
https://www.youtube.com/watch?v=n7xLBAOrKAU
 
Bdtask--Bhojon All-In-One Restaurant Management System A vulnerability was identified in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. The impacted element is an unknown function of the file /hungry/addtocart of the component Add-to-Cart Submission Endpoint. The manipulation of the argument price/allprice leads to business logic errors. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-29 4.3 CVE-2026-1600 VDB-343362 | Bdtask Bhojon All-In-One Restaurant Management System Add-to-Cart Submission Endpoint addtocart logic error
VDB-343362 | CTI Indicators (IOB, IOC, IOA)
Submit #740741 | Bdtask Bhojon All-In-One Restaurant Management System latest Business Logic Errors
https://github.com/4m3rr0r/PoCVulDb/issues/14
https://www.youtube.com/watch?v=UESZTjVS4Fs
 
Bdtask--SalesERP A vulnerability has been found in Bdtask SalesERP up to 20260116. This issue affects some unknown processing of the component Administrative Endpoint. Such manipulation of the argument ci_session leads to improper authorization. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-29 6.3 CVE-2026-1597 VDB-343359 | Bdtask SalesERP Administrative Endpoint improper authorization
VDB-343359 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #740735 | Bdtask SalesERP -- AI-Powered ERP Software For Small Business Unknown Broken Access Control / Privilege Escalation
https://github.com/4m3rr0r/PoCVulDb/issues/11
https://www.youtube.com/watch?v=KSducixS3pk
 
Beckhoff Automation--Beckhoff.Device.Manager.XAR A low privileged remote attacker may be able to disclose confidential information from the memory of a privileged process by sending specially crafted calls to the Device Manager web service that cause an out-of-bounds read operation under certain circumstances due to ASLR and thereby potentially copy confidential information into a response. 2026-01-27 5.3 CVE-2025-41728 https://certvde.com/de/advisories/VDE-2025-092
 
Beetel--777VR1 A vulnerability was detected in Beetel 777VR1 up to 01.00.09/01.00.09_55. Impacted is an unknown function of the component UART Interface. The manipulation results in missing authentication. An attack on the physical device is feasible. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-26 6.4 CVE-2026-1410 VDB-342799 | Beetel 777VR1 UART missing authentication
VDB-342799 | CTI Indicators (IOB, IOC)
Submit #739433 | Beetel Beetel 777VR1 Broadband Router Firmware Versions: V01.00.09 / V01.00.09_55 CWE-306” Missing Authentication for Critical Function
https://gist.github.com/raghav20232023/96a6b13ab00c493d21362e744627ea9f
 
Beetel--777VR1 A flaw has been found in Beetel 777VR1 up to 01.00.09/01.00.09_55. The affected element is an unknown function of the component UART Interface. This manipulation causes improper access controls. It is feasible to perform the attack on the physical device. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-26 6.1 CVE-2026-1411 VDB-342800 | Beetel 777VR1 UART access control
VDB-342800 | CTI Indicators (IOB, IOC, TTP)
Submit #740674 | Beetel Beetel 777VR1 Broadband Router Firmware Versions: V01.00.09 / V01.00.09_55 CWE-284” Improper Access Control
https://gist.github.com/raghav20232023/ea6adcd6d1eca35683570a1094164bd3
 
bfintal--Interactions Create Interactive Experiences in the Block Editor The Interactions - Create Interactive Experiences in the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event selectors in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-28 6.4 CVE-2025-12709 https://www.wordfence.com/threat-intel/vulnerabilities/id/ab97f125-3a4a-4293-b218-07586c1c021c?source=cve
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448073%40interactions&new=3448073%40interactions
 
birkir--prime birkir prime <= 0.4.0.beta.0 contains a cross-site request forgery vulnerability in its GraphQL endpoint that allows attackers to exploit GET-based query requests. Attackers can craft malicious GET requests to trigger unauthorized actions against privileged users by manipulating GraphQL query parameters. 2026-01-29 5.3 CVE-2025-15550 GitHub Issue #547
VulnCheck Advisory: birkir prime <= 0.4.0.beta.0 - Cross-Site Request Forgery in GraphQL
 
bobthecow--psysh PsySH is a runtime developer console, interactive debugger, and REPL for PHP. Prior to versions 0.11.23 and 0.12.19, PsySH automatically loads and executes a `.psysh.php` file from the Current Working Directory (CWD) on startup. If an attacker can write to a directory that a victim later uses as their CWD when launching PsySH, the attacker can trigger arbitrary code execution in the victim's context. When the victim runs PsySH with elevated privileges (e.g., root), this results in local privilege escalation. This is a CWD configuration poisoning issue leading to arbitrary code execution in the victim user's context. If a privileged user (e.g., root, a CI runner, or an ops/debug account) launches PsySH with CWD set to an attacker-writable directory containing a malicious `.psysh.php`, the attacker can execute commands with that privileged user's permissions, resulting in local privilege escalation. Downstream consumers that embed PsySH inherit this risk. For example, Laravel Tinker (`php artisan tinker`) uses PsySH. If a privileged user runs Tinker while their shell is in an attacker-writable directory, the `.psysh.php` auto-load behavior can be abused in the same way to execute attacker-controlled code under the victim's privileges. Versions 0.11.23 and 0.12.19 patch the issue. 2026-01-30 6.7 CVE-2026-25129 https://github.com/bobthecow/psysh/security/advisories/GHSA-4486-gxhx-5mg7
https://github.com/bobthecow/psysh/releases/tag/v0.11.23
https://github.com/bobthecow/psysh/releases/tag/v0.12.19
 
bolo-solo--bolo-solo A vulnerability has been found in bolo-solo up to 2.6.4. This impacts the function importMarkdownsSync of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component SnakeYAML. Such manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. 2026-01-30 6.3 CVE-2026-1691 VDB-343485 | bolo-solo SnakeYAML BackupService.java importMarkdownsSync deserialization
VDB-343485 | CTI Indicators (IOB, IOC, IOA)
Submit #741899 | bolo-solo V2.6.4 SnakeYAML deserialization vulnerability
https://github.com/bolo-blog/bolo-solo/issues/325
https://github.com/bolo-blog/bolo-solo/issues/325#issue-3828755519
 
bplugins--Document Embedder Embed PDFs, Word, Excel, and Other Files The Document Embedder - Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the 'bplde_save_document_library', 'bplde_get_single', and 'bplde_delete_document_library' AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the 'id' parameter. 2026-01-28 5.3 CVE-2026-1389 https://www.wordfence.com/threat-intel/vulnerabilities/id/59d14f6c-6286-454c-8629-96a0c2de943c?source=cve
https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L66
https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L103
https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L159
https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.5/includes/DocumentLibrary/Init-DocumentLibrary.php
 
Broadcom--Symantec Endpoint Protection Windows Client Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to a Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user. 2026-01-28 6.7 CVE-2025-13918 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36774
 
Broadcom--Symantec Endpoint Protection Windows Client Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to a COM Hijacking vulnerability, which is a type of issue whereby an attacker attempts to establish persistence and evade detection by hijacking COM references in the Windows Registry. 2026-01-28 4.4 CVE-2025-13919 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36774
 
Brother Industries, Ltd.--Multiple MFPs Hidden functionality issue exists in multiple MFPs provided by Brother Industries, Ltd., which may allow an attacker to obtain the logs of the affected product and obtain sensitive information within the logs. 2026-01-29 5.3 CVE-2025-55704 https://faq.brother.co.jp/app/answers/detail/a_id/13716
https://www.konicaminolta.com/global-en/security/advisory/pdf/km-2026-0001.pdf
https://jvn.jp/en/vu/JVNVU92878805/
 
Bun--Bun In Bun before 1.3.5, the default trusted dependencies list (aka trust allow list) can be spoofed by a non-npm package in the case of a matching name (for file, link, git, or github). 2026-01-27 5.9 CVE-2026-24910 https://www.scworld.com/news/six-javascript-zero-day-bugs-lead-to-fears-of-supply-chain-attack
https://bun.com/blog/bun-v1.3.5
https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act
 
chainguard-dev--malcontent malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 0.10.0 and prior to version 1.20.3, malcontent could be made to expose Docker registry credentials if it scanned a specially crafted OCI image reference. malcontent uses google/go-containerregistry for OCI image pulls, which by default uses the Docker credential keychain. A malicious registry could return a `WWW-Authenticate` header redirecting token authentication to an attacker-controlled endpoint, causing credentials to be sent to that endpoint. Version 1.20.3 fixes the issue by defaulting to anonymous auth for OCI pulls. 2026-01-29 6.5 CVE-2026-24845 https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-9m43-p3cx-w8j5
https://github.com/chainguard-dev/malcontent/commit/538ed00cdc639d687a4bd1e843a2be0428a3b3e7
 
chainguard-dev--malcontent malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The `handleSymlink` function received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory. Version 1.20.3 introduces fixes that swap handleSymlink arguments, validate symlink location, and validate symlink targets that resolve within an extraction directory. 2026-01-29 5.5 CVE-2026-24846 https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-923j-vrcg-hxwh
https://github.com/chainguard-dev/malcontent/commit/259fca5abc004f3ab238895463ef280a87f30e96
https://github.com/chainguard-dev/malcontent/commit/a7dd8a5328ddbaf235568437813efa7591e00017
 
chrisnowak--Change WP URL The Change WP URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'change-wp-url' page. This makes it possible for unauthenticated attackers to change the WP Login URL via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-28 4.3 CVE-2026-1398 https://www.wordfence.com/threat-intel/vulnerabilities/id/f5dead05-5960-4ccb-89c2-c8bb0cd9c9e9?source=cve
https://plugins.trac.wordpress.org/browser/change-wp-url/trunk/change-wp-url.php#L18
https://plugins.trac.wordpress.org/browser/change-wp-url/tags/1.0/change-wp-url.php#L18
https://plugins.trac.wordpress.org/browser/change-wp-url/trunk/change-wp-url.php#L85
https://plugins.trac.wordpress.org/browser/change-wp-url/tags/1.0/change-wp-url.php#L85
 
code-projects--Online Examination System A vulnerability was determined in code-projects Online Examination System 1.0. Affected by this issue is some unknown functionality of the file /admin_pic.php. Executing a manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. 2026-01-26 6.3 CVE-2026-1423 VDB-342839 | code-projects Online Examination System admin_pic.php unrestricted upload
VDB-342839 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #736607 | code-projects Online Examination System 1 Unrestricted Upload
https://github.com/geo-chen/code-projects/blob/main/Online%20Examination%20System%20In%20PHP%20With%20Source%20Code.md#finding-3-remote-code-execution-via-unsafe-file-upload
https://code-projects.org/
 
code-projects--Online Music Site A security flaw has been discovered in code-projects Online Music Site 1.0. The impacted element is an unknown function of the file /Administrator/PHP/AdminAddCategory.php. The manipulation results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. 2026-01-28 4.7 CVE-2026-1533 VDB-343219 | code-projects Online Music Site AdminAddCategory.php sql injection
VDB-343219 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #738704 | Code-Projects ONLINE MUSIC SITE V1.0 SQL injection
https://github.com/yuji0903/silver-guide/issues/2
https://code-projects.org/
 
codeccoop--Forms Bridge Infinite integrations The Forms Bridge - Infinite integrations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in the 'financoop_campaign' shortcode in all versions up to, and including, 4.2.5. This is due to insufficient input sanitization and output escaping on the user-supplied 'id' parameter in the forms_bridge_financoop_shortcode_error function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-28 6.4 CVE-2026-1244 https://www.wordfence.com/threat-intel/vulnerabilities/id/3e047822-5766-4e7f-be89-f4a15f0e6d51?source=cve
https://plugins.trac.wordpress.org/browser/forms-bridge/trunk/addons/financoop/shortcodes.php#L389
https://plugins.trac.wordpress.org/browser/forms-bridge/tags/4.2.3/addons/financoop/shortcodes.php#L389
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3446693%40forms-bridge&new=3446693%40forms-bridge&sfp_email=&sfph_mail=#file1
 
codepeople--Appointment Hour Booking Booking Calendar The Appointment Hour Booking - Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form field configuration parameters in all versions up to, and including, 1.5.60 due to insufficient input sanitization and output escaping on the 'Min length/characters' and 'Max length/characters' field configuration values. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the form builder interface. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-01-28 4.4 CVE-2026-1083 https://www.wordfence.com/threat-intel/vulnerabilities/id/a5cb1fea-134f-4c81-8f2f-76ee42df7f77?source=cve
https://plugins.trac.wordpress.org/browser/appointment-hour-booking/trunk/js/fields-admin/01_fbuilder.ftext.js#L64
https://plugins.trac.wordpress.org/browser/appointment-hour-booking/tags/1.5.57/js/fields-admin/01_fbuilder.ftext.js#L64
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442650%40appointment-hour-booking&new=3442650%40appointment-hour-booking&sfp_email=&sfph_mail=
 
CriticalGears--PayPal PRO Payment Terminal Multiple payment terminal versions contain non-persistent cross-site scripting vulnerabilities in billing and payment information input fields. Attackers can inject malicious script code through vulnerable parameters to manipulate client-side requests and potentially execute session hijacking or phishing attacks. 2026-02-01 6.4 CVE-2021-47885 Vulnerability Lab Advisory
Product Homepage
Product Homepage
Product Homepage
VulnCheck Advisory: Payment Terminal Multiple Versions Non-Persistent Cross-Site Scripting
 
crmperks--Database for Contact Form 7, WPforms, Elementor forms The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers to download sensitive form submission data containing personally identifiable information (PII) by accessing the CSV export endpoint with an export key that is exposed in publicly accessible page source code. The vulnerability is created because while the shortcode properly filters displayed entries by user, the CSV export handler completely bypasses this filtering and exports all entries regardless of user permissions. 2026-01-28 5.3 CVE-2026-0825 https://www.wordfence.com/threat-intel/vulnerabilities/id/4048ae11-fece-42aa-baf3-c636c4875635?source=cve
https://plugins.trac.wordpress.org/browser/contact-form-entries/trunk/contact-form-entries.php#L76
https://plugins.trac.wordpress.org/browser/contact-form-entries/tags/1.4.5/contact-form-entries.php#L76
https://plugins.trac.wordpress.org/browser/contact-form-entries/trunk/contact-form-entries.php#L301
https://plugins.trac.wordpress.org/browser/contact-form-entries/trunk/templates/leads-table.php#L10
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442962%40contact-form-entries&new=3442962%40contact-form-entries&sfp_email=&sfph_mail=
 
D-Link--DCS700l A weakness has been identified in D-Link DCS700l 1.03.09. Affected is an unknown function of the file /setDayNightMode of the component Web Form Handler. Executing a manipulation of the argument LightSensorControl can lead to command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. 2026-01-26 4.7 CVE-2026-1419 VDB-342815 | D-Link DCS700l Web Form setDayNightMode command injection
VDB-342815 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #736554 | D-Link DCS700l v1.03.09 Command Injection
https://tzh00203.notion.site/D-Link-DCS700l-v1-03-09-Command-Injection-Vulnerability-in-LightSensorControl-Parameter-2e6b5c52018a80ada0f6d7e72efd7a45?source=copy_link
https://www.dlink.com/
 
D-Link--DIR-823X A security flaw has been discovered in D-Link DIR-823X 250416. Impacted is the function sub_41E2A0 of the file /goform/set_mode. Performing a manipulation of the argument lan_gateway results in os command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer. 2026-01-28 6.3 CVE-2026-1544 VDB-343228 | D-Link DIR-823X set_mode sub_41E2A0 os command injection
VDB-343228 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #739155 | D-Link DIR-823X 250416 OS Command Injection
https://github.com/master-abc/cve/issues/16
https://www.dlink.com/
 
D-Link--DWR-M961 A flaw has been found in D-Link DWR-M961 1.1.47. This vulnerability affects the function sub_419920 of the file /boafrm/formLtefotaUpgradeQuectel. This manipulation of the argument fota_url causes command injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. 2026-01-29 6.3 CVE-2026-1596 VDB-343358 | D-Link DWR-M961 formLtefotaUpgradeQuectel sub_419920 command injection
VDB-343358 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #740693 | D-Link DWR-M961 V1.1.47 Command Injection
https://github.com/QIU-DIE/CVE/issues/48
https://www.dlink.com/
 
D-Link--DWR-M961 A security vulnerability has been detected in D-Link DWR-M961 1.1.47. The affected element is an unknown function of the file /boafrm/formLtefotaUpgradeFibocom. Such manipulation of the argument fota_url leads to command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. 2026-01-29 6.3 CVE-2026-1624 VDB-343383 | D-Link DWR-M961 formLtefotaUpgradeFibocom command injection
VDB-343383 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #740770 | D-Link DWR-M961 V1.1.47 Command Injection
https://github.com/QIU-DIE/CVE/issues/50
https://www.dlink.com/
 
D-Link--DWR-M961 A vulnerability was detected in D-Link DWR-M961 1.1.47. The impacted element is the function sub_4250E0 of the file /boafrm/formSmsManage of the component SMS Message. Performing a manipulation of the argument action_value results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. 2026-01-29 6.3 CVE-2026-1625 VDB-343384 | D-Link DWR-M961 SMS Message formSmsManage sub_4250E0 command injection
VDB-343384 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #740792 | D-Link DW V1.1.47 Command Injection
https://github.com/QIU-DIE/CVE/issues/51
https://www.dlink.com/
 
dcooney--Ajax Load More Infinite Scroll, Load More, & Lazy Load The Ajax Load More - Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parse_custom_args() function in all versions up to, and including, 7.8.1. This makes it possible for unauthenticated attackers to expose the titles and excerpts of private, draft, pending, scheduled, and trashed posts. 2026-01-31 5.3 CVE-2025-15525 https://www.wordfence.com/threat-intel/vulnerabilities/id/d01f4e67-a463-4973-97b1-41a64398686a?source=cve
https://plugins.trac.wordpress.org/browser/ajax-load-more/tags/7.8.1/core/classes/class-alm-queryargs.php#L500
 
Dell--OpenManage Network Integration Dell OpenManage Network Integration, versions prior to 3.9, contains an Improper Authentication vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. 2026-01-29 4.3 CVE-2026-22764 https://www.dell.com/support/kbdoc/en-us/000420893/dsa-2026-045-security-update-for-dell-openmanage-network-integration-omni-vulnerabilities
 
discourse--discourse Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators with the `moderators_change_post_ownership` setting enabled can change ownership of posts in private messages and restricted categories they cannot access, then export their data to view the content. This is a broken access control vulnerability affecting sites that grant moderators post ownership transfer permissions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. The patch adds visibility checks for both the topic and posts before allowing ownership transfer. As a workaround, disable the `moderators_change_post_ownership` site setting to prevent non-admin moderators from using the post ownership transfer feature. 2026-01-28 6.9 CVE-2025-68933 https://github.com/discourse/discourse/security/advisories/GHSA-hpxv-mw7v-fqg2
 
discourse--discourse Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, authenticated users can submit crafted payloads to /drafts.json that cause O(n^2) processing in Base62.decode, tying up workers for 35-60 seconds per request. This affects all users as the shared worker pool becomes exhausted. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. Lowering the max_draft_length site setting reduces attack surface but does not fully mitigate the issue, as payloads under the limit can still trigger the slow code path. 2026-01-28 6.5 CVE-2025-68934 https://github.com/discourse/discourse/security/advisories/GHSA-vwjh-vrx9-9849
 
discourse--discourse Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can convert some personal messages to public topics when they shouldn't have access. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site admin can temporarily revoke the moderation role from untrusted moderators or remove the moderator group from the "personal message enabled groups" site setting until the Discourse instance has been upgraded to a version that has been patched. 2026-01-28 6.5 CVE-2026-21865 https://github.com/discourse/discourse/security/advisories/GHSA-4777-wrv5-3g39
 
discourse--discourse Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and secrets, API key details, site setting changes, private message content, restricted category names and structures, and private chat channel titles. This allows moderators to bypass intended access controls and extract confidential data by monitoring the staff action logs. With leaked webhook secrets, an attacker could potentially spoof webhook events to integrated services. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site administrators should review and limit moderator appointments to fully trusted users. There is no configuration-based workaround to prevent this access. 2026-01-28 6.5 CVE-2026-24742 https://github.com/discourse/discourse/security/advisories/GHSA-hwjv-9gqj-m7h6
 
discourse--discourse Discourse is an open source discussion platform. A vulnerability present in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 affects anyone who uses S3 for uploads. While scripts may be executed, they will only be run in the context of the S3/CDN domain, with no site credentials. Versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 fix the issue. As a workaround, disallow html or xml files for uploads in authorized_extensions. For existing html xml uploads, site owners can consider deleting them. 2026-01-28 4.6 CVE-2025-66488 https://github.com/discourse/discourse/security/advisories/GHSA-68jp-3934-62rx
 
discourse--discourse Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have a content-security-policy-mitigated cross-site scriptinv vulnerability on the Discourse Math plugin when using its KaTeX variant. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, the Discourse Math plugin can be disabled, or the Mathjax provider can be used instead of KaTeX. 2026-01-28 4.6 CVE-2025-67723 https://github.com/discourse/discourse/security/advisories/GHSA-955h-m28g-5379
 
discourse--discourse Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application level denial of service vulnerabilityin the username change functionality at try.discourse.org. The vulnerability allows attackers to cause noticeable server delays and resource exhaustion by sending large JSON payloads to the username preference endpoint PUT /u//preferences/username, resulting in degraded performance for other users and endpoints. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. 2026-01-28 4.3 CVE-2025-68659 https://github.com/discourse/discourse/security/advisories/GHSA-rmp6-c9rq-6q7p
 
dnnsoftware--Dnn.Platform DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a content editor could inject scripts in module headers/footers that would run for other users. Versions 9.13.10 and 10.2.0 contain a fix for the issue. 2026-01-27 6.8 CVE-2026-24784 https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-jjwg-4948-6wxp
 
Dokploy--dokploy Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, the Dokploy web interface is vulnerable to Clickjacking attacks due to missing frame-busting headers. This allows attackers to embed Dokploy pages in malicious iframes and trick authenticated users into performing unintended actions. Version 0.26.6 patches the issue. 2026-01-28 4.7 CVE-2026-24839 https://github.com/Dokploy/dokploy/security/advisories/GHSA-c94j-8wgf-2q9q
https://github.com/Dokploy/dokploy/pull/3500
https://github.com/Dokploy/dokploy/commit/9714695d5a78fe24496f989ab81807ba04699df8
 
Dolibarr--Dolibarr Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows attackers to inject malicious scripts through multiple parameters. Attackers can exploit the host, slave, and port parameters in /dolibarr/admin/ldap.php to execute arbitrary JavaScript and potentially steal user cookie information. 2026-01-30 6.4 CVE-2020-36966 ExploitDB-48504
Official Dolibarr Product Homepage
VulnCheck Advisory: Dolibarr 11.0.3 - 'ldap.php' - Persistent Cross-Site Scripting
 
Eclipse Foundation--Eclipse ThreadX - USBX The function _ux_host_class_storage_media_mount() is responsible for mounting partitions on a USB mass storage device. When it encounters an extended partition entry in the partition table, it recursively calls itself to mount the next logical partition. This recursion occurs in _ux_host_class_storage_partition_read(), which parses up to four partition entries. If an extended partition is found (with type UX_HOST_CLASS_STORAGE_PARTITION_EXTENDED or EXTENDED_LBA_MAPPED), the code invokes: _ux_host_class_storage_media_mount(storage, sector + _ux_utility_long_get(...)); There is no limit on the recursion depth or tracking of visited sectors. As a result, a malicious or malformed disk image can include cyclic or excessively deep chains of extended partitions, causing the function to recurse until stack overflow occurs. 2026-01-27 4.2 CVE-2025-55095 https://github.com/eclipse-threadx/usbx/security/advisories/GHSA-qfmp-wch9-rpv2
 
Esri--ArcGIS Pro There is a Cross Site Scripting issue in Esri ArcGIS Pro versions 3.6.0 and earlier. A local attacker could supply malicious strings into ArcGIS Pro which may execute when a specific dialog is opened. This issue is fixed in ArcGIS Pro 3.6.1. 2026-01-26 5 CVE-2026-1446 https://www.esri.com/arcgis-blog/products/arcgis-pro/administration/arcgis-pro-3-6-1-patch
 
EVerest--everest-core EVerest is an EV charging software stack. In versions up to and including 2025.12.1, it is possible to bypass the sequence state verification including authentication, and send requests that transition to forbidden states relative to the current one, thereby updating the current context with illegitimate data.cThanks to the modular design of EVerest, authorization is handled in a separate module and EVSEManager Charger internal state machine cannot transition out of the `WaitingForAuthentication` state through ISO 15118-2 communication. From this state, it was however possible through ISO 15118-2 messages which are published to the MQTT server to trick it into preparing to charge, and even to prepare to send current. The final requirement to actually send current to the EV was the closure of the contactors, which does not appear to be possible without leaving the `WaitingForAuthentication` state and leveraging ISO 15118-2 messages. As of time of publication, no fixed versions are available. 2026-01-26 4.3 CVE-2026-24003 https://github.com/EVerest/everest-core/security/advisories/GHSA-9vv5-67cv-9crq
https://github.com/EVerest/everest-core/blob/main/modules/EVSE/EvseV2G/iso_server.cpp#L44
 
Filigran--OpenCTI OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malicious payload in the query string, leading to execution of JavaScript in the victim's browser. For example, a request to /graphql?'"--></style></scRipt><scRipt>alert('Raif_Berkay')</scRipt> will trigger an alert. This vulnerability was discovered by Raif Berkay Dincel and confirmed on Linux Mint and Windows 10. 2026-01-30 5.4 CVE-2020-37044 ExploitDB-48595
OpenCTI Official Homepage
OpenCTI GitHub Repository
VulnCheck Advisory: OpenCTI 3.3.1 - Cross Site Scripting
 
forma--E-Learning Suite Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. Attackers can inject malicious scripts in course code, name, description fields, and email parameter to execute arbitrary JavaScript without proper input sanitization. 2026-01-30 6.4 CVE-2020-36998 ExploitDB-48478
Vendor Homepage
Software Download Link
VulnCheck Advisory: forma.lms The E-Learning Suite 2.3.0.2 - Persistent Cross-Site Scripting
 
Formalms--Forma LMS Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like '<script>alert(document.cookie)</script>' to execute arbitrary JavaScript when the profile is viewed by other users. 2026-01-26 6.4 CVE-2020-36960 ExploitDB-49197
Official Product Website
VulnCheck Advisory: Forma LMS 2.3 - 'First & Last Name' Stored Cross-Site Scripting
 
Free5GC--SMF A flaw has been found in Free5GC SMF up to 4.1.0. Affected is the function HandlePfcpAssociationReleaseRequest of the file internal/pfcp/handler/handler.go of the component PFCP UDP Endpoint. Executing a manipulation can lead to null pointer dereference. The attack may be launched remotely. The exploit has been published and may be used. A patch should be applied to remediate this issue. 2026-01-30 5.3 CVE-2026-1682 VDB-343475 | Free5GC SMF PFCP UDP Endpoint handler.go HandlePfcpAssociationReleaseRequest null pointer dereference
VDB-343475 | CTI Indicators (IOB, IOC, IOA)
Submit #739508 | free5gc SMF v4.1.0 Denial of Service
https://github.com/free5gc/free5gc/issues/794
https://github.com/free5gc/free5gc/issues/794#issuecomment-3761063382
https://github.com/free5gc/free5gc/issues/794#issue-3811888505
https://github.com/free5gc/smf/pull/188
 
Free5GC--SMF A vulnerability has been found in Free5GC SMF up to 4.1.0. Affected by this vulnerability is the function HandlePfcpSessionReportRequest of the file internal/pfcp/handler/handler.go of the component PFCP. The manipulation leads to denial of service. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. To fix this issue, it is recommended to deploy a patch. 2026-01-30 5.3 CVE-2026-1683 VDB-343476 | Free5GC SMF PFCP handler.go HandlePfcpSessionReportRequest denial of service
VDB-343476 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #739653 | free5gc SMF v4.1.0 Denial of Service
Submit #739654 | free5gc SMF v4.1.0 Denial of Service (Duplicate)
https://github.com/free5gc/free5gc/issues/804
https://github.com/free5gc/free5gc/issues/804#issue-3816086696
https://github.com/free5gc/smf/pull/188
 
Free5GC--SMF A vulnerability was found in Free5GC SMF up to 4.1.0. Affected by this issue is the function HandleReports of the file /internal/context/pfcp_reports.go of the component PFCP UDP Endpoint. The manipulation results in denial of service. The attack can be executed remotely. It is advisable to implement a patch to correct this issue. 2026-01-30 5.3 CVE-2026-1684 VDB-343477 | Free5GC SMF PFCP UDP Endpoint pfcp_reports.go HandleReports denial of service
VDB-343477 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #739655 | free5gc SMF v4.1.0 Denial of Service
Submit #739656 | free5gc SMF v4.1.0 Denial of Service (Duplicate)
https://github.com/free5gc/free5gc/issues/806
https://github.com/free5gc/smf/pull/188
 
Froxlor--Froxlor Froxlor Server Management Panel Froxlor Server Management Panel 0.10.16 contains a persistent cross-site scripting vulnerability in customer registration input fields. Attackers can inject malicious scripts through username, name, and firstname parameters to execute code when administrators view customer traffic modules. 2026-01-27 6.4 CVE-2020-36978 ExploitDB-49063
Official Froxlor Homepage
Froxlor Download Page
Vulnerability Lab Advisory
Vulnerability Lab Profile
Researcher Profile
VulnCheck Advisory: Froxlor Froxlor Server Management Panel 0.10.16 - Persistent Cross-Site Scripting
 
Getgrav--Grav CMS Admin Plugin Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be executed when the page is viewed in the admin panel or on the site. 2026-01-26 6.4 CVE-2020-36955 ExploitDB-49264
Grav CMS Official Homepage
VulnCheck Advisory: Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting
 
gi-docgen--gi-docgen A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page - enabling DOM access, session cookie theft and other client-side attacks - via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS). 2026-01-26 6.1 CVE-2025-11687 https://access.redhat.com/security/cve/CVE-2025-11687
RHBZ#2403536
https://gitlab.gnome.org/GNOME/gi-docgen/-/issues/228
 
GitoxideLabs--gitoxide A flaw was found in gix-date. The `gix_date::parse::TimeBuf::as_str` function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the `TimeBuf` component, leading to undefined behavior when these malformed strings are subsequently processed. This could potentially result in application instability or other unforeseen consequences. 2026-01-26 6.8 CVE-2026-0810 https://access.redhat.com/security/cve/CVE-2026-0810
RHBZ#2427057
https://crates.io/crates/gix-date
https://github.com/GitoxideLabs/gitoxide/issues/2305
https://rustsec.org/advisories/RUSTSEC-2025-0140.html
 
Goautodial--GOautodial GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through message subjects. Attackers can craft messages with embedded JavaScript that will execute when an administrator reads the message, potentially stealing session cookies or executing client-side attacks. 2026-01-29 6.4 CVE-2020-37018 ExploitDB-48690
Official Vendor Homepage
VulnCheck Advisory: GOautodial 4.0 - Persistent Cross-Site Scripting
 
GPAc--GPAC A security vulnerability has been detected in GPAC up to 2.4.0. This affects the function gf_text_import_srt_bifs of the file src/scene_manager/text_to_bifs.c of the component SRT Subtitle Import. Such manipulation leads to out-of-bounds write. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The name of the patch is 10c73b82cf0e367383d091db38566a0e4fe71772. It is best practice to apply a patch to resolve this issue. 2026-01-26 5.3 CVE-2026-1418 VDB-342807 | GPAC SRT Subtitle Import text_to_bifs.c gf_text_import_srt_bifs out-of-bounds write
VDB-342807 | CTI Indicators (IOB, IOC, IOA)
Submit #736544 | gpac v2.4.0 Out-of-bounds Write
https://github.com/gpac/gpac/issues/3425
https://github.com/gpac/gpac/issues/3425#issue-3801961068
https://github.com/enocknt/gpac/commit/10c73b82cf0e367383d091db38566a0e4fe71772
 
GuidoNeele--PDW File Browser PDW File Browser version 1.3 contains stored and reflected cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through file rename and path parameters. Attackers can craft malicious URLs or rename files with XSS payloads to execute arbitrary JavaScript in victims' browsers when they access the file browser. 2026-01-28 5.4 CVE-2020-36988 ExploitDB-48947
PDW File Browser GitHub Repository
VulnCheck Advisory: PDW File Browser <= v1.3 - Cross-Site Scripting (XSS)
 
halfdata--Stripe Green Downloads Stripe Green Downloads Wordpress Plugin 2.03 contains a persistent cross-site scripting vulnerability allowing remote attackers to inject malicious scripts in button label fields. Attackers can exploit input parameters to execute arbitrary scripts, potentially leading to session hijacking and application module manipulation. 2026-02-01 6.4 CVE-2022-50797 Vulnerability Lab Advisory
Product Homepage
VulnCheck Advisory: Stripe Green Downloads Wordpress Plugin 2.03 Persistent XSS via Settings
 
HappyHackingSpace--gakido Gakido is a Python HTTP client focused on browser impersonation and anti-bot evasion. A vulnerability was discovered in Gakido prior to version 0.1.1 that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names. When making HTTP requests with user-controlled header values containing `\r\n` (CRLF), `\n` (LF), or `\x00` (null byte) characters, an attacker could inject arbitrary HTTP headers into the request. The fix in version 0.1.1 adds a `_sanitize_header()` function that strips `\r`, `\n`, and `\x00` characters from both header names and values before they are included in HTTP requests. 2026-01-27 5.3 CVE-2026-24489 https://github.com/HappyHackingSpace/gakido/security/advisories/GHSA-gcgx-chcp-hxp9
https://github.com/HappyHackingSpace/gakido/commit/369c67e67c63da510c8a9ab021e54a92ccf1f788
https://github.com/HappyHackingSpace/gakido/releases/tag/v0.1.1-1bc6019
 
HCLSoftware--BigFix Compliance A sensitive information disclosure in HCL BigFix Compliance allows a remote attacker to access files under the WEB-INF directory, which may contain Java class files and configuration information, leading to unauthorized access to application internals. 2026-01-28 5.3 CVE-2023-37525 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128385
 
HIKSEMI--HS-AFS-S1H1 Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users' file resources without proper authorization. 2026-01-30 4.3 CVE-2026-22624 https://www.hiksemitech.com/en/hiksemi/support/security-advisory.html
 
HIKSEMI--HS-AFS-S1H1 Improper handling of filenames in certain HIKSEMI NAS products may lead to the exposure of sensitive system files. 2026-01-30 4.6 CVE-2026-22625 https://www.hiksemitech.com/en/hiksemi/support/security-advisory.html
 
HIKSEMI--HS-AFS-S1H1 Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can cause abnormal device behavior by crafting specific messages. 2026-01-30 4.9 CVE-2026-22626 https://www.hiksemitech.com/en/hiksemi/support/security-advisory.html
 
honojs--hono Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as `Cache-Control: private` or `Cache-Control: no-store`, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users. Version 4.11.7 has a patch for the issue. 2026-01-27 5.3 CVE-2026-24472 https://github.com/honojs/hono/security/advisories/GHSA-6wqw-2p9w-4vw4
https://github.com/honojs/hono/commit/12c511745b3f1e7a3f863a23ce5f921c7fa805d1
https://github.com/honojs/hono/releases/tag/v4.11.7
 
honojs--hono Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts` do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls. Version 4.11.7 contains a patch for the issue. 2026-01-27 4.8 CVE-2026-24398 https://github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh
https://github.com/honojs/hono/commit/edbf6eea8e6c26a3937518d4ed91d8666edeec37
https://github.com/honojs/hono/releases/tag/v4.11.7
 
honojs--hono Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim's browser. Version 4.11.7 patches the issue. 2026-01-27 4.7 CVE-2026-24771 https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5
https://github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990
 
hu_chao--imwptip The imwptip plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-28 4.3 CVE-2026-1377 https://www.wordfence.com/threat-intel/vulnerabilities/id/0fe987f0-6887-4ad1-a748-eb987bb574fa?source=cve
https://plugins.trac.wordpress.org/browser/imwptip/trunk/classes/imwptipadmin.php#L11
https://plugins.trac.wordpress.org/browser/imwptip/tags/1.1/classes/imwptipadmin.php#L11
 
IBM--Db2 for Linux, UNIX and Windows IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 is vulnerable to a denial of service as the server may crash when an authenticated user creates a specially crafted query. 2026-01-30 6.5 CVE-2025-2668 https://www.ibm.com/support/pages/node/7257518
 
IBM--Db2 for Linux, UNIX and Windows IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service using a specially crafted SQL statement including XML that performs uncontrolled recursion. 2026-01-30 6.5 CVE-2025-36001 https://www.ibm.com/support/pages/node/7257616
 
IBM--Db2 for Linux, UNIX and Windows IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an unauthenticated user to cause a denial of service due to excessive use of a global variable. 2026-01-30 6.5 CVE-2025-36009 https://www.ibm.com/support/pages/node/7257623
 
IBM--Db2 for Linux, UNIX and Windows IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 is vulnerable to a denial of service as a trap may occur when selecting from certain types of tables. 2026-01-30 6.5 CVE-2025-36070 https://www.ibm.com/support/pages/node/7257624
 
IBM--Db2 for Linux, UNIX and Windows IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service due to improper allocation of resources. 2026-01-30 6.5 CVE-2025-36098 https://www.ibm.com/support/pages/node/7257629
 
IBM--Db2 for Linux, UNIX and Windows IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service when copying large table containing XML data due to improper allocation of system resources. 2026-01-30 6.2 CVE-2025-36123 https://www.ibm.com/support/pages/node/7257627
 
IBM--Db2 for Linux, UNIX and Windows IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. 2026-01-30 6.2 CVE-2025-36353 https://www.ibm.com/support/pages/node/7257632
 
IBM--Db2 for Linux, UNIX and Windows IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 under specific configuration of cataloged remote storage aliases could allow an authenticated user to execute unauthorized commands due to an authorization bypass vulnerability using a user-controlled key. 2026-01-30 6.8 CVE-2025-36365 https://www.ibm.com/support/pages/node/7257665
 
IBM--Db2 for Linux, UNIX and Windows IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. 2026-01-30 6.5 CVE-2025-36366 https://www.ibm.com/support/pages/node/7257681
 
IBM--Db2 for Linux, UNIX and Windows IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 - 11.5.9 could allow an authenticated user to cause a denial of service when given specially crafted query. 2026-01-30 6.5 CVE-2025-36387 https://www.ibm.com/support/pages/node/7257690
 
IBM--Db2 for Linux, UNIX and Windows IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. 2026-01-30 6.5 CVE-2025-36407 https://www.ibm.com/support/pages/node/7257692
 
IBM--Db2 for Linux, UNIX and Windows IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. 2026-01-30 6.5 CVE-2025-36423 https://www.ibm.com/support/pages/node/7257694
 
IBM--Db2 for Linux, UNIX and Windows IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. 2026-01-30 6.5 CVE-2025-36424 https://www.ibm.com/support/pages/node/7257695
 
IBM--Db2 for Linux, UNIX and Windows IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. 2026-01-30 6.5 CVE-2025-36427 https://www.ibm.com/support/pages/node/7257696
 
IBM--Db2 for Linux, UNIX and Windows IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query with XML columns. 2026-01-30 6.5 CVE-2025-36442 https://www.ibm.com/support/pages/node/7257698
 
IBM--Db2 for Linux, UNIX and Windows IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic when the RPSCAN feature is enabled. 2026-01-30 5.3 CVE-2025-36428 https://www.ibm.com/support/pages/node/7257697
 
igniterealtime--Openfire Openfire 4.6.0 contains a stored cross-site scripting vulnerability in the nodejs plugin that allows attackers to inject malicious scripts through the 'path' parameter. Attackers can craft a payload with script tags to execute arbitrary JavaScript in the context of administrative users viewing the nodejs configuration page. 2026-01-26 6.4 CVE-2020-36956 ExploitDB-49229
Openfire GitHub Repository
Openfire Software Downloads
VulnCheck Advisory: Openfire 4.6.0 - 'path' Stored XSS
 
iJason-Liu--Books_Manager A vulnerability was found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This vulnerability affects unknown code of the file controllers/books_center/upload_bookCover.php. Performing a manipulation of the argument book_cover results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. 2026-01-26 4.7 CVE-2026-1445 VDB-342874 | iJason-Liu Books_Manager upload_bookCover.php unrestricted upload
VDB-342874 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #736971 | https://github.com/iJason-Liu/Books_Manager Books_Manager 1.0 File Upload
https://blog.y1fan.work/2026/01/13/%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0getshell/
 
ilias.de--ILIAS Learning Management System ILIAS Learning Management System 4.3 contains a server-side request forgery vulnerability that allows attackers to read local files through portfolio PDF export functionality. Attackers can inject a script that uses XMLHttpRequest to retrieve local file contents when the portfolio is exported to PDF. 2026-01-28 4 CVE-2020-36944 ExploitDB-49148
ILIAS Official Vendor Homepage
ILIAS GitHub Repository
VulnCheck Advisory: ILIAS Learning Management System 4.3 - SSRF
 
Inciga--Inciga Web Inciga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. Attackers can exploit the EventListener.handleEvent method to execute arbitrary scripts, potentially leading to session hijacking and non-persistent phishing attacks. 2026-02-01 5.4 CVE-2022-50942 Vulnerability Lab Advisory
Product Homepage
Product Homepage
VulnCheck Advisory: Inciga Web 2.8.2 Client-Side Cross-Site Scripting via EventListener
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, a heap buffer over-read when the strlen() function attempts to read a non-null-terminated buffer potentially leaking heap memory contents and causing application termination. This vulnerability affects users of the iccDEV library who process ICC color profiles. ICC Profile Injection vulnerabilities arise when user-controllable input is incorporated into ICC profile data or other structured binary blobs in an unsafe manner. Version 2.3.1.2 contains a fix for the issue. No known workarounds are available. 2026-01-28 6.1 CVE-2026-24852 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-q8g2-mp32-3j7f
https://github.com/InternationalColorConsortium/iccDEV/pull/540
https://github.com/InternationalColorConsortium/iccDEV/commit/3092499cd4d0775f4a716b999899f9c26f9bc614
 
Is-Daouda--is-Engine Out-of-bounds Write, Heap-based Buffer Overflow vulnerability in Is-Daouda is-Engine. This issue affects is-Engine: before 3.3.4. 2026-01-27 6.5 CVE-2026-24829 https://github.com/Is-Daouda/is-Engine/pull/7
 
itsourcecode--School Management System A weakness has been identified in itsourcecode School Management System 1.0. This affects an unknown part of the file /ramonsys/course/controller.php. Executing a manipulation of the argument ID can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. 2026-01-28 6.3 CVE-2026-1551 VDB-343247 | itsourcecode School Management System controller.php sql injection
VDB-343247 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #740644 | itsourcecode School Management System V1.0 SQL Injection
Submit #740680 | itsourcecode School Management System v1.0 SQL Injection (Duplicate)
https://mega.nz/file/6cVwiA5A#BVwaxWlfeQCkkpHnuxPiMDZVb5qcYrsI6ftqdm_8mGk
https://itsourcecode.com/
 
iulia-cazan--Easy Replace Image The Easy Replace Image plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.5.2. This is due to missing capability checks on the `image_replacement_from_url` function that is hooked to the `eri_from_url` AJAX action. This makes it possible for authenticated attackers, with Contributor-level access and above, to replace arbitrary image attachments on the site with images from external URLs, potentially enabling site defacement, phishing attacks, or content manipulation. 2026-01-28 5.3 CVE-2026-1298 https://www.wordfence.com/threat-intel/vulnerabilities/id/27332c13-c25f-47ec-980d-035fc35ce553?source=cve
https://plugins.trac.wordpress.org/browser/easy-replace-image/trunk/easy-replace-image.php#L961
https://plugins.trac.wordpress.org/browser/easy-replace-image/tags/3.5.2/easy-replace-image.php#L961
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3447984%40easy-replace-image&new=3447984%40easy-replace-image&sfp_email=&sfph_mail=
 
jdwebdesigner--Affiliate Pro Affiliate Pro 1.7 contains multiple reflected cross-site scripting vulnerabilities in the index module's input fields. Attackers can inject malicious scripts through fullname, username, and email parameters to execute client-side attacks and manipulate browser requests. 2026-02-01 5.4 CVE-2021-47911 Vulnerability Lab Advisory
Product Homepage
Product Homepage
VulnCheck Advisory: Affiliate Pro 1.7 Reflected Cross-Site Scripting via Index Module
 
Jirafeau project--Jirafeau Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110, CVE-2024-12326 and CVE-2025-7066), video and audio. However, it was possible to bypass this check by sending a manipulated HTTP request with an invalid MIME type like image. When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled by sending the HTTP header X-Content-Type-Options: nosniff. 2026-01-28 6.1 CVE-2026-1466 https://gitlab.com/jirafeau/Jirafeau/-/commit/747afb20bfcff14bb67e40e7035d47a6311ba3e1
https://www.cve.org/CVERecord?id=CVE-2022-30110
https://www.cve.org/CVERecord?id=CVE-2024-12326
https://www.cve.org/CVERecord?id=CVE-2025-7066
 
jishenghua--jshERP A security vulnerability has been detected in jishenghua jshERP up to 3.6. The impacted element is the function getBillItemByParam of the file /jshERP-boot/depotItem/importItemExcel of the component com.jsh.erp.datasource.mappers.DepotItemMapperEx. The manipulation of the argument barCodes leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-01-28 6.3 CVE-2026-1546 VDB-343230 | jishenghua jshERP com.jsh.erp.datasource.mappers.DepotItemMapperEx importItemExcel getBillItemByParam sql injection
VDB-343230 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #739688 | https://github.com/jishenghua/jshERP jshERP v3.6 SQL Injection
https://github.com/jishenghua/jshERP/issues/145
https://github.com/jishenghua/jshERP/issues/145#issue-3816930151
https://github.com/jishenghua/jshERP/
 
jishenghua--jshERP A vulnerability was identified in jishenghua jshERP up to 3.6. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/plugin/uploadPluginConfigFile of the component PluginController. Such manipulation of the argument configFile leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-01-28 4.3 CVE-2026-1549 VDB-343245 | jishenghua jshERP PluginController uploadPluginConfigFile path traversal
VDB-343245 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #739805 | https://github.com/jishenghua/jshERP jshERP v3.6 Path Traversal
https://github.com/jishenghua/jshERP/issues/146
https://github.com/jishenghua/jshERP/issues/146#issue-3817997461
https://github.com/jishenghua/jshERP/
 
Laravel Holdings Inc.--Laravel Nova Laravel Nova 3.7.0 contains a denial of service vulnerability that allows authenticated users to crash the application by manipulating the 'range' parameter. Attackers can send simultaneous requests with an extremely high range value to overwhelm and crash the server. 2026-01-27 6.5 CVE-2020-36950 ExploitDB-49198
Laravel Nova Official Homepage
Laravel Nova Releases Page
VulnCheck Advisory: Laravel Nova 3.7.0 - 'range' DoS
 
libexpat project--libexpat In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation. 2026-01-30 6.9 CVE-2026-25210 https://github.com/libexpat/libexpat/pull/1075
https://github.com/libexpat/libexpat/pull/1075/commits/9c2d990389e6abe2e44527eeaa8b39f16fe859c7
 
Limesurvey--LimeSurvey LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[title] and Surveymenu[parent_id] parameters to execute arbitrary JavaScript in administrative contexts. 2026-01-28 6.4 CVE-2020-36993 ExploitDB-48762
LimeSurvey Official Website
LimeSurvey Patch Commit
VulnCheck Advisory: LimeSurvey <= 4.3.10 - 'Survey Menu' Persistent Cross-Site Scripting
 
linknacional--Link Invoice Payment for WooCommerce The Link Invoice Payment for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the createPartialPayment and cancelPartialPayment functions in all versions up to, and including, 2.8.0. This makes it possible for unauthenticated attackers to create partial payments on any order or cancel any existing partial payment via ID enumeration. 2026-01-27 5.3 CVE-2025-14971 https://www.wordfence.com/threat-intel/vulnerabilities/id/96a8fc8b-6f0a-486c-89d1-7211b4ca31bd?source=cve
https://plugins.trac.wordpress.org/browser/invoice-payment-for-woocommerce/tags/2.8.0/Includes/WcPaymentInvoiceEndpoint.php#L19
https://plugins.trac.wordpress.org/browser/invoice-payment-for-woocommerce/tags/2.8.0/Includes/WcPaymentInvoiceEndpoint.php#L179
 
litonice13--WP Adminify White Label WordPress, Admin Menu Editor, Login Customizer The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs. 2026-01-28 5.3 CVE-2026-1060 https://www.wordfence.com/threat-intel/vulnerabilities/id/7ecb4f95-346e-49b3-859f-44f28a72f065?source=cve
https://plugins.trac.wordpress.org/browser/adminify/tags/4.0.6.1/Libs/Addons.php#L54
https://plugins.trac.wordpress.org/changeset/3442928/
 
localsend--localsend LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including 1.17.0, when a user initiates a "Share via Link" session, the LocalSend application starts a local HTTP server to host the selected files. The client-side logic for this web interface is contained in `app/assets/web/main.js`. Note that at [0], the `handleFilesDisplay` function constructs the HTML for the file list by iterating over the files received from the server. Commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c contains a patch. 2026-01-30 6.1 CVE-2026-25154 https://github.com/localsend/localsend/security/advisories/GHSA-34v6-52hh-x4r4
https://github.com/localsend/localsend/commit/8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c
 
lxicon--Bitcoin Donate Button The Bitcoin Donate Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to modify the plugin's settings, including donation addresses and display configurations, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-28 4.3 CVE-2026-1380 https://www.wordfence.com/threat-intel/vulnerabilities/id/3c973dd9-cfa3-4f06-a25a-c2786e3dca4d?source=cve
https://plugins.trac.wordpress.org/browser/bitcoin-donate-button/trunk/btcbutton.php#L1
https://plugins.trac.wordpress.org/browser/bitcoin-donate-button/tags/1.0/btcbutton.php#L1
 
mamunreza--Vzaar Media Management The Vzaar Media Management plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on the $_SERVER['PHP_SELF'] variable. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2026-01-28 5.3 CVE-2026-1391 https://www.wordfence.com/threat-intel/vulnerabilities/id/398a75b1-6470-44b3-aaea-d5e8b10db115?source=cve
https://plugins.trac.wordpress.org/browser/vzaar-media-management/trunk/admin/vzaar-media-upload.php#L103
https://plugins.trac.wordpress.org/browser/vzaar-media-management/tags/1.2/admin/vzaar-media-upload.php#L103
 
mapstructure--mapstructure A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts. 2026-01-26 5.3 CVE-2025-11065 https://access.redhat.com/security/cve/CVE-2025-11065
RHBZ#2391829
https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c
https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm
 
metagauss--RegistrationMagic Custom Registration Forms, User Registration, Payment, and User Login The RegistrationMagic plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 6.0.7.4. This is due to missing nonce verification and capability checks on the rm_set_otp AJAX action handler. This makes it possible for unauthenticated attackers to modify arbitrary plugin settings, including reCAPTCHA keys, security settings, and frontend menu titles. 2026-01-28 5.3 CVE-2026-1054 https://www.wordfence.com/threat-intel/vulnerabilities/id/daf4d246-85f3-48b3-985f-982fea4772f1?source=cve
https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.6.9/admin/controllers/class_rm_options_controller.php#L209
https://plugins.trac.wordpress.org/changeset/3444777/
 
michalc--PDW File Browser PDW File Browser 1.3 contains a remote code execution vulnerability that allows authenticated users to upload and rename webshell files to arbitrary web server locations. Attackers can upload a .txt webshell, rename it to .php, and move it to accessible directories using double-encoded path traversal techniques. 2026-01-28 6.5 CVE-2020-36973 ExploitDB-48987
PDW File Browser GitHub Repository
VulnCheck Advisory: PDW File Browser 1.3 - Remote Code Execution
 
microsoft--maker.js Maker.js is a 2D vector line drawing and shape modeling for CNC and laser cutters. In versions up to and including 0.19.1, the `makerjs.extendObject` function copies properties from source objects without proper validation, potentially exposing applications to security risks. The function lacks `hasOwnProperty()` checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied to target objects. A patch is available in commit 85e0f12bd868974b891601a141974f929dec36b8, which is expected to be part of version 0.19.2. 2026-01-28 6.5 CVE-2026-24888 https://github.com/microsoft/maker.js/security/advisories/GHSA-2cp6-34r9-54xx
https://github.com/microsoft/maker.js/commit/85e0f12bd868974b891601a141974f929dec36b8
https://github.com/microsoft/maker.js/blob/98cffa82a372ff942194c925a12a311253587167/packages/maker.js/src/core/maker.ts#L232-L241
 
midgetspy--Sickbeard Sickbeard alpha contains a cross-site request forgery vulnerability that allows attackers to disable authentication by submitting crafted configuration parameters. Attackers can trick users into submitting a malicious form that clears web username and password, effectively removing authentication protection. 2026-01-30 5.3 CVE-2020-37026 ExploitDB-48712
Archived Sickbeard Official Homepage
Sickbeard GitHub Repository
VulnCheck Advisory: Sickbeard 0.1 - Cross-Site Request Forgery
 
migaweb--Simple calendar for Elementor The Simple calendar for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.6. This is due to missing capability checks on the `miga_ajax_editor_cal_delete` function that is hooked to the `miga_editor_cal_delete` AJAX action with both authenticated and unauthenticated access enabled. This makes it possible for unauthenticated attackers to delete arbitrary calendar entries by sending a request with a valid nonce and the calendar entry ID. 2026-01-28 5.3 CVE-2026-1310 https://www.wordfence.com/threat-intel/vulnerabilities/id/e537c56d-7c5e-4f21-b266-ef3d1a87caf2?source=cve
https://plugins.trac.wordpress.org/browser/simple-calendar-for-elementor/trunk/widget/includes/backend_functions.php#L3
https://plugins.trac.wordpress.org/browser/simple-calendar-for-elementor/tags/1.6.6/widget/includes/backend_functions.php#L3
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444617%40simple-calendar-for-elementor&new=3444617%40simple-calendar-for-elementor&sfp_email=&sfph_mail=
 
miles99--WP Google Ad Manager Plugin The WP Google Ad Manager Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-01-28 4.4 CVE-2026-1399 https://www.wordfence.com/threat-intel/vulnerabilities/id/f3185d82-a785-4165-8469-abc0be38f852?source=cve
https://plugins.trac.wordpress.org/browser/wp-google-ad-manager-plugin/trunk/WP-Google-Ad-Manager.php#L194
https://plugins.trac.wordpress.org/browser/wp-google-ad-manager-plugin/tags/1.1.0/WP-Google-Ad-Manager.php#L194
 
MongoDB--Mongo-c-driver User-controlled chunkSize metadata from MongoDB lacks appropriate validation allowing malformed GridFS metadata to overflow the bounding container. 2026-01-27 6.5 CVE-2025-14911 https://jira.mongodb.org/browse/CDRIVER-6125
 
MrPlugins--BootCommerce BootCommerce 3.2.1 contains persistent input validation vulnerabilities that allow remote attackers to inject malicious script code through guest order checkout input fields. Attackers can exploit unvalidated input parameters to execute arbitrary scripts, potentially leading to session hijacking, phishing attacks, and application module manipulation. 2026-02-01 6.4 CVE-2022-50941 Vulnerability Lab Advisory
Product Homepage
VulnCheck Advisory: BootCommerce 3.2.1 Persistent Cross-Site Scripting via Order Checkout
 
Naviwebs S.C.--Navigate CMS Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. Attackers can trick authenticated administrators into executing arbitrary file uploads by leveraging the extension upload functionality without additional validation. 2026-01-30 4.3 CVE-2020-37054 ExploitDB-48548
Navigate CMS Official Homepage
Navigate CMS SourceForge Page
VulnCheck Advisory: Navigate CMS 2.8.7 - Cross-Site Request Forgery
 
nebojsadabic--Target Video Easy Publish The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'placeholder_img' parameter in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-28 6.4 CVE-2025-8072 https://www.wordfence.com/threat-intel/vulnerabilities/id/26e16dd3-66bc-4174-acc1-ee22713ae979?source=cve
https://plugins.trac.wordpress.org/browser/brid-video-easy-publish/tags/3.8.6/lib/BridShortcode.php#L204
https://wordpress.org/plugins/brid-video-easy-publish/#developers
https://plugins.trac.wordpress.org/changeset/3437514/brid-video-easy-publish/trunk/lib/BridShortcode.php
 
NetArt Media--Easy Cart Shopping Cart Easy Cart Shopping Cart 2021 contains a non-persistent cross-site scripting vulnerability in the search module's keyword parameter. Remote attackers can inject malicious script code through the search input to compromise user sessions and manipulate application content. 2026-02-01 6.4 CVE-2021-47856 Vulnerability Lab Advisory
Product Homepage
VulnCheck Advisory: Easy Cart Shopping Cart 2021 Cross-Site Scripting via Search Parameter
 
nocodb--nocodb NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart. While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution. Version 0.301.0 patches the issue. 2026-01-28 4.9 CVE-2026-24766 https://github.com/nocodb/nocodb/security/advisories/GHSA-95ff-46g6-6gw9
 
nocodb--nocodb NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a blind Server-Side Request Forgery (SSRF) vulnerability exists in the `uploadViaURL` functionality due to an unprotected `HEAD` request. While the subsequent file retrieval logic correctly enforces SSRF protections, the initial metadata request executes without validation. This allows limited outbound requests to arbitrary URLs before SSRF controls are applied. Version 0.301.0 contains a patch for the issue. 2026-01-28 4.9 CVE-2026-24767 https://github.com/nocodb/nocodb/security/advisories/GHSA-xr7v-j379-34v9
 
NVIDIA--GeForce NVIDIA HD Audio Driver for Windows contains a vulnerability where an attacker could exploit a NULL pointer dereference issue. A successful exploit of this vulnerability might lead to a denial of service. 2026-01-28 5.5 CVE-2025-33237 https://nvd.nist.gov/vuln/detail/CVE-2025-33237
https://www.cve.org/CVERecord?id=CVE-2025-33237
https://nvidia.custhelp.com/app/answers/detail/a_id/5747
 
OISF--suricata Suricata is a network IDS, IPS and NSM engine. While saving a dataset a stack buffer is used to prepare the data. Prior to versions 8.0.3 and 7.0.14, if the data in the dataset is too large, this can result in a stack overflow. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not use rules with datasets `save` nor `state` options. 2026-01-27 5.9 CVE-2026-22262 https://github.com/OISF/suricata/security/advisories/GHSA-9qg5-2gwh-xp86
https://github.com/OISF/suricata/commit/0eff24213763c2aa2bb0957901d5dc1e18414dbf
https://github.com/OISF/suricata/commit/27a2180bceaa3477419c78c54fce364398d011f1
https://github.com/OISF/suricata/commit/32609e6896f9079c175665a94005417cec7637eb
https://github.com/OISF/suricata/commit/32a1b9ae6aa80a60c073897e38a2ac6ea0f64521
https://github.com/OISF/suricata/commit/d6bc718e303ecbec5999066b8bc88eeeca743658
https://github.com/OISF/suricata/commit/d767dfadcd166f82683757818b9e46943326ac90
https://redmine.openinfosecfoundation.org/issues/8110
 
OISF--suricata Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, inefficiency in http1 headers parsing can lead to slowdown over multiple packets. Version 8.0.3 patches the issue. No known workarounds are available. 2026-01-27 5.3 CVE-2026-22263 https://github.com/OISF/suricata/security/advisories/GHSA-rwc5-hxj6-hwx7
https://github.com/OISF/suricata/commit/018a377f74e3eb2b042c6f783ad9043060923428
https://redmine.openinfosecfoundation.org/issues/8201
 
Open5GS--Open5GS A security flaw has been discovered in Open5GS up to 2.7.6. This affects the function sgwc_s5c_handle_bearer_resource_failure_indication of the file src/sgwc/s5c-handler.c of the component SGWC. Performing a manipulation results in denial of service. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The patch is named 69b53add90a9479d7960b822fc60601d659c328b. It is recommended to apply a patch to fix this issue. 2026-01-28 5.3 CVE-2026-1521 VDB-343192 | Open5GS SGWC s5c-handler.c denial of service
VDB-343192 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #738370 | Open5GS SGWC v2.7.6 Denial of Service
https://github.com/open5gs/open5gs/issues/4268
https://github.com/open5gs/open5gs/issues/4268#event-21989483261
https://github.com/open5gs/open5gs/issues/4268#issue-3795012861
https://github.com/open5gs/open5gs/commit/69b53add90a9479d7960b822fc60601d659c328b
 
Open5GS--Open5GS A weakness has been identified in Open5GS up to 2.7.6. This vulnerability affects the function sgwc_s5c_handle_modify_bearer_response of the file src/sgwc/s5c-handler.c of the component SGWC. Executing a manipulation can lead to denial of service. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. This patch is called b19cf6a. Applying a patch is advised to resolve this issue. The issue report is flagged as already-fixed. 2026-01-28 5.3 CVE-2026-1522 VDB-343193 | Open5GS SGWC s5c-handler.c sgwc_s5c_handle_modify_bearer_response denial of service
VDB-343193 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #738371 | Open5GS SGWC v2.7.6 Denial of Service
https://github.com/open5gs/open5gs/issues/4266
https://github.com/open5gs/open5gs/issues/4266#event-21968568116
https://github.com/open5gs/open5gs/issues/4266#issue-3794991595
https://github.com/open5gs/open5gs/commit/b19cf6a
 
Open5GS--Open5GS A flaw has been found in Open5GS up to 2.7.5. Impacted is the function ogs_gtp2_f_teid_to_ip of the file /sgwc/s11-handler.c of the component SGWC. Executing a manipulation can lead to denial of service. The attack may be performed from remote. The exploit has been published and may be used. It is advisable to implement a patch to correct this issue. The issue report is flagged as already-fixed. 2026-01-29 5.3 CVE-2026-1586 VDB-343349 | Open5GS SGWC s11-handler.c ogs_gtp2_f_teid_to_ip denial of service
VDB-343349 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #738375 | Open5GS SGWC v2.7.6 Denial of Service
https://github.com/open5gs/open5gs/issues/4273
https://github.com/open5gs/open5gs/issues/4273#event-21968643659
https://github.com/open5gs/open5gs/issues/4273#issue-3796030721
 
Open5GS--Open5GS A vulnerability has been found in Open5GS up to 2.7.6. The affected element is the function sgwc_s11_handle_modify_bearer_request of the file /sgwc/s11-handler.c of the component SGWC. The manipulation leads to denial of service. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Applying a patch is the recommended action to fix this issue. The issue report is flagged as already-fixed. 2026-01-29 5.3 CVE-2026-1587 VDB-343350 | Open5GS SGWC s11-handler.c sgwc_s11_handle_modify_bearer_request denial of service
VDB-343350 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #738376 | Open5GS SGWC v2.7.6 Denial of Service
https://github.com/open5gs/open5gs/issues/4272
https://github.com/open5gs/open5gs/issues/4272#event-21968635948
https://github.com/open5gs/open5gs/issues/4272#issue-3795156752
 
OpenZ--OpenZ ERP OpenZ ERP 3.6.60 contains a persistent cross-site scripting vulnerability in the Employee module's name and description parameters. Attackers can inject malicious scripts through POST requests to , enabling session hijacking and manipulation of application modules. 2026-01-30 6.4 CVE-2020-37022 ExploitDB-48450
OpenZ Official Website
OpenZ Download Page
Vulnerability Lab Advisory
VulnCheck Advisory: OpenZ ERP 3.6.60 - Persistent Cross-Site Scripting
 
opf--openproject OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows to mention OpenProject work packages in the document. To show work package details, the editor loads details about the work package via the OpenProject API. For this API call, the extension to the BlockNote editor did not properly validate the given work package ID to be only a number. This allowed an attacker to generate a document with relative links that upon opening could make arbitrary `GET` requests to any URL within the OpenProject instance. This issue was patched in version version 0.0.22 of op-blocknote-extensions, which was shipped with OpenProject 17.0.2. If users cannot update immediately to version 17.0.2 of OpenProject, administrators can disable collaborative document editing in Settings -> Documents -> Real time collaboration -> Disable. 2026-01-28 6.3 CVE-2026-24775 https://github.com/opf/openproject/security/advisories/GHSA-35c6-x276-2pvc
https://github.com/opf/op-blocknote-extensions/releases/tag/v0.0.22
 
Orchardcore--Orchard Core Orchard Core RC1 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts through blog post creation. Attackers can create blog posts with embedded JavaScript in the MarkdownBodyPart.Source parameter to execute arbitrary scripts in victim browsers. 2026-01-30 6.4 CVE-2020-37019 ExploitDB-48456
Orchard Core Official Website
Orchard Core GitHub Repository
GitHub Issue #5802
VulnCheck Advisory: Orchard Core RC1 - Persistent Cross-Site Scripting
 
Php-Fusion--PHPFusion PHPFusion 9.03.50 contains a persistent cross-site scripting vulnerability in the print.php page that fails to properly sanitize user-submitted message content. Attackers can inject malicious JavaScript through forum messages that will execute when the print page is generated, allowing script execution in victim browsers. 2026-01-30 6.4 CVE-2020-36996 ExploitDB-48497
PHPFusion Official Homepage
PHPFusion Download Page
VulnCheck Advisory: PHPFusion 9.03.50 - Persistent Cross-Site Scripting
 
PHPGurukul--Hospital Management System A security flaw has been discovered in PHPGurukul Hospital Management System 1.0. Affected by this issue is some unknown functionality of the file /hms/hospital/docappsystem/adminviews.py of the component Admin Dashboard Page. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. 2026-01-28 6.3 CVE-2026-1550 VDB-343246 | PHPGurukul Hospital Management System Admin Dashboard adminviews.py improper authorization
VDB-343246 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #739837 | PHPGurukul Hospital Management System v1.0 Missing Authorization
https://github.com/rsecroot/Hospital-Management-System/blob/main/Broken%20Access%20Control.md
https://phpgurukul.com/
 
PHPGurukul--News Portal A vulnerability was identified in PHPGurukul News Portal 1.0. This affects an unknown part of the component Profile Pic Handler. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. 2026-01-26 4.7 CVE-2026-1424 VDB-342840 | PHPGurukul News Portal Profile Pic unrestricted upload
VDB-342840 | CTI Indicators (IOB, IOC, TTP)
Submit #736637 | PHPGurukul News Portal v1.0 Cross Site Scripting
https://github.com/rsecroot/News-Portal/blob/main/Cross%20Site%20Scripting.md
https://phpgurukul.com/
 
PHPSUGAR--PHP Melody PHP Melody version 3.0 contains multiple non-persistent cross-site scripting vulnerabilities in categories, import, and user import files. Attackers can inject malicious scripts through unvalidated parameters to execute client-side attacks and potentially hijack user sessions. 2026-02-01 6.4 CVE-2021-47912 Vulnerability Lab Advisory
Vulnerability Lab Advisory
Product Homepage
VulnCheck Advisory: PHP Melody 3.0 Non-Persistent Cross-Site Scripting via Multiple Parameters
 
PHPSUGAR--PHP Melody PHP Melody 3.0 contains a persistent cross-site scripting vulnerability in the video editor that allows privileged users to inject malicious scripts. Attackers can exploit the WYSIWYG editor to execute persistent scripts, potentially leading to session hijacking and application manipulation. 2026-02-01 6.4 CVE-2021-47913 Vulnerability Lab Advisory
Vulnerability Lab Advisory
Product Homepage
VulnCheck Advisory: PHP Melody 3.0 Persistent Cross-Site Scripting via Video Editor
 
PHPSUGAR--PHP Melody PHP Melody version 3.0 contains a persistent cross-site scripting vulnerability in the edit-video.php submitted parameter that allows remote attackers to inject malicious script code. Attackers can exploit this vulnerability to execute arbitrary JavaScript, potentially leading to session hijacking, persistent phishing, and manipulation of application modules. 2026-02-01 6.4 CVE-2021-47914 Vulnerability Lab Advisory
Vulnerability Lab Advisory
Product Homepage
VulnCheck Advisory: PHP Melody 3.0 Persistent XSS Vulnerability via Edit Video Parameter
 
pnpm--pnpm pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip's `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outside `targetDir`. The issue impacts all pnpm users who install packages with binary assets, users who configure custom Node.js binary locations and CI/CD pipelines that auto-install binary dependencies. It can lead to overwriting config files, scripts, or other sensitive files leading to RCE. Version 10.28.1 contains a patch. 2026-01-26 6.5 CVE-2026-23888 https://github.com/pnpm/pnpm/security/advisories/GHSA-6pfh-p556-v868
https://github.com/pnpm/pnpm/commit/5c382f0ca3b7cc49963b94677426e66539dcb3f5
https://github.com/pnpm/pnpm/releases/tag/v10.28.1
 
pnpm--pnpm pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory separators, enabling path traversal. This vulnerability is Windows-only. This issue impacts Windows pnpm users and Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps). It can lead to overwriting `.npmrc`, build configs, or other files. Version 10.28.1 contains a patch. 2026-01-26 6.5 CVE-2026-23889 https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p
https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0
https://github.com/pnpm/pnpm/releases/tag/v10.28.1
 
pnpm--pnpm pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. This issue affects all pnpm users who install npm packages and CI/CD pipelines using pnpm. It can lead to overwriting config files, scripts, or other sensitive files. Version 10.28.1 contains a patch. 2026-01-26 6.5 CVE-2026-23890 https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h
https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d
https://github.com/pnpm/pnpm/releases/tag/v10.28.1
 
presstigers--Simple Folio The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_simple_folio_item_client_name' and '_simple_folio_item_link' meta fields in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-28 6.4 CVE-2025-14039 https://www.wordfence.com/threat-intel/vulnerabilities/id/c32a71d6-d61c-4f6f-9d35-70140235af7c?source=cve
https://plugins.trac.wordpress.org/browser/simple-folio/trunk/templates/single-simple-folio.php#L70
https://plugins.trac.wordpress.org/browser/simple-folio/tags/1.1.1/templates/single-simple-folio.php#L70
https://plugins.trac.wordpress.org/browser/simple-folio/trunk/templates/single-simple-folio.php#L76
https://plugins.trac.wordpress.org/browser/simple-folio/tags/1.1.1/templates/single-simple-folio.php#L76
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442515%40simple-folio&new=3442515%40simple-folio&sfp_email=&sfph_mail=
 
Product Owner: Webile--Webile Webile 1.0.1 contains a directory traversal vulnerability that allows remote attackers to manipulate file system paths without authentication. Attackers can exploit path manipulation to access sensitive system directories and potentially compromise the mobile device's local file system. 2026-02-01 6.5 CVE-2022-50950 Vulnerability Lab Advisory
Product Homepage
VulnCheck Advisory: Webile 1.0.1 Directory Traversal Vulnerability via Web Application
 
psmplugins--SupportCandy Helpdesk & Customer Support Ticket System The SupportCandy - Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to SQL Injection via the Number-type custom field filter in all versions up to, and including, 3.4.4. This is due to insufficient escaping on the user-supplied operand value when using the equals operator and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above (customers), to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-01-31 6.5 CVE-2026-0683 https://www.wordfence.com/threat-intel/vulnerabilities/id/a7856d0f-bc7d-436c-968c-631fd6a686ab?source=cve
https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/admin/tickets/class-wpsc-ticket-list.php#L1265
https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/admin/tickets/class-wpsc-ticket-list.php#L1288
https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/custom-field-types/class-wpsc-cf-number.php#L371
https://plugins.trac.wordpress.org/changeset/3448376/
 
psmplugins--SupportCandy Helpdesk & Customer Support Ticket System The SupportCandy - Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the 'add_reply' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to steal file attachments uploaded by other users by specifying arbitrary attachment IDs in the 'description_attachments' parameter, re-associating those files to their own tickets and removing access from the original owners. 2026-01-31 5.4 CVE-2026-1251 https://www.wordfence.com/threat-intel/vulnerabilities/id/89df3005-0967-474f-8a4e-3b23273dd1a2?source=cve
https://plugins.trac.wordpress.org/browser/supportcandy/trunk/includes/admin/tickets/class-wpsc-individual-ticket.php#L1603
https://plugins.trac.wordpress.org/changeset/3448376/
 
pymumu--SmartDNS A security flaw has been discovered in pymumu SmartDNS up to 47.1. This vulnerability affects the function _dns_decode_rr_head/_dns_decode_SVCB_HTTPS of the file src/dns.c of the component SVBC Record Parser. The manipulation results in stack-based buffer overflow. It is possible to launch the attack remotely. A high complexity level is associated with this attack. It is stated that the exploitability is difficult. The patch is identified as 2d57c4b4e1add9b4537aeb403f794a084727e1c8. Applying a patch is advised to resolve this issue. 2026-01-26 5.6 CVE-2026-1425 VDB-342841 | pymumu SmartDNS SVBC Record dns.c _dns_decode_SVCB_HTTPS stack-based overflow
VDB-342841 | CTI Indicators (IOB, IOC, IOA)
Submit #736827 | pymumu smartdns 47.1 Stack-based Buffer Overflow
https://github.com/pymumu/smartdns/commit/2d57c4b4e1add9b4537aeb403f794a084727e1c8
 
QlikTech International AB--QlikView QlikView 12.50.20000.0 contains a denial of service vulnerability in the FTP server address input field that allows local attackers to crash the application. Attackers can paste a 300-character buffer into the FTP server address field to trigger an application crash and prevent normal functionality. 2026-01-29 6.2 CVE-2020-36994 ExploitDB-48732
Vendor Homepage
VulnCheck Advisory: QlikView 12.50.20000.0 - 'FTP Server Address' Denial of Service
 
QR Menu Pro Smart Menu Systems--Menu Panel Authorization Bypass Through User-Controlled Key vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Exploitation of Trusted Identifiers. This issue affects Menu Panel: through 29012026.  NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-29 5.7 CVE-2025-7013 https://www.usom.gov.tr/bildirim/tr-26-0007
 
QR Menu Pro Smart Menu Systems--Menu Panel Session Fixation vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Session Hijacking. This issue affects Menu Panel: through 29012026.  NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-29 5.7 CVE-2025-7014 https://www.usom.gov.tr/bildirim/tr-26-0007
 
QWE Labs--QWE DL QWE DL 2.0.1 mobile web application contains a persistent input validation vulnerability allowing remote attackers to inject malicious script code through path parameter manipulation. Attackers can exploit the vulnerability to execute persistent cross-site scripting attacks, potentially leading to session hijacking and application module manipulation. 2026-02-01 6.4 CVE-2023-54343 Vulnerability Lab Advisory
Product Homepage
VulnCheck Advisory: QWE DL 2.0.1 Persistent XSS Vulnerability via Path Parameter
 
recooty--Recooty Job Widget (Old Dashboard) The Recooty - Job Widget (Old Dashboard) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recooty_save_maybe() function. This makes it possible for unauthenticated attackers to update the recooty_key option and inject malicious content into iframe src attributes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-28 4.3 CVE-2025-14616 https://www.wordfence.com/threat-intel/vulnerabilities/id/eb14f084-6f36-4702-8a28-b62811739407?source=cve
https://plugins.trac.wordpress.org/browser/recooty/trunk/admin/init.php#L72
https://plugins.trac.wordpress.org/browser/recooty/tags/1.0.4/admin/init.php#L72
https://plugins.trac.wordpress.org/browser/recooty/trunk/init.php#L41
https://plugins.trac.wordpress.org/browser/recooty/tags/1.0.4/init.php#L41
 
Red Hat--Red Hat build of Quarkus A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client can prematurely close the HTTP connection. This action may lead to leaking connections from the database connection pool, potentially causing a Denial of Service (DoS) by exhausting available database connections. 2026-01-26 4.3 CVE-2025-14969 https://access.redhat.com/security/cve/CVE-2025-14969
RHBZ#2423822
 
Red Hat--Red Hat Enterprise Linux 10 A flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF (Carriage Return Line Feed) Injection, occurs when an HTTP proxy is configured and the library improperly handles URL-decoded input used to create the Host header. A remote attacker can exploit this by providing a specially crafted URL containing CRLF sequences, allowing them to inject additional HTTP headers or complete HTTP request bodies. This can lead to unintended or unauthorized HTTP requests being forwarded by the proxy, potentially impacting downstream services. 2026-01-27 5.8 CVE-2026-1467 https://access.redhat.com/security/cve/CVE-2026-1467
RHBZ#2433174
 
Red Hat--Red Hat Enterprise Linux 10 A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable. 2026-01-27 5.4 CVE-2026-1489 https://access.redhat.com/security/cve/CVE-2026-1489
RHBZ#2433348
 
Red Hat--Red Hat Enterprise Linux 10 A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allowing arbitrary HTTP headers to be injected. This vulnerability can lead to HTTP header injection or HTTP response splitting without requiring authentication or user interaction. 2026-01-28 5.8 CVE-2026-1536 https://access.redhat.com/security/cve/CVE-2026-1536
RHBZ#2433834
 
Red Hat--Red Hat Enterprise Linux 10 A flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTTP redirects, libsoup removes the Authorization header but does not remove the Proxy-Authorization header if the request is redirected to a different host. As a result, sensitive proxy credentials may be leaked to third-party servers. Applications using libsoup for HTTP communication may unintentionally expose proxy authentication data. 2026-01-28 5.8 CVE-2026-1539 https://access.redhat.com/security/cve/CVE-2026-1539
 
Red Hat--Red Hat Enterprise Linux 10 A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks. 2026-01-26 4 CVE-2025-9820 https://access.redhat.com/security/cve/CVE-2025-9820
RHBZ#2392528
https://gitlab.com/gnutls/gnutls/-/commit/1d56f96f6ab5034d677136b9d50b5a75dff0faf5
https://gitlab.com/gnutls/gnutls/-/issues/1732
https://www.gnutls.org/security-new.html#GNUTLS-SA-2025-11-18
 
Red Hat--Red Hat Enterprise Linux 10 A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably. 2026-01-27 4.2 CVE-2026-1484 https://access.redhat.com/security/cve/CVE-2026-1484
RHBZ#2433259
 
Red Hat--Red Hat OpenShift Virtualization 4 A flaw was found in kubevirt. A user within a virtual machine (VM), if the guest agent is active, can exploit this by causing the agent to report an excessive number of network interfaces. This action can overwhelm the system's ability to store VM configuration updates, effectively blocking changes to the Virtual Machine Instance (VMI). This allows the VM user to restrict the VM administrator's ability to manage the VM, leading to a denial of service for administrative operations. 2026-01-26 6.4 CVE-2025-14525 https://access.redhat.com/security/cve/CVE-2025-14525
RHBZ#2421360
 
rupantorpay--Rupantorpay The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to modify WooCommerce order statuses by sending crafted requests to the WooCommerce API endpoint. 2026-01-28 5.3 CVE-2025-15511 https://www.wordfence.com/threat-intel/vulnerabilities/id/1b21bdfd-42ec-43fe-b581-04276b86c50b?source=cve
https://plugins.trac.wordpress.org/browser/rupantorpay/tags/2.0.0/includes/class-wc-rupantorpay-gateway.php#L172
 
RustCrypto--signatures The ML-DSA crate is a Rust implementation of the Module-Lattice-Based Digital Signature Standard (ML-DSA). Starting in version 0.0.4 and prior to version 0.1.0-rc.4, the ML-DSA signature verification implementation in the RustCrypto `ml-dsa` crate incorrectly accepts signatures with repeated (duplicate) hint indices. According to the ML-DSA specification (FIPS 204 / RFC 9881), hint indices within each polynomial must be **strictly increasing**. The current implementation uses a non-strict monotonic check (`<=` instead of `<`), allowing duplicate indices. This is a regression bug. The original implementation was correct, but a commit in version 0.0.4 inadvertently changed the strict `<` comparison to `<=`, introducing the vulnerability. Version 0.1.0-rc.4 fixes the issue. 2026-01-28 5.3 CVE-2026-24850 https://github.com/RustCrypto/signatures/security/advisories/GHSA-5x2r-hc65-25f9
https://github.com/RustCrypto/signatures/issues/894
https://github.com/RustCrypto/signatures/pull/895
https://github.com/RustCrypto/signatures/commit/400961412be2e2ab787942cf30e0a9b66b37a54a
https://github.com/RustCrypto/signatures/commit/b01c3b73dd08d0094e089aa234f78b6089ec1f38
https://csrc.nist.gov/pubs/fips/204/final
https://datatracker.ietf.org/doc/html/rfc9881
https://github.com/C2SP/wycheproof
https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_44_verify_test.json
https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_65_verify_test.json
https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_87_verify_test.json
 
salihciftci--Liman Liman 0.7 contains a cross-site request forgery vulnerability that allows attackers to manipulate user account settings without proper request validation. Attackers can craft malicious HTML forms to change user passwords or modify account information by tricking logged-in users into submitting unauthorized requests. 2026-01-29 5.3 CVE-2020-37007 ExploitDB-48869
Archived Liman GitHub Repository
VulnCheck Advisory: Liman 0.7 - Cross-Site Request Forgery (Change Password)
 
Salt Project--Salt Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to prior issues. 2026-01-30 6.2 CVE-2025-62349 Salt 3006.17 release notes (fix and minimum_auth_version)
Salt 3007.9 release notes (fix and minimum_auth_version)
 
Sangfor--Operation and Maintenance Security Management System A vulnerability was found in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function portValidate of the file /fort/ip_and_port/port_validate of the component HTTP POST Request Handler. Performing a manipulation of the argument port results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. 2026-01-26 6.3 CVE-2026-1413 VDB-342802 | Sangfor Operation and Maintenance Security Management System HTTP POST Request port_validate portValidate command injection
VDB-342802 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #736522 | Sangfor Operation and Maintenance Security Management System (OSM / 运维安全管理系统) v3.0.12 Command Injection
https://github.com/LX-LX88/cve/issues/23
 
Sangfor--Operation and Maintenance Security Management System A vulnerability was determined in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This impacts the function getInformation of the file /equipment/get_Information of the component HTTP POST Request Handler. Executing a manipulation of the argument fortEquipmentIp can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. 2026-01-26 6.3 CVE-2026-1414 VDB-342803 | Sangfor Operation and Maintenance Security Management System HTTP POST Request get_Information getInformation command injection
VDB-342803 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #736524 | Sangfor Operation and Maintenance Security Management System (OSM / 运维安全管理系统) v3.0.12 Command Injection
https://github.com/LX-LX88/cve/issues/24
 
SAP_SE--SAP Fiori App (Intercompany Balance Reconciliation) SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on confidentiality, integrity and availability are not impacted. 2026-01-27 4.3 CVE-2026-23683 https://me.sap.com/notes/3122486
https://url.sap/sapsecuritypatchday
 
Sellacious--Sellacious eCommerce Sellacious eCommerce 4.6 contains a persistent cross-site scripting vulnerability in the Manage Your Addresses module that allows attackers to inject malicious scripts. Attackers can exploit multiple address input fields like full name, company, and address to execute persistent script code that can hijack user sessions and manipulate application modules. 2026-01-30 6.4 CVE-2020-37003 ExploitDB-48467
Official Sellacious eCommerce Homepage
Sellacious Product Details
Vulnerability Lab Advisory
VulnCheck Advisory: Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting
 
SEMCMS--SEMCMS A security vulnerability has been detected in SEMCMS 5.0. This vulnerability affects unknown code of the file /SEMCMS_Info.php. The manipulation of the argument searchml leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-29 6.3 CVE-2026-1552 VDB-343248 | SEMCMS SEMCMS_Info.php sql injection
VDB-343248 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #740549 | SEMCMS SEMCMS 外贸网站php多语言版 V5.0 SQL Injection
https://github.com/Sqli22/Sqli/issues/4
 
seomantis--SEO Links Interlinking The SEO Links Interlinking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'google_error' parameter in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2026-01-28 6.1 CVE-2025-14063 https://www.wordfence.com/threat-intel/vulnerabilities/id/d71143d6-d477-4a63-8f99-f4cc8a590536?source=cve
https://wordpress.org/plugins/seo-links-interlinking/
https://plugins.trac.wordpress.org/browser/seo-links-interlinking/trunk/scdata.php#L504
https://plugins.trac.wordpress.org/browser/seo-links-interlinking/tags/1.7.5/scdata.php#L504
https://plugins.trac.wordpress.org/browser/seo-links-interlinking/trunk/scdata.php#L512
https://plugins.trac.wordpress.org/browser/seo-links-interlinking/tags/1.7.5/scdata.php#L512
 
Simplephpscripts--Simple CMS Simple CMS 2.1 contains a persistent cross-site scripting vulnerability in user input parameters that allows remote attackers to inject malicious script code. Attackers can exploit the newUser and editUser modules to inject persistent scripts that execute on user list preview, potentially leading to session hijacking and application manipulation. 2026-02-01 6.4 CVE-2021-47917 Vulnerability Lab Advisory
Product Homepage
VulnCheck Advisory: Simple CMS 2.1 Persistent Cross-Site Scripting via User Input Parameters
 
Simplephpscripts--Simple CMS Simple CMS 2.1 contains a non-persistent cross-site scripting vulnerability in the preview.php file's id parameter. Attackers can inject malicious script code through a GET request to execute arbitrary scripts and potentially hijack user sessions or perform phishing attacks. 2026-02-01 6.4 CVE-2021-47919 Vulnerability Lab Advisory
Product Homepage
VulnCheck Advisory: Simple CMS 2.1 Non-Persistent Cross-Site Scripting via Preview Parameter
 
smarterDroid--WiFi File Transfer WiFi File Transfer 1.0.8 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through file and folder names. Attackers can exploit the web server's input validation weakness to execute arbitrary JavaScript when users preview infected file paths, potentially compromising user browser sessions. 2026-02-01 6.4 CVE-2022-50951 Vulnerability Lab Advisory
Product Homepage
VulnCheck Advisory: WiFi File Transfer 1.0.8 Persistent XSS via Web Server Input Validation
 
SourceCodester--Pet Grooming Management Software A vulnerability was detected in SourceCodester Pet Grooming Management Software 1.0. Impacted is an unknown function of the file /admin/operation/user.php of the component User Management. Performing a manipulation of the argument group_id results in improper authorization. The attack can be initiated remotely. The exploit is now public and may be used. 2026-01-30 6.3 CVE-2026-1702 VDB-343492 | SourceCodester Pet Grooming Management Software User Management user.php improper authorization
VDB-343492 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #742226 | SourceCodester Pet grooming management software 1.0 Improper Access Controls
https://github.com/Asim-QAZi/Improper-Access-Control---in-Pet-Grooming-Management-Software
https://www.sourcecodester.com/
 
stellar--rs-soroban-sdk soroban-sdk is a Rust SDK for Soroban contracts. Arithmetic overflow can be triggered in the `Bytes::slice`, `Vec::slice`, and `Prng::gen_range` (for `u64`) methods in the `soroban-sdk` in versions up to and including `25.0.1`, `23.5.1`, and `25.0.2`. Contracts that pass user-controlled or computed range bounds to `Bytes::slice`, `Vec::slice`, or `Prng::gen_range` may silently operate on incorrect data ranges or generate random numbers from an unintended range, potentially resulting in corrupted contract state. Note that the best practice when using the `soroban-sdk` and building Soroban contracts is to always enable `overflow-checks = true`. The `stellar contract init` tool that prepares the boiler plate for a Soroban contract, as well as all examples and docs, encourage the use of configuring `overflow-checks = true` on `release` profiles so that these arithmetic operations fail rather than silently wrap. Contracts are only impacted if they use `overflow-checks = false` either explicitly or implicitly. It is anticipated the majority of contracts could not be impacted because the best practice encouraged by tooling is to enable `overflow-checks`. The fix available in `25.0.1`, `23.5.1`, and `25.0.2` replaces bare arithmetic with `checked_add` / `checked_sub`, ensuring overflow traps regardless of the `overflow-checks` profile setting. As a workaround, contract workspaces can be configured with a profile available in the GitHub Securtity Advisory to enable overflow checks on the arithmetic operations. This is the best practice when developing Soroban contracts, and the default if using the contract boilerplate generated using `stellar contract init`. Alternatively, contracts can validate range bounds before passing them to `slice` or `gen_range` to ensure the conversions cannot overflow. 2026-01-28 5.3 CVE-2026-24889 https://github.com/stellar/rs-soroban-sdk/security/advisories/GHSA-96xm-fv9w-pf3f
https://github.com/stellar/rs-soroban-sdk/pull/1703
https://github.com/stellar/rs-soroban-sdk/commit/3890521426d71bb4d892b21f5a283a1e836cfa38
https://github.com/stellar/rs-soroban-sdk/commit/59fcef437260ed4da42d1efb357137a5c166c02e
https://github.com/stellar/rs-soroban-sdk/commit/c2757c6d774dbb28b34a0b77ffe282e59f0f8462
https://github.com/stellar/rs-soroban-sdk/releases/tag/v22.0.9
https://github.com/stellar/rs-soroban-sdk/releases/tag/v23.5.1
https://github.com/stellar/rs-soroban-sdk/releases/tag/v25.0.2
 
supercleanse--Stripe Payments by Buy Now Plus Best WordPress Stripe Credit Card Payments Plugin The Buy Now Plus - Buy Now buttons for Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buynowplus' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on shortcode attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-28 6.4 CVE-2026-1295 https://www.wordfence.com/threat-intel/vulnerabilities/id/87d228bb-eb5b-44ca-91f7-ada730635a3f?source=cve
https://plugins.trac.wordpress.org/browser/buy-now-plus/tags/1.0.2/class-bnp-buttons.php#L17
https://plugins.trac.wordpress.org/browser/buy-now-plus/tags/1.0.2/class-bnp-buttons.php#L36
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444416%40buy-now-plus&new=3444416%40buy-now-plus&sfp_email=&sfph_mail=
 
symfony--symfony Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably `=`) as "special" when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2's argument/path conversion can mis-handle unquoted arguments containing these characters. This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended. If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. `rmdir`, `del`, etc.) with a path argument containing `=`, the MSYS2 conversion layer may alter the argument at runtime. In affected setups this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive. The issue is particularly relevant when untrusted input can influence process arguments (directly or indirectly, e.g. via repository paths, extracted archive paths, temporary directories, or user-controlled configuration). Versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5 contains a patch for the issue. Some workarounds are available. Avoid running PHP/one's own tooling from MSYS2-based shells on Windows; prefer cmd.exe or PowerShell for workflows that spawn native executables. Avoid passing paths containing `=` (and similar MSYS2-sensitive characters) to Symfony Process when operating under Git Bash/MSYS2. Where applicable, configure MSYS2 to disable or restrict argument conversion (e.g. via `MSYS2_ARG_CONV_EXCL`), understanding this may affect other tooling behavior. 2026-01-28 6.3 CVE-2026-24739 https://github.com/symfony/symfony/security/advisories/GHSA-r39x-jcww-82v6
https://github.com/symfony/symfony/issues/62921
https://github.com/symfony/symfony/pull/63164
https://github.com/symfony/symfony/commit/35203939050e5abd3caf2202113b00cab5d379b3
https://github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b
 
Tanium--Asset Tanium addressed a SQL injection vulnerability in Asset. 2026-01-28 6.3 CVE-2025-15344 TAN-2025-035
 
Tanium--Discover Tanium addressed an uncontrolled resource consumption vulnerability in Discover. 2026-01-26 4.9 CVE-2026-1224 TAN-2026-001
 
Tanium--Tanium Server Tanium addressed an improper access controls vulnerability in Tanium Server. 2026-01-30 4.3 CVE-2025-15322 TAN-2025-028
 
TeamViewer--DEX A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an attacker on the adjacent network to cause normally encrypted UDP traffic to be sent in cleartext. This can result in disclosure of sensitive information. 2026-01-29 6.5 CVE-2026-23564 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/
 
TeamViewer--DEX A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an attacker on the adjacent network to cause the NomadBranch.exe process to terminate via crafted requests. This can result in a denial-of-service condition of the Content Distribution Service. 2026-01-29 6.5 CVE-2026-23565 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/
 
TeamViewer--DEX A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an attacker on the adjacent network to inject, tamper with, or forge log entries in \Nomad Branch.log via crafted data sent to the UDP network handler. This can impact log integrity and nonrepudiation. 2026-01-29 6.5 CVE-2026-23566 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/
 
TeamViewer--DEX An integer underflow in the UDP command handler of the TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an adjacent network attacker to trigger a heap-based buffer overflow and cause a denial-of-service (service crash) via specially crafted UDP packets. 2026-01-29 6.5 CVE-2026-23567 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/
 
TeamViewer--DEX An out-of-bounds read vulnerability in the TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows a remote attacker to leak stack memory and cause a denial of service via a crafted request. The leaked stack memory could be used to bypass ASLR remotely and facilitate exploitation of other vulnerabilities on the affected system. 2026-01-29 6.5 CVE-2026-23569 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/
 
TeamViewer--DEX A missing validation of a user-controlled value in the TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an adjacent network attacker to tamper with log timestamps via crafted UDP Sync command. This could result in forged or nonsensical datetime prefixes and compromising log integrity and forensic correlation. 2026-01-29 6.5 CVE-2026-23570 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/
 
TeamViewer--DEX A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Nomad-RunPkgStatusRequest instruction. Improper input validation allows authenticated attackers with actioner privilege to run elevated arbitrary commands on connected hosts via malicious commands injected into the instruction's input field. Users of 1E Client version 24.5 or higher are not affected. 2026-01-29 6.8 CVE-2026-23571 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1002/
 
TeamViewer--DEX Improper Link Resolution Before File Access (invoked by 1E Explorer TachyonCore DeleteFileByPath instruction) in TeamViewer DEX - 1E Client before version 26.1 on Windows allows a low privileged local attacker to delete protected system files via a crafted RPC control junction or symlink that is followed when the delete instruction executes. 2026-01-29 5.7 CVE-2026-23563 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1002/
 
TeamViewer--DEX An out-of-bounds read vulnerability in the TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an attacker on the adjacent network to cause information disclosure or denial-of-service via a special crafted packet. The leaked memory could be used to bypass ASLR and facilitate further exploitation. 2026-01-29 5.4 CVE-2026-23568 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/
 
Tenda--AC21 A security flaw has been discovered in Tenda AC21 1.1.1.1/1.dmzip/16.03.08.16. The impacted element is the function mDMZSetCfg of the file /goform/mDMZSetCfg. The manipulation of the argument dmzIp results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. 2026-01-29 6.3 CVE-2026-1638 VDB-343417 | Tenda AC21 mDMZSetCfg command injection
VDB-343417 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #740871 | Tenda AC21 V16.03.08.16 Command Injection
https://github.com/LX-LX88/cve/issues/26
https://www.tenda.com.cn/
 
Tenda--HG10 A flaw has been found in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. This affects the function system of the file /boaform/formSysCmd. This manipulation of the argument sysCmd causes command injection. The attack may be initiated remotely. The exploit has been published and may be used. 2026-01-30 4.7 CVE-2026-1690 VDB-343484 | Tenda HG10 formSysCmd system command injection
VDB-343484 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #741425 | Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon Command Injection
https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formSysCmd-sysCmd-command.md
https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formSysCmd-sysCmd-command.md#poc
https://www.tenda.com.cn/
 
theupdateframework--go-tuf go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.1, if an application accepts a map file from an untrusted source, an attacker can supply a `repoName` containing traversal (e.g., `../escaped-repo`) and cause go-tuf to create directories and write the root metadata file outside the intended `LocalMetadataDir` cache base, within the running process's filesystem permissions. Version 2.4.1 contains a patch. 2026-01-27 4.7 CVE-2026-24686 https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-jqc5-w2xx-5vq4
https://github.com/theupdateframework/go-tuf/commit/d361e2ea24e427581343dee5c7a32b485d79fcc0
 
thewebfosters-thewebfosters Ultimate POS 4.4 contains a persistent cross-site scripting vulnerability in the product name parameter that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability through product add or edit functions to execute arbitrary JavaScript and potentially hijack user sessions. 2026-02-01 6.4 CVE-2021-47908 Vulnerability Lab Advisory
Product Homepage
VulnCheck Advisory: Ultimate POS 4.4 Persistent Cross-Site Scripting via Product Name
 
tigroumeow--AI Engine The Chatbot and AI Framework for WordPress The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.3.2 via the 'get_audio' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services, if "Public API" is enabled in the plugin settings, and 'allow_url_fopen' is set to 'On' on the server. 2026-01-27 6.4 CVE-2026-0746 https://www.wordfence.com/threat-intel/vulnerabilities/id/cbba866d-93dd-4ef5-9670-ab958f61f06e?source=cve
https://plugins.trac.wordpress.org/browser/ai-engine/tags/3.3.1/classes/engines/chatml.php#L946
https://plugins.trac.wordpress.org/changeset/3447500/ai-engine/trunk/classes/engines/chatml.php
 
Tildeslash Ltd.--M/Monit M/Monit 3.7.4 contains an authentication vulnerability that allows authenticated attackers to retrieve user password hashes through an administrative API endpoint. Attackers can send requests to the /api/1/admin/users/list and /api/1/admin/users/get endpoints to extract MD5 password hashes for all users. 2026-01-28 6.5 CVE-2020-36968 ExploitDB-49081
M/Monit Official Vendor Homepage
VulnCheck Advisory: M/Monit 3.7.4 - Password Disclosure
 
Totolink--A7000R A vulnerability was detected in Totolink A7000R 4.1cu.4154. This affects the function setUnloadUserData of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument plugin_name results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used. 2026-01-28 6.3 CVE-2026-1547 VDB-343231 | Totolink A7000R cstecgi.cgi setUnloadUserData command injection
VDB-343231 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #739713 | TOTOLINK A7000R V4.1cu.4154 Command Injection
https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/01_RCE_setUnloadUserData_RCE.md
https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/01_RCE_setUnloadUserData_RCE.md#poc
https://www.totolink.net/
 
Totolink--A7000R A flaw has been found in Totolink A7000R 4.1cu.4154. This impacts the function CloudACMunualUpdateUserdata of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument url causes command injection. The attack can be initiated remotely. The exploit has been published and may be used. 2026-01-28 6.3 CVE-2026-1548 VDB-343232 | Totolink A7000R cstecgi.cgi CloudACMunualUpdateUserdata command injection
VDB-343232 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #739715 | TOTOLINK A7000R V4.1cu.4154 Command Injection
https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/02_RCE_CloudACMunualUpdateUserdata_RCE.md
https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/02_RCE_CloudACMunualUpdateUserdata_RCE.md#poc
https://www.totolink.net/
 
Totolink--A7000R A weakness has been identified in Totolink A7000R 4.1cu.4154. The impacted element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument FileName can lead to command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. 2026-01-29 6.3 CVE-2026-1601 VDB-343373 | Totolink A7000R cstecgi.cgi setUploadUserData command injection
VDB-343373 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #740760 | TOTOLINK A7000R V4.1cu.4154 Command Injection
https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/03_RCE_setUploadUserData_RCE.md
https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/03_RCE_setUploadUserData_RCE.md#poc
https://www.totolink.net/
 
Totolink--A7000R A weakness has been identified in Totolink A7000R 4.1cu.4154. Impacted is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument FileName causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. 2026-01-29 6.3 CVE-2026-1623 VDB-343382 | Totolink A7000R cstecgi.cgi setUpgradeFW command injection
VDB-343382 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #740767 | TOTOLINK A7000R V4.1cu.4154 Command Injection
https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/04_RCE_setUpgradeFW_RCE.md
https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/04_RCE_setUpgradeFW_RCE.md#poc
https://www.totolink.net/
 
TrustTunnel--TrustTunnel TrustTunnel is an open-source VPN protocol with a rule bypass issue in versions prior to 0.9.115. In `tls_listener.rs`, `TlsListener::listen()` peeks 1024 bytes and calls `extract_client_random(...)`. If `parse_tls_plaintext` fails (for example, a fragmented/partial ClientHello split across TCP writes), `extract_client_random` returns `None`. In `rules.rs`, `RulesEngine::evaluate` only evaluates `client_random_prefix` when `client_random` is `Some(...)`. As a result, when extraction fails (`client_random == None`), any rule that relies on `client_random_prefix` matching is skipped and evaluation falls through to later rules. As an important semantics note: `client_random_prefix` is a match condition only. It does not mean "block non-matching prefixes" by itself. A rule with `client_random_prefix = ...` triggers its `action` only when the prefix matches (and the field is available to evaluate). Non-matches (or `None`) simply do not match that rule and continue to fall through. The vulnerability is fixed in version 0.9.115. 2026-01-29 5.3 CVE-2026-24904 https://github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-fqh7-r5gf-3r87
https://github.com/TrustTunnel/TrustTunnel/commit/aa5060145506952b9431b0ed3edb52bb6c08d9a6
 
Tryton--Tryton Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability by inserting script payloads in the name field, which execute in the frontend and backend user interfaces. 2026-01-30 6.4 CVE-2020-37014 ExploitDB-48466
Official Tryton Homepage
Tryton Download Page
Vulnerability Lab Advisory
VulnCheck Advisory: Tryton 5.4 - Persistent Cross-Site Scripting
 
vercel--next A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain. Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications. 2026-01-26 5.9 CVE-2025-59471 https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f
 
vercel--next A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion: 1. **Unbounded request body buffering**: The server buffers the entire POST request body into memory using `Buffer.concat()` without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory. 2. **Unbounded decompression (zipbomb)**: The resume data cache is decompressed using `inflateSync()` without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion. Both attack vectors result in a fatal V8 out-of-memory error (`FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory`) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server. To be affected you must have an application running with `experimental.ppr: true` or `cacheComponents: true` configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable. Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications. 2026-01-26 5.9 CVE-2025-59472 https://github.com/vercel/next.js/security/advisories/GHSA-5f7q-jpqc-wp7h
 
vinod-dalvi--Ivory Search WordPress Search Plugin The Ivory Search - WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.5.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-01-28 4.4 CVE-2026-1053 https://www.wordfence.com/threat-intel/vulnerabilities/id/cdc5ef6a-32d8-4c4b-b459-d9b543b56898?source=cve
https://plugins.svn.wordpress.org/add-search-to-menu/tags/5.5.13/public/class-is-public.php
https://plugins.trac.wordpress.org/browser/add-search-to-menu/tags/5.5.13/public/class-is-public.php#L204
https://plugins.trac.wordpress.org/browser/add-search-to-menu/tags/5.5.13/public/class-is-public.php#L249
https://plugins.trac.wordpress.org/browser/add-search-to-menu/tags/5.5.13/public/partials/is-ajax-results.php#L148
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444659%40add-search-to-menu&new=3444659%40add-search-to-menu&sfp_email=&sfph_mail=
 
vlt--vlt vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction. 2026-01-27 5.9 CVE-2026-24909 https://www.scworld.com/news/six-javascript-zero-day-bugs-lead-to-fears-of-supply-chain-attack
https://github.com/vltpkg/vltpkg/releases/tag/v1.0.0-rc.10
https://github.com/vltpkg/vltpkg/pull/1334
https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act
 
webaways--NEX-Forms Ultimate Forms Plugin for WordPress The NEX-Forms - Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenticated attackers to export form configurations, that may include sensitive data, such as email addresses, PayPal API credentials, and third-party integration keys by enumerating the nex_forms_Id parameter. 2026-01-31 5.3 CVE-2025-15510 https://www.wordfence.com/threat-intel/vulnerabilities/id/ddfa5a3d-fef2-4049-915c-51c3e28153bf?source=cve
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.7/includes/classes/class.export.php#L11
 
webguyio--Stop Spammers Classic The Stop Spammers Classic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2026.1. This is due to missing nonce validation in the ss_addtoallowlist class. This makes it possible for unauthenticated attackers to add arbitrary email addresses to the spam allowlist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability was partially patched in version 2026.1. 2026-01-28 4.3 CVE-2025-14795 https://www.wordfence.com/threat-intel/vulnerabilities/id/5d6f38d7-a769-422d-ae3f-565cb1cc8a73?source=cve
https://plugins.trac.wordpress.org/browser/stop-spammer-registrations-plugin/tags/2025.4/classes/ss_addtoallowlist.php#L21
https://plugins.trac.wordpress.org/changeset/3436357/
https://plugins.trac.wordpress.org/changeset/3440788/
 
WebMO, LLC--WebMO Job Manager WebMO Job Manager 20.0 contains a cross-site scripting vulnerability in search parameters that allows remote attackers to inject malicious script code. Attackers can exploit the filterSearch and filterSearchType parameters to perform non-persistent attacks including session hijacking and external redirects. 2026-02-01 5.4 CVE-2021-47920 Vulnerability Lab Advisory
Product Homepage
VulnCheck Advisory: WebMO Job Manager 20.0 Cross-Site Scripting via Search Parameters
 
WellChoose--Single Sign-On Portal System Single Sign-On Portal System developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing authenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks. 2026-01-26 5.4 CVE-2026-1429 https://www.twcert.org.tw/tw/cp-132-10654-23f40-1.html
https://www.twcert.org.tw/en/cp-139-10655-59160-2.html
 
withstudiocms--studiocms StudioCMS is a server-side-rendered, Astro native, headless content management system. Versions prior to 0.2.0 contain a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by Editor/Admin/Owner users. Version 0.2.0 patches the issue. 2026-01-27 6.5 CVE-2026-24134 https://github.com/withstudiocms/studiocms/security/advisories/GHSA-8cw6-53m5-4932
https://github.com/withstudiocms/studiocms/commit/efc10bee20db090fdd75463622c30dda390c50ad
https://github.com/withstudiocms/studiocms/releases/tag/studiocms%400.2.0
 
wpbits--WPBITS Addons For Elementor Page Builder The WPBITS Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget parameters in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping when dynamic content is enabled. This makes it possible for authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-28 6.4 CVE-2025-9082 https://www.wordfence.com/threat-intel/vulnerabilities/id/99b47856-502e-4e9d-b0ea-62c57509b46a?source=cve
https://plugins.trac.wordpress.org/browser/wpbits-addons-for-elementor/trunk/includes/widgets/image_compare.php#L607
https://plugins.trac.wordpress.org/browser/wpbits-addons-for-elementor/trunk/includes/widgets/tooltip.php#L860
https://plugins.trac.wordpress.org/browser/wpbits-addons-for-elementor/trunk/includes/widgets/text_rotator.php#L369
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442812%40wpbits-addons-for-elementor&new=3442812%40wpbits-addons-for-elementor&sfp_email=&sfph_mail=
 
wpblockart--BlockArt Blocks Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library The BlockArt Blocks - Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the BlockArt Counter in all versions up to, and including, 2.2.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-28 6.4 CVE-2025-14283 https://www.wordfence.com/threat-intel/vulnerabilities/id/d9526a8b-fefe-4ca6-871f-1ead3f498679?source=cve
https://plugins.trac.wordpress.org/browser/blockart-blocks/trunk/dist/counter.js
 
wpchill--Passster Password Protect Pages and Content The Passster - Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_protector' shortcode in all versions up to, and including, 4.2.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.2.21. 2026-01-28 6.4 CVE-2025-14865 https://www.wordfence.com/threat-intel/vulnerabilities/id/4ea939f5-8b56-44be-bd20-b69e9ded5970?source=cve
https://plugins.trac.wordpress.org/browser/content-protector/tags/4.2.20/inc/class-ps-public.php#L136
https://plugins.trac.wordpress.org/changeset/3422595/
https://plugins.trac.wordpress.org/changeset/3439532/
 
wpcodefactory--Order Minimum/Maximum Amount Limits for WooCommerce The Order Minimum/Maximum Amount Limits for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-01-28 4.4 CVE-2026-1381 https://www.wordfence.com/threat-intel/vulnerabilities/id/3f54f117-0dde-49f9-8014-7650bc1a00ac?source=cve
https://plugins.trac.wordpress.org/browser/order-minimum-amount-for-woocommerce/trunk/includes/settings/class-alg-wc-oma-settings-general.php
https://plugins.trac.wordpress.org/browser/order-minimum-amount-for-woocommerce/trunk/includes/class-alg-wc-oma-core.php#L86
https://plugins.trac.wordpress.org/browser/order-minimum-amount-for-woocommerce/tags/4.6.8/includes/class-alg-wc-oma-core.php#L86
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3447432%40order-minimum-amount-for-woocommerce&new=3447432%40order-minimum-amount-for-woocommerce&sfp_email=&sfph_mail=
 
wpdevelop--Booking Calendar The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function in all versions up to, and including, 10.14.13. This makes it possible for unauthenticated attackers to retrieve booking information including customer names, phones and emails. 2026-01-31 5.3 CVE-2026-1431 https://www.wordfence.com/threat-intel/vulnerabilities/id/0bd92f91-d9b1-4f6f-ac1a-477950ea2e80?source=cve
https://plugins.trac.wordpress.org/browser/booking/tags/10.14.13/core/lib/wpbc-ajax.php#L25
 
Xeroneit--Xeroneit Library Management System Xeroneit Library Management System 3.1 contains a stored cross-site scripting vulnerability in the Book Category feature that allows administrators to inject malicious scripts. Attackers can insert a payload in the Category Name field to execute arbitrary JavaScript code when the page is loaded. 2026-01-26 6.4 CVE-2020-36954 ExploitDB-49292
Vendor Homepage
Software Product Page
VulnCheck Advisory: Xeroneit Library Management System 3.1 - "Add Book Category " Stored XSS
 
zephyrproject-rtos--Zephyr A flaw in Zephyr's network stack allows an IPv4 packet containing ICMP type 128 to be misclassified as an ICMPv6 Echo Request. This results in an out-of-bounds memory read and creates a potential information-leak vulnerability in the networking subsystem. 2026-01-30 6.5 CVE-2025-12899 https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-c2vg-hj83-c2vg
 
Zhong Bang--CRMEB A security flaw has been discovered in Zhong Bang CRMEB up to 5.6.3. This vulnerability affects unknown code of the file crmeb/app/api/controller/v1/CrontabController.php of the component crontab Endpoint. The manipulation results in missing authorization. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-01 5.3 CVE-2026-1734 VDB-343633 | Zhong Bang CRMEB crontab Endpoint CrontabController.php authorization
VDB-343633 | CTI Indicators (IOB, IOC, IOA)
Submit #736619 | Zhongbang CRMEB v5.6.3 Missing Authorization
https://github.com/foeCat/CVE/blob/main/CRMEB/crontab_unauthorized_access.md
https://github.com/foeCat/CVE/blob/main/CRMEB/crontab_unauthorized_access.md#proof-of-concept
 
Zhong Bang--CRMEB A vulnerability was identified in Zhong Bang CRMEB up to 5.6.3. This affects the function detail/tidyOrder of the file /api/store_integral/order/detail/:uni. The manipulation of the argument order_id leads to improper authorization. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-02-01 4.3 CVE-2026-1733 VDB-343632 | Zhong Bang CRMEB :uni tidyOrder improper authorization
VDB-343632 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #736558 | Zhongbang CRMEB v5.6.3 Improper Access Controls
https://github.com/foeCat/CVE/blob/main/CRMEB/integral_order_detail_idor.md
https://github.com/foeCat/CVE/blob/main/CRMEB/integral_order_detail_idor.md#%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0
 
Zohocorp--ManageEngine OpManager Zohocorp ManageEngine OpManager, NetFlow Analyzer, and OpUtils versions prior to 128582 are affected by a stored cross-site scripting vulnerability in the Subnet Details. 2026-01-30 4.6 CVE-2025-9226 https://www.manageengine.com/itom/advisory/cve-2025-9226.html
 

Back to top

Low Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
Bdtask--Bhojon All-In-One Restaurant Management System A vulnerability was found in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. Impacted is an unknown function of the file /dashboard/home/profile of the component User Information Module. Performing a manipulation of the argument fullname results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-29 3.5 CVE-2026-1598 VDB-343360 | Bdtask Bhojon All-In-One Restaurant Management System User Information profile cross site scripting
VDB-343360 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #740738 | Bdtask Bhojon All-In-One Restaurant Management System Latest Stored Cross-Site Scripting
https://github.com/4m3rr0r/PoCVulDb/issues/12
 
Brother Industries, Ltd.--Multiple MFPs Multiple MFPs provided by Brother Industries, Ltd. does not properly validate server certificates, which may allow a man-in-the-middle attacker to replace the set of root certificates used by the product with a set of arbitrary certificates. 2026-01-29 3.7 CVE-2025-53869 https://faq.brother.co.jp/app/answers/detail/a_id/13716
https://www.konicaminolta.com/global-en/security/advisory/pdf/km-2026-0001.pdf
https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2026-000001
https://jvn.jp/en/vu/JVNVU92878805/
 
code-projects--Online Examination System A vulnerability has been found in code-projects Online Examination System 1.0. Affected is an unknown function of the component Add Pages. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. 2026-01-26 3.5 CVE-2026-1421 VDB-342837 | code-projects Online Examination System Add Pages cross site scripting
VDB-342837 | CTI Indicators (IOB, IOC, TTP)
Submit #736605 | code-projects Online Examination System 1 Cross Site Scripting
https://github.com/geo-chen/code-projects/blob/main/Online%20Examination%20System%20In%20PHP%20With%20Source%20Code.md#finding-1-stored-xss-in-all-add-pages
https://code-projects.org/
 
D-Link--DCS-700L A vulnerability was identified in D-Link DCS-700L 1.03.09. The affected element is the function uploadmusic of the file /setUploadMusic of the component Music File Upload Service. The manipulation of the argument UploadMusic leads to path traversal. The attack can only be initiated within the local network. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer. 2026-01-28 2.4 CVE-2026-1532 VDB-343218 | D-Link DCS-700L Music File Upload Service setUploadMusic uploadmusic path traversal
VDB-343218 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #738693 | D-Link DCS700l v1.03.09 Absolute Path Traversal
https://tzh00203.notion.site/D-Link-DCS700l-v1-03-09-Path-Traversal-Vulnerability-in-Music-File-Upload-2e8b5c52018a80369553f07ab91aabe2?source=copy_link
https://www.dlink.com/
 
D-Link--DIR-823X A vulnerability was identified in D-Link DIR-823X 250416. This vulnerability affects the function sub_40AC74 of the component Login. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be performed from remote. This attack is characterized by high complexity. It is stated that the exploitability is difficult. The exploit is publicly available and might be used. 2026-01-30 3.7 CVE-2026-1685 VDB-343479 | D-Link DIR-823X Login sub_40AC74 excessive authentication
VDB-343479 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #740886 | D-Link dir-823X 250416 A logical flaw in the authentication mechanism exists
https://github.com/master-abc/cve/issues/17
https://www.dlink.com/
 
D-Link--DSL-6641K A vulnerability was detected in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function ad_virtual_server_vdsl of the component Web Interface. Performing a manipulation of the argument Name results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used. 2026-01-30 2.4 CVE-2026-1705 VDB-343510 | D-Link DSL-6641K Web ad_virtual_server_vdsl cross site scripting
VDB-343510 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #742421 | D-Link DSL6641K version N8.TR069.20131126 Cross Site Scripting
https://tzh00203.notion.site/D-Link-DSL6641K-version-N8-TR069-20131126-XSS-via-ad_virtual_server_vdsl-Configuration-2eeb5c52018a805d97adfb23dfec39c9?source=copy_link
https://www.dlink.com/
 
GnuPG--GnuPG In GnuPG before 2.5.17, a long signature packet length causes parse_signature to return success with sig->data[] set to a NULL value, leading to a denial of service (application crash). 2026-01-27 3.7 CVE-2026-24883 https://www.openwall.com/lists/oss-security/2026/01/27/8
https://dev.gnupg.org/T8049
 
GPAC--GPAC A vulnerability was identified in GPAC up to 2.4.0. Affected is the function gf_media_export_webvtt_metadata of the file src/media_tools/media_export.c. The manipulation of the argument Name leads to null pointer dereference. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is af951b892dfbaaa38336ba2eba6d6a42c25810fd. To fix this issue, it is recommended to deploy a patch. 2026-01-26 3.3 CVE-2026-1415 VDB-342804 | GPAC media_export.c gf_media_export_webvtt_metadata null pointer dereference
VDB-342804 | CTI Indicators (IOB, IOC, IOA)
Submit #736541 | gpac v2.4.0 NULL Pointer Dereference
https://github.com/gpac/gpac/issues/3428
https://github.com/gpac/gpac/issues/3428#issue-3802223345
https://github.com/enocknt/gpac/commit/af951b892dfbaaa38336ba2eba6d6a42c25810fd
 
GPAC--GPAC A security flaw has been discovered in GPAC up to 2.4.0. Affected by this vulnerability is the function DumpMovieInfo of the file applications/mp4box/filedump.c. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as d45c264c20addf0c1cc05124ede33f8ffa800e68. It is advisable to implement a patch to correct this issue. 2026-01-26 3.3 CVE-2026-1416 VDB-342805 | GPAC filedump.c DumpMovieInfo null pointer dereference
VDB-342805 | CTI Indicators (IOB, IOC, IOA)
Submit #736542 | gpac v2.4.0 NULL Pointer Dereference
https://github.com/gpac/gpac/issues/3427
https://github.com/gpac/gpac/issues/3427#issue-3802197432
https://github.com/enocknt/gpac/commit/d45c264c20addf0c1cc05124ede33f8ffa800e68
 
GPAC--GPAC A weakness has been identified in GPAC up to 2.4.0. Affected by this issue is the function dump_isom_rtp of the file applications/mp4box/filedump.c. This manipulation causes null pointer dereference. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Patch name: f96bd57c3ccdcde4335a0be28cd3e8fe296993de. Applying a patch is the recommended action to fix this issue. 2026-01-26 3.3 CVE-2026-1417 VDB-342806 | GPAC filedump.c dump_isom_rtp null pointer dereference
VDB-342806 | CTI Indicators (IOB, IOC, IOA)
Submit #736543 | gpac v2.4.0 NULL Pointer Dereference
https://github.com/gpac/gpac/issues/3426
https://github.com/gpac/gpac/issues/3426#issue-3802172856
https://github.com/enocknt/gpac/commit/f96bd57c3ccdcde4335a0be28cd3e8fe296993de
 
iJason-Liu--Books_Manager A vulnerability has been found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This affects an unknown part of the file controllers/books_center/add_book_check.php. Such manipulation of the argument mark leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. 2026-01-26 2.4 CVE-2026-1444 VDB-342873 | iJason-Liu Books_Manager add_book_check.php cross site scripting
VDB-342873 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #736968 | https://github.com/iJason-Liu/Books_Manager Books_Manager 1.0 Stored XSS
https://blog.y1fan.work/2026/01/13/%E5%AD%98%E5%82%A8%E5%9E%8Bxss/
 
ixray-team--ixray-1.6-stcop Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ixray-team ixray-1.6-stcop. This issue affects ixray-1.6-stcop: before 1.3. 2026-01-27 3.7 CVE-2026-24870 https://github.com/ixray-team/ixray-1.6-stcop/pull/258
 
jishenghua--jshERP A vulnerability was found in jishenghua jshERP up to 3.6. The impacted element is the function install of the file /jshERP-boot/plugin/installByPath of the component com.gitee.starblues.integration.operator.DefaultPluginOperator. The manipulation of the argument path results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-01-29 2.7 CVE-2026-1588 VDB-343351 | jishenghua jshERP installByPath install path traversal
VDB-343351 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #740649 | https://github.com/jishenghua/jshERP jshERP v3.6 Path Traversal
https://github.com/jishenghua/jshERP/issues/147
https://github.com/jishenghua/jshERP/
 
llamastack--Llama Stack Llama Stack (aka llama-stack) before 0.4.0rc3 does not censor the pgvector password in the initialization log. 2026-01-30 3.2 CVE-2026-25211 https://github.com/llamastack/llama-stack/pull/4439
https://github.com/llamastack/llama-stack/compare/v0.4.0rc2...v0.4.0rc3
 
MoonshotAI--kimi-agent-sdk Kimi Agent SDK is a set of libraries that expose the Kimi Code (Kimi CLI) agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync() as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $(cmd) could execute arbitrary commands. Note: This vulnerability exists only in the repository's development scripts. The published VSCode extension does not include these files and end users are not affected. This is fixed in version 0.1.6 by replacing execSync with execFileSync using array arguments. As a workaround, ensure .vsix files in the project directory have safe filenames before running publish scripts. 2026-01-29 2.9 CVE-2026-25046 https://github.com/MoonshotAI/kimi-agent-sdk/security/advisories/GHSA-mv58-gxx5-8hj3
 
OISF--suricata Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, various inefficiencies in xff handling, especially for alerts not triggered in a tx, can lead to severe slowdowns. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, disable XFF support in the eve configuration. The setting is disabled by default. 2026-01-27 3.7 CVE-2026-22261 https://github.com/OISF/suricata/security/advisories/GHSA-5jvg-5j3p-34cf
https://github.com/OISF/suricata/commit/3f0725b34c7871c2de4346c8af872f10f4501e44
https://github.com/OISF/suricata/commit/af246ae7ab1b70c09f83c0619b253095ccc18667
https://redmine.openinfosecfoundation.org/issues/8156
 
projectworlds--House Rental and Property Listing A weakness has been identified in projectworlds House Rental and Property Listing 1.0. This vulnerability affects unknown code of the file /app/sms.php. This manipulation of the argument Message causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. 2026-01-30 3.5 CVE-2026-1700 VDB-343490 | projectworlds House Rental and Property Listing sms.php cross site scripting
VDB-343490 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #741977 | projectworlds.com House rental And Property Listing Project V1.0 cross site scripting
https://github.com/jiahao412/CVE/issues/3
 
Red Hat--Red Hat Build of Keycloak A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption. 2026-01-26 3.1 CVE-2026-1190 https://access.redhat.com/security/cve/CVE-2026-1190
RHBZ#2430835
 
Red Hat--Red Hat Enterprise Linux 10 A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability. 2026-01-27 2.8 CVE-2026-1485 https://access.redhat.com/security/cve/CVE-2026-1485
RHBZ#2433325
 
rethinkdb--rethinkdb A vulnerability was identified in rethinkdb up to 2.4.3. Affected by this issue is some unknown functionality of the component Secondary Index Handler. Such manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-28 2.4 CVE-2026-1520 VDB-343191 | rethinkdb Secondary Index cross site scripting
VDB-343191 | CTI Indicators (IOB, IOC, TTP)
Submit #738312 | rethinkdb V2.4.3(latest) cross-site scripting(XSS)
https://github.com/59lab/dbdb/blob/main/There%20is%20a%20cross-site%20scripting(XSS)%20vulnerability%20in%20the%20rethinkdb%20database.md
https://github.com/59lab/dbdb/blob/main/There%20is%20a%20cross-site%20scripting(XSS)%20vulnerability%20in%20the%20rethinkdb%20database.md#poc
 
Tanium--Discover Tanium addressed an improper input validation vulnerability in Discover. 2026-01-26 2.7 CVE-2026-0925 TAN-2026-002
 
Tanium--Interact Tanium addressed an improper access controls vulnerability in Interact. 2026-01-29 3.1 CVE-2025-15288 TAN-2025-034
 

Back to top

Severity Not Yet Assigned

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
aangine--aangine An issue in continuous.software aangine v.2025.2 allows a remote attacker to obtain sensitive information via the excel-integration-service template download module, integration-persistence-service job listing module, portfolio-item-service data retrieval module endpoints 2026-01-26 not yet calculated CVE-2025-67274 https://aangine.com
https://continuous.software/products
https://gist.github.com/c4m0uflag3/26fec868b764c4e7314ad246bab01c88
 
abcz316--SKRoot-linuxKernelRoot NULL Pointer Dereference vulnerability in abcz316 SKRoot-linuxKernelRoot (testRoot/jni/utils modules). This vulnerability is associated with program files cJSON.Cpp. This issue affects SKRoot-linuxKernelRoot. 2026-01-27 not yet calculated CVE-2026-24813 https://github.com/abcz316/SKRoot-linuxKernelRoot/pull/116
 
Acronis--Acronis Cloud Manager Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cloud Manager (Windows) before build 6.4.25342.354. 2026-01-27 not yet calculated CVE-2026-0705 SEC-7316
 
AhaChat--AhaChat Messenger Marketing The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin 2026-01-26 not yet calculated CVE-2025-14316 https://wpscan.com/vulnerability/7d69ebec-f940-4491-a51e-70a9e1bf8a4c/
 
akuity--kargo Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` header with any non-empty `Bearer` token value, regardless of validity. This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks. Additionally, the same bug affected the `RefreshResource` endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. `RefreshResource` sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server. This problem has been patched in Kargo versiosn 1.8.7, 1.7.7, and 1.6.3. There are no workarounds for this issue. 2026-01-27 not yet calculated CVE-2026-24748 https://github.com/akuity/kargo/security/advisories/GHSA-w5wv-wvrp-v5m5
https://github.com/akuity/kargo/commit/23646eaefb449a6cc2e76a8033e8a57f71369772
https://github.com/akuity/kargo/commit/aa28f81ac15ad871c6eba329fc2f0417a08c39d7
https://github.com/akuity/kargo/commit/b3297ace0d3b9e7f7128858c5c4288d77f072b8c
 
ALSA Project--alsa-lib alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash. 2026-01-29 not yet calculated CVE-2026-25068 https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40
https://www.vulncheck.com/advisories/alsa-lib-topology-decoder-heap-based-buffer-overflow
 
Altitude--Altitude Communication Server Illegal HTTP request traffic vulnerability (CL.0) in Altitude Communication Server, caused by inconsistent analysis of multiple HTTP requests over a single Keep-Alive connection using Content-Length headers. This can cause a desynchronization of requests between frontend and backend servers, which could allow request hiding, cache poisoning or security bypass. 2026-01-26 not yet calculated CVE-2025-41082 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-altitude-communication-server
 
Altitude--Altitude Communication Server Vulnerability in Altitude Authentication Service and Altitude Communication Server v8.5.3290.0 by Altitude, where manipulation of Host header in HTTP requests allows redirection to an arbitrary URL or modification of the base URL to trick the victim into sending login credentials to a malicious website. This behavior can be used to redirect clients to endpoints controlled by the attacker. 2026-01-26 not yet calculated CVE-2025-41083 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-altitude-communication-server
 
AltumCode--AltumCode A directory traversal (Zip Slip) vulnerability exists in the "Static Sites" feature of 66biolinks v44.0.0 by AltumCode. Uploaded ZIP archives are automatically extracted without validating or sanitizing file paths. An attacker can include traversal sequences (e.g., ../) in ZIP entries to write files outside the intended extraction directory. This allows static files (html, js, css, images) file write to unintended locations, or overwriting existing HTML files, potentially leading to content defacement and, in certain deployments, further impact if sensitive files are overwritten. 2026-01-28 not yet calculated CVE-2025-69601 https://gist.github.com/Waqar-Arain/9cd59aa74de540eeb3b09d15bac35e36
 
AltumCode--AltumCode A session fixation vulnerability exists in 66biolinks v62.0.0 by AltumCode, where the application does not regenerate the session identifier after successful authentication. As a result, the same session cookie value is reused for users logging in from the same browser, allowing an attacker who can set or predict a session ID to potentially hijack an authenticated session. 2026-01-28 not yet calculated CVE-2025-69602 https://gist.github.com/Waqar-Arain/c8117308325a91b8f3b7829646915275
 
Amidaware--Amidaware A Server-Side Template Injection (SSTI) vulnerability in the /reporting/templates/preview/ endpoint of Amidaware Tactical RMM, affecting versions equal to or earlier than v1.3.1, allows low-privileged users with Report Viewer or Report Manager permissions to achieve remote command execution on the server. This occurs due to improper sanitization of the template_md parameter, enabling direct injection of Jinja2 templates. This occurs due to misuse of the generate_html() function, the user-controlled value is inserted into `env.from_string`, a function that processes Jinja2 templates arbitrarily, making an SSTI possible. 2026-01-29 not yet calculated CVE-2025-69516 https://github.com/amidaware/tacticalrmm
https://www.amidaware.com/
https://gist.github.com/NtGabrielGomes/7c424367cc316fd7527f668ff076fece
 
Amidaware--Amidaware An HTML injection vulnerability in Amidaware Inc Tactical RMM v1.3.1 and earlier allows authenticated users to inject arbitrary HTML content during the creation of a new agent via the POST /api/v3/newagent/ endpoint. The agent_id parameter accepts up to 255 characters and is improperly sanitized using DOMPurify.sanitize() with the html: true option enabled, which fails to adequately filter HTML input. The injected HTML is rendered in the Tactical RMM management panel when an administrator attempts to remove or shut down the affected agent, potentially leading to client-side attacks such as UI manipulation or phishing. NOTE: the Supplier's position is that this has incorrect information. 2026-01-28 not yet calculated CVE-2025-69517 https://github.com/amidaware/tacticalrmm
https://www.amidaware.com/
https://gist.github.com/NtGabrielGomes/fdabcd9e85d841c5490739686e0f8b72
 
amir20--dozzle Dozzle is a realtime log viewer for docker containers. Prior to version 9.0.3, a flaw in Dozzle's agent-backed shell endpoints allows a user restricted by label filters (for example, `label=env=dev`) to obtain an interactive root shell in out of scope containers (for example, `env=prod`) on the same agent host by directly targeting their container IDs. Version 9.0.3 contains a patch for the issue. 2026-01-27 not yet calculated CVE-2026-24740 https://github.com/amir20/dozzle/security/advisories/GHSA-m855-r557-5rc5
https://github.com/amir20/dozzle/commit/620e59aa246347ba8a27e68c532853b8a5137bc1
https://github.com/amir20/dozzle/releases/tag/v9.0.3
 
anyrtcIO-Community--anyRTC-RTMP-OpenSource Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in anyrtcIO-Community anyRTC-RTMP-OpenSource (third_party/faad2-2.7/libfaad modules). This vulnerability is associated with program files bits.C, syntax.C. This issue affects anyRTC-RTMP-OpenSource: before 1.0. 2026-01-27 not yet calculated CVE-2026-1465 https://github.com/anyrtcIO-Community/anyRTC-RTMP-OpenSource/pull/166
 
Apache Software Foundation--Apache Karaf Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket collector exposes the port 4560, without authentication. If the collector exposes allowed classes property, this configuration can be bypassed. It means that the log socket collector is vulnerable to deserialization of untrusted data, eventually causing DoS. NB: Decanter log socket collector is not installed by default. Users who have not installed Decanter log socket are not impacted by this issue. This issue affects Apache Karaf Decanter before 2.12.0. Users are recommended to upgrade to version 2.12.0, which fixes the issue. 2026-01-26 not yet calculated CVE-2026-24656 https://lists.apache.org/thread/dc5wmdn6hyc992olntkl75kk04ndzx34
 
Apache Software Foundation--HDFS native client Out-of-bounds Write vulnerability in Apache Hadoop HDFS native client. This issue affects Apache Hadoop: from 3.2.0 before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue. 2026-01-26 not yet calculated CVE-2025-27821 https://lists.apache.org/thread/kwjhyyx0wl2z9b0mw0styjk0hhdbyplh
 
Apple--iOS and iPadOS The issue was addressed with improved bounds checks. This issue is fixed in macOS Tahoe 26, Keynote 15.1, iOS 26 and iPadOS 26. Processing a maliciously crafted Keynote file may disclose memory contents. 2026-01-28 not yet calculated CVE-2025-46306 https://support.apple.com/en-us/125108
https://support.apple.com/en-us/126254
https://support.apple.com/en-us/125110
 
Apple--macOS An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 26.1 and iPadOS 26.1, Pages 15.1, macOS Tahoe 26.1. Processing a maliciously crafted Pages document may result in unexpected termination or disclosure of process memory. 2026-01-28 not yet calculated CVE-2025-46316 https://support.apple.com/en-us/125634
https://support.apple.com/en-us/126255
https://support.apple.com/en-us/125632
 
askbot--askbot All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users. This issue affects askbot: 0.12.2. 2026-01-27 not yet calculated CVE-2026-1213 https://fluidattacks.com/advisories/ghost
https://askbot.com/
https://github.com/ASKBOT/askbot-devel/commit/3da3d75f35204aa71633c7a315327ba39cb6295d
 
assertj--assertj AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement. 2026-01-26 not yet calculated CVE-2026-24400 https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r
https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7
 
Atlassian--Crowd Data Center This High severity XXE (XML External Entity Injection) vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server. This XXE (XML External Entity Injection) vulnerability, with a CVSS Score of 7.9, allows an authenticated attacker to access local and remote content which has high impact to confidentiality, low impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Crowd Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Crowd Data Center and Server 7.1: Upgrade to a release greater than or equal to 7.1.3 See the release notes (https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html). You can download the latest version of Crowd Data Center and Server from the download center (https://www.atlassian.com/software/crowd/download-archive). This vulnerability was reported via our Atlassian (Internal) program. 2026-01-28 not yet calculated CVE-2026-21569 https://confluence.atlassian.com/pages/viewpage.action?pageId=1712324819
https://jira.atlassian.com/browse/CWD-6453
 
azerothcore--azerothcore-wotlk Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in azerothcore azerothcore-wotlk (deps/zlib modules). This vulnerability is associated with program files inflate.C. This issue affects azerothcore-wotlk: through v4.0.0. 2026-01-27 not yet calculated CVE-2026-24793 https://github.com/azerothcore/azerothcore-wotlk/pull/21599
 
briandilley--jsonrpc4j Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in briandilley jsonrpc4j (src/main/java/com/googlecode/jsonrpc4j modules). This vulnerability is associated with program files NoCloseOutputStream.Java. This issue affects jsonrpc4j: through 1.6.0. 2026-01-27 not yet calculated CVE-2026-24802 https://github.com/briandilley/jsonrpc4j/pull/333
 
Budibase--budibase Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite users, can manipulate API requests to invite new users with any role, including Admin, Creator, or App Viewer, and assign them to any group in the organization. This allows full privilege escalation, bypassing UI restrictions, and can lead to complete takeover of the workspace or organization. As of time of publication, no known fixed versions are available. 2026-01-29 not yet calculated CVE-2026-25040 https://github.com/Budibase/budibase/security/advisories/GHSA-4wfw-r86x-qxrm
https://drive.google.com/file/d/1Dtn1WLJILRYUeoMjEbUfCbqQ3g2AW2Qz/view?usp=sharing
https://github.com/user-attachments/files/22066135/budibase-privileged-esc-poc.txt
 
bytecodealliance--wasmtime Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users are recommended to upgrade to the patched versions of Wasmtime. Other affected versions are not patched and users should updated to supported major version instead. This bug can be worked around by enabling signals-based-traps. While disabling guard pages can be a quick fix in some situations, it's not recommended to disabled guard pages as it is a key defense-in-depth measure of Wasmtime. 2026-01-27 not yet calculated CVE-2026-24116 https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vc8c-j3xm-xj73
https://github.com/bytecodealliance/wasmtime/commit/728fa07184f8da2a046f48ef9b61f869dce133a6
https://github.com/bytecodealliance/wasmtime/commit/799585fc362fcb991de147dd1a9f2ba0861ed440
https://github.com/bytecodealliance/wasmtime/commit/ac92d9bb729ad3a6d93f0724c4c33a0c4a9c0227
https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.memory_guard_size
https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps
https://docs.wasmtime.dev/stability-release.html
https://rustsec.org/advisories/RUSTSEC-2026-0006.html
 
Cacti--Cacti A HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject arbitrary HTML elements (e.g., <h1>, <b>, <svg>) into the rendered page. 2026-01-29 not yet calculated CVE-2025-45160 https://github.com/Cacti/cacti
https://gist.github.com/BEND0US/49d76897a5bb676d8c3f51425553cc32
 
cadaver--turso3d Out-of-bounds Write, Divide By Zero, NULL Pointer Dereference, Use of Uninitialized Resource, Out-of-bounds Read, Reachable Assertion vulnerability in cadaver turso3d. This issue affects . 2026-01-27 not yet calculated CVE-2026-24826 https://github.com/cadaver/turso3d/pull/11
 
Canonical--juju Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing. 2026-01-28 not yet calculated CVE-2026-1237 https://github.com/juju/juju/security/advisories/GHSA-j477-6vpg-6c8x
 
CardboardPowered--cardboard Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in CardboardPowered cardboard (src/main/java/org/cardboardpowered/impl/world modules). This vulnerability is associated with program files WorldImpl.Java. This issue affects cardboard: before 1.21.4. 2026-01-27 not yet calculated CVE-2026-24794 https://github.com/CardboardPowered/cardboard/pull/506
 
ChurchCRM--CRM ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) vulnerability occurs in Create Events in Church Calendar. Users with low privileges can create XSS payloads in the Description field. This payload is stored in the database, and when other users view that event (including the admin), the payload is triggered, leading to account takeover. Version 6.7.2 fixes the vulnerability. 2026-01-30 not yet calculated CVE-2026-24855 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-49qp-cfqx-c767
https://github.com/ChurchCRM/CRM/commit/0cd0d211459b8c19509d36b3c1dfcd7f8c10d914
https://github.com/ChurchCRM/CRM/commit/ec4b16e9a3ca09c8a01a712bcb90579c42f2ba28
 
CloverHackyColor--CloverBootloader Out-of-bounds Write vulnerability in CloverHackyColor CloverBootloader (MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma modules). This vulnerability is associated with program files regcomp.C. This issue affects CloverBootloader: before 5162. 2026-01-27 not yet calculated CVE-2026-24795 https://github.com/CloverHackyColor/CloverBootloader/pull/733
 
CloverHackyColor--CloverBootloader Out-of-bounds Read vulnerability in CloverHackyColor CloverBootloader (MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma modules). This vulnerability is associated with program files regparse.C. This issue affects CloverBootloader: before 5162. 2026-01-27 not yet calculated CVE-2026-24796 https://github.com/CloverHackyColor/CloverBootloader/pull/732
 
code-projects--code-projects code-projects Computer Book Store 1.0 is vulnerable to File Upload in admin_add.php. 2026-01-27 not yet calculated CVE-2025-69559 https://gitee.com/Z_180yc/zyy/issues/IDBY27
https://gist.github.com/lih28984-commits/cd3a275dfd9c92a79b6a4a0e8801f4fa
 
code-projects--code-projects code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /insertmessage.php via the userid parameter. 2026-01-27 not yet calculated CVE-2025-69562 https://gitee.com/Z_180yc/zyy/issues/IDC5FU
https://gist.github.com/lih28984-commits/a847a034c3bb626904dcc6ab7576257f
 
code-projects--code-projects code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /ExLogin.php via the Password parameter. 2026-01-27 not yet calculated CVE-2025-69563 https://gitee.com/Z_180yc/zyy/issues/IDC3IB
https://gist.github.com/lih28984-commits/544eaaca3ea58563a807c43b521d76e6
 
code-projects--code-projects code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /ExAddNewUser.php via the Name, Address, email, UserName, Password, confirm_password, Role, Branch, and Activate parameters. 2026-01-27 not yet calculated CVE-2025-69564 https://gitee.com/Z_180yc/zyy/issues/IDCEJP
https://gist.github.com/lih28984-commits/87eacfc32186020a04e03a2af448723f
 
code-projects--code-projects code-projects Mobile Shop Management System 1.0 is vulnerable to File Upload in /ExAddProduct.php. 2026-01-27 not yet calculated CVE-2025-69565 https://gitee.com/Z_180yc/zyy/issues/IDCFAQ
https://gist.github.com/lih28984-commits/81d523afde3b122c652f652bab808e33
 
coolsnowwolf--lede Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in coolsnowwolf lede (package/lean/mt/drivers/mt7615d/src/mt_wifi/embedded/security modules). This vulnerability is associated with program files bn_lib.C. This issue affects lede: through r25.10.1. 2026-01-27 not yet calculated CVE-2026-24803 https://github.com/coolsnowwolf/lede/pull/13346
 
coolsnowwolf--lede Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in coolsnowwolf lede (package/lean/mt/drivers/mt7603e/src/mt7603_wifi/common modules). This vulnerability is associated with program files bn_lib.C. This issue affects lede: through r25.10.1. 2026-01-27 not yet calculated CVE-2026-24804 https://github.com/coolsnowwolf/lede/pull/13368
 
CPU-Z--CPU-Z The kernel driver of CPUID CPU-Z v2.17 and earlier does not validate user-supplied values passed via its IOCTL interface, allowing an attacker to access sensitive information via a crafted request. 2026-01-27 not yet calculated CVE-2025-65264 https://www.cpuid.com/softwares/cpu-z.html
https://github.com/cwjchoi01/CVE-2025-65264
 
datavane--tis Unrestricted Upload of File with Dangerous Type, Deserialization of Untrusted Data vulnerability in datavane tis (tis-plugin/src/main/java/com/qlangtech/tis/extension/impl modules). This vulnerability is associated with program files XmlFile.Java. This issue affects tis: before v4.3.0. 2026-01-27 not yet calculated CVE-2026-24815 https://github.com/datavane/tis/pull/443
 
datavane--tis Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in datavane tis (tis-console/src/main/java/com/qlangtech/tis/runtime/module/action modules). This vulnerability is associated with program files ChangeDomainAction.Java. This issue affects tis: before v4.3.0. 2026-01-27 not yet calculated CVE-2026-24816 https://github.com/datavane/tis/pull/444
 
davisking--dlib Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in davisking dlib (dlib/external/zlib modules). This vulnerability is associated with program files inflate.C. This issue affects dlib: before v19.24.9. 2026-01-27 not yet calculated CVE-2026-24799 https://github.com/davisking/dlib/pull/3063
 
Delinea Inc.--Secret Server On-Prem Improper Authentication vulnerability in Delinea Inc. Secret Server On-Prem (RPC Password Rotation modules). This issue affects Secret Server On-Prem: 11.8.1, 11.9.6, 11.9.25. A secret with "change password on check in" enabled automatically checks in even when the password change fails after reaching its retry limit. This leaves the secret in an inconsistent state with the wrong password. Remediation: Upgrade to 11.9.47 or later. The secret will remain checked out when the password change fails. 2026-01-27 not yet calculated CVE-2025-12810 https://docs.delinea.com/online-help/secret-server/release-notes/ss-rn-11-9-000047.htm
https://trust.delinea.com/?tcuUid=48260de9-954d-45c2-9c66-2c9510798a0b
 
discourse--discourse Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, an endpoint lets any authenticated user bypass the ai_discover_persona access controls and gain ongoing DM access to personas that may be wired to staff-only categories, RAG document sets, or automated tooling, enabling unauthorized data disclosure. Because the controller also accepts arbitrary user_id, an attacker can impersonate other accounts to trigger unwanted AI conversations on their behalf, generating confusing or abusive PM traffic. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. 2026-01-28 not yet calculated CVE-2025-68660 https://github.com/discourse/discourse/security/advisories/GHSA-mrvm-rprq-jqqh
 
discourse--discourse Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, users archives are viewable by users with moderation privileges even though moderators should not have access to the archives. Private topic/post content made by the users are leaked through the archives leading to a breach of confidentiality. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. To work around this problem, a site admin can temporarily revoke the moderation role from all moderators until the Discourse instance has been upgraded to a version that has been patched. 2026-01-28 not yet calculated CVE-2025-68666 https://github.com/discourse/discourse/security/advisories/GHSA-xmvw-jjqq-25mv
 
discourse--discourse Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can access the `top_uploads` admin report which should be restricted to admins only. This report displays direct URLs to all uploaded files on the site, including sensitive content such as user data exports, admin backups, and other private attachments that moderators should not have access to. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. There is no workaround. Limit moderator privileges to trusted users until the patch is applied. 2026-01-28 not yet calculated CVE-2025-69218 https://github.com/discourse/discourse/security/advisories/GHSA-79f9-j8h4-3w6w
 
discourse--discourse Discourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of non-staff accounts. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, ensure moderators are trusted or enable the "require_change_email_confirmation" setting. 2026-01-28 not yet calculated CVE-2025-69289 https://github.com/discourse/discourse/security/advisories/GHSA-p39j-x54c-rwqq
 
discourse--discourse Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, permalinks pointing to access-restricted resources (private topics, categories, posts, or hidden tags) were redirecting users to URLs containing the resource slug, even when the user didn't have access to view the resource. This leaked potentially sensitive information (e.g., private topic titles) via the redirect Location header and the 404 page's search box. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. 2026-01-28 not yet calculated CVE-2026-23743 https://github.com/discourse/discourse/security/advisories/GHSA-v5jw-rxc6-4cvv
 
DokuWiki--DokuWiki aelsantex runcommand 2014-04-01, a plugin for DokuWiki, allows unauthenticated attackers to execute arbitrary system commands via lib/plugins/runcommand/postaction.php. 2026-01-30 not yet calculated CVE-2025-51958 https://www.dokuwiki.org/plugin:runcommand
https://github.com/aelsantex/runcommand
https://gist.github.com/NtustLin/f64528002e4f61874045799127dc49a4
 
dormakaba--Access Manager 92xx-k5 The exos 9300 application can be used to configure Access Managers (e.g. 92xx, 9230 and 9290). The configuration is done in a graphical user interface on the dormakaba exos server. As soon as the save button is clicked in exos 9300, the whole configuration is sent to the selected Access Manager via SOAP. The SOAP request is sent without any prior authentication or authorization by default. Though authentication and authorization can be configured using IPsec for 92xx-K5 devices and mTLS for 92xx-K7 devices, it is not enabled by default and must therefore be activated with additional steps. This insecure default allows an attacker with network level access to completely control the whole environment. An attacker is for example easily able to conduct the following tasks without prior authentication: - Re-configure Access Managers (e.g. remove alarming system requirements) - Freely re-configure the inputs and outputs - Open all connected doors permanently - Open all doors for a defined time interval - Change the admin password - and many more Network level access can be gained due to an insufficient network segmentation as well as missing LAN firewalls. Devices with an insecure configuration have been identified to be directly exposed to the internet. 2026-01-26 not yet calculated CVE-2025-59097 https://r.sec-consult.com/dormakaba
https://r.sec-consult.com/dkaccess
https://www.dormakabagroup.com/en/security-advisories
 
dormakaba--Access Manager 92xx-k5 The Access Manager is offering a trace functionality to debug errors and issues with the device. The trace functionality is implemented as a simple TCP socket. A tool called TraceClient.exe, provided by dormakaba via the Access Manager web interface, is used to connect to the socket and receive debug information. The data is permanently broadcasted on the TCP socket. The socket can be accessed without any authentication or encryption. The transmitted data is based on the set verbosity level. The verbosity level can be set using the http(s) endpoint with the service interface password or with the guessable identifier of the device via the SOAP interface. The transmitted data contains sensitive data like the Card ID as well as all button presses on Registration units. This allows an attacker with network level access to retrieve all entered PINs on a registration unit. 2026-01-26 not yet calculated CVE-2025-59098 https://r.sec-consult.com/dormakaba
https://r.sec-consult.com/dkaccess
https://www.dormakabagroup.com/en/security-advisories
 
dormakaba--Access Manager 92xx-k5 The Access Manager is using the open source web server CompactWebServer written in C#. This web server is affected by a path traversal vulnerability, which allows an attacker to directly access files via simple GET requests without prior authentication. Hence, it is possible to retrieve all files stored on the file system, including the SQLite database Database.sq3, containing badge information and the corresponding PIN codes. Additionally, when trying to access certain files, the web server crashes and becomes unreachable for about 60 seconds. This can be abused to continuously send the request and cause denial of service. 2026-01-26 not yet calculated CVE-2025-59099 https://r.sec-consult.com/dormakaba
https://r.sec-consult.com/dkaccess
https://www.dormakabagroup.com/en/security-advisories
 
dormakaba--Access Manager 92xx-k5 The web interface offers a functionality to export the internal SQLite database. After executing the database export, an automatic download is started and the device reboots. After rebooting, the exported database is deleted and cannot be accessed anymore. However, it was noticed that sometimes the device does not reboot and therefore the exported database is not deleted, or the device reboots and the export is not deleted for unknown reasons. The path where the database export is located can be accessed without prior authentication. This leads to the fact that an attacker might be able to get access to the exported database without prior authentication. The database includes sensitive data like passwords, card pins, encrypted Mifare sitekeys and much more. 2026-01-26 not yet calculated CVE-2025-59100 https://r.sec-consult.com/dormakaba
https://r.sec-consult.com/dkaccess
https://www.dormakabagroup.com/en/security-advisories
 
dormakaba--Access Manager 92xx-k5 Instead of typical session tokens or cookies, it is verified on a per-request basis if the originating IP address has once successfully logged in. As soon as an authentication request from a certain source IP is successful, the IP address is handled as authenticated. No other session information is stored. Therefore, it is possible to spoof the IP address of a logged-in user to gain access to the Access Manager web interface. 2026-01-26 not yet calculated CVE-2025-59101 https://r.sec-consult.com/dormakaba
https://r.sec-consult.com/dkaccess
https://www.dormakabagroup.com/en/security-advisories
 
dormakaba--Access Manager 92xx-k5 The web server of the Access Manager offers a functionality to download a backup of the local database stored on the device. This database contains the whole configuration. This includes encrypted MIFARE keys, card data, user PINs and much more. The PINs are even stored unencrypted. Combined with the fact that an attacker can easily get access to the backup functionality by abusing the session management issue (CVE-2025-59101), or by exploiting the weak default password (CVE-2025-59108), or by simply setting a new password without prior authentication via the SOAP API (CVE-2025-59097), it is easily possible to access the sensitive data on the device. 2026-01-26 not yet calculated CVE-2025-59102 https://r.sec-consult.com/dormakaba
https://r.sec-consult.com/dkaccess
https://www.dormakabagroup.com/en/security-advisories
 
dormakaba--Access Manager 92xx-k5 The Access Manager 92xx in hardware revision K7 is based on Linux instead of Windows CE embedded in older hardware revisions. In this new hardware revision it was noticed that an SSH service is exposed on port 22. By analyzing the firmware of the devices, it was noticed that there are two users with hardcoded and weak passwords that can be used to access the devices via SSH. The passwords can be also guessed very easily. The password of at least one user is set to a random value after the first deployment, with the restriction that the password is only randomized if the configured date is prior to 2022. Therefore, under certain circumstances, the passwords are not randomized. For example, if the clock is never set on the device, the battery of the clock module has been changed, the Access Manager has been factory reset and has not received a time yet. 2026-01-26 not yet calculated CVE-2025-59103 https://r.sec-consult.com/dormakaba
https://r.sec-consult.com/dkaccess
https://www.dormakabagroup.com/en/security-advisories
 
dormakaba--Access Manager 92xx-k5 With physical access to the device and enough time an attacker can desolder the flash memory, modify it and then reinstall it because of missing encryption. Thus, essential files, such as "/etc/passwd", as well as stored certificates, cryptographic keys, stored PINs and so on can be modified and read, in order to gain SSH root access on the Linux-based K7 model. On the Windows CE based K5 model, the password for the Access Manager can additionally be read in plain text from the stored SQLite database. 2026-01-26 not yet calculated CVE-2025-59105 https://r.sec-consult.com/dormakaba
https://r.sec-consult.com/dkaccess
https://www.dormakabagroup.com/en/security-advisories
 
dormakaba--Access Manager 92xx-k5 Dormakaba provides the software FWServiceTool to update the firmware version of the Access Managers via the network. The firmware in some instances is provided in an encrypted ZIP file. Within this tool, the password used to decrypt the ZIP and extract the firmware is set statically and can be extracted. This password was valid for multiple observed firmware versions. 2026-01-26 not yet calculated CVE-2025-59107 https://r.sec-consult.com/dormakaba
https://r.sec-consult.com/dkaccess
https://www.dormakabagroup.com/en/security-advisories
 
dormakaba--Access Manager 92xx-k5 By default, the password for the Access Manager's web interface, is set to 'admin'. In the tested version changing the password was not enforced. 2026-01-26 not yet calculated CVE-2025-59108 https://r.sec-consult.com/dormakaba
https://r.sec-consult.com/dkaccess
https://www.dormakabagroup.com/en/security-advisories
 
dormakaba--Access Manager 92xx-k7 With physical access to the device and enough time an attacker is able to solder test leads to the debug footprint (or use the 6-Pin tag-connect cable). Thus, the attacker gains access to the bootloader, where the kernel command line can be changed. An attacker is able to gain a root shell through this vulnerability. 2026-01-26 not yet calculated CVE-2025-59104 https://r.sec-consult.com/dormakaba
https://r.sec-consult.com/dkaccess
https://www.dormakabagroup.com/en/security-advisories
 
dormakaba--Access Manager 92xx-k7 The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privilege principle. If an attacker is able to execute code on the system via other vulnerabilities it is possible to directly execute commands with highest privileges. 2026-01-26 not yet calculated CVE-2025-59106 https://r.sec-consult.com/dormakaba
https://r.sec-consult.com/dkaccess
https://www.dormakabagroup.com/en/security-advisories
 
dormakaba--dormakaba registration unit 9002 The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the backside. The PIN pad is sending every button press to the UART interface. An attacker can use the interface to exfiltrate PINs. As the devices are explicitly built as Plug-and-Play to be easily replaced, an attacker is easily able to remove the device, install a hardware implant which connects to the UART and exfiltrates the data exposed via UART to another system (e.g. via WiFi). 2026-01-26 not yet calculated CVE-2025-59109 https://r.sec-consult.com/dormakaba
https://r.sec-consult.com/dkaccess
https://www.dormakabagroup.com/en/security-advisories
 
dormakaba--Kaba exos 9300 On the exos 9300 server, a SOAP API is reachable on port 8002. This API does not require any authentication prior to sending requests. Therefore, network access to the exos server allows e.g. the creation of arbitrary access log events as well as querying the 2FA PINs associated with the enrolled chip cards. 2026-01-26 not yet calculated CVE-2025-59090 https://r.sec-consult.com/dormakaba
https://r.sec-consult.com/dkexos
https://www.dormakabagroup.com/en/security-advisories
 
dormakaba--Kaba exos 9300 Multiple hardcoded credentials have been identified, which are allowed to sign-in to the exos 9300 datapoint server running on port 1004 and 1005. This server is used for relaying status information from and to the Access Managers. This information, among other things, is used to graphically visualize open doors and alerts. However, controlling the Access Managers via this interface is also possible. To send and receive status information, authentication is necessary. The Kaba exos 9300 application contains hard-coded credentials for four different users, which are allowed to login to the datapoint server and receive as well as send information, including commands to open arbitrary doors. 2026-01-26 not yet calculated CVE-2025-59091 https://r.sec-consult.com/dormakaba
https://r.sec-consult.com/dkexos
https://www.dormakabagroup.com/en/security-advisories
 
dormakaba--Kaba exos 9300 An RPC service, which is part of exos 9300, is reachable on port 4000, run by the process FSMobilePhoneInterface.exe. This service is used for interprocess communication between services and the Kaba exos 9300 GUI, containing status information about the Access Managers. Interacting with the service does not require any authentication. Therefore, it is possible to send arbitrary status information about door contacts etc. without prior authentication. 2026-01-26 not yet calculated CVE-2025-59092 https://r.sec-consult.com/dormakaba
https://r.sec-consult.com/dkexos
https://www.dormakabagroup.com/en/security-advisories
 
dormakaba--Kaba exos 9300 Exos 9300 instances are using a randomly generated database password to connect to the configured MSSQL server. The password is derived from static random values, which are concatenated to the hostname and a random string that can be read by every user from the registry. This allows an attacker to derive the database password and get authenticated access to the central exos 9300 database as the user Exos9300Common. The user has the roles ExosDialog and ExosDialogDotNet assigned, which are able to read most tables of the database as well as update and insert into many tables. 2026-01-26 not yet calculated CVE-2025-59093 https://r.sec-consult.com/dormakaba
https://r.sec-consult.com/dkexos
https://www.dormakabagroup.com/en/security-advisories
 
dormakaba--Kaba exos 9300 A local privilege escalation vulnerability has been identified in the Kaba exos 9300 System management application (d9sysdef.exe). Within this application it is possible to specify an arbitrary executable as well as the weekday and start time, when the specified executable should be run with SYSTEM privileges. 2026-01-26 not yet calculated CVE-2025-59094 https://r.sec-consult.com/dormakaba
https://r.sec-consult.com/dkexos
https://www.dormakabagroup.com/en/security-advisories
 
dormakaba--Kaba exos 9300 The program libraries (DLL) and binaries used by exos 9300 contain multiple hard-coded secrets. One notable example is the function "EncryptAndDecrypt" in the library Kaba.EXOS.common.dll. This algorithm uses a simple XOR encryption technique combined with a cryptographic key (cryptoKey) to transform each character of the input string. However, it's important to note that this implementation does not provide strong encryption and should not be considered secure for sensitive data. It's more of a custom encryption approach rather than a common algorithm used in cryptographic applications. The key itself is static and based on the founder's name of the company. The functionality is for example used to encrypt the user PINs before storing them in the MSSQL database. 2026-01-26 not yet calculated CVE-2025-59095 https://r.sec-consult.com/dormakaba
https://r.sec-consult.com/dkexos
https://www.dormakabagroup.com/en/security-advisories
 
dormakaba--Kaba exos 9300 The default password for the extended admin user mode in the application U9ExosAdmin.exe ("Kaba 9300 Administration") is hard-coded in multiple locations as well as documented in the locally stored user documentation. 2026-01-26 not yet calculated CVE-2025-59096 https://r.sec-consult.com/dormakaba
https://r.sec-consult.com/dkexos
https://www.dormakabagroup.com/en/security-advisories
 
Drupal--Acquia Content Hub Cross-Site Request Forgery (CSRF) vulnerability in Drupal Acquia Content Hub allows Cross Site Request Forgery. This issue affects Acquia Content Hub: from 0.0.0 before 3.6.4, from 3.7.0 before 3.7.3. 2026-01-28 not yet calculated CVE-2025-14472 https://www.drupal.org/sa-contrib-2025-125
 
Drupal--AI (Artificial Intelligence) Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS). This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4. 2026-01-28 not yet calculated CVE-2025-13981 https://www.drupal.org/sa-contrib-2025-119
 
Drupal--CKEditor 5 Premium Features Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass. This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4. 2026-01-28 not yet calculated CVE-2025-13980 https://www.drupal.org/sa-contrib-2025-118
 
Drupal--Disable Login Page Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass. This issue affects Disable Login Page: from 0.0.0 before 1.1.3. 2026-01-28 not yet calculated CVE-2025-13986 https://www.drupal.org/sa-contrib-2025-124
 
Drupal--Drupal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS). This issue affects Drupal: from 7.X-1.0 through 7.X-1.22. 2026-01-28 not yet calculated CVE-2026-0749 https://www.herodevs.com/vulnerability-directory/cve-2026-0749
https://d7es.tag1.com/security-advisories/form-builder-less-critical-cross-site-scripting
 
Drupal--Drupal Commerce Paybox Improper Verification of Cryptographic Signature vulnerability in Drupal Drupal Commerce Paybox Commerce Paybox on Drupal 7.X allows Authentication Bypass. This issue affects Drupal Commerce Paybox: from 7-x-1.0 through 7.X-1.5. 2026-01-28 not yet calculated CVE-2026-0750 https://www.herodevs.com/vulnerability-directory/cve-2026-0750
https://d7es.tag1.com/security-advisories/commerce-paybox-moderately-critical-payment-bypass-vulnerability
 
Drupal--Entity Share Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing. This issue affects Entity Share: from 0.0.0 before 3.13.0. 2026-01-28 not yet calculated CVE-2025-13985 https://www.drupal.org/sa-contrib-2025-123
 
Drupal--HTTP Client Manager Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal HTTP Client Manager allows Forceful Browsing. This issue affects HTTP Client Manager: from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, from 11.0.0 before 11.0.1. 2026-01-28 not yet calculated CVE-2025-14840 https://www.drupal.org/sa-contrib-2025-126
 
Drupal--Login Time Restriction Cross-Site Request Forgery (CSRF) vulnerability in Drupal Login Time Restriction allows Cross Site Request Forgery. This issue affects Login Time Restriction: from 0.0.0 before 1.0.3. 2026-01-28 not yet calculated CVE-2025-13982 https://www.drupal.org/sa-contrib-2025-120
 
Drupal--Mini site Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS. This issue affects Mini site: from 0.0.0 before 3.0.2. 2026-01-28 not yet calculated CVE-2025-13979 https://www.drupal.org/sa-contrib-2025-117
 
Drupal--Next.js Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS). This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1. 2026-01-28 not yet calculated CVE-2025-13984 https://www.drupal.org/sa-contrib-2025-122
 
Drupal--Tagify Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS). This issue affects Tagify: from 0.0.0 before 1.2.44. 2026-01-28 not yet calculated CVE-2025-13983 https://www.drupal.org/sa-contrib-2025-121
 
Eclipse Foundation--Eclipse OMR In the Eclipse OMR port library component since release 0.2.0, an API function to return the textual names of all supported processor features was not accounting for the separator inserted between processor features. If the output buffer supplied to this function was incorrectly sized, failing to account for the separator when determining when a write to the buffer was safe could lead to a buffer overflow. This issue is fixed in Eclipse OMR version 0.8.0. 2026-01-29 not yet calculated CVE-2026-1188 https://github.com/eclipse-omr/omr/pull/8082
 
Eclipse Foundation--Eclipse ThreadX - NetX Duo A denial-of-service vulnerability exists in the NetX IPv6 component functionality of Eclipse ThreadX NetX Duo. A specially crafted network packet of "Packet Too Big" with more than 15 different source address can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability. 2026-01-27 not yet calculated CVE-2025-55102 https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-f3rx-xrwm-q2rf
 
Edgemo (Danoffice IT)--Local Admin Service Improper access control in the WCF endpoint in Edgemo (now owned by Danoffice IT) Local Admin Service 1.2.7.23180 on Windows allows a local user to escalate their privileges to local administrator via direct communication with the LocalAdminService.exe named pipe, bypassing client-side group membership restrictions. 2026-01-30 not yet calculated CVE-2026-1680 https://retest.dk/local-privilege-escalation-vulnerability-found-in-local-admin-service/
https://www.danofficeit.com/howwedoit/workplace/management/
 
EGroupware--egroupware EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability. 2026-01-28 not yet calculated CVE-2026-22243 https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx
https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113
https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113
 
ESET, spol. s.r.o--ESET Inspect Connector Planting a custom configuration file in ESET Inspect Connector allow load a malicious DLL. 2026-01-30 not yet calculated CVE-2025-13176 https://support.eset.com/en/ca8910-eset-customer-advisory-local-privilege-escalation-vulnerability-fixed-in-eset-inspect-connector-for-windows
 
eslint--eslint Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the internal function checkDuplicateTestCase() is called, which in turn uses the isSerializable() function for serialization checks. When a circular reference object is passed in, isSerializable() enters infinite recursion, ultimately causing a stack overflow. 2026-01-26 not yet calculated CVE-2025-50537 https://github.com/eslint/eslint/issues/19646
https://gist.github.com/lyyffee/2ee1815e5c2da82c05e9838b9bfefbbc
 
Explorance--Blue Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user input in a web application endpoint. An attacker can supply crafted input that is executed as part of backend database queries. The issue is exploitable without authentication, significantly raising the risk. 2026-01-28 not yet calculated CVE-2025-57792 https://www.explorance.com/products/blue
https://online-help.explorance.com/blue/articles/security-advisories-(january-2026)
https://online-help.explorance.com/blue/articles/security-advisory:-cve-2025-57792
https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0001.md
 
Explorance--Blue Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user-supplied input in a web application component. Crafted input can be executed as part of backend database queries. The issue is exploitable without authentication, significantly elevating the risk. 2026-01-28 not yet calculated CVE-2025-57793 https://www.explorance.com/products/blue
https://online-help.explorance.com/blue/articles/security-advisories-(january-2026)
https://online-help.explorance.com/blue/articles/security-advisory:-cve-2025-57793
https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0002.md
 
Explorance--Blue Explorance Blue versions prior to 8.14.9 contain an authenticated unrestricted file upload vulnerability in the administrative interface. The application does not adequately restrict uploaded file types, allowing malicious files to be uploaded and executed by the server. This condition enables remote code execution under default configurations. 2026-01-28 not yet calculated CVE-2025-57794 https://www.explorance.com/products/blue
https://online-help.explorance.com/blue/articles/security-advisories-(january-2026)
https://online-help.explorance.com/blue/articles/security-advisory:-cve-2025-57794
https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0003.md
 
Explorance--Blue Explorance Blue versions prior to 8.14.13 contain an authenticated remote file download vulnerability in a web service component. In default configurations, this flaw can be leveraged to achieve remote code execution. 2026-01-28 not yet calculated CVE-2025-57795 https://www.explorance.com/products/blue
https://online-help.explorance.com/blue/articles/security-advisories-(january-2026)
https://online-help.explorance.com/blue/articles/security-advisory:-cve-2025-57795
https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0004.md
 
Explorance--Blue Explorance Blue versions prior to 8.14.12 use reversible symmetric encryption with a hardcoded static key to protect sensitive data, including user passwords and system configurations. This approach allows stored values to be decrypted offline if the encrypted data are obtained. 2026-01-28 not yet calculated CVE-2025-57796 https://www.explorance.com/products/blue
https://online-help.explorance.com/blue/articles/security-advisories-(january-2026)
https://online-help.explorance.com/blue/articles/security-advisory:-cve-2025-57796
https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0005.md
 
ExpressionEngine--ExpressionEngine SQL Injection vulnerability in the Structure for Admin authenticated user 2026-01-26 not yet calculated CVE-2025-59473 https://hackerone.com/reports/3249794
 
EZCast--EZCast Pro II Multiple Buffer Overflows in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to cause a program crash and potential remote code execution 2026-01-27 not yet calculated CVE-2026-24344 https://hub.ntc.swiss/ntcf-2025-68873
 
EZCast--EZCast Pro II Cross-Site Request Forgery in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to bypass authorization checks and gain full access to the admin UI 2026-01-27 not yet calculated CVE-2026-24345 https://hub.ntc.swiss/ntcf-2025-32832
 
EZCast--EZCast Pro II Use of well-known default credentials in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to access protected areas in the web application 2026-01-27 not yet calculated CVE-2026-24346 https://hub.ntc.swiss/ntcf-2025-13993
 
EZCast--EZCast Pro II Improper input validation in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to manipulate files in the /tmp directory 2026-01-27 not yet calculated CVE-2026-24347 https://hub.ntc.swiss/ntcf-2025-32806
 
EZCast--EZCast Pro II Multiple cross-site scripting vulnerabilities in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to execute arbitrary JavaScript code in the browser of other Admin UI users. 2026-01-27 not yet calculated CVE-2026-24348 https://hub.ntc.swiss/ntcf-2025-145332
 
FASTSHIFT--X-TRACK Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in FASTSHIFT X-TRACK (Software/X-Track/USER/App/Utils/lv_img_png/PNGdec/src modules). This vulnerability is associated with program files inflate.C. This issue affects X-TRACK: through v2.7. 2026-01-27 not yet calculated CVE-2026-24823 https://github.com/FASTSHIFT/X-TRACK/pull/120
 
Flexense--Sync Breeze Enterprise Server Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to change a user's password or create users via '/setup_login?sid=', affecting the 'username', 'password', and 'cpassword' parameters. 2026-01-28 not yet calculated CVE-2025-59891 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products
 
Flexense--Sync Breeze Enterprise Server Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to delete commands individually via '/delete_command?sid=', using the 'cid' parameter. 2026-01-28 not yet calculated CVE-2025-59892 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products
 
Flexense--Sync Breeze Enterprise Server Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to rename commands via '/rename_command?sid=', affecting the 'command_name' parameter. 2026-01-28 not yet calculated CVE-2025-59893 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products
 
Flexense--Sync Breeze Enterprise Server Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to delete all commands via '/delete_all_commands?sid='. 2026-01-28 not yet calculated CVE-2025-59894 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products
 
Flexense--Sync Breeze Enterprise Server Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a remote denial-of-service (DoS) vulnerability in the configuration restore functionality. The issue is due to insufficient validation of user-supplied data during this process. An attacker could send malicious requests to alter the configuration file, causing the application to become unresponsive. In a successful scenario, the service may not recover on its own and require a complete reinstallation, as the configuration becomes corrupted and prevents the service from restarting, even manually. 2026-01-28 not yet calculated CVE-2025-59895 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products
 
Flexense--Sync Breeze Enterprise Server Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in '/add_command?sid=', affecting the 'command_name' parameter. 2026-01-28 not yet calculated CVE-2025-59896 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products
 
Flexense--Sync Breeze Enterprise Server Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in '/edit_command?sid=', affecting the 'source_dir' and 'dest_dir' parameters. 2026-01-28 not yet calculated CVE-2025-59897 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products
 
Flexense--Sync Breeze Enterprise Server Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in '/add_exclude_dir?sid=', affecting the 'exclude_dir' parameter. 2026-01-28 not yet calculated CVE-2025-59898 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products
 
Flexense--Sync Breeze Enterprise Server Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in  '/server_options?sid=', affecting the 'tasks_logs_dir', 'errors_logs_dir', 'error_notifications_address', 'status_notifications_address', and 'status_reports_address' parameters. 2026-01-28 not yet calculated CVE-2025-59899 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products
 
Flexense--Sync Breeze Enterprise Server Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in  '/server_options?sid=', affecting the 'tasks_logs_dir', 'errors_logs_dir', 'error_notifications_address', 'status_notifications_address', and 'status_reports_address' parameters. 2026-01-28 not yet calculated CVE-2025-59900 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products
 
Flexense--Sync Breeze Enterprise Server Disk Pulse Enterprise v10.4.18 has an authenticated reflected XSS vulnerability in the '/monitor_directory?sid=' endpoint, caused by insufficient validation of the 'monitor_directory' parameter sent by POST. An attacker could exploit this weakness to send malicious content to an authenticated user and steal information from their session. 2026-01-28 not yet calculated CVE-2025-59901 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products
 
FluentCMS--FluentCMS FluentCMS 2026 contains a stored cross-site scripting vulnerability that allows authenticated administrators to upload SVG files with embedded JavaScript via the File Management module. Attackers can upload malicious SVG files that execute JavaScript in the browser of any user accessing the uploaded file URL. 2026-01-29 not yet calculated CVE-2025-15549 GitHub Issue #2404
VulnCheck Advisory: FluentCMS 2026 Stored XSS via SVG Upload in File Management
 
foxinmy--weixin4j Improperly Controlled Sequential Memory Allocation vulnerability in foxinmy weixin4j (weixin4j-base/src/main/java/com/foxinmy/weixin4j/util modules). This vulnerability is associated with program files CharArrayBuffer.Java, ClassUtil.Java. This issue affects weixin4j. 2026-01-27 not yet calculated CVE-2026-24819 https://github.com/foxinmy/weixin4j/pull/229
 
FUJIFILM Business Innovation Corp.--beat-access for Windows beat-access for Windows version 3.0.3 and prior contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with SYSTEM privileges. 2026-01-27 not yet calculated CVE-2026-21408 https://www.fujifilm.com/fbglobal/eng/company/news/notice/2026/0127_announce.html
https://jvn.jp/en/jp/JVN03776126/
 
Funambol--Cloud Server Vulnerability that allows a Padding Oracle Attack to be performed on the Funambol v30.0.0.20 cloud server. The thumbnail display URL allows an attacker to decrypt and encrypt the parameters used by the application to generate 'self-signed' access URLs. 2026-01-28 not yet calculated CVE-2025-41351 https://www.incibe.es/en/incibe-cert/notices/aviso/weak-encryption-funambols-cloud-server
 
FunJSO--FunJSO FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, exposes an HTTP server over the LAN interface of affected devices. This interface is vulnerable to unauthenticated arbitrary command injection through the funjsq_access_token parameter. This affects R6230 before 1.1.0.112, R6260 before 1.1.0.88, R7000 before 1.0.11.134, R8900 before 1.0.5.42, R9000 before 1.0.5.42, and XR300 before 1.0.3.72 and Orbi RBR20 before 2.7.2.26, RBR50 before 2.7.4.26, RBS20 before 2.7.2.26, and RBS50 before 2.7.4.26. 2026-01-28 not yet calculated CVE-2022-40619 https://kb.netgear.com/000065132/Security-Advisory-for-Vulnerabilities-in-FunJSQ-on-Some-Routers-and-Orbi-WiFi-Systems-PSV-2022-0117
https://www.onekey.com/resource/security-advisory-netgear-routers-funjsq-vulnerabilities
 
FunJSO--FunJSO FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, does not properly validate TLS certificates when downloading update packages through its auto-update mechanism. An attacker (suitably positioned on the network) could intercept the update request and deliver a malicious update package in order to gain arbitrary code execution on affected devices. This affects R6230 before 1.1.0.112, R6260 before 1.1.0.88, R7000 before 1.0.11.134, R8900 before 1.0.5.42, R9000 before 1.0.5.42, and XR300 before 1.0.3.72 and Orbi RBR20 before 2.7.2.26, RBR50 before 2.7.4.26, RBS20 before 2.7.2.26, and RBS50 before 2.7.4.26. 2026-01-28 not yet calculated CVE-2022-40620 https://kb.netgear.com/000065132/Security-Advisory-for-Vulnerabilities-in-FunJSQ-on-Some-Routers-and-Orbi-WiFi-Systems-PSV-2022-0117
https://www.onekey.com/resource/security-advisory-netgear-routers-funjsq-vulnerabilities
 
GaijinEntertainment--DagorEngine Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in GaijinEntertainment DagorEngine (prog/3rdPartyLibs/miniupnpc modules). This vulnerability is associated with program files upnpreplyparse.C. This issue affects DagorEngine: through dagor_2025_01_15. 2026-01-27 not yet calculated CVE-2026-24798 https://github.com/GaijinEntertainment/DagorEngine/pull/136
 
geopandas--geopandas SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database. 2026-01-30 not yet calculated CVE-2025-69662 https://aydinnyunus.github.io/2025/12/27/sql-injection-geopandas/
https://github.com/geopandas/geopandas/pull/3681
 
gmrtd--gmrtd gmrtd is a Go library for reading Machine Readable Travel Documents (MRTDs). Prior to version 0.17.2, ReadFile accepts TLVs with lengths that can range up to 4GB, which can cause unconstrained resource consumption in both memory and cpu cycles. ReadFile can consume an extended TLV with lengths well outside what would be available in ICs. It can accept something all the way up to 4GB which would take too many iterations in 256 byte chunks, and would also try to allocate memory that might not be available in constrained environments like phones. Or if an API sends data to ReadFile, the same problem applies. The very small chunked read also locks the goroutine in accepting data for a very large number of iterations. projects using the gmrtd library to read files from NFCs can experience extreme slowdowns or memory consumption. A malicious NFC can just behave like the mock transceiver described above and by just sending dummy bytes as each chunk to be read, can make the receiving thread unresponsive and fill up memory on the host system. Version 0.17.2 patches the issue. 2026-01-27 not yet calculated CVE-2026-24738 https://github.com/gmrtd/gmrtd/security/advisories/GHSA-j49h-6577-5xwq
https://github.com/gmrtd/gmrtd/commit/54469a95e5a20a8602ac1457b2110bfeb80c8891
https://github.com/gmrtd/gmrtd/releases/tag/v0.17.2
 
Go standard library--archive/zip archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. 2026-01-28 not yet calculated CVE-2025-61728 https://go.dev/cl/736713
https://go.dev/issue/77102
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
https://pkg.go.dev/vuln/GO-2026-4342
 
Go standard library--crypto/tls During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. 2026-01-28 not yet calculated CVE-2025-61730 https://go.dev/cl/724120
https://go.dev/issue/76443
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
https://pkg.go.dev/vuln/GO-2026-4340
 
Go standard library--net/url The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. 2026-01-28 not yet calculated CVE-2025-61726 https://go.dev/cl/736712
https://go.dev/issue/77101
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
https://pkg.go.dev/vuln/GO-2026-4341
 
Go toolchain--cmd/go Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location. 2026-01-28 not yet calculated CVE-2025-61731 https://go.dev/cl/736711
https://go.dev/issue/77100
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
https://pkg.go.dev/vuln/GO-2026-4339
 
Go toolchain--cmd/go Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths. 2026-01-28 not yet calculated CVE-2025-68119 https://go.dev/cl/736710
https://go.dev/issue/77099
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
https://pkg.go.dev/vuln/GO-2026-4338
 
Google--Chrome Inappropriate implementation in Background Fetch API in Google Chrome prior to 144.0.7559.110 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) 2026-01-27 not yet calculated CVE-2026-1504 https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_27.html
https://issues.chromium.org/issues/474435504
 
gradle--gradle-completion gradle-completion provides Bash and Zsh completion support for Gradle. A command injection vulnerability was found in gradle-completion up to and including 9.3.0 that allows arbitrary code execution when a user triggers Bash tab completion in a project containing a malicious Gradle build file. The `gradle-completion` script for Bash fails to adequately sanitize Gradle task names and task descriptions, allowing command injection via a malicious Gradle build file when the user completes a command in Bash (without them explicitly running any task in the build). For example, given a task description that includes a string between backticks, then that string would be evaluated as a command when presenting the task description in the completion list. While task execution is the core feature of Gradle, this inherent execution may lead to unexpected outcomes. The vulnerability does not affect zsh completion. The first patched version is 9.3.1. As a workaround, it is possible and effective to temporarily disable bash completion for Gradle by removing `gradle-completion` from `.bashrc` or `.bash_profile`. 2026-01-29 not yet calculated CVE-2026-25063 https://github.com/gradle/gradle-completion/security/advisories/GHSA-qggc-44r3-cjgv
https://github.com/gradle/gradle-completion/commit/ecacc32bb882210e5d37cd79a74de1af0d0ccad7
 
Hiawatha--Hiawatha Web server Improper header parsing may lead to request smuggling has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to access restricted resources managed by Hiawatha webserver. 2026-01-26 not yet calculated CVE-2025-57783 https://gitlab.com/hsleisink/hiawatha/-/blame/master/src/http.c?ref_type=heads#L205
 
Hiawatha--Hiawatha Web server Tomahawk auth timing attack due to usage of `strcmp` has been identified in Hiawatha webserver version 11.7 which allows a local attacker to access the management client. 2026-01-26 not yet calculated CVE-2025-57784 https://gitlab.com/hsleisink/hiawatha/-/blame/master/src/tomahawk.c?ref_type=heads#L429
 
Hiawatha--Hiawatha Web server A Double Free in XSLT `show_index` has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to corrupt data which may lead to arbitrary code execution. 2026-01-26 not yet calculated CVE-2025-57785 https://gitlab.com/hsleisink/hiawatha/-/blame/master/src/xslt.c?ref_type=heads#L675
 
Hitachi Energy--SuprOS Default credentials vulnerability exists in SuprOS product. If exploited, this could allow an authenticated local attacker to use an admin account created during product deployment. 2026-01-28 not yet calculated CVE-2025-7740 https://publisher.hitachienergy.com/preview?DocumentID=8DBD000223&LanguageCode=en&DocumentPartId=&Action=launch
 
honojs--hono Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys. Version 4.11.7 contains a patch for the issue. 2026-01-27 not yet calculated CVE-2026-24473 https://github.com/honojs/hono/security/advisories/GHSA-w332-q679-j88p
https://github.com/honojs/hono/commit/cf9a78db4d0a19b117aee399cbe9d3a6d9bfd817
https://github.com/honojs/hono/releases/tag/v4.11.7
 
iba Systems--ibaPDA A security issue has been identified in ibaPDA that could allow unauthorized actions on the file system under certain conditions. This may impact the confidentiality, integrity, or availability of the system. 2026-01-27 not yet calculated CVE-2025-14988 https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-01
 
Icinga--icinga-powershell-framework The Icinga PowerShell Framework provides configuration and check possibilities to ensure integration and monitoring of Windows environments. In versions prior to 1.13.4, 1.12.4, and 1.11.2, permissions of the Icinga for Windows `certificate` directory grant every user read access, which results in the exposure of private key of the Icinga certificate for the given host. All installations are affected. Versions 1.13.4, 1.12.4, and 1.11.2 contains a patch. Please note that upgrading to a fixed version of Icinga for Windows will also automatically fix a similar issue present in Icinga 2, CVE-2026-24413. As a workaround, the permissions can be restricted manually by updating the ACL for the given folder `C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate` (and `C:\ProgramData\icinga2\var` to fix the issue for the Icinga 2 agent as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access. 2026-01-29 not yet calculated CVE-2026-24414 https://github.com/Icinga/icinga-powershell-framework/security/advisories/GHSA-88h5-rrm6-5973
https://github.com/Icinga/icinga2/security/advisories/GHSA-vfjg-6fpv-4mmr
https://icinga.com/blog/releasing-icinga-2-v2-15-2-v2-14-8-v2-13-14-and-icinga-for-windows-v1-13-4-v1-12-4-v1-11-2
 
Icinga--icinga2 Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the `%ProgramData%\icinga2\var` folder on Windows. This resulted in the its contents - including the private key of the user and synced configuration - being readable by all local users. All installations on Windows are affected. Versions 2.13.14, 2.14.8, and 2.15.2 contains a fix. There are two possibilities to work around the issue without upgrading Icinga 2. Upgrade Icinga for Windows to at least version v1.13.4, v1.12.4, or v1.11.2. These version will automatically fix the ACLs for the Icinga 2 agent as well. Alternatively, manually update the ACL for the given folder `C:\ProgramData\icinga2\var` (and `C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate` to fix the issue for the Icinga for Windows as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access. 2026-01-29 not yet calculated CVE-2026-24413 https://github.com/Icinga/icinga2/security/advisories/GHSA-vfjg-6fpv-4mmr
https://github.com/Icinga/icinga-powershell-framework/security/advisories/GHSA-88h5-rrm6-5973
https://icinga.com/blog/releasing-icinga-2-v2-15-2-v2-14-8-v2-13-14-and-icinga-for-windows-v1-13-4-v1-12-4-v1-11-2
 
inspektor-gadget--inspektor-gadget Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. The `ig` binary provides a subcommand for image building, used to generate custom gadget OCI images. A part of this functionality is implemented in the file `inspektor-gadget/cmd/common/image/build.go`. The `Makefile.build` file is the Makefile template employed during the building process. This file includes user-controlled data in an unsafe fashion, specifically some parameters are embedded without an adequate escaping in the commands inside the Makefile. Prior to version 0.48.1, this implementation is vulnerable to command injection: an attacker able to control values in the `buildOptions` structure would be able to execute arbitrary commands during the building process. An attacker able to exploit this vulnerability would be able to execute arbitrary command on the Linux host where the `ig` command is launched, if images are built with the `--local` flag or on the build container invoked by `ig`, if the `--local` flag is not provided. The `buildOptions` structure is extracted from the YAML gadget manifest passed to the `ig image build` command. Therefore, the attacker would need a way to control either the full `build.yml` file passed to the `ig image build` command, or one of its options. Typically, this could happen in a CI/CD scenario that builds untrusted gadgets to verify correctness. Version 0.48.1 fixes the issue. 2026-01-29 not yet calculated CVE-2026-24905 https://github.com/inspektor-gadget/inspektor-gadget/security/advisories/GHSA-79qw-g77v-2vfh
https://github.com/inspektor-gadget/inspektor-gadget/commit/7c83ad84ff7a68565655253e2cf1c5d2da695c1a
 
Internet Information Co., Ltd--DreamMaker A missing authentication for critical function vulnerability in the /servlet/baServer3 endpoint of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to access exposed administrative functionality without prior authentication. 2026-01-30 not yet calculated CVE-2026-24728 https://zuso.ai/advisory/za-2026-01
 
Internet Information Co., Ltd--DreamMaker An unrestricted upload of file with dangerous type vulnerability in the file upload function of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to execute arbitrary system commands via a malicious class file. 2026-01-30 not yet calculated CVE-2026-24729 https://zuso.ai/advisory/za-2026-02
 
jmlepisto--clatter Clatter is a no_std compatible, pure Rust implementation of the Noise protocol framework with post-quantum support. Versiosn prior to2.2.0 have a protocol compliance vulnerability. The library allowed post-quantum handshake patterns that violated the PSK validity rule (Noise Protocol Framework Section 9.3). This could allow PSK-derived keys to be used for encryption without proper randomization by self-chosen ephemeral randomness, weakening security guarantees and potentially allowing catastrophic key reuse. Affected default patterns include `noise_pqkk_psk0`, `noise_pqkn_psk0`, `noise_pqnk_psk0`, `noise_pqnn_psk0``, and some hybrid variants. Users of these patterns may have been using handshakes that do not meet the intended security properties. The issue is fully patched and released in Clatter v2.2.0. The fixed version includes runtime checks to detect offending handshake patterns. As a workaround, avoid using offending `*_psk0` variants of post-quantum patterns. Review custom handshake patterns carefully. 2026-01-27 not yet calculated CVE-2026-24785 https://github.com/jmlepisto/clatter/security/advisories/GHSA-253q-9q78-63x4
https://github.com/jmlepisto/clatter/commit/b65ae6e9b8019bed5407771e21f89ddff17c5a71
https://noiseprotocol.org/noise.html#validity-rule
 
Johnson Controls--iSTAR Configuration Utility (ICU) Johnson Controls iSTAR Configuration Utility (ICU) has Stack-based Buffer Overflow vulnerability. This issue affects iSTAR Configuration Utility (ICU) version 6.9.7 and prior. Successful exploitation of this vulnerability could result in failure within the operating system of the machine hosting the ICU tool. 2026-01-28 not yet calculated CVE-2025-26386 https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-04
 
Johnson Controls--Metasys Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affects  * Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation,  * Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation,  * LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1,  * System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior,  * Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior. 2026-01-30 not yet calculated CVE-2025-26385 https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-04
https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
 
json--json The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution. 2026-01-28 not yet calculated CVE-2025-61140 https://github.com/dchester/jsonpath
https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d
 
kata-containers--kata-containers Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.26.0, when a container image is malformed or contains no layers, containerd falls back to bind-mounting an empty snapshotter directory for the container rootfs. When the Kata runtime attempts to mount the container rootfs, the bind mount causes the rootfs to be detected as a block device, leading to the underlying device being hotplugged to the guest. This can cause filesystem-level errors on the host due to double inode allocation, and may lead to the host's block device being mounted as read-only. Version 3.26.0 contains a patch for the issue. 2026-01-29 not yet calculated CVE-2026-24054 https://github.com/kata-containers/kata-containers/security/advisories/GHSA-5fc8-gg7w-3g5c
https://github.com/kata-containers/kata-containers/commit/20ca4d2d79aa5bf63aa1254f08915da84f19e92a
https://github.com/containerd/containerd/blob/d939b6af5f8536c2cae85e919e7c40070557df0e/plugins/snapshots/overlay/overlay.go#L564-L581
https://github.com/kata-containers/kata-containers/blob/a164693e1afead84cd01d5bc3575e2cbfe64ce35/src/runtime/virtcontainers/container.go#L1122-L1126
https://github.com/kata-containers/kata-containers/blob/c7d0c270ee7dfaa6d978e6e07b99dabdaf2b9fda/src/runtime/virtcontainers/container.go#L1616-L1623
 
libpng--libpng Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via the pngimage with AddressSanitizer (ASan), the program leaks memory in various locations, eventually leading to high memory usage and causing the program to become unresponsive 2026-01-27 not yet calculated CVE-2025-28162 https://github.com/pnggroup/libpng/issues/656
https://gist.github.com/kittener/fbfdb9b5610c6b3db0d5dea045a07c60
 
libpng--libpng Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via png_create_read_struct() function. 2026-01-27 not yet calculated CVE-2025-28164 https://github.com/pnggroup/libpng/issues/655
https://gist.github.com/kittener/506516f8c22178005b4379c8b2a7de20
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: counter: interrupt-cnt: Drop IRQF_NO_THREAD flag An IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, as CONFIG_PROVE_RAW_LOCK_NESTING warns: ============================= [ BUG: Invalid wait context ] 6.18.0-rc1+git... #1 ----------------------------- some-user-space-process/1251 is trying to lock: (&counter->events_list_lock){....}-{3:3}, at: counter_push_event [counter] other info that might help us debug this: context-{2:2} no locks held by some-user-space-process/.... stack backtrace: CPU: 0 UID: 0 PID: 1251 Comm: some-user-space-process 6.18.0-rc1+git... #1 PREEMPT Call trace: show_stack (C) dump_stack_lvl dump_stack __lock_acquire lock_acquire _raw_spin_lock_irqsave counter_push_event [counter] interrupt_cnt_isr [interrupt_cnt] __handle_irq_event_percpu handle_irq_event handle_simple_irq handle_irq_desc generic_handle_domain_irq gpio_irq_handler handle_irq_desc generic_handle_domain_irq gic_handle_irq call_on_irq_stack do_interrupt_handler el0_interrupt __el0_irq_handler_common el0t_64_irq_handler el0t_64_irq ... and Sebastian correctly points out. Remove IRQF_NO_THREAD as an alternative to switching to raw_spinlock_t, because the latter would limit all potential nested locks to raw_spinlock_t only. 2026-01-31 not yet calculated CVE-2025-71180 https://git.kernel.org/stable/c/ef668c9a2261ec9287faba6e6ef05a98b391aa2b
https://git.kernel.org/stable/c/51d2e5d6491447258cb39ff1deb93df15d3c23cb
https://git.kernel.org/stable/c/1c5a3175aecf82cd86dfcbef2a23e8b26d8d8e7c
https://git.kernel.org/stable/c/49a66829dd3653695e60d7cae13521d131362fcd
https://git.kernel.org/stable/c/425886b1f8304621b3f16632b274357067d5f13f
https://git.kernel.org/stable/c/23f9485510c338476b9735d516c1d4aacb810d46
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: rust_binder: remove spin_lock() in rust_shrink_free_page() When forward-porting Rust Binder to 6.18, I neglected to take commit fb56fdf8b9a2 ("mm/list_lru: split the lock to per-cgroup scope") into account, and apparently I did not end up running the shrinker callback when I sanity tested the driver before submission. This leads to crashes like the following: ============================================ WARNING: possible recursive locking detected 6.18.0-mainline-maybe-dirty #1 Tainted: G IO -------------------------------------------- kswapd0/68 is trying to acquire lock: ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: lock_list_lru_of_memcg+0x128/0x230 but task is already holding lock: ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: rust_helper_spin_lock+0xd/0x20 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&l->lock); lock(&l->lock); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by kswapd0/68: #0: ffffffff90d2e260 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x597/0x1160 #1: ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: rust_helper_spin_lock+0xd/0x20 #2: ffffffff90cf3680 (rcu_read_lock){....}-{1:2}, at: lock_list_lru_of_memcg+0x2d/0x230 To fix this, remove the spin_lock() call from rust_shrink_free_page(). 2026-01-31 not yet calculated CVE-2025-71181 https://git.kernel.org/stable/c/30a98c97f7874031f2e1de19c777ce011143cba4
https://git.kernel.org/stable/c/361e0ff456a8daf9753c18030533256e4133ce7a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: can: j1939: make j1939_session_activate() fail if device is no longer registered syzbot is still reporting unregister_netdevice: waiting for vcan0 to become free. Usage count = 2 even after commit 93a27b5891b8 ("can: j1939: add missing calls in NETDEV_UNREGISTER notification handler") was added. A debug printk() patch found that j1939_session_activate() can succeed even after j1939_cancel_active_session() from j1939_netdev_notify(NETDEV_UNREGISTER) has completed. Since j1939_cancel_active_session() is processed with the session list lock held, checking ndev->reg_state in j1939_session_activate() with the session list lock held can reliably close the race window. 2026-01-31 not yet calculated CVE-2025-71182 https://git.kernel.org/stable/c/ebb0dfd718dd31c8d3600612ca4b7207ec3d923a
https://git.kernel.org/stable/c/c3a4316e3c746af415c0fd6c6d489ad13f53714d
https://git.kernel.org/stable/c/46ca9dc978923c5e1247a9e9519240ba7ace413c
https://git.kernel.org/stable/c/78d87b72cebe2a993fd5b017e9f14fb6278f2eae
https://git.kernel.org/stable/c/ba6f0d1832eeb5eb3a6dc5cb30e0f720b3cb3536
https://git.kernel.org/stable/c/79dd3f1d9dd310c2af89b09c71f34d93973b200f
https://git.kernel.org/stable/c/5d5602236f5db19e8b337a2cd87a90ace5ea776d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: always detect conflicting inodes when logging inode refs After rename exchanging (either with the rename exchange operation or regular renames in multiple non-atomic steps) two inodes and at least one of them is a directory, we can end up with a log tree that contains only of the inodes and after a power failure that can result in an attempt to delete the other inode when it should not because it was not deleted before the power failure. In some case that delete attempt fails when the target inode is a directory that contains a subvolume inside it, since the log replay code is not prepared to deal with directory entries that point to root items (only inode items). 1) We have directories "dir1" (inode A) and "dir2" (inode B) under the same parent directory; 2) We have a file (inode C) under directory "dir1" (inode A); 3) We have a subvolume inside directory "dir2" (inode B); 4) All these inodes were persisted in a past transaction and we are currently at transaction N; 5) We rename the file (inode C), so at btrfs_log_new_name() we update inode C's last_unlink_trans to N; 6) We get a rename exchange for "dir1" (inode A) and "dir2" (inode B), so after the exchange "dir1" is inode B and "dir2" is inode A. During the rename exchange we call btrfs_log_new_name() for inodes A and B, but because they are directories, we don't update their last_unlink_trans to N; 7) An fsync against the file (inode C) is done, and because its inode has a last_unlink_trans with a value of N we log its parent directory (inode A) (through btrfs_log_all_parents(), called from btrfs_log_inode_parent()). 8) So we end up with inode B not logged, which now has the old name of inode A. At copy_inode_items_to_log(), when logging inode A, we did not check if we had any conflicting inode to log because inode A has a generation lower than the current transaction (created in a past transaction); 9) After a power failure, when replaying the log tree, since we find that inode A has a new name that conflicts with the name of inode B in the fs tree, we attempt to delete inode B... this is wrong since that directory was never deleted before the power failure, and because there is a subvolume inside that directory, attempting to delete it will fail since replay_dir_deletes() and btrfs_unlink_inode() are not prepared to deal with dir items that point to roots instead of inodes. When that happens the mount fails and we get a stack trace like the following: [87.2314] BTRFS info (device dm-0): start tree-log replay [87.2318] BTRFS critical (device dm-0): failed to delete reference to subvol, root 5 inode 256 parent 259 [87.2332] ------------[ cut here ]------------ [87.2338] BTRFS: Transaction aborted (error -2) [87.2346] WARNING: CPU: 1 PID: 638968 at fs/btrfs/inode.c:4345 __btrfs_unlink_inode+0x416/0x440 [btrfs] [87.2368] Modules linked in: btrfs loop dm_thin_pool (...) [87.2470] CPU: 1 UID: 0 PID: 638968 Comm: mount Tainted: G W 6.18.0-rc7-btrfs-next-218+ #2 PREEMPT(full) [87.2489] Tainted: [W]=WARN [87.2494] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [87.2514] RIP: 0010:__btrfs_unlink_inode+0x416/0x440 [btrfs] [87.2538] Code: c0 89 04 24 (...) [87.2568] RSP: 0018:ffffc0e741f4b9b8 EFLAGS: 00010286 [87.2574] RAX: 0000000000000000 RBX: ffff9d3ec8a6cf60 RCX: 0000000000000000 [87.2582] RDX: 0000000000000002 RSI: ffffffff84ab45a1 RDI: 00000000ffffffff [87.2591] RBP: ffff9d3ec8a6ef20 R08: 0000000000000000 R09: ffffc0e741f4b840 [87.2599] R10: ffff9d45dc1fffa8 R11: 0000000000000003 R12: ffff9d3ee26d77e0 [87.2608] R13: ffffc0e741f4ba98 R14: ffff9d4458040800 R15: ffff9d44b6b7ca10 [87.2618] FS: 00007f7b9603a840(0000) GS:ffff9d4658982000(0000) knlGS:0000000000000000 [87. ---truncated--- 2026-01-31 not yet calculated CVE-2025-71183 https://git.kernel.org/stable/c/c7f0207db68d5a1b4af23acbef1a8e8ddc431ebb
https://git.kernel.org/stable/c/a63998cd6687c14b160dccb0bbcf281b2eb0dab3
https://git.kernel.org/stable/c/0c2413c69129f6ce60157f7b53d9ba880260400b
https://git.kernel.org/stable/c/d52af58dd463821c5c516aebb031a58934f696ea
https://git.kernel.org/stable/c/7ba0b6461bc4edb3005ea6e00cdae189bcf908a5
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: fix NULL dereference on root when tracing inode eviction When evicting an inode the first thing we do is to setup tracing for it, which implies fetching the root's id. But in btrfs_evict_inode() the root might be NULL, as implied in the next check that we do in btrfs_evict_inode(). Hence, we either should set the ->root_objectid to 0 in case the root is NULL, or we move tracing setup after checking that the root is not NULL. Setting the rootid to 0 at least gives us the possibility to trace this call even in the case when the root is NULL, so that's the solution taken here. 2026-01-31 not yet calculated CVE-2025-71184 https://git.kernel.org/stable/c/582ba48e4a4c06fef6bdcf4e57b7b9af660bbd0c
https://git.kernel.org/stable/c/99e057f3d3ef24b99a7b1d84e01dd1bd890098da
https://git.kernel.org/stable/c/f157dd661339fc6f5f2b574fe2429c43bd309534
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation Make sure to drop the reference taken when looking up the crossbar platform device during am335x route allocation. 2026-01-31 not yet calculated CVE-2025-71185 https://git.kernel.org/stable/c/6fdf168f57e331e148a1177a9b590a845c21b315
https://git.kernel.org/stable/c/f810132e825588fbad3cba940458c58bb7ec4d84
https://git.kernel.org/stable/c/30352277d8e09c972436f883a5efd1f1b763ac14
https://git.kernel.org/stable/c/4fc17b1c6d2e04ad13fd6c21cfbac68043ec03f9
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: dmaengine: stm32: dmamux: fix device leak on route allocation Make sure to drop the reference taken when looking up the DMA mux platform device during route allocation. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. 2026-01-31 not yet calculated CVE-2025-71186 https://git.kernel.org/stable/c/1a179ac01ff3993ab97e33cc77c316ed7415cda1
https://git.kernel.org/stable/c/2fb10259d4efb4367787b5ae9c94192e8a91c648
https://git.kernel.org/stable/c/3ef52d31cce8ba816739085a61efe07b63c6cf27
https://git.kernel.org/stable/c/dd6e4943889fb354efa3f700e42739da9bddb6ef
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: dmaengine: sh: rz-dmac: fix device leak on probe failure Make sure to drop the reference taken when looking up the ICU device during probe also on probe failures (e.g. probe deferral). 2026-01-31 not yet calculated CVE-2025-71187 https://git.kernel.org/stable/c/926d1666420c227eab50962a8622c1b8444720e8
https://git.kernel.org/stable/c/9fb490323997dcb6f749cd2660a17a39854600cd
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: dmaengine: lpc18xx-dmamux: fix device leak on route allocation Make sure to drop the reference taken when looking up the DMA mux platform device during route allocation. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. 2026-01-31 not yet calculated CVE-2025-71188 https://git.kernel.org/stable/c/9fba97baa520c9446df51a64708daf27c5a7ed32
https://git.kernel.org/stable/c/992eb8055a6e5dbb808672d20d68e60d5a89b12b
https://git.kernel.org/stable/c/1e47d80f6720f0224efd19bcf081d39637569c10
https://git.kernel.org/stable/c/d4d63059dee7e7cae0c4d9a532ed558bc90efb55
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: dmaengine: dw: dmamux: fix OF node leak on route allocation failure Make sure to drop the reference taken to the DMA master OF node also on late route allocation failures. 2026-01-31 not yet calculated CVE-2025-71189 https://git.kernel.org/stable/c/db7c79c1bbfb1b0184e78a17ac2bd0f2bc3134d1
https://git.kernel.org/stable/c/8f7a391211381ed2f6802032c78c7820d166bc49
https://git.kernel.org/stable/c/eabe40f8a53c29f531e92778ea243e379f4f7978
https://git.kernel.org/stable/c/ec25e60f9f95464aa11411db31d0906b3fb7b9f2
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: dmaengine: bcm-sba-raid: fix device leak on probe Make sure to drop the reference taken when looking up the mailbox device during probe on probe failures and on driver unbind. 2026-01-31 not yet calculated CVE-2025-71190 https://git.kernel.org/stable/c/c80ca7bdff158401440741bdcf9175bd8608580b
https://git.kernel.org/stable/c/db6f1d6d31711e73e6a214c73e6a8fb4cda0483d
https://git.kernel.org/stable/c/2ed1a9de1f2d727ccae5bc9cc7c63ee3519c0c8b
https://git.kernel.org/stable/c/7c3a46ebf15a9796b763a54272407fdbf945bed8
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: dmaengine: at_hdmac: fix device leak on of_dma_xlate() Make sure to drop the reference taken when looking up the DMA platform device during of_dma_xlate() when releasing channel resources. Note that commit 3832b78b3ec2 ("dmaengine: at_hdmac: add missing put_device() call in at_dma_xlate()") fixed the leak in a couple of error paths but the reference is still leaking on successful allocation. 2026-01-31 not yet calculated CVE-2025-71191 https://git.kernel.org/stable/c/987c71671367f42460689b78244d7b894c50999a
https://git.kernel.org/stable/c/6a86cf2c09e149d5718a5b7090545f7566da9334
https://git.kernel.org/stable/c/f3c23b7e941349505c3d40de2cc0acd93d9ac057
https://git.kernel.org/stable/c/b9074b2d7a230b6e28caa23165e9d8bc0677d333
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: perf: Ensure swevent hrtimer is properly destroyed With the change to hrtimer_try_to_cancel() in perf_swevent_cancel_hrtimer() it appears possible for the hrtimer to still be active by the time the event gets freed. Make sure the event does a full hrtimer_cancel() on the free path by installing a perf_event::destroy handler. 2026-01-28 not yet calculated CVE-2026-23014 https://git.kernel.org/stable/c/deee9dfb111ab00f9dfd46c0c7e36656b80f5235
https://git.kernel.org/stable/c/ff5860f5088e9076ebcccf05a6ca709d5935cfa9
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths The reference obtained by calling usb_get_dev() is not released in the gpio_mpsse_probe() error paths. Fix that by using device managed helper functions. Also remove the usb_put_dev() call in the disconnect function since now it will be released automatically. 2026-01-31 not yet calculated CVE-2026-23015 https://git.kernel.org/stable/c/7ea26e6dcabc270433b6ded2a1aee85b215d1b28
https://git.kernel.org/stable/c/1e876e5a0875e71e34148c9feb2eedd3bf6b2b43
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: inet: frags: drop fraglist conntrack references Jakub added a warning in nf_conntrack_cleanup_net_list() to make debugging leaked skbs/conntrack references more obvious. syzbot reports this as triggering, and I can also reproduce this via ip_defrag.sh selftest: conntrack cleanup blocked for 60s WARNING: net/netfilter/nf_conntrack_core.c:2512 [..] conntrack clenups gets stuck because there are skbs with still hold nf_conn references via their frag_list. net.core.skb_defer_max=0 makes the hang disappear. Eric Dumazet points out that skb_release_head_state() doesn't follow the fraglist. ip_defrag.sh can only reproduce this problem since commit 6471658dc66c ("udp: use skb_attempt_defer_free()"), but AFAICS this problem could happen with TCP as well if pmtu discovery is off. The relevant problem path for udp is: 1. netns emits fragmented packets 2. nf_defrag_v6_hook reassembles them (in output hook) 3. reassembled skb is tracked (skb owns nf_conn reference) 4. ip6_output refragments 5. refragmented packets also own nf_conn reference (ip6_fragment calls ip6_copy_metadata()) 6. on input path, nf_defrag_v6_hook skips defragmentation: the fragments already have skb->nf_conn attached 7. skbs are reassembled via ipv6_frag_rcv() 8. skb_consume_udp -> skb_attempt_defer_free() -> skb ends up in pcpu freelist, but still has nf_conn reference. Possible solutions: 1 let defrag engine drop nf_conn entry, OR 2 export kick_defer_list_purge() and call it from the conntrack netns exit callback, OR 3 add skb_has_frag_list() check to skb_attempt_defer_free() 2 & 3 also solve ip_defrag.sh hang but share same drawback: Such reassembled skbs, queued to socket, can prevent conntrack module removal until userspace has consumed the packet. While both tcp and udp stack do call nf_reset_ct() before placing skb on socket queue, that function doesn't iterate frag_list skbs. Therefore drop nf_conn entries when they are placed in defrag queue. Keep the nf_conn entry of the first (offset 0) skb so that reassembled skb retains nf_conn entry for sake of TX path. Note that fixes tag is incorrect; it points to the commit introducing the 'ip_defrag.sh reproducible problem': no need to backport this patch to every stable kernel. 2026-01-31 not yet calculated CVE-2026-23016 https://git.kernel.org/stable/c/088ca99dbb039c444c3ff987c5412a73f4f0cbf8
https://git.kernel.org/stable/c/2ef02ac38d3c17f34a00c4b267d961a8d4b45d1a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: idpf: fix error handling in the init_task on load If the init_task fails during a driver load, we end up without vports and netdevs, effectively failing the entire process. In that state a subsequent reset will result in a crash as the service task attempts to access uninitialized resources. Following trace is from an error in the init_task where the CREATE_VPORT (op 501) is rejected by the FW: [40922.763136] idpf 0000:83:00.0: Device HW Reset initiated [40924.449797] idpf 0000:83:00.0: Transaction failed (op 501) [40958.148190] idpf 0000:83:00.0: HW reset detected [40958.161202] BUG: kernel NULL pointer dereference, address: 00000000000000a8 ... [40958.168094] Workqueue: idpf-0000:83:00.0-vc_event idpf_vc_event_task [idpf] [40958.168865] RIP: 0010:idpf_vc_event_task+0x9b/0x350 [idpf] ... [40958.177932] Call Trace: [40958.178491] <TASK> [40958.179040] process_one_work+0x226/0x6d0 [40958.179609] worker_thread+0x19e/0x340 [40958.180158] ? __pfx_worker_thread+0x10/0x10 [40958.180702] kthread+0x10f/0x250 [40958.181238] ? __pfx_kthread+0x10/0x10 [40958.181774] ret_from_fork+0x251/0x2b0 [40958.182307] ? __pfx_kthread+0x10/0x10 [40958.182834] ret_from_fork_asm+0x1a/0x30 [40958.183370] </TASK> Fix the error handling in the init_task to make sure the service and mailbox tasks are disabled if the error happens during load. These are started in idpf_vc_core_init(), which spawns the init_task and has no way of knowing if it failed. If the error happens on reset, following successful driver load, the tasks can still run, as that will allow the netdevs to attempt recovery through another reset. Stop the PTP callbacks either way as those will be restarted by the call to idpf_vc_core_init() during a successful reset. 2026-01-31 not yet calculated CVE-2026-23017 https://git.kernel.org/stable/c/a514c374edcd33581cdcccf8faa7cc606a600319
https://git.kernel.org/stable/c/4d792219fe6f891b5b557a607ac8a0a14eda6e38
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: release path before initializing extent tree in btrfs_read_locked_inode() In btrfs_read_locked_inode() we are calling btrfs_init_file_extent_tree() while holding a path with a read locked leaf from a subvolume tree, and btrfs_init_file_extent_tree() may do a GFP_KERNEL allocation, which can trigger reclaim. This can create a circular lock dependency which lockdep warns about with the following splat: [6.1433] ====================================================== [6.1574] WARNING: possible circular locking dependency detected [6.1583] 6.18.0+ #4 Tainted: G U [6.1591] ------------------------------------------------------ [6.1599] kswapd0/117 is trying to acquire lock: [6.1606] ffff8d9b6333c5b8 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x39/0x2f0 [6.1625] but task is already holding lock: [6.1633] ffffffffa4ab8ce0 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat+0x195/0xc60 [6.1646] which lock already depends on the new lock. [6.1657] the existing dependency chain (in reverse order) is: [6.1667] -> #2 (fs_reclaim){+.+.}-{0:0}: [6.1677] fs_reclaim_acquire+0x9d/0xd0 [6.1685] __kmalloc_cache_noprof+0x59/0x750 [6.1694] btrfs_init_file_extent_tree+0x90/0x100 [6.1702] btrfs_read_locked_inode+0xc3/0x6b0 [6.1710] btrfs_iget+0xbb/0xf0 [6.1716] btrfs_lookup_dentry+0x3c5/0x8e0 [6.1724] btrfs_lookup+0x12/0x30 [6.1731] lookup_open.isra.0+0x1aa/0x6a0 [6.1739] path_openat+0x5f7/0xc60 [6.1746] do_filp_open+0xd6/0x180 [6.1753] do_sys_openat2+0x8b/0xe0 [6.1760] __x64_sys_openat+0x54/0xa0 [6.1768] do_syscall_64+0x97/0x3e0 [6.1776] entry_SYSCALL_64_after_hwframe+0x76/0x7e [6.1784] -> #1 (btrfs-tree-00){++++}-{3:3}: [6.1794] lock_release+0x127/0x2a0 [6.1801] up_read+0x1b/0x30 [6.1808] btrfs_search_slot+0x8e0/0xff0 [6.1817] btrfs_lookup_inode+0x52/0xd0 [6.1825] __btrfs_update_delayed_inode+0x73/0x520 [6.1833] btrfs_commit_inode_delayed_inode+0x11a/0x120 [6.1842] btrfs_log_inode+0x608/0x1aa0 [6.1849] btrfs_log_inode_parent+0x249/0xf80 [6.1857] btrfs_log_dentry_safe+0x3e/0x60 [6.1865] btrfs_sync_file+0x431/0x690 [6.1872] do_fsync+0x39/0x80 [6.1879] __x64_sys_fsync+0x13/0x20 [6.1887] do_syscall_64+0x97/0x3e0 [6.1894] entry_SYSCALL_64_after_hwframe+0x76/0x7e [6.1903] -> #0 (&delayed_node->mutex){+.+.}-{3:3}: [6.1913] __lock_acquire+0x15e9/0x2820 [6.1920] lock_acquire+0xc9/0x2d0 [6.1927] __mutex_lock+0xcc/0x10a0 [6.1934] __btrfs_release_delayed_node.part.0+0x39/0x2f0 [6.1944] btrfs_evict_inode+0x20b/0x4b0 [6.1952] evict+0x15a/0x2f0 [6.1958] prune_icache_sb+0x91/0xd0 [6.1966] super_cache_scan+0x150/0x1d0 [6.1974] do_shrink_slab+0x155/0x6f0 [6.1981] shrink_slab+0x48e/0x890 [6.1988] shrink_one+0x11a/0x1f0 [6.1995] shrink_node+0xbfd/0x1320 [6.1002] balance_pgdat+0x67f/0xc60 [6.1321] kswapd+0x1dc/0x3e0 [6.1643] kthread+0xff/0x240 [6.1965] ret_from_fork+0x223/0x280 [6.1287] ret_from_fork_asm+0x1a/0x30 [6.1616] other info that might help us debug this: [6.1561] Chain exists of: &delayed_node->mutex --> btrfs-tree-00 --> fs_reclaim [6.1503] Possible unsafe locking scenario: [6.1110] CPU0 CPU1 [6.1411] ---- ---- [6.1707] lock(fs_reclaim); [6.1998] lock(btrfs-tree-00); [6.1291] lock(fs_reclaim); [6.1581] lock(&del ---truncated--- 2026-01-31 not yet calculated CVE-2026-23018 https://git.kernel.org/stable/c/92a5590851144f034adc51fee55e6878ccac716e
https://git.kernel.org/stable/c/8731f2c50b0b1d2b58ed5b9671ef2c4bdc2f8347
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: marvell: prestera: fix NULL dereference on devlink_alloc() failure devlink_alloc() may return NULL on allocation failure, but prestera_devlink_alloc() unconditionally calls devlink_priv() on the returned pointer. This leads to a NULL pointer dereference if devlink allocation fails. Add a check for a NULL devlink pointer and return NULL early to avoid the crash. 2026-01-31 not yet calculated CVE-2026-23019 https://git.kernel.org/stable/c/8a4333b2818f0d853b43e139936c20659366e4a0
https://git.kernel.org/stable/c/325aea74be7e192b5c947c782da23b0d19a5fda2
https://git.kernel.org/stable/c/94e070cd50790317fba7787ae6006934b7edcb6f
https://git.kernel.org/stable/c/3950054c9512add0cc79ab7e72b6d2f9f675e25b
https://git.kernel.org/stable/c/326a4b7e61d01db3507f71c8bb5e85362f607064
https://git.kernel.org/stable/c/a428e0da1248c353557970848994f35fd3f005e2
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: 3com: 3c59x: fix possible null dereference in vortex_probe1() pdev can be null and free_ring: can be called in 1297 with a null pdev. 2026-01-31 not yet calculated CVE-2026-23020 https://git.kernel.org/stable/c/053ac9e37eee435e999277c0f1ef890dad6064bf
https://git.kernel.org/stable/c/6cff14b831dbdb32675b4c7904dcc3eeeaf47e9d
https://git.kernel.org/stable/c/606872c8e8bf96066730f6a2317502c5633c37f1
https://git.kernel.org/stable/c/28b2a805609699be7b90020ae7dccfb234be1ceb
https://git.kernel.org/stable/c/2f05f7737e16d9a40038cc1c38a96a3f7964898b
https://git.kernel.org/stable/c/d82796a57cc0dac1dbef19d913c8f02a8cc7b1a7
https://git.kernel.org/stable/c/a4e305ed60f7c41bbf9aabc16dd75267194e0de3
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: fix memory leak in update_eth_regs_async() When asynchronously writing to the device registers and if usb_submit_urb() fail, the code fail to release allocated to this point resources. 2026-01-31 not yet calculated CVE-2026-23021 https://git.kernel.org/stable/c/5397ea6d21c35a17707e201a60761bdee00bcc4e
https://git.kernel.org/stable/c/a40af9a2904a1ab8ce61866ebe2a894ef30754ba
https://git.kernel.org/stable/c/ac5d92d2826dec51e5d4c6854865bc5817277452
https://git.kernel.org/stable/c/93f18eaa190374e0f2d253e3b1a65cee19a7abe6
https://git.kernel.org/stable/c/471dfb97599eec74e0476046b3ef8e7037f27b34
https://git.kernel.org/stable/c/ce6eef731aba23a988decea1df3b08cf978f7b01
https://git.kernel.org/stable/c/afa27621a28af317523e0836dad430bec551eb54
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: idpf: fix memory leak in idpf_vc_core_deinit() Make sure to free hw->lan_regs. Reported by kmemleak during reset: unreferenced object 0xff1b913d02a936c0 (size 96): comm "kworker/u258:14", pid 2174, jiffies 4294958305 hex dump (first 32 bytes): 00 00 00 c0 a8 ba 2d ff 00 00 00 00 00 00 00 00 ......-......... 00 00 40 08 00 00 00 00 00 00 25 b3 a8 ba 2d ff ..@.......%...-. backtrace (crc 36063c4f): __kmalloc_noprof+0x48f/0x890 idpf_vc_core_init+0x6ce/0x9b0 [idpf] idpf_vc_event_task+0x1fb/0x350 [idpf] process_one_work+0x226/0x6d0 worker_thread+0x19e/0x340 kthread+0x10f/0x250 ret_from_fork+0x251/0x2b0 ret_from_fork_asm+0x1a/0x30 2026-01-31 not yet calculated CVE-2026-23022 https://git.kernel.org/stable/c/23391db8a00c23854915b8b72ec1aa10080aa540
https://git.kernel.org/stable/c/e111cbc4adf9f9974eed040aeece7e17460f6bff
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: idpf: fix memory leak in idpf_vport_rel() Free vport->rx_ptype_lkup in idpf_vport_rel() to avoid leaking memory during a reset. Reported by kmemleak: unreferenced object 0xff450acac838a000 (size 4096): comm "kworker/u258:5", pid 7732, jiffies 4296830044 hex dump (first 32 bytes): 00 00 00 00 00 10 00 00 00 10 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 ................ backtrace (crc 3da81902): __kmalloc_cache_noprof+0x469/0x7a0 idpf_send_get_rx_ptype_msg+0x90/0x570 [idpf] idpf_init_task+0x1ec/0x8d0 [idpf] process_one_work+0x226/0x6d0 worker_thread+0x19e/0x340 kthread+0x10f/0x250 ret_from_fork+0x251/0x2b0 ret_from_fork_asm+0x1a/0x30 2026-01-31 not yet calculated CVE-2026-23023 https://git.kernel.org/stable/c/a4212d6732e3f674c6cc7d0b642f276d827e8f94
https://git.kernel.org/stable/c/ec602a2a4071eb956d656ba968c58fee09f0622d
https://git.kernel.org/stable/c/f6242b354605faff263ca45882b148200915a3f6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: idpf: fix memory leak of flow steer list on rmmod The flow steering list maintains entries that are added and removed as ethtool creates and deletes flow steering rules. Module removal with active entries causes memory leak as the list is not properly cleaned up. Prevent this by iterating through the remaining entries in the list and freeing the associated memory during module removal. Add a spinlock (flow_steer_list_lock) to protect the list access from multiple threads. 2026-01-31 not yet calculated CVE-2026-23024 https://git.kernel.org/stable/c/1aedff70a5e97628eaaf17b169774cb6a45a1dc5
https://git.kernel.org/stable/c/f9841bd28b600526ca4f6713b0ca49bf7bb98452
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: prevent pcp corruption with SMP=n The kernel test robot has reported: BUG: spinlock trylock failure on UP on CPU#0, kcompactd0/28 lock: 0xffff888807e35ef0, .magic: dead4ead, .owner: kcompactd0/28, .owner_cpu: 0 CPU: 0 UID: 0 PID: 28 Comm: kcompactd0 Not tainted 6.18.0-rc5-00127-ga06157804399 #1 PREEMPT 8cc09ef94dcec767faa911515ce9e609c45db470 Call Trace: <IRQ> __dump_stack (lib/dump_stack.c:95) dump_stack_lvl (lib/dump_stack.c:123) dump_stack (lib/dump_stack.c:130) spin_dump (kernel/locking/spinlock_debug.c:71) do_raw_spin_trylock (kernel/locking/spinlock_debug.c:?) _raw_spin_trylock (include/linux/spinlock_api_smp.h:89 kernel/locking/spinlock.c:138) __free_frozen_pages (mm/page_alloc.c:2973) ___free_pages (mm/page_alloc.c:5295) __free_pages (mm/page_alloc.c:5334) tlb_remove_table_rcu (include/linux/mm.h:? include/linux/mm.h:3122 include/asm-generic/tlb.h:220 mm/mmu_gather.c:227 mm/mmu_gather.c:290) ? __cfi_tlb_remove_table_rcu (mm/mmu_gather.c:289) ? rcu_core (kernel/rcu/tree.c:?) rcu_core (include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607 kernel/rcu/tree.c:2861) rcu_core_si (kernel/rcu/tree.c:2879) handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:623) __irq_exit_rcu (arch/x86/include/asm/jump_label.h:36 kernel/softirq.c:725) irq_exit_rcu (kernel/softirq.c:741) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1052) </IRQ> <TASK> RIP: 0010:_raw_spin_unlock_irqrestore (arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194) free_pcppages_bulk (mm/page_alloc.c:1494) drain_pages_zone (include/linux/spinlock.h:391 mm/page_alloc.c:2632) __drain_all_pages (mm/page_alloc.c:2731) drain_all_pages (mm/page_alloc.c:2747) kcompactd (mm/compaction.c:3115) kthread (kernel/kthread.c:465) ? __cfi_kcompactd (mm/compaction.c:3166) ? __cfi_kthread (kernel/kthread.c:412) ret_from_fork (arch/x86/kernel/process.c:164) ? __cfi_kthread (kernel/kthread.c:412) ret_from_fork_asm (arch/x86/entry/entry_64.S:255) </TASK> Matthew has analyzed the report and identified that in drain_page_zone() we are in a section protected by spin_lock(&pcp->lock) and then get an interrupt that attempts spin_trylock() on the same lock. The code is designed to work this way without disabling IRQs and occasionally fail the trylock with a fallback. However, the SMP=n spinlock implementation assumes spin_trylock() will always succeed, and thus it's normally a no-op. Here the enabled lock debugging catches the problem, but otherwise it could cause a corruption of the pcp structure. The problem has been introduced by commit 574907741599 ("mm/page_alloc: leave IRQs enabled for per-cpu page allocations"). The pcp locking scheme recognizes the need for disabling IRQs to prevent nesting spin_trylock() sections on SMP=n, but the need to prevent the nesting in spin_lock() has not been recognized. Fix it by introducing local wrappers that change the spin_lock() to spin_lock_iqsave() with SMP=n and use them in all places that do spin_lock(&pcp->lock). [vbabka@suse.cz: add pcp_ prefix to the spin_lock_irqsave wrappers, per Steven] 2026-01-31 not yet calculated CVE-2026-23025 https://git.kernel.org/stable/c/4a04ff9cd816e7346fcc8126f00ed80481f6569d
https://git.kernel.org/stable/c/df63d31e9ae02e2f6cd96147779e4ed7cd0e75f6
https://git.kernel.org/stable/c/3098f8f7c7b0686c74827aec42a2c45e69801ff8
https://git.kernel.org/stable/c/038a102535eb49e10e93eafac54352fcc5d78847
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config() Fix a memory leak in gpi_peripheral_config() where the original memory pointed to by gchan->config could be lost if krealloc() fails. The issue occurs when: 1. gchan->config points to previously allocated memory 2. krealloc() fails and returns NULL 3. The function directly assigns NULL to gchan->config, losing the reference to the original memory 4. The original memory becomes unreachable and cannot be freed Fix this by using a temporary variable to hold the krealloc() result and only updating gchan->config when the allocation succeeds. Found via static analysis and code review. 2026-01-31 not yet calculated CVE-2026-23026 https://git.kernel.org/stable/c/6bf4ef078fd11910988889a6c0b3698d2e0c89af
https://git.kernel.org/stable/c/01b1d781394fc9b83015e3a3cd46b17bda842bd8
https://git.kernel.org/stable/c/55a67ba5ac4cebfd54cc8305d4d57a0f1dfe6a85
https://git.kernel.org/stable/c/3f747004bbd641131d9396d87b5d2d3d1e182728
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Fix kvm_device leak in kvm_pch_pic_destroy() In kvm_ioctl_create_device(), kvm_device has allocated memory, kvm_device->destroy() seems to be supposed to free its kvm_device struct, but kvm_pch_pic_destroy() is not currently doing this, that would lead to a memory leak. So, fix it. 2026-01-31 not yet calculated CVE-2026-23027 https://git.kernel.org/stable/c/fc53a66227af08d868face4b33fa8b2e1ba187ed
https://git.kernel.org/stable/c/1cf342a7c3adc5877837b53bbceb5cc9eff60bbf
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Fix kvm_device leak in kvm_ipi_destroy() In kvm_ioctl_create_device(), kvm_device has allocated memory, kvm_device->destroy() seems to be supposed to free its kvm_device struct, but kvm_ipi_destroy() is not currently doing this, that would lead to a memory leak. So, fix it. 2026-01-31 not yet calculated CVE-2026-23028 https://git.kernel.org/stable/c/5defcc2f9c22e6e09b5be68234ad10f4ba0292b7
https://git.kernel.org/stable/c/0bf58cb7288a4d3de6d8ecbb3a65928a9362bf21
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Fix kvm_device leak in kvm_eiointc_destroy() In kvm_ioctl_create_device(), kvm_device has allocated memory, kvm_device->destroy() seems to be supposed to free its kvm_device struct, but kvm_eiointc_destroy() is not currently doing this, that would lead to a memory leak. So, fix it. 2026-01-31 not yet calculated CVE-2026-23029 https://git.kernel.org/stable/c/e94ec9661c5820d157d2cc4b6cf4a6ab656a7b4d
https://git.kernel.org/stable/c/7d8553fc75aefa7ec936af0cf8443ff90b51732e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe() The for_each_available_child_of_node() calls of_node_put() to release child_np in each success loop. After breaking from the loop with the child_np has been released, the code will jump to the put_child label and will call the of_node_put() again if the devm_request_threaded_irq() fails. These cause a double free bug. Fix by returning directly to avoid the duplicate of_node_put(). 2026-01-31 not yet calculated CVE-2026-23030 https://git.kernel.org/stable/c/ebae26dd15140b840cf65be5e1c0daee949ba70b
https://git.kernel.org/stable/c/027d42b97e6eb827c3438ebc09bab7efaee9270d
https://git.kernel.org/stable/c/efe92ee7a111fe0f4d75f3ed6b7e3f86322279d5
https://git.kernel.org/stable/c/e07dea3de508cd6950c937cec42de7603190e1ca
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak In gs_can_open(), the URBs for USB-in transfers are allocated, added to the parent->rx_submitted anchor and submitted. In the complete callback gs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In gs_can_close() the URBs are freed by calling usb_kill_anchored_urbs(parent->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in gs_can_close(). Fix the memory leak by anchoring the URB in the gs_usb_receive_bulk_callback() to the parent->rx_submitted anchor. 2026-01-31 not yet calculated CVE-2026-23031 https://git.kernel.org/stable/c/f905bcfa971edb89e398c98957838d8c6381c0c7
https://git.kernel.org/stable/c/08624b7206ddb9148eeffc2384ebda2c47b6d1e9
https://git.kernel.org/stable/c/9f669a38ca70839229b7ba0f851820850a2fe1f7
https://git.kernel.org/stable/c/7352e1d5932a0e777e39fa4b619801191f57e603
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: null_blk: fix kmemleak by releasing references to fault configfs items When CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled, the null-blk driver sets up fault injection support by creating the timeout_inject, requeue_inject, and init_hctx_fault_inject configfs items as children of the top-level nullbX configfs group. However, when the nullbX device is removed, the references taken to these fault-config configfs items are not released. As a result, kmemleak reports a memory leak, for example: unreferenced object 0xc00000021ff25c40 (size 32): comm "mkdir", pid 10665, jiffies 4322121578 hex dump (first 32 bytes): 69 6e 69 74 5f 68 63 74 78 5f 66 61 75 6c 74 5f init_hctx_fault_ 69 6e 6a 65 63 74 00 88 00 00 00 00 00 00 00 00 inject.......... backtrace (crc 1a018c86): __kmalloc_node_track_caller_noprof+0x494/0xbd8 kvasprintf+0x74/0xf4 config_item_set_name+0xf0/0x104 config_group_init_type_name+0x48/0xfc fault_config_init+0x48/0xf0 0xc0080000180559e4 configfs_mkdir+0x304/0x814 vfs_mkdir+0x49c/0x604 do_mkdirat+0x314/0x3d0 sys_mkdir+0xa0/0xd8 system_call_exception+0x1b0/0x4f0 system_call_vectored_common+0x15c/0x2ec Fix this by explicitly releasing the references to the fault-config configfs items when dropping the reference to the top-level nullbX configfs group. 2026-01-31 not yet calculated CVE-2026-23032 https://git.kernel.org/stable/c/1a3286edf4d48ce37f8982ff3c3b65159a5ecbb2
https://git.kernel.org/stable/c/d59ba448ccd595d5d65e197216cf781a87db2b28
https://git.kernel.org/stable/c/f1718da051282698aa8fa150bebb9724f6389fda
https://git.kernel.org/stable/c/40b94ec7edbbb867c4e26a1a43d2b898f04b93c5
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: dmaengine: omap-dma: fix dma_pool resource leak in error paths The dma_pool created by dma_pool_create() is not destroyed when dma_async_device_register() or of_dma_controller_register() fails, causing a resource leak in the probe error paths. Add dma_pool_destroy() in both error paths to properly release the allocated dma_pool resource. 2026-01-31 not yet calculated CVE-2026-23033 https://git.kernel.org/stable/c/88a9483f093bbb9263dcf21bc7fdb5132e5de88d
https://git.kernel.org/stable/c/4b93712e96be17029bd22787f2e39feb0e73272c
https://git.kernel.org/stable/c/829b00481734dd54e72f755fd6584bce6fbffbb0
https://git.kernel.org/stable/c/2e1136acf8a8887c29f52e35a77b537309af321f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/userq: Fix fence reference leak on queue teardown v2 The user mode queue keeps a pointer to the most recent fence in userq->last_fence. This pointer holds an extra dma_fence reference. When the queue is destroyed, we free the fence driver and its xarray, but we forgot to drop the last_fence reference. Because of the missing dma_fence_put(), the last fence object can stay alive when the driver unloads. This leaves an allocated object in the amdgpu_userq_fence slab cache and triggers This is visible during driver unload as: BUG amdgpu_userq_fence: Objects remaining on __kmem_cache_shutdown() kmem_cache_destroy amdgpu_userq_fence: Slab cache still has objects Call Trace: kmem_cache_destroy amdgpu_userq_fence_slab_fini amdgpu_exit __do_sys_delete_module Fix this by putting userq->last_fence and clearing the pointer during amdgpu_userq_fence_driver_free(). This makes sure the fence reference is released and the slab cache is empty when the module exits. v2: Update to only release userq->last_fence with dma_fence_put() (Christian) (cherry picked from commit 8e051e38a8d45caf6a866d4ff842105b577953bb) 2026-01-31 not yet calculated CVE-2026-23034 https://git.kernel.org/stable/c/e1a30e1ab33fc522785d04bbf7e1b13a5c5c9175
https://git.kernel.org/stable/c/b2426a211dba6432e32a2e70e9183c6e134475c6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails. Pass netdev to mlx5e_destroy_netdev() to guarantee it will work on a valid netdev. On mlx5e_remove: Check validity of priv->profile, before attempting to cleanup any resources that might be not there. This fixes a kernel oops in mlx5e_remove when switchdev mode fails due to change profile failure. $ devlink dev eswitch set pci/0000:00:03.0 mode switchdev Error: mlx5_core: Failed setting eswitch to offloads. dmesg: workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 $ devlink dev reload pci/0000:00:03.0 ==> oops BUG: kernel NULL pointer dereference, address: 0000000000000370 PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 15 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc5+ #115 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:mlx5e_dcbnl_dscp_app+0x23/0x100 RSP: 0018:ffffc9000083f8b8 EFLAGS: 00010286 RAX: ffff8881126fc380 RBX: ffff8881015ac400 RCX: ffffffff826ffc45 RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8881035109c0 RBP: ffff8881035109c0 R08: ffff888101e3e838 R09: ffff888100264e10 R10: ffffc9000083f898 R11: ffffc9000083f8a0 R12: ffff888101b921a0 R13: ffff888101b921a0 R14: ffff8881015ac9a0 R15: ffff8881015ac400 FS: 00007f789a3c8740(0000) GS:ffff88856aa59000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000370 CR3: 000000010b6c0001 CR4: 0000000000370ef0 Call Trace: <TASK> mlx5e_remove+0x57/0x110 device_release_driver_internal+0x19c/0x200 bus_remove_device+0xc6/0x130 device_del+0x160/0x3d0 ? devl_param_driverinit_value_get+0x2d/0x90 mlx5_detach_device+0x89/0xe0 mlx5_unload_one_devl_locked+0x3a/0x70 mlx5_devlink_reload_down+0xc8/0x220 devlink_reload+0x7d/0x260 devlink_nl_reload_doit+0x45b/0x5a0 genl_family_rcv_msg_doit+0xe8/0x140 2026-01-31 not yet calculated CVE-2026-23035 https://git.kernel.org/stable/c/a7625bacaa8c8c2bfcde6dd6d1397bd63ad82b02
https://git.kernel.org/stable/c/66a25f6b7c0bfd84e6d27b536f5d24116dbd52da
https://git.kernel.org/stable/c/4ef8512e1427111f7ba92b4a847d181ff0aeec42
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: release path before iget_failed() in btrfs_read_locked_inode() In btrfs_read_locked_inode() if we fail to lookup the inode, we jump to the 'out' label with a path that has a read locked leaf and then we call iget_failed(). This can result in a ABBA deadlock, since iget_failed() triggers inode eviction and that causes the release of the delayed inode, which must lock the delayed inode's mutex, and a task updating a delayed inode starts by taking the node's mutex and then modifying the inode's subvolume btree. Syzbot reported the following lockdep splat for this: ====================================================== WARNING: possible circular locking dependency detected syzkaller #0 Not tainted ------------------------------------------------------ btrfs-cleaner/8725 is trying to acquire lock: ffff0000d6826a48 (&delayed_node->mutex){+.+.}-{4:4}, at: __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290 but task is already holding lock: ffff0000dbeba878 (btrfs-tree-00){++++}-{4:4}, at: btrfs_tree_read_lock_nested+0x44/0x2ec fs/btrfs/locking.c:145 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (btrfs-tree-00){++++}-{4:4}: __lock_release kernel/locking/lockdep.c:5574 [inline] lock_release+0x198/0x39c kernel/locking/lockdep.c:5889 up_read+0x24/0x3c kernel/locking/rwsem.c:1632 btrfs_tree_read_unlock+0xdc/0x298 fs/btrfs/locking.c:169 btrfs_tree_unlock_rw fs/btrfs/locking.h:218 [inline] btrfs_search_slot+0xa6c/0x223c fs/btrfs/ctree.c:2133 btrfs_lookup_inode+0xd8/0x38c fs/btrfs/inode-item.c:395 __btrfs_update_delayed_inode+0x124/0xed0 fs/btrfs/delayed-inode.c:1032 btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1118 [inline] __btrfs_commit_inode_delayed_items+0x15f8/0x1748 fs/btrfs/delayed-inode.c:1141 __btrfs_run_delayed_items+0x1ac/0x514 fs/btrfs/delayed-inode.c:1176 btrfs_run_delayed_items_nr+0x28/0x38 fs/btrfs/delayed-inode.c:1219 flush_space+0x26c/0xb68 fs/btrfs/space-info.c:828 do_async_reclaim_metadata_space+0x110/0x364 fs/btrfs/space-info.c:1158 btrfs_async_reclaim_metadata_space+0x90/0xd8 fs/btrfs/space-info.c:1226 process_one_work+0x7e8/0x155c kernel/workqueue.c:3263 process_scheduled_works kernel/workqueue.c:3346 [inline] worker_thread+0x958/0xed8 kernel/workqueue.c:3427 kthread+0x5fc/0x75c kernel/kthread.c:463 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844 -> #0 (&delayed_node->mutex){+.+.}-{4:4}: check_prev_add kernel/locking/lockdep.c:3165 [inline] check_prevs_add kernel/locking/lockdep.c:3284 [inline] validate_chain kernel/locking/lockdep.c:3908 [inline] __lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237 lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868 __mutex_lock_common+0x1d0/0x2678 kernel/locking/mutex.c:598 __mutex_lock kernel/locking/mutex.c:760 [inline] mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812 __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290 btrfs_release_delayed_node fs/btrfs/delayed-inode.c:315 [inline] btrfs_remove_delayed_node+0x68/0x84 fs/btrfs/delayed-inode.c:1326 btrfs_evict_inode+0x578/0xe28 fs/btrfs/inode.c:5587 evict+0x414/0x928 fs/inode.c:810 iput_final fs/inode.c:1914 [inline] iput+0x95c/0xad4 fs/inode.c:1966 iget_failed+0xec/0x134 fs/bad_inode.c:248 btrfs_read_locked_inode+0xe1c/0x1234 fs/btrfs/inode.c:4101 btrfs_iget+0x1b0/0x264 fs/btrfs/inode.c:5837 btrfs_run_defrag_inode fs/btrfs/defrag.c:237 [inline] btrfs_run_defrag_inodes+0x520/0xdc4 fs/btrf ---truncated--- 2026-01-31 not yet calculated CVE-2026-23036 https://git.kernel.org/stable/c/65241e3ddda60b53a4ee3ae12721fc9ee21d5827
https://git.kernel.org/stable/c/1e1f2055ad5a7a5d548789b334a4473a7665c418
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: can: etas_es58x: allow partial RX URB allocation to succeed When es58x_alloc_rx_urbs() fails to allocate the requested number of URBs but succeeds in allocating some, it returns an error code. This causes es58x_open() to return early, skipping the cleanup label 'free_urbs', which leads to the anchored URBs being leaked. As pointed out by maintainer Vincent Mailhol, the driver is designed to handle partial URB allocation gracefully. Therefore, partial allocation should not be treated as a fatal error. Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been allocated, restoring the intended behavior and preventing the leak in es58x_open(). 2026-01-31 not yet calculated CVE-2026-23037 https://git.kernel.org/stable/c/611e839d2d552416b498ed5593e10670f61fcd4d
https://git.kernel.org/stable/c/ba45e3d6b02c97dbb4578fbae7027fd66f3caa10
https://git.kernel.org/stable/c/6c5124a60989051799037834f0a1a4b428718157
https://git.kernel.org/stable/c/b1979778e98569c1e78c2c7f16bb24d76541ab00
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node() In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails, the function jumps to the out_scratch label without freeing the already allocated dsaddrs list, leading to a memory leak. Fix this by jumping to the out_err_drain_dsaddrs label, which properly frees the dsaddrs list before cleaning up other resources. 2026-01-31 not yet calculated CVE-2026-23038 https://git.kernel.org/stable/c/869862056e100973e76ce9f5f1b01837771b7722
https://git.kernel.org/stable/c/86da7efd12295a7e2b4abde5e5984c821edd938f
https://git.kernel.org/stable/c/ed5d3f2f6885eb99f729e6ffd946e3aa058bd3eb
https://git.kernel.org/stable/c/0c728083654f0066f5e10a1d2b0bd0907af19a58
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/gud: fix NULL fb and crtc dereferences on USB disconnect On disconnect drm_atomic_helper_disable_all() is called which sets both the fb and crtc for a plane to NULL before invoking a commit. This causes a kernel oops on every display disconnect. Add guards for those dereferences. 2026-01-31 not yet calculated CVE-2026-23039 https://git.kernel.org/stable/c/a255ec07f91d4c73a361a28b7a3d82f5710245f1
https://git.kernel.org/stable/c/dc2d5ddb193e363187bae2ad358245642d2721fb
 
liuyueyi--quick-media Improper Control of Generation of Code ('Code Injection') vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/png modules). This vulnerability is associated with program files PNGImageEncoder.Java. This issue affects quick-media: before v1.0. 2026-01-27 not yet calculated CVE-2026-24806 https://github.com/liuyueyi/quick-media/pull/122
 
liuyueyi--quick-media Improper Verification of Cryptographic Signature vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/util modules). This vulnerability is associated with program files SeekableOutputStream.Java. This issue affects quick-media: before v1.0. 2026-01-27 not yet calculated CVE-2026-24807 https://github.com/liuyueyi/quick-media/pull/123
 
LiveHelperChat--LiveHelperChat Stored Cross-Site Scripting (XSS) vulnerability in the PDF file upload functionality of Live Helper Chat, versions prior to 4.72. An attacker can upload a malicious PDF file containing an XSS payload, which will be executed in the user's context when they download and open the file via the link generated by the application. The vulnerability allows arbitrary JavaScript code to be executed in the user's local context. 2026-01-28 not yet calculated CVE-2026-0483 https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-vulnerability-livehelperchat
 
lobehub--lobe-chat LobeHub is an open source human-and-AI-agent network. Prior to version 1.143.3, the file upload feature in `Knowledge Base > File Upload` does not validate the integrity of the upload request, allowing users to intercept and modify the request parameters. As a result, it is possible to create arbitrary files in abnormal or unintended paths. In addition, since `lobechat.com` relies on the size parameter from the request to calculate file usage, an attacker can manipulate this value to misrepresent the actual file size, such as uploading a `1 GB` file while reporting it as `10 MB`, or falsely declaring a `10 MB` file as a `1 GB` file. By manipulating the size value provided in the client upload request, it is possible to bypass the monthly upload quota enforced by the server and continuously upload files beyond the intended storage and traffic limits. This abuse can result in a discrepancy between actual resource consumption and billing calculations, causing direct financial impact to the service operator. Additionally, exhaustion of storage or related resources may lead to degraded service availability, including failed uploads, delayed content delivery, or temporary suspension of upload functionality for legitimate users. A single malicious user can also negatively affect other users or projects sharing the same subscription plan, effectively causing an indirect denial of service (DoS). Furthermore, excessive and unaccounted-for uploads can distort monitoring metrics and overload downstream systems such as backup processes, malware scanning, and media processing pipelines, ultimately undermining overall operational stability and service reliability. Version 1.143.3 contains a patch for the issue. 2026-01-30 not yet calculated CVE-2026-23835 https://github.com/lobehub/lobehub/security/advisories/GHSA-wrrr-8jcv-wjf5
 
Meta--react-server-dom-webpack Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code. Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components. 2026-01-26 not yet calculated CVE-2026-23864 https://www.facebook.com/security/advisories/cve-2026-23864
 
Micron Technology, Inc.--Crucial Storage Executive Crucial Storage Executive installer versions prior to 11.08.082025.00 contain a DLL preloading vulnerability. During installation, the installer runs with elevated privileges and loads Windows DLLs using an uncontrolled search path, which can cause a malicious DLL placed alongside the installer to be loaded instead of the intended system library. A local attacker who can convince a victim to run the installer from a directory containing the attacker-supplied DLL can achieve arbitrary code execution with administrator privileges. 2026-01-26 not yet calculated CVE-2025-71178 https://eu.crucial.com/support/storage-executive
https://www.vulncheck.com/advisories/crucial-storage-executive-installer-dll-preloading-lpe
 
Mintplex-Labs--anything-llm AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticated users via the `/api/setup-complete` endpoint. Leakage of QdrantApiKey allows an unauthenticated attacker full read/write access to the Qdrant vector database instance used by AnythingLLM. Since Qdrant often stores the core knowledge base for RAG in AnythingLLM, this can lead to complete compromise of the semantic search / retrieval functionality and indirect leakage of confidential uploaded documents. Version 1.10.0 patches the issue. 2026-01-26 not yet calculated CVE-2026-24477 https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-gm94-qc2p-xcwf
 
monkey--monkey An out-of-bounds read in the http_parser_transfer_encoding_chunked function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted POST request to the server. 2026-01-29 not yet calculated CVE-2025-63649 https://github.com/monkey/monkey/issues/426
https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md
 
monkey--monkey An out-of-bounds read in the mk_ptr_to_buf in mk_core function (mk_memory.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. 2026-01-29 not yet calculated CVE-2025-63650 https://github.com/monkey/monkey/issues/426
https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md
 
monkey--monkey A use-after-free in the mk_string_char_search function (mk_core/mk_string.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. 2026-01-29 not yet calculated CVE-2025-63651 https://github.com/monkey/monkey/issues/426
https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md
 
monkey--monkey A use-after-free in the mk_http_request_end function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. 2026-01-29 not yet calculated CVE-2025-63652 https://github.com/monkey/monkey/issues/426
https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md
 
monkey--monkey An out-of-bounds read in the mk_vhost_fdt_close function (mk_server/mk_vhost.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. 2026-01-29 not yet calculated CVE-2025-63653 https://github.com/monkey/monkey/issues/426
https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md
 
monkey--monkey A NULL pointer dereference in the mk_http_range_parse function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. 2026-01-29 not yet calculated CVE-2025-63655 https://github.com/monkey/monkey/issues/427
https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md
 
monkey--monkey An out-of-bounds read in the header_cmp function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. 2026-01-29 not yet calculated CVE-2025-63656 https://github.com/monkey/monkey/issues/426
https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md
 
monkey--monkey An out-of-bounds read in the mk_mimetype_find function (mk_server/mk_mimetype.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. 2026-01-29 not yet calculated CVE-2025-63657 https://github.com/monkey/monkey/issues/426
https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md
 
monkey--monkey A stack overflow in the mk_http_index_lookup function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. 2026-01-29 not yet calculated CVE-2025-63658 https://github.com/monkey/monkey/issues/427
https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md
 
Mozilla--Firefox Mitigation bypass in the Privacy: Anti-Tracking component. This vulnerability affects Firefox < 147.0.2. 2026-01-27 not yet calculated CVE-2026-24868 https://bugzilla.mozilla.org/show_bug.cgi?id=2007302
https://www.mozilla.org/security/advisories/mfsa2026-06/
 
Mozilla--Firefox Use-after-free in the Layout: Scrolling and Overflow component. This vulnerability affects Firefox < 147.0.2. 2026-01-27 not yet calculated CVE-2026-24869 https://bugzilla.mozilla.org/show_bug.cgi?id=2008698
https://www.mozilla.org/security/advisories/mfsa2026-06/
 
Mozilla--Thunderbird When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If the user had additionally allowed loading of the remote content referenced by the outer email message, and the email was crafted by the sender using a combination of CSS rules and fonts and animations, then it was possible to extract the secret contents of the email. This vulnerability affects Thunderbird < 147.0.1 and Thunderbird < 140.7.1. 2026-01-28 not yet calculated CVE-2026-0818 https://bugzilla.mozilla.org/show_bug.cgi?id=1881530
https://www.mozilla.org/security/advisories/mfsa2026-07/
https://www.mozilla.org/security/advisories/mfsa2026-08/
 
MuntashirAkon--AppManager Integer Overflow or Wraparound vulnerability in MuntashirAkon AppManager (app/src/main/java/org/apache/commons/compress/archivers/tar modules). This vulnerability is associated with program files TarUtils.Java. This issue affects AppManager: before 4.0.4. 2026-01-27 not yet calculated CVE-2026-1464 https://github.com/MuntashirAkon/AppManager/pull/1598
 
N3uron--N3uron An issue in N3uron Web User Interface v.1.21.7-240207.1047 allows a remote attacker to escalate privileges via the password hashing on the client side using the MD5 algorithm over a predictable string format 2026-01-29 not yet calculated CVE-2025-69929 http://n3uron.com
https://www.linkedin.com/in/joselabreu
https://gist.github.com/JoseAbreu28/67f5d8bfc7ba1def526efeda5771a244
 
NAVER--billboard.js billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding. 2026-01-28 not yet calculated CVE-2026-1513 https://cve.naver.com/detail/cve-2026-1513.html
 
neka-nat--cupoch Out-of-bounds Write vulnerability in neka-nat cupoch (third_party/libjpeg-turbo/libjpeg-turbo modules). This vulnerability is associated with program files tjbench.C. This issue affects cupoch. 2026-01-27 not yet calculated CVE-2026-24797 https://github.com/neka-nat/cupoch/pull/138
 
NETGEAR--NETGEAR products Some end of service NETGEAR products provide "TelnetEnable" functionality, which allows a magic packet to activate telnet service on the box. 2026-01-30 not yet calculated CVE-2026-24714 https://www.netgear.com/about/eos/
https://jvn.jp/en/jp/JVN46722282/
 
nocodb--nocodb NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an unvalidated redirect (open redirect) vulnerability exists in NocoDB's login flow due to missing validation of the `continueAfterSignIn` parameter. During authentication, NocoDB processes a user-controlled redirect value and conditionally performs client-side navigation without enforcing any restrictions on the destination's origin, domain or protocol. This allows attackers to redirect authenticated users to arbitrary external websites after login. This vulnerability enables phishing attacks by leveraging user trust in the legitimate NocoDB login flow. While it does not directly expose credentials or bypass authentication, it increases the likelihood of credential theft through social engineering. The issue does not allow arbitrary code execution or privilege escalation, but it undermines authentication integrity. Version 0.301.0 fixes the issue. 2026-01-28 not yet calculated CVE-2026-24768 https://github.com/nocodb/nocodb/security/advisories/GHSA-3hmw-8mw3-rmpj
 
nocodb--nocodb NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting (XSS) vulnerability exists in NocoDB's attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and executed in the browsers of other users who view the attachment. Because the malicious payload is stored server-side and executed under the application's origin, successful exploitation can lead to account compromise, data exfiltration and unauthorized actions performed on behalf of affected users. Version 0.301.0 patches the issue. 2026-01-28 not yet calculated CVE-2026-24769 https://github.com/nocodb/nocodb/security/advisories/GHSA-q5c6-h22r-qpwr
 
Node.js--Node.js The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js. 2026-01-28 not yet calculated CVE-2025-57283 https://www.npmjs.com
https://gist.github.com/Dremig/b639c61541dd1482007dc7a5cd7fefb1
 
nvm-sh--nvm A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'. 2026-01-29 not yet calculated CVE-2026-1665 Fix commit
Release v0.40.4
nvm GitHub repository
https://github.com/nvm-sh/nvm/pull/3380
 
OctoPrint--OctoPrint OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up to and including 1.11.5 are affected by a (theoretical) timing attack vulnerability that allows API key extraction over the network. Due to using character based comparison that short-circuits on the first mismatched character during API key validation, rather than a cryptographical method with static runtime regardless of the point of mismatch, an attacker with network based access to an affected OctoPrint could extract API keys valid on the instance by measuring the response times of the denied access responses and guess an API key character by character. The vulnerability is patched in version 1.11.6. The likelihood of this attack actually working is highly dependent on the network's latency, noise and similar parameters. An actual proof of concept was not achieved so far. Still, as always administrators are advised to not expose their OctoPrint instance on hostile networks, especially not on the public Internet. 2026-01-27 not yet calculated CVE-2026-23892 https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-xg4x-w2j3-57h6
https://github.com/OctoPrint/OctoPrint/commit/249fd80ab01bc4b7dabedff768230a0fb5d01a8c
https://github.com/OctoPrint/OctoPrint/releases/tag/1.11.6
 
OneFlow--OneFlow A shape mismatch vulnerability in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via supplying crafted tensor shapes. 2026-01-28 not yet calculated CVE-2025-65886 https://github.com/Daisy2ang
http://oneflow.com
https://github.com/Oneflow-Inc/oneflow
https://github.com/Oneflow-Inc/oneflow/issues/10666
 
OneFlow--OneFlow A division-by-zero vulnerability in the flow.floor_divide() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input tensor with zero. 2026-01-28 not yet calculated CVE-2025-65887 https://github.com/Daisy2ang
http://oneflow.com
https://github.com/Oneflow-Inc/oneflow
https://github.com/Oneflow-Inc/oneflow/issues/10665
 
OneFlow--OneFlow A dimension validation flaw in the flow.empty() component of OneFlow 0.9.0 allows attackers to cause a Denial of Service (DoS) via a negative or excessively large dimension value. 2026-01-28 not yet calculated CVE-2025-65888 https://github.com/Daisy2ang
http://oneflow.com
https://github.com/Oneflow-Inc/oneflow
https://github.com/Oneflow-Inc/oneflow/issues/10664
 
OneFlow--OneFlow A type validation flaw in the flow.dstack() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-01-28 not yet calculated CVE-2025-65889 https://github.com/Daisy2ang
http://oneflow.com
https://github.com/Oneflow-Inc/oneflow
https://github.com/Oneflow-Inc/oneflow/issues/10663
 
OneFlow--OneFlow A device-ID validation flaw in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) by calling flow.cuda.synchronize() with an invalid or out-of-range GPU device index. 2026-01-28 not yet calculated CVE-2025-65890 https://github.com/Daisy2ang
http://oneflow.com
https://github.com/Oneflow-Inc/oneflow
https://github.com/Oneflow-Inc/oneflow/issues/10662
 
OneFlow--OneFlow A GPU device-ID validation flaw in OneFlow v0.9.0 allows attackers to trigger a Denial of Dervice (DoS) by invoking flow.cuda.get_device_properties() with an invalid or negative device index. 2026-01-28 not yet calculated CVE-2025-65891 https://github.com/Daisy2ang
http://oneflow.com
https://github.com/Oneflow-Inc/oneflow
https://github.com/Oneflow-Inc/oneflow/issues/10661
 
OneFlow--OneFlow A GPU device-ID validation flaw in the flow.cuda.get_device_capability() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted device ID. 2026-01-28 not yet calculated CVE-2025-70999 https://github.com/Daisy2ang
http://oneflow.com
https://github.com/Oneflow-Inc/oneflow/issues/10660
 
OneFlow--OneFlow An issue in the flow.cuda.BoolTensor component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-01-28 not yet calculated CVE-2025-71000 https://github.com/Daisy2ang
http://oneflow.com
https://github.com/Oneflow-Inc/oneflow/issues/10659
 
OneFlow--OneFlow A segmentation violation in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-01-28 not yet calculated CVE-2025-71001 https://github.com/Daisy2ang
http://oneflow.com
https://github.com/Oneflow-Inc/oneflow/issues/10658
 
OneFlow--OneFlow A floating-point exception (FPE) in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-01-28 not yet calculated CVE-2025-71002 https://github.com/Daisy2ang
https://github.com/Oneflow-Inc/oneflow/issues/10657
 
OneFlow--OneFlow An input validation vulnerability in the flow.arange() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-01-28 not yet calculated CVE-2025-71003 https://github.com/Daisy2ang
https://github.com/Oneflow-Inc/oneflow/issues/10656
 
OneFlow--OneFlow A segmentation violation in the oneflow.logical_or component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-01-28 not yet calculated CVE-2025-71004 https://github.com/Daisy2ang
https://github.com/Oneflow-Inc/oneflow/issues/10655
 
OneFlow--OneFlow A floating point exception (FPE) in the oneflow.view component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-01-28 not yet calculated CVE-2025-71005 https://github.com/Daisy2ang
https://github.com/Oneflow-Inc/oneflow/issues/10654
 
OneFlow--OneFlow A floating point exception (FPE) in the oneflow.reshape component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-01-28 not yet calculated CVE-2025-71006 https://github.com/Daisy2ang
https://github.com/Oneflow-Inc/oneflow/issues/10653
 
OneFlow--OneFlow An input validation vulnerability in the oneflow.index_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-01-28 not yet calculated CVE-2025-71007 https://github.com/Daisy2ang
https://github.com/Oneflow-Inc/oneflow/issues/10652
 
OneFlow--OneFlow A segmentation violation in the oneflow._oneflow_internal.autograd.Function.FunctionCtx.mark_non_differentiable component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-01-29 not yet calculated CVE-2025-71008 https://github.com/Daisy2ang
https://github.com/Oneflow-Inc/oneflow/issues/10651
 
OneFlow--OneFlow An input validation vulnerability in the flow.scatter/flow.scatter_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted indices. 2026-01-29 not yet calculated CVE-2025-71009 https://github.com/Daisy2ang
https://github.com/Oneflow-Inc/oneflow/issues/10649
 
OneFlow--OneFlow An input validation vulnerability in the flow.Tensor.new_empty/flow.Tensor.new_ones/flow.Tensor.new_zeros component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-01-29 not yet calculated CVE-2025-71011 https://github.com/Daisy2ang
https://github.com/Oneflow-Inc/oneflow/issues/10648
 
openemr--openemr OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a vulnerability where sensitive data is unintentionally revealed to unauthorized parties. Contents of Clinical Notes and Care Plan, where an encounter has Sensitivity=high, can be viewed and changed by users who do not have Sensitivities=high privilege. Version 7.0.4 fixes the issue. 2026-01-27 not yet calculated CVE-2025-54373 https://github.com/openemr/openemr/security/advisories/GHSA-739g-6m63-p7fr
https://github.com/openemr/openemr/commit/aef3d1c85d9ff2f28d3d361d2818aee79b6dcd33
 
OpenSSL--OpenSSL Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification. Impact summary: The stack buffer overflow or NULL pointer dereference may cause a crash leading to Denial of Service for an application that parses untrusted PKCS#12 files. The buffer overflow may also potentially enable code execution depending on platform mitigations. When verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2 salt and keylength parameters from the file are used without validation. If the value of keylength exceeds the size of the fixed stack buffer used for the derived key (64 bytes), the key derivation will overflow the buffer. The overflow length is attacker-controlled. Also, if the salt parameter is not an OCTET STRING type this can lead to invalid or NULL pointer dereference. Exploiting this issue requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For this reason the issue was assessed as Moderate severity. The FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as PKCS#12 processing is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue. OpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do not support PBMAC1 in PKCS#12. 2026-01-27 not yet calculated CVE-2025-11187 OpenSSL Advisory
3.6.1 git commit
3.5.5 git commit
3.4.4 git commit
 
OpenSSL--OpenSSL Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. 2026-01-27 not yet calculated CVE-2025-15467 OpenSSL Advisory
3.6.1 git commit
3.5.5 git commit
3.4.4 git commit
3.3.6 git commit
3.0.19 git commit
 
OpenSSL--OpenSSL Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service. Some applications call SSL_CIPHER_find() from the client_hello_cb callback on the cipher ID received from the peer. If this is done with an SSL object implementing the QUIC protocol, NULL pointer dereference will happen if the examined cipher ID is unknown or unsupported. As it is not very common to call this function in applications using the QUIC protocol and the worst outcome is Denial of Service, the issue was assessed as Low severity. The vulnerable code was introduced in the 3.2 version with the addition of the QUIC protocol support. The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the QUIC implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue. OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue. 2026-01-27 not yet calculated CVE-2025-15468 OpenSSL Advisory
3.6.1 git commit
3.5.5 git commit
3.4.4 git commit
3.3.6 git commit
 
OpenSSL--OpenSSL Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error. Impact summary: A user signing or verifying files larger than 16MB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16MB remains unauthenticated. When the 'openssl dgst' command is used with algorithms that only support one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input is buffered with a 16MB limit. If the input exceeds this limit, the tool silently truncates to the first 16MB and continues without signaling an error, contrary to what the documentation states. This creates an integrity gap where trailing bytes can be modified without detection if both signing and verification are performed using the same affected codepath. The issue affects only the command-line tool behavior. Verifiers that process the full message using library APIs will reject the signature, so the risk primarily affects workflows that both sign and verify with the affected 'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and library users are unaffected. The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the command-line tools are outside the OpenSSL FIPS module boundary. OpenSSL 3.5 and 3.6 are vulnerable to this issue. OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue. 2026-01-27 not yet calculated CVE-2025-15469 OpenSSL Advisory
3.6.1 git commit
3.5.5 git commit
 
OpenSSL--OpenSSL Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. Impact summary: An attacker can cause per-connection memory allocations of up to approximately 22 MiB and extra CPU work, potentially leading to service degradation or resource exhaustion (Denial of Service). In affected configurations, the peer-supplied uncompressed certificate length from a CompressedCertificate message is used to grow a heap buffer prior to decompression. This length is not bounded by the max_cert_list setting, which otherwise constrains certificate message sizes. An attacker can exploit this to cause large per-connection allocations followed by handshake failure. No memory corruption or information disclosure occurs. This issue only affects builds where TLS 1.3 certificate compression is compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression algorithm (brotli, zlib, or zstd) is available, and where the compression extension is negotiated. Both clients receiving a server CompressedCertificate and servers in mutual TLS scenarios receiving a client CompressedCertificate are affected. Servers that do not request client certificates are not vulnerable to client-initiated attacks. Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION to disable receiving compressed certificates. The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the TLS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue. OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue. 2026-01-27 not yet calculated CVE-2025-66199 OpenSSL Advisory
3.6.1 git commit
3.5.5 git commit
3.4.4 git commit
3.3.6 git commit
 
OpenSSL--OpenSSL Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application. The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. 2026-01-27 not yet calculated CVE-2025-68160 OpenSSL Advisory
3.6.1 git commit
3.5.5 git commit
3.4.4 git commit
3.3.6 git commit
3.0.19 git commit
 
OpenSSL--OpenSSL Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue. 2026-01-27 not yet calculated CVE-2025-69418 OpenSSL Advisory
3.6.1 git commit
3.5.5 git commit
3.4.4 git commit
3.3.6 git commit
3.0.19 git commit
 
OpenSSL--OpenSSL Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. 2026-01-27 not yet calculated CVE-2025-69419 OpenSSL Advisory
3.6.1 git commit
3.5.5 git commit
3.4.4 git commit
3.3.6 git commit
3.0.19 git commit
 
OpenSSL--OpenSSL Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. 2026-01-27 not yet calculated CVE-2025-69420 OpenSSL Advisory
3.6.1 git commit
3.5.5 git commit
3.4.4 git commit
3.3.6 git commit
3.0.19 git commit
 
OpenSSL--OpenSSL Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. 2026-01-27 not yet calculated CVE-2025-69421 OpenSSL Advisory
3.6.1 git commit
3.5.5 git commit
3.4.4 git commit
3.3.6 git commit
3.0.19 git commit
 
OpenSSL--OpenSSL Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. 2026-01-27 not yet calculated CVE-2026-22795 OpenSSL Advisory
3.6.1 git commit
3.5.5 git commit
3.4.4 git commit
3.3.6 git commit
3.0.19 git commit
 
OpenSSL--OpenSSL Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. 2026-01-27 not yet calculated CVE-2026-22796 OpenSSL Advisory
3.6.1 git commit
3.5.5 git commit
3.4.4 git commit
3.3.6 git commit
3.0.19 git commit
 
OpenText--Vertica Cleartext Storage of Sensitive Information vulnerability in OpenTextâ„¢ Vertica allows Retrieve Embedded Sensitive Data.   The vulnerability could read Vertica agent plaintext apikey. This issue affects Vertica versions: 23.X, 24.X, 25.X. 2026-01-30 not yet calculated CVE-2024-9432 https://portal.microfocus.com/s/article/KM000044937?language=en_US
 
OpenVPN--OpenVPN Insufficient epoch key slot processing in OpenVPN 2.7_alpha1 through 2.7_rc5 allows remote authenticated users to trigger an assert resulting in a denial of service 2026-01-30 not yet calculated CVE-2025-15497 https://community.openvpn.net/Security%20Announcements/CVE-2025-15497
https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00156.html
 
opf--openproject OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability in OpenProject's repository diff download endpoint (`/projects/:project_id/repository/diff.diff`) when rendering a single revision via git show. By supplying a specially crafted rev value (for example, `rev=--output=/tmp/poc.txt)`, an attacker can inject git show command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the `:browse_repository` permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git show output (commit metadata and patch), but overwriting application or configuration files still leads to data loss and denial of service, impacting integrity and availability. The issue has been fixed in OpenProject 17.0.2 and 16.6.6. 2026-01-28 not yet calculated CVE-2026-24685 https://github.com/opf/openproject/security/advisories/GHSA-74p5-9pr3-r6pw
 
orval-labs--orval Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ('), double quotes (") and so on, it is still possible to achieve code injection using only a limited set of characters that are currently not escaped. The vulnerability lies in the fact that the application can be forced to execute arbitrary JavaScript using characters such as []()!+. By using a technique known as JSFuck, an attacker can bypass the current sanitization logic and run arbitrary code without needing any alphanumeric characters or quotes. Version 7.21.0 and 8.2.0 contain an updated fix. 2026-01-30 not yet calculated CVE-2026-25141 https://github.com/orval-labs/orval/security/advisories/GHSA-gch2-phqh-fg9q
https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv
https://github.com/orval-labs/orval/blob/02211fc413524be340ba9ace866a2ef68845ca7c/packages/core/src/utils/string.ts#L227
https://github.com/orval-labs/orval/releases/tag/v7.21.0
https://github.com/orval-labs/orval/releases/tag/v8.2.0
 
Phala-Network--dcap-qvl dcap-qvl implements the quote verification logic for DCAP (Data Center Attestation Primitives). A vulnerability present in versions prior to 0.3.9 involves a critical gap in the cryptographic verification process within the dcap-qvl. The library fetches QE Identity collateral (including qe_identity, qe_identity_signature, and qe_identity_issuer_chain) from the PCCS. However, it skips to verify the QE Identity signature against its certificate chain and does not enforce policy constraints on the QE Report. An attacker can forge the QE Identity data to whitelist a malicious or non-Intel Quoting Enclave. This allows the attacker to forge the QE and sign untrusted quotes that the verifier will accept as valid. Effectively, this bypasses the entire remote attestation security model, as the verifier can no longer trust the entity responsible for signing the quotes. All deployments utilizing the dcap-qvl library for SGX or TDX quote verification are affected. The vulnerability has been patched in dcap-qvl version 0.3.9. The fix implements the missing cryptographic verification for the QE Identity signature and enforces the required checks for MRSIGNER, ISVPRODID, and ISVSVN against the QE Report. Users of the `@phala/dcap-qvl-node` and `@phala/dcap-qvl-web` packages should switch to the pure JavaScript implementation, `@phala/dcap-qvl`. There are no known workarounds for this vulnerability. Users must upgrade to the patched version to ensure that QE Identity collateral is properly verified. 2026-01-26 not yet calculated CVE-2026-22696 https://github.com/Phala-Network/dcap-qvl/security/advisories/GHSA-796p-j2gh-9m2q
 
pilgrimage233--Minecraft-Rcon-Manage Improper Control of Generation of Code ('Code Injection') vulnerability in pilgrimage233 Minecraft-Rcon-Manage. This issue affects Minecraft-Rcon-Manage: before 3.0. 2026-01-27 not yet calculated CVE-2026-24871 https://github.com/pilgrimage233/Minecraft-Rcon-Manage/pull/13
 
Pix-Link--LV-WR21Q Pix-Link LV-WR21Q does not enforce any form of authentication for endpoint /goform/getHomePageInfo. Remote unauthenticated attacker is able to use this endpoint to e.g: retrieve cleartext password to the access point. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. 2026-01-27 not yet calculated CVE-2025-12386 https://cert.pl/en/posts/2026/01/CVE-2025-12386
https://www.pix-link.com/lv-wr21q
https://github.com/wcyb/security_research
 
Pix-Link--LV-WR21Q A vulnerability in the Pix-Link LV-WR21Q router's language module allows remote attackers to trigger a denial of service (DoS) by sending a specially crafted HTTP POST request containing non-existing language parameter. This renders the server unable to serve correct lang.js file, which causes administrator panel to not work, resulting in DoS until the language settings is reverted to a correct value. The Denial of Service affects only the administrator panel and does not affect other router functionalities. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. 2026-01-27 not yet calculated CVE-2025-12387 https://cert.pl/en/posts/2026/01/CVE-2025-12386
https://www.pix-link.com/lv-wr21q
https://github.com/wcyb/security_research
 
pnpm--pnpm pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. The vulnerability only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected. The issue impacts developers installing local/file dependencies andCI/CD pipelines installing git dependencies. It can lead to credential theft via symlinks to `~/.aws/credentials`, `~/.npmrc`, `~/.ssh/id_rsa`. Version 10.28.2 contains a patch. 2026-01-26 not yet calculated CVE-2026-24056 https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw
https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f
https://github.com/pnpm/pnpm/releases/tag/v10.28.2
 
pnpm--pnpm pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. This issue only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). Version 10.28.2 contains a patch. 2026-01-26 not yet calculated CVE-2026-24131 https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq
https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943
https://github.com/pnpm/pnpm/releases/tag/v10.28.2
 
PodcastGenerator--PodcastGenerator A Stored cross-site scripting (XSS) vulnerability in 'Create New Live Item' in PodcastGenerator 3.2.9 allows remote attackers to inject arbitrary script or HTML via the 'TITLE', 'SHORT DESCRIPTION' and 'LONG DESCRIPTION' parameters. The saved payload gets executed on 'View All Live Items' and 'Live Stream' pages. 2026-01-28 not yet calculated CVE-2025-70336 https://github.com/PodcastGenerator/PodcastGenerator
https://github.com/aryasahil96-manu/CVE-Disclosures/blob/main/CVE-2025-70336
 
podman-desktop--podman-desktop Podman Desktop is a graphical tool for developing on containers and Kubernetes. A critical authentication bypass vulnerability in Podman Desktop prior to version 1.25.1 allows any extension to completely circumvent permission checks and gain unauthorized access to all authentication sessions. The `isAccessAllowed()` function unconditionally returns `true`, enabling malicious extensions to impersonate any user, hijack authentication sessions, and access sensitive resources without authorization. This vulnerability affects all versions of Podman Desktop. Version 1.25.1 contains a patch for the issue. 2026-01-28 not yet calculated CVE-2026-24835 https://github.com/podman-desktop/podman-desktop/security/advisories/GHSA-v3fx-qg34-6g9m
https://drive.google.com/file/d/1ib4RG34mGHDlXeyib8L2j9L5rEDxuDM5/view?usp=sharing
 
praydog--REFramework An issue from the component luaG_runerror in dependencies/lua/src/ldebug.c in praydog/REFramework version before 1.5.5 leads to a heap-buffer overflow when a recursive error occurs. 2026-01-27 not yet calculated CVE-2026-24809 https://github.com/praydog/REFramework/pull/1320
 
praydog--UEVR Out-of-bounds Write vulnerability in praydog UEVR (dependencies/lua/src modules). This vulnerability is associated with program files ldebug.C, lvm.C. This issue affects UEVR: before 1.05. 2026-01-27 not yet calculated CVE-2026-24817 https://github.com/praydog/UEVR/pull/336
 
praydog--UEVR Out-of-bounds Read vulnerability in praydog UEVR (dependencies/lua/src modules). This vulnerability is associated with program files lparser.C. This issue affects UEVR: before 1.05. 2026-01-27 not yet calculated CVE-2026-24818 https://github.com/praydog/UEVR/pull/337
 
Progress Software--Chef Inspec Chef InSpec up to version 5.23 creates named pipes with overly permissive default Windows access controls. A local attacker may interfere with the pipe connection process and exploit the insufficient access restrictions to assume the InSpec execution context, potentially resulting in elevated privileges or operational disruption. This issue affects Chef Inspec: through 5.23. 2026-01-30 not yet calculated CVE-2025-6723 https://docs.chef.io/inspec/
 
pwncollege--dojo pwn.college DOJO is an education platform for learning cybersecurity. Prior to commit e33da14449a5abcff507e554f66e2141d6683b0a, missing sandboxing on `/workspace/*` routes allows challenge authors to inject arbitrary javascript which runs on the same origin as `http[:]//dojo[.]website`. This is a sandbox escape leading to arbitrary javascript execution as the dojo's origin. A challenge author can craft a page that executes any dangerous actions that the user could. Version e33da14449a5abcff507e554f66e2141d6683b0a patches the issue. 2026-01-29 not yet calculated CVE-2026-25117 https://github.com/pwncollege/dojo/security/advisories/GHSA-wvcf-9xm8-7mrg
https://github.com/pwncollege/dojo/commit/e33da14449a5abcff507e554f66e2141d6683b0a
 
py-pdf--pypdf pypdf is a free and open-source pure-python PDF library. An attacker who uses an infinite loop vulnerability that is present in versions prior to 6.6.2 can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. This has been fixed in pypdf 6.6.2. If projects cannot upgrade yet, consider applying the changes from PR #3610 manually. 2026-01-27 not yet calculated CVE-2026-24688 https://github.com/py-pdf/pypdf/security/advisories/GHSA-2q4j-m29v-hq73
https://github.com/py-pdf/pypdf/pull/3610
https://github.com/py-pdf/pypdf/commit/b1282f8dcdc1a7b41ceab6740ffddfdf31b1fec1
https://github.com/py-pdf/pypdf/releases/tag/6.6.2
 
qgis--QGIS QGIS is a free, open source, cross platform geographical information system (GIS) The repository contains a GitHub Actions workflow called "pre-commit checks" that, before commit 76a693cd91650f9b4e83edac525e5e4f90d954e9, was vulnerable to remote code execution and repository compromise because it used the `pull_request_target` trigger and then checked out and executed untrusted pull request code in a privileged context. Workflows triggered by `pull_request_target` ran with the base repository's credentials and access to secrets. If these workflows then checked out and executed code from the head of an external pull request (which could have been attacker controlled), the attacker could have executed arbitrary commands with elevated privileges. This insecure pattern has been documented as a security risk by GitHub and security researchers. Commit 76a693cd91650f9b4e83edac525e5e4f90d954e9 removed the vulnerable code. 2026-01-27 not yet calculated CVE-2026-24480 https://github.com/qgis/QGIS/security/advisories/GHSA-7h99-4f97-h6rw
https://github.com/qgis/QGIS/commit/76a693cd91650f9b4e83edac525e5e4f90d954e9
 
Quatuor--Evaluacin de Desempeo (EDD) An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'txAny' in '/evaluacion_competencias_autoeval_list.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. 2026-01-27 not yet calculated CVE-2026-1472 https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation
 
Quatuor--Evaluacin de Desempeo (EDD) An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_competencias_evalua.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. 2026-01-27 not yet calculated CVE-2026-1473 https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation
 
Quatuor--Evaluacin de Desempeo (EDD) An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' and 'Id_evaluacion' en '/evaluacion_inicio.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. 2026-01-27 not yet calculated CVE-2026-1474 https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation
 
Quatuor--Evaluacin de Desempeo (EDD) An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_acciones_evalua.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. 2026-01-27 not yet calculated CVE-2026-1475 https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation
 
Quatuor--Evaluacin de Desempeo (EDD) An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_acciones_ver_auto.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. 2026-01-27 not yet calculated CVE-2026-1476 https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation
 
Quatuor--Evaluacin de Desempeo (EDD) An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' and 'Id_evaluacion' in '/evaluacion_competencias_evalua_old.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. 2026-01-27 not yet calculated CVE-2026-1477 https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation
 
Quatuor--Evaluacin de Desempeo (EDD) An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' and 'Id_evaluacion' in '/evaluacion_hca_evalua.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. 2026-01-27 not yet calculated CVE-2026-1478 https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation
 
Quatuor--Evaluacin de Desempeo (EDD) An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameters 'Id_usuario' and 'Id_evaluacion' in '/evaluacion_hca_ver_auto.asp', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. 2026-01-27 not yet calculated CVE-2026-1479 https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation
 
Quatuor--Evaluacin de Desempeo (EDD) An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_objetivos_anyo_sig_evalua.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. 2026-01-27 not yet calculated CVE-2026-1480 https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation
 
Quatuor--Evaluacin de Desempeo (EDD) An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_objetivos_anyo_sig_ver_auto.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. 2026-01-27 not yet calculated CVE-2026-1481 https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation
 
Quatuor--Evaluacin de Desempeo (EDD) An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_evaluacion' in '/evaluacion_objetivos_evalua_definido.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. 2026-01-27 not yet calculated CVE-2026-1482 https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation
 
Quatuor--Evaluacin de Desempeo (EDD) An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_objetivos_ver_auto.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. 2026-01-27 not yet calculated CVE-2026-1483 https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation
 
Rails--activestorage # Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allow for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters. Impact ------ This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor. Vulnerable code will look something similar to this: ``` <%= image_tag blob.variant(params[:t] => params[:v]) %> ``` Where the transformation method or its arguments are untrusted arbitrary input. All users running an affected release should either upgrade or use one of the workarounds immediately. Workarounds ----------- Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous. Strict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed. Credits ------- Thank you [lio346](https://hackerone.com/lio346) for reporting this! 2026-01-30 not yet calculated CVE-2025-24293 https://github.com/advisories/GHSA-r4mg-4433-c7g3
 
Ralim--IronOS Vulnerability in Ralim IronOS (source/Core/BSP/Pinecilv2/bl_mcu_sdk/components/ble/ble_stack/common/tinycrypt/source modules). This vulnerability is associated with program files ecc_dsa.C. This issue affects IronOS: before v2.23-rc3. 2026-01-27 not yet calculated CVE-2026-24801 https://github.com/Ralim/IronOS/pull/2087
 
RawTherapee--RawTherapee Integer Overflow or Wraparound vulnerability in RawTherapee (rtengine modules). This vulnerability is associated with program files dcraw.Cc. This issue affects RawTherapee: through 5.11. 2026-01-27 not yet calculated CVE-2026-24808 https://github.com/RawTherapee/RawTherapee/pull/7359
 
Red Hat--Red Hat Enterprise Linux 10 A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection. 2026-01-26 not yet calculated CVE-2025-9615 https://access.redhat.com/security/cve/CVE-2025-9615
RHBZ#2391503
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1809
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2324
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2327
 
rethinkdb--rethinkdb Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in rethinkdb (src/cjson modules). This vulnerability is associated with program files cJSON.Cc. This issue affects rethinkdb: through v2.4.4. 2026-01-27 not yet calculated CVE-2026-24810 https://github.com/rethinkdb/rethinkdb/pull/7163
 
RLE NOVA--PlanManager Stored Cross-Site Scripting (XSS) in RLE NOVA's PlanManager. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by injecting malicious payload through the 'comment' and 'brand' parameters in '/index.php'. The payload is stored by the application and subsequently displayed without proper sanitization when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. 2026-01-29 not yet calculated CVE-2026-1469 https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-rle-novas-planmanager
 
root-project--root Vulnerability in root-project root (builtins/zlib modules). This vulnerability is associated with program files inffast.C. This issue affects root. 2026-01-27 not yet calculated CVE-2026-24811 https://github.com/root-project/root/pull/18526
 
root-project--root Vulnerability in root-project root (builtins/zlib modules). This vulnerability is associated with program files inftrees.C. This issue affects root: through 6.36.00-rc1. 2026-01-27 not yet calculated CVE-2026-24812 https://github.com/root-project/root/pull/18527
 
Schneider Electric--EcoStruxure Process Expert CWE-276: Incorrect Default Permissions vulnerability exists that could cause privilege escalation through the reverse shell when one or more executable service binaries are modified in the installation folder by a local user with normal privilege upon service restart. 2026-01-29 not yet calculated CVE-2025-13905 https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-02.pdf
 
shaarli--Shaarli Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a malicious tag which starting with `"` prematurely ends the `<input>` tag on the start page and allows an attacker to add arbitrary html leading to a possible XSS attack. Version 0.16.0 fixes the issue. 2026-01-26 not yet calculated CVE-2026-24476 https://github.com/shaarli/Shaarli/security/advisories/GHSA-g3xq-mj52-f8pg
https://github.com/shaarli/Shaarli/commit/b854c789289c4b0dfbb7c1e5793bae7d8f94e063
 
sharpred--deepHas deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8. 2026-01-29 not yet calculated CVE-2026-25047 https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27
https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465
 
Shenzhen Tenda Technology Co., Ltd.--W30E V2 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain an authorization flaw in the user management API that allows a low-privileged authenticated user to change the administrator account password. By sending a crafted request directly to the backend endpoint, an attacker can bypass role-based restrictions enforced by the web interface and obtain full administrative privileges. 2026-01-26 not yet calculated CVE-2026-24428 https://www.tendacn.com/product/W30E
https://www.vulncheck.com/advisories/tenda-w30e-v2-incorrect-authorization-allows-administrator-password-change
 
Shenzhen Tenda Technology Co., Ltd.--W30E V2 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) ship with a predefined default password for a built-in authentication account that is not required to be changed during initial configuration. An attacker can leverage these default credentials to gain authenticated access to the management interface. 2026-01-26 not yet calculated CVE-2026-24429 https://www.tendacn.com/product/W30E
https://www.vulncheck.com/advisories/tenda-w30e-v2-hardcoded-default-password-for-built-in-account
 
Shenzhen Tenda Technology Co., Ltd.--W30E V2 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) disclose sensitive account credentials in cleartext within HTTP responses generated by the maintenance interface. Because the management interface is accessible over unencrypted HTTP by default, credentials may be exposed to network-based interception. 2026-01-26 not yet calculated CVE-2026-24430 https://www.tendacn.com/product/W30E
https://www.vulncheck.com/advisories/tenda-w30e-v2-http-responses-expose-plaintext-credentials
 
Shenzhen Tenda Technology Co., Ltd.--W30E V2 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) display stored user account passwords in plaintext within the administrative web interface. Any user with access to the affected management pages can directly view credentials. 2026-01-26 not yet calculated CVE-2026-24431 https://www.tendacn.com/product/W30E
https://www.vulncheck.com/advisories/tenda-w30e-v2-missing-csrf-protections-for-administrative-actions
 
Shenzhen Tenda Technology Co., Ltd.--W30E V2 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) lack cross-site request forgery (CSRF) protections on administrative endpoints, including those used to change administrator account credentials. As a result, an attacker can craft malicious requests that, when triggered by an authenticated user's browser, modify administrative passwords and other configuration settings. 2026-01-26 not yet calculated CVE-2026-24432 https://www.tendacn.com/product/W30E
https://www.vulncheck.com/advisories/tenda-w30e-v2-missing-csrf-protections-for-administrative-actions
 
Shenzhen Tenda Technology Co., Ltd.--W30E V2 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain a stored cross-site scripting vulnerability in the user creation functionality. Insufficient input validation allows attacker-controlled script content to be stored and later executed when administrative users access the affected management pages. 2026-01-26 not yet calculated CVE-2026-24433 https://www.tendacn.com/product/W30E
https://www.vulncheck.com/advisories/tenda-w30e-v2-stored-xss-via-user-name-field
 
Shenzhen Tenda Technology Co., Ltd.--W30E V2 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) implement an insecure Cross-Origin Resource Sharing (CORS) policy on authenticated administrative endpoints. The device sets Access-Control-Allow-Origin: * in combination with Access-Control-Allow-Credentials: true, allowing attacker-controlled origins to issue credentialed cross-origin requests. 2026-01-26 not yet calculated CVE-2026-24435 https://www.tendacn.com/product/W30E
https://www.vulncheck.com/advisories/tenda-w30e-v2-permissive-cors-allows-cross-origin-data-access
 
Shenzhen Tenda Technology Co., Ltd.--W30E V2 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) do not enforce rate limiting or account lockout mechanisms on authentication endpoints. This allows attackers to perform unrestricted brute-force attempts against administrative credentials. 2026-01-26 not yet calculated CVE-2026-24436 https://www.tendacn.com/product/W30E
https://www.vulncheck.com/advisories/tenda-w30e-v2-lacks-rate-limiting-on-authentication
 
Shenzhen Tenda Technology Co., Ltd.--W30E V2 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) serve sensitive administrative content without appropriate cache-control directives. As a result, browsers may store credential-bearing responses locally, exposing them to subsequent unauthorized access. 2026-01-26 not yet calculated CVE-2026-24437 https://www.tendacn.com/product/W30E
https://www.vulncheck.com/advisories/tenda-w30e-v2-missing-cache-controls-for-credential-bearing-pages
 
Shenzhen Tenda Technology Co., Ltd.--W30E V2 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) fail to include the X-Content-Type-Options: nosniff response header on web management interfaces. As a result, browsers that perform MIME sniffing may incorrectly interpret attacker-influenced responses as executable script. 2026-01-26 not yet calculated CVE-2026-24439 https://www.tendacn.com/product/W30E
https://www.vulncheck.com/advisories/tenda-w30e-v2-lacks-x-content-type-options-header
 
Shenzhen Tenda Technology Co., Ltd.--W30E V2 Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) allow account passwords to be changed through the maintenance interface without requiring verification of the existing password. This enables unauthorized password changes when access to the affected endpoint is obtained. 2026-01-26 not yet calculated CVE-2026-24440 https://www.tendacn.com/product/W30E
https://www.vulncheck.com/advisories/tenda-w30e-v2-allows-password-change-without-verifying-current-password
 
Significant-Gravitas--AutoGPT AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform's block execution endpoints (both main web API and external API) allow executing blocks by UUID without checking the `disabled` flag. Any authenticated user can execute the disabled `BlockInstallationBlock`, which writes arbitrary Python code to the server filesystem and executes it via `__import__()`, achieving Remote Code Execution. In default self-hosted deployments where Supabase signup is enabled, an attacker can self-register; if signup is disabled (e.g., hosted), the attacker needs an existing account. autogpt-platform-beta-v0.6.44 contains a fix. 2026-01-29 not yet calculated CVE-2026-24780 https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-r277-3xc5-c79v
https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/external/v1/routes.py#L79-L93
https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/features/v1.py#L1408-L1424
https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/features/v1.py#L355-L395
https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/blocks/block.py#L15-L78
https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/data/block.py#L459
 
sigstore--sigstore-python sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique "state" and sends it as a parameter in the authentication request but the "state" in the server response seems not not be cross-checked with this value. Version 4.2.0 contains a patch for the issue. 2026-01-26 not yet calculated CVE-2026-24408 https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hm8f-75xx-w2vr
https://github.com/sigstore/sigstore-python/commit/5e77497fe8f0b202bdd118949074ec2f20da69aa
https://github.com/sigstore/sigstore-python/releases/tag/v4.2.0
 
silabs.com--Silicon Labs Zigbee Stack After receiving a malformed 802.15.4 MAC Data Request the Zigbee Coordinator sends a 'network leave' request to Zigbee router resulting in the Zigbee Router getting stuck in a non-rejoinable state. If a suitable parent is not available, the end devices will be unable to rejoin. A manual recommissioning is required to recover the Zigbee Router. 2026-01-30 not yet calculated CVE-2025-7964 https://community.silabs.com/068Vm00000dspiL
 
simsong--bulk_extractor `bulk_extractor` is a digital forensics exploitation tool. Starting in version 1.4, `bulk_extractor`'s embedded unrar code has a heap buffer overflow in the RAR PPM LZ decoding path. A crafted RAR inside a disk image causes an out of bounds write in `Unpack::CopyString`, leading to a crash under ASAN (and likely a crash or memory corruption in production builds). There's potential for using this for RCE. As of time of publication, no known patches are available. 2026-01-28 not yet calculated CVE-2026-24857 https://github.com/simsong/bulk_extractor/security/advisories/GHSA-rh8m-9xrx-q64q
 
simsong--tcpflow tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past `tim.bitmap[251]`. The overflow is small and DoS is the likely impact; code execution is potential, but still up in the air. The affected structure is stack-allocated in `handle_beacon()` and related handlers. As of time of publication, no known patches are available. 2026-01-29 not yet calculated CVE-2026-25061 https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6
 
SmarterTools--SmarterMail SmarterTools SmarterMail versions prior to build 9518 contain an unauthenticated path coercion vulnerability in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows systems, this allows UNC paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication. 2026-01-29 not yet calculated CVE-2026-25067 https://www.smartertools.com/smartermail/release-notes/current
https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-background-of-the-day-path-coercion
 
SpringBlade--SpringBlade Incorrect access control in the importUser function of SpringBlade v4.5.0 allows attackers with low-level privileges to arbitrarily import sensitive user data. 2026-01-26 not yet calculated CVE-2025-70982 https://github.com/chillzhuang/SpringBlade
https://github.com/chillzhuang/SpringBlade/issues/34
https://gist.github.com/old6ma/ea60151aa40ddc1cfb51fbaa0c173117
 
SunFounder--Pironman Dashboard (pm_dashboard) SunFounder Pironman Dashboard (pm_dashboard) version 1.3.13 and prior contain a path traversal vulnerability in the log file API endpoints. An unauthenticated remote attacker can supply traversal sequences via the filename parameter to read and delete arbitrary files. Successful exploitation can disclose sensitive information and delete critical system files, resulting in data loss and potential system compromise or denial of service. 2026-01-31 not yet calculated CVE-2026-25069 https://github.com/sunfounder/pm_dashboard
https://github.com/sunfounder/pm_dashboard/blob/main/pm_dashboard/pm_dashboard.py#L62
https://github.com/sunfounder/pm_dashboard/blob/main/pm_dashboard/pm_dashboard.py#L440
https://www.vulncheck.com/advisories/sunfounder-pironman-dashboard-path-traversal-arbitrary-file-read-deletion
https://gist.github.com/chapochapo/5db8702ede862af5c59a28b5d5a0aba3
 
SuperDuper!--Super-Duper! An issue in Shirt Pocket's SuperDuper! 3.11 and earlier allow a local attacker to modify the default task template to install an arbitrary package that can run shell scripts with root privileges and Full Disk Access, thus bypassing macOS privacy controls. 2026-01-29 not yet calculated CVE-2025-69604 http://shirt.com
https://shirt-pocket.com/SuperDuper/SuperDuperDescription.html
https://www.shirtpocket.com/blog/index.php/shadedgrey/comments/superduper_v312_now_available
 
swoole--swoole-src Integer Overflow or Wraparound vulnerability in swoole swoole-src (thirdparty/hiredis modules). This vulnerability is associated with program files sds.C. This issue affects swoole-src: before 6.0.2. 2026-01-27 not yet calculated CVE-2026-24814 https://github.com/swoole/swoole-src/pull/5698
 
tale--tale Cross Site Scripting vulnerability in tale v.2.0.5 allows an attacker to execute arbitrary code. 2026-01-29 not yet calculated CVE-2025-69749 https://github.com/otale/tale
https://github.com/milantgh/otalexss
 
The Wikimedia Foundation--Mediawiki - DiscussionTools Extension Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in The Wikimedia Foundation Mediawiki - DiscussionTools Extension allows Regular Expression Exponential Blowup. This issue affects Mediawiki - DiscussionTools Extension: 1.44, 1.43. 2026-01-30 not yet calculated CVE-2025-11175 https://phabricator.wikimedia.org/T396248
https://gerrit.wikimedia.org/r/q/I563219f3298a8740e158d130492bf3d2897784d7
https://phabricator.wikimedia.org/T364910
https://gerrit.wikimedia.org/r/q/I126203ab1d3ec8c1719cbb5460a887e4d0c2cc6d
 
tildearrow--furnace Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in tildearrow furnace (extern/zlib modules). This vulnerability is associated with program files inflate.C. 2026-01-27 not yet calculated CVE-2026-24800 https://github.com/tildearrow/furnace/pull/2471
 
TOTOLINK--X6000R Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection. This issue affects X6000R: through V9.4.0cu.1498_B20250826. 2026-01-30 not yet calculated CVE-2026-1723 https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/247/ids/36.html
https://github.com/PaloAltoNetworks/u42-vulnerability-disclosures/blob/main/2025/PANW-2026-0001/PANW-2026-0001.md
 
TP-Link Systems Inc.--Archer MR600 v5.0 Command injection vulnerability was found in the admin interface component of TP-Link Archer MR600 v5 firmware, allowing authenticated attackers to execute system commands with a limited character length via crafted input in the browser developer console, possibly leading to service disruption or full compromise. 2026-01-26 not yet calculated CVE-2025-14756 https://www.tp-link.com/jp/support/download/archer-mr600/#Firmware
https://www.tp-link.com/en/support/download/archer-mr600/#Firmware
https://www.tp-link.com/us/support/faq/4916/
https://jvn.jp/en/vu/JVNVU94651499/
https://jvn.jp/vu/JVNVU94651499/
 
TP-Link Systems Inc.--Archer RE605X The backup restore function does not properly validate unexpected or unrecognized tags within the backup file. When such a crafted file is restored, the injected tag is interpreted by a shell, allowing execution of arbitrary commands with root privileges. Successful exploitation allows the attacker to gain root-level command execution, compromising confidentiality, integrity and availability. 2026-01-29 not yet calculated CVE-2025-15545 https://www.tp-link.com/en/support/download/re605x/v3/#Firmware
https://www.tp-link.com/us/support/download/re605x/v3/#Firmware
https://www.tp-link.com/us/support/faq/4929/
https://nico-security.com/posts/cve-2025-15545
 
TP-Link Systems Inc.--Omada Controller An IDOR vulnerability exists in Omada Controllers that allows an attacker with Administrator permissions to manipulate requests and potentially hijack the Owner account. 2026-01-26 not yet calculated CVE-2025-9520 https://support.omadanetworks.com/us/document/115200/
https://support.omadanetworks.com/us/download/software/omada-controller/
 
TP-Link Systems Inc.--Omada Controller Password Confirmation Bypass vulnerability in Omada Controllers, allowing an attacker with a valid session token to bypass secondary verification, and change the user's password without proper confirmation, leading to weakened account security. 2026-01-26 not yet calculated CVE-2025-9521 https://support.omadanetworks.com/us/document/115200/
https://support.omadanetworks.com/us/download/software/omada-controller/
 
TP-Link Systems Inc.--Omada Controller Blind Server-Side Request Forgery (SSRF) in Omada Controllers through webhook functionality, enabling crafted requests to internal services, which may lead to enumeration of information. 2026-01-26 not yet calculated CVE-2025-9522 https://support.omadanetworks.com/us/document/115200/
https://https://support.omadanetworks.com/us/download/software/omada-controller/
 
TP-Link Systems Inc.--Tapo C220 v1 The Tapo C220 v1 and C520WS v2 cameras' HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable. 2026-01-27 not yet calculated CVE-2026-0918 https://www.tp-link.com/us/support/download/tapo-c220/v1.60/
https://www.tp-link.com/en/support/download/tapo-c220/v1/
https://www.tp-link.com/us/support/download/tapo-c520ws/v2/
https://www.tp-link.com/en/support/download/tapo-c520ws/v2/
https://www.tp-link.com/us/support/faq/4923/
 
TP-Link Systems Inc.--Tapo C220 v1 The HTTP parser of Tapo C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid URL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart. An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service. 2026-01-27 not yet calculated CVE-2026-0919 https://www.tp-link.com/us/support/download/tapo-c220/v1.60/
https://www.tp-link.com/en/support/download/tapo-c220/v1/
https://www.tp-link.com/us/support/download/tapo-c520ws/v2/
https://www.tp-link.com/en/support/download/tapo-c520ws/v2/
https://www.tp-link.com/us/support/faq/4923/
 
TP-Link Systems Inc.--Tapo C220 v1 By sending crafted files to the firmware update endpoint of Tapo C220 v1 and C520WS v2, the device terminates core system services before verifying authentication or firmware integrity. An unauthenticated attacker can trigger a persistent denial of service, requiring a manual reboot or application initiated restart to restore normal device operation. 2026-01-27 not yet calculated CVE-2026-1315 https://www.tp-link.com/us/support/download/tapo-c220/v1.60/
https://www.tp-link.com/en/support/download/tapo-c220/v1/
https://www.tp-link.com/us/support/download/tapo-c520ws/v2/
https://www.tp-link.com/en/support/download/tapo-c520ws/v2/
https://www.tp-link.com/us/support/faq/4923/
 
TP-Link Systems Inc.--VIGI C485 V1 An authenticated buffer handling flaw in TP-Link VIGI C385 V1 Web API lacking input sanitization, may allow memory corruption leading to remote code execution. Authenticated attackers may trigger buffer overflow and potentially execute arbitrary code with elevated privileges. 2026-01-29 not yet calculated CVE-2026-1457 https://www.tp-link.com/en/support/download/vigi-c385/v1/#Firmware
https://www.tp-link.com/kr/support/download/vigi-c385/v1/#Firmware
https://www.tp-link.com/us/support/faq/4931/
 
TP-Link Systems Inc.--VX800v v1.0 A weakness in the web interface's application layer encryption in VX800v v1.0 allows an adjacent attacker to brute force the weak AES key and decrypt intercepted traffic. Successful exploitation requires network proximity but no authentication, and may result in high impact to confidentiality, integrity, and availability of transmitted data. 2026-01-29 not yet calculated CVE-2025-13399 https://www.tp-link.com/de/support/download/vx800v/#Firmware
https://www.tp-link.com/us/support/faq/4930/
 
TP-Link Systems Inc.--VX800v v1.0 Improper link resolution in the VX800v v1.0 SFTP service allows authenticated adjacent attackers to use crafted symbolic links to access system files, resulting in high confidentiality impact and limited integrity risk. 2026-01-29 not yet calculated CVE-2025-15541 https://www.tp-link.com/de/support/download/vx800v/#Firmware
https://www.tp-link.com/us/support/faq/4930/
 
TP-Link Systems Inc.--VX800v v1.0 Improper handling of exceptional conditions in VX800v v1.0 in SIP processing allows an attacker to flood the device with crafted INVITE messages, blocking all voice lines and causing a denial of service on incoming calls. 2026-01-29 not yet calculated CVE-2025-15542 https://www.tp-link.com/de/support/download/vx800v/#Firmware
https://www.tp-link.com/us/support/faq/4930/
 
TP-Link Systems Inc.--VX800v v1.0 Improper link resolution in USB HTTP access path in VX800v v1.0 allows a crafted USB device to expose root filesystem contents, giving an attacker with physical access read only access to system files. 2026-01-29 not yet calculated CVE-2025-15543 https://www.tp-link.com/de/support/download/vx800v/#Firmware
https://www.tp-link.com/us/support/faq/4930/
 
TP-Link Systems Inc.--VX800v v1.0 Some VX800v v1.0 web interface endpoints transmit sensitive information over unencrypted HTTP due to missing application layer encryption, allowing a network adjacent attacker to intercept this traffic and compromise its confidentiality. 2026-01-29 not yet calculated CVE-2025-15548 https://www.tp-link.com/de/support/download/vx800v/#Firmware
https://www.tp-link.com/us/support/faq/4930/
 
ttttupup--wxhelper Out-of-bounds Write, Heap-based Buffer Overflow vulnerability in ttttupup wxhelper (src modules). This vulnerability is associated with program files mongoose.C. This issue affects wxhelper: through 3.9.10.19-v1. 2026-01-27 not yet calculated CVE-2026-24822 https://github.com/ttttupup/wxhelper/pull/515
 
turanszkij--WickedEngine Out-of-bounds Read vulnerability in turanszkij WickedEngine (WickedEngine/LUA modules). This vulnerability is associated with program files ldebug.C. This issue affects WickedEngine: before 0.71.705. 2026-01-27 not yet calculated CVE-2026-24820 https://github.com/turanszkij/WickedEngine/pull/1054
 
turanszkij--WickedEngine Out-of-bounds Read vulnerability in turanszkij WickedEngine (WickedEngine/LUA modules). This vulnerability is associated with program files lparser.C. This issue affects WickedEngine: through 0.71.727. 2026-01-27 not yet calculated CVE-2026-24821 https://github.com/turanszkij/WickedEngine/pull/1095
 
umbraco--Umbraco.Forms.Issues Umbraco Forms is a form builder that integrates with the Umbraco content management system. It's possible for an authenticated backoffice-user to enumerate and traverse paths/files on the systems filesystem and read their contents, on Mac/Linux Umbraco installations using Forms. As Umbraco Cloud runs in a Windows environment, Cloud users aren't affected. This issue affects versions 16 and 17 of Umbraco Forms and is patched in 16.4.1 and 17.1.1. If upgrading is not immediately possible, users can mitigate this vulnerability by configuring a WAF or reverse proxy to block requests containing path traversal sequences (`../`, `..\`) in the `fileName` parameter of the export endpoint, restricting network access to the Umbraco backoffice to trusted IP ranges, and/or blocking the `/umbraco/forms/api/v1/export` endpoint entirely if the export feature is not required. However, upgrading to the patched version is strongly recommended. 2026-01-29 not yet calculated CVE-2026-24687 https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-hm5p-82g6-m3xh
 
vendurehq--vendure Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). In `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately if a user is not found. The significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts. Version 3.5.3 fixes the issue. 2026-01-30 not yet calculated CVE-2026-25050 https://github.com/vendurehq/vendure/security/advisories/GHSA-6f65-4fv2-wwch
https://github.com/vendurehq/vendure/releases/tag/v3.5.3
 
visualfc--liteide NULL Pointer Dereference vulnerability in visualfc liteide (liteidex/src/3rdparty/libvterm/src modules). This vulnerability is associated with program files screen.C, state.C, vterm.C. This issue affects liteide: before x38.4. 2026-01-27 not yet calculated CVE-2026-24805 https://github.com/visualfc/liteide/pull/1326
 
WatchGuard--Fireware OS An LDAP Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from a connected LDAP authentication server through an exposed authentication or management web interface. This vulnerability may also allow a remote attacker to authenticate as an LDAP user with a partial identifier if they additionally have that user's valid passphrase. This issue affects Fireware OS: from 12.0 through 12.11.6, from 12.5 through 12.5.15, from 2025.1 through 2026.0. 2026-01-30 not yet calculated CVE-2026-1498 https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00001
 
Western Digital--WD Discovery DLL hijacking in the WD Discovery Installer in Western Digital WD Discovery 5.2.730 on Windows allows a local attacker to execute arbitrary code via placement of a crafted dll in the installer's search path. 2026-01-26 not yet calculated CVE-2025-30248 https://www.westerndigital.com/support/product-security/wdc-25008-wd-discovery-desktop-app-version-5-3
 
WordPress--Custom Login Page Customizer The Custom Login Page Customizer WordPress plugin before 2.5.4 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account 2026-01-29 not yet calculated CVE-2025-14975 https://wpscan.com/vulnerability/a1403186-51aa-4eae-a3fe-0c559570eb93/
 
WordPress--Recipe Card Blocks Lite The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks. 2026-01-26 not yet calculated CVE-2025-14973 https://wpscan.com/vulnerability/76f7d5d4-ba45-4bfd-bda9-ab0769e81107/
 
WordPress--User Activity Log The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off) 2026-01-28 not yet calculated CVE-2025-13471 https://wpscan.com/vulnerability/cc8743f5-b1b9-4f88-b440-db044034bbfc/
 
Worklenz--Worklenz Worklenz version 2.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Project Updates feature. An attacker can submit a malicious payload in the Updates text field which is then rendered in the reporting view without proper sanitization. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. 2026-01-26 not yet calculated CVE-2025-70368 https://github.com/Worklenz/worklenz
https://github.com/Stolichnayer/CVE-2025-70368
 
Xen--Xen Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing. 2026-01-28 not yet calculated CVE-2025-58150 https://xenbits.xenproject.org/xsa/advisory-477.html
 
Xen--Xen In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task 1's training still in the BTB. 2026-01-28 not yet calculated CVE-2026-23553 https://xenbits.xenproject.org/xsa/advisory-479.html
 
yacy--yacy_search_server Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in yacy yacy_search_server (source/net/yacy/http/servlets modules). This vulnerability is associated with program files YaCyDefaultServlet.Java. This issue affects yacy_search_server. 2026-01-27 not yet calculated CVE-2026-24824 https://github.com/yacy/yacy_search_server/pull/722
 
ydb-platform--ydb Missing Release of Memory after Effective Lifetime vulnerability in ydb-platform ydb (contrib/libs/yajl modules). This vulnerability is associated with program files yail_tree.C. This issue affects ydb: through 24.4.4.2. 2026-01-27 not yet calculated CVE-2026-24825 https://github.com/ydb-platform/ydb/pull/17570
 
zhblue--hustoj HUSTOF is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problem_import_qduoj.php and problem_import_hoj.php modules fail to properly sanitize filenames within uploaded ZIP archives. Attackers can craft a malicious ZIP file containing files with path traversal sequences (e.g., ../../shell.php). When extracted by the server, this allows writing files to arbitrary locations in the web root, leading to Remote Code Execution (RCE). Version 26.01.24 contains a fix for the issue. 2026-01-27 not yet calculated CVE-2026-24479 https://github.com/zhblue/hustoj/security/advisories/GHSA-xmgg-2rw4-7fxj
https://github.com/zhblue/hustoj/commit/902bd09e6d0011fe89cd84d4236899314b33101f
 

Back to top

Vulnerability Summary for the Week of January 19, 2026
Posted on Monday January 26, 2026

High Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
Agatasoft--AgataSoft PingMaster Pro AgataSoft PingMaster Pro 2.1 contains a denial of service vulnerability in the Trace Route feature that allows attackers to crash the application by overflowing the host name input field. Attackers can generate a 10,000-character buffer and paste it into the host name field to trigger an application crash and potential system instability. 2026-01-23 7.5 CVE-2021-47893 ExploitDB-49567
Vendor Homepage
VulnCheck Advisory: AgataSoft PingMaster Pro 2.1 - Denial of Service
 
Aida Computer Information Technology Inc.--Hotel Guest Hotspot Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows SQL Injection. This issue affects Hotel Guest Hotspot: through 22012026.  NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-22 8 CVE-2025-4764 https://www.usom.gov.tr/bildirim/tr-26-0001
 
Altium--AES AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries. 2026-01-22 8.6 CVE-2025-27378 https://www.altium.com/platform/security-compliance/security-advisories
 
Altium--AES HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim's browser via crafted HTML content. 2026-01-22 7.6 CVE-2025-27380 https://www.altium.com/platform/security-compliance/security-advisories
 
Altium--Altium 365 Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on those origins could access authenticated workspace APIs in the context of a logged-in user. When chained with vulnerabilities in those external applications, this misconfiguration enables unauthorized access to workspace data, administrative actions, and bypass of IP allowlisting controls, including in GovCloud environments. 2026-01-19 9 CVE-2026-1181 https://www.altium.com/platform/security-compliance/security-advisories
 
AMASTAR Technology--MeetingHub MeetingHub developed by HAMASTAR Technology has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. 2026-01-22 9.8 CVE-2026-1331 https://www.twcert.org.tw/tw/cp-132-10650-a5ee9-1.html
https://www.twcert.org.tw/en/cp-139-10651-ff09c-2.html
 
appsmithorg--appsmith Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute. This bypasses the expected publish boundary where public viewers should only execute published actions, not edit-mode versions. An attack can result in sensitive data exposure, execution of edit‑mode queries and APIs, development data access, and the ability to trigger side effect behavior. This issue does not have a released fix at the time of publication. 2026-01-22 9.4 CVE-2026-24042 https://github.com/appsmithorg/appsmith/security/advisories/GHSA-j9qq-4fj9-9883
 
Autodesk--Fusion A maliciously crafted HTML payload in a design name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process. 2026-01-22 7.1 CVE-2026-0533 https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe
https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg
https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001
 
Autodesk--Fusion A maliciously crafted HTML payload, stored in a part's attribute and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process. 2026-01-22 7.1 CVE-2026-0534 https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe
https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg
https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001
 
Autodesk--Fusion A maliciously crafted HTML payload, stored in a component's description and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process. 2026-01-22 7.1 CVE-2026-0535 https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe
https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg
https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001
 
Autonomy--OpenPLC OpenPLC v3 contains an authenticated remote code execution vulnerability that allows attackers with valid credentials to inject malicious code through the hardware configuration interface. Attackers can upload a custom hardware layer with embedded reverse shell code that establishes a network connection to a specified IP and port, enabling remote command execution. 2026-01-21 8.8 CVE-2021-47770 ExploitDB-49803
OpenPLC Project Official Homepage
OpenPLC v3 GitHub Repository
VulnCheck Advisory: OpenPLC 3 - Remote Code Execution
 
B&R Industrial Automation GmbH--B&R Automation Studio An Improper Certificate Validation vulnerability in the OPC-UA client and ANSL over TLS client used in Automation Studio versions before 6.5 could allow an unauthenticated attacker on the network to position themselves to intercept and interfere with data exchanges. 2026-01-19 7.4 CVE-2025-11043 https://www.br-automation.com/fileadmin/SA25P004-4f45197f.pdf
 
backstage--backstage Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via the `debug:log` action by creating a symlink pointing to sensitive files (e.g., `/etc/passwd`, configuration files, secrets); delete arbitrary files via the `fs:delete` action by creating symlinks pointing outside the workspace, and write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks. This affects any Backstage deployment where users can create or execute Scaffolder templates. This vulnerability is fixed in `@backstage/backend-defaults` versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0; `@backstage/plugin-scaffolder-backend` versions 2.2.2, 3.0.2, and 3.1.1; and `@backstage/plugin-scaffolder-node` versions 0.11.2 and 0.12.3. Users should upgrade to these versions or later. Some workarounds are available. Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates, restrict who can create and execute Scaffolder templates using the permissions framework, audit existing templates for symlink usage, and/or run Backstage in a containerized environment with limited filesystem access. 2026-01-21 7.1 CVE-2026-24046 https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp
https://github.com/backstage/backstage/commit/c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d
 
baptisteArno--typebot.io Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue. 2026-01-22 7.4 CVE-2025-65098 https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47
 
Birebirsoft Software and Technology Solutions--Sufirmam Authentication Bypass by Primary Weakness, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Birebirsoft Software and Technology Solutions Sufirmam allows Authentication Bypass, Password Recovery Exploitation. This issue affects Sufirmam: through 23012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-23 10 CVE-2025-4320 https://www.usom.gov.tr/bildirim/tr-26-0005
 
Birebirsoft Software and Technology Solutions--Sufirmam Improper Restriction of Excessive Authentication Attempts, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Birebirsoft Software and Technology Solutions Sufirmam allows Brute Force, Password Recovery Exploitation. This issue affects Sufirmam: through 23012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-23 9.4 CVE-2025-4319 https://www.usom.gov.tr/bildirim/tr-26-0005
 
Brother Industries, Ltd.--BRAdmin Professional Brother BRAdmin Professional 3.75 contains an unquoted service path vulnerability in the BRA_Scheduler service that allows local users to potentially execute arbitrary code. Attackers can place a malicious executable named 'BRAdmin' in the C:\Program Files (x86)\Brother\ directory to gain local system privileges. 2026-01-21 7.8 CVE-2021-47869 ExploitDB-49671
Brother Global Homepage
Brother Software Download Page
Vulnerability Technical Details
VulnCheck Advisory: BRAdmin Professional 3.75 - 'BRA_Scheduler' Unquoted Service Path
 
BROWAN COMMUNICATIONS--PrismX MX100 AP controller PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to the database using hardcoded database credentials stored in the firmware. 2026-01-20 9.8 CVE-2026-1221 https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html
https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html
 
BROWAN COMMUNICATIONS--PrismX MX100 AP controller PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. 2026-01-20 7.2 CVE-2026-1222 https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html
https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html
 
buddypress--BuddyPress The The BuddyPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 14.3.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. 2026-01-23 7.3 CVE-2024-11976 https://www.wordfence.com/threat-intel/vulnerabilities/id/34c627c1-7838-468e-acb7-eb84ad1b4949?source=cve
https://plugins.trac.wordpress.org/browser/buddypress/tags/14.3.1/bp-templates/bp-nouveau/includes/messages/ajax.php#L232
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3259392%40buddypress%2Ftrunk&old=3199645%40buddypress%2Ftrunk&sfp_email=&sfph_mail=
 
chattermate--chattermate.chat ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an <iframe> payload containing a javascript: URI can be processed and executed in the browser context. This allows access to sensitive client-side data such as localStorage tokens and cookies, resulting in client-side injection. This issue has been fixed in version 1.0.9. 2026-01-24 9.3 CVE-2026-24399 https://github.com/chattermate/chattermate.chat/security/advisories/GHSA-72p3-w95w-q3j4
https://github.com/chattermate/chattermate.chat/commit/ff3398031abb97ae28546eaf993fed3619eaffdd
https://github.com/chattermate/chattermate.chat/releases/tag/v1.0.9
 
choijun--LA-Studio Element Kit for Elementor The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site. 2026-01-22 9.8 CVE-2026-0920 https://www.wordfence.com/threat-intel/vulnerabilities/id/65ebc744-6cc2-47ce-b225-81820e49d59c?source=cve
https://plugins.trac.wordpress.org/browser/lastudio-element-kit/tags/1.5.6.3/includes/integrations/override.php#L301
https://plugins.trac.wordpress.org/changeset/3439121/lastudio-element-kit
 
Cisco--Cisco Unified Communications Manager A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM &amp; Presence Service (Unified CM IM&amp;P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker&nbsp;to execute arbitrary commands on the underlying operating system of an affected device.&nbsp; This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root. 2026-01-21 8.2 CVE-2026-20045 cisco-sa-voice-rce-mORhqY4b
 
CRMEB--CRMEB A security flaw has been discovered in CRMEB up to 5.6.3. The affected element is the function appleLogin of the file crmeb/app/api/controller/v1/LoginController.php. Performing a manipulation of the argument openId results in improper authentication. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-20 7.3 CVE-2026-1202 VDB-341788 | CRMEB LoginController.php appleLogin improper authentication
VDB-341788 | CTI Indicators (IOB, IOC, IOA)
Submit #734711 | Zhongbang CRMEB v5.6.3 Improper Authentication
https://github.com/foeCat/CVE/blob/main/CRMEB/apple_login_auth_bypass.md
 
Data Device Corporation--dataSIMS Avionics ARINC dataSIMS Avionics ARINC 664-1 version 4.5.3 contains a local buffer overflow vulnerability that allows attackers to overwrite memory by manipulating the milstd1553result.txt file. Attackers can craft a malicious file with carefully constructed payload and alignment sections to potentially execute arbitrary code on the Windows system. 2026-01-23 8.4 CVE-2021-47881 ExploitDB-49577
Vendor Homepage
Software Product Page
VulnCheck Advisory: dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow
 
Deepinstinct--Deep Instinct Windows Agent Deep Instinct Windows Agent 1.2.24.0 contains an unquoted service path vulnerability in the DeepNetworkService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files\HP Sure Sense\DeepNetworkService.exe to inject malicious code that would execute with LocalSystem permissions during service startup. 2026-01-25 7.8 CVE-2020-36934 ExploitDB-49020
Deep Instinct Official Homepage
HP Collaboration Announcement
VulnCheck Advisory: Deep Instinct Windows Agent 1.2.24.0 - 'DeepNetworkService' Unquoted Service Path
 
Dell--ObjectScale Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains an Use of Default Credentials vulnerability in the OS. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. 2026-01-23 8.8 CVE-2026-22273 https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities
 
Dell--ObjectScale Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information exposure. 2026-01-23 7.5 CVE-2026-22271 https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities
 
Dell--PowerScale OneFS Dell PowerScale OneFS versions prior to 9.13.0.0 contains an improper restriction of excessive authentication attempts vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access. 2026-01-22 8.1 CVE-2026-22278 https://www.dell.com/support/kbdoc/en-us/000415586/dsa-2026-049-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities
 
Dell--Unisphere for PowerMax Dell Unisphere for PowerMax, version(s) 10.2.0.x, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Command execution. 2026-01-22 8.8 CVE-2025-36588 https://www.dell.com/support/kbdoc/en-us/000402262/dsa-2025-425-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-unisphere-360-dell-solutions-enabler-virtual-appliance-security-update-for-multiple-vulnerabilities
 
docling-project--docling-core Docling Core (or docling-core) is a library that defines core data types and transformations in the document processing application Docling. A PyYAML-related Remote Code Execution (RCE) vulnerability, namely CVE-2020-14343, is exposed in docling-core starting in version 2.21.0 and prior to version 2.48.4, specifically only if the application uses pyyaml prior to version 5.4 and invokes `docling_core.types.doc.DoclingDocument.load_from_yaml()` passing it untrusted YAML data. The vulnerability has been patched in docling-core version 2.48.4. The fix mitigates the issue by switching `PyYAML` deserialization from `yaml.FullLoader` to `yaml.SafeLoader`, ensuring that untrusted data cannot trigger code execution. Users who cannot immediately upgrade docling-core can alternatively ensure that the installed version of PyYAML is 5.4 or greater. 2026-01-22 8.1 CVE-2026-24009 https://github.com/docling-project/docling-core/security/advisories/GHSA-vqxf-v2gg-x3hc
https://github.com/docling-project/docling-core/issues/482
https://github.com/docling-project/docling-core/commit/3e8d628eeeae50f0f8f239c8c7fea773d065d80c
https://github.com/advisories/GHSA-8q59-q68h-6hv4
https://github.com/docling-project/docling-core/releases/tag/v2.48.4
 
dokaninc--Dokan: AI Powered WooCommerce Multivendor Marketplace Solution Build Your Own Amazon, eBay, Etsy The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution - Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with customer-level permissions and above, to read or modify other vendors' store settings including sensitive payment information (PayPal email, bank account details, routing numbers, IBAN, SWIFT codes), phone numbers, and addresses, and change PayPal email addresses to attacker-controlled addresses, enabling financial theft when the marketplace processes payouts. 2026-01-20 8.1 CVE-2025-14977 https://www.wordfence.com/threat-intel/vulnerabilities/id/4ab9d7e9-9a81-48f8-bc37-ad6de43a566f?source=cve
https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L131
https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L152
https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L109
https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L85
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3432750%40dokan-lite%2Ftrunk&old=3427612%40dokan-lite%2Ftrunk&sfp_email=&sfph_mail=#file7
 
embeDD GmbH--DD-WRT DD-WRT version 45723 contains a buffer overflow vulnerability in the UPNP network discovery service that allows remote attackers to potentially execute arbitrary code. Attackers can send crafted M-SEARCH packets with oversized UUID payloads to trigger buffer overflow conditions on the target device. 2026-01-21 9.8 CVE-2021-47854 ExploitDB-49730
DD-WRT Official Vendor Homepage
DD-WRT Software Download Repository
SSD Security Advisory for DD-WRT UPNP Buffer Overflow
VulnCheck Advisory: DD-WRT 45723 - UPNP Buffer Overflow
 
Epiphany--Epiphany A flaw was found in Epiphany, a tool that allows websites to open external URL handler applications with minimal user interaction. This design can be misused to exploit vulnerabilities within those handlers, making them appear remotely exploitable. The browser fails to properly warn or gate this action, resulting in potential code execution on the client device via trusted UI behavior. 2026-01-23 8 CVE-2025-3839 https://access.redhat.com/security/cve/CVE-2025-3839
RHBZ#2361430
 
Epson America, Inc.--Epson USB Display Epson USB Display 1.6.0.0 contains an unquoted service path vulnerability in the EMP_UDSA service running with LocalSystem privileges. Attackers can exploit the unquoted path by placing malicious executables in intermediate directories to gain elevated system access. 2026-01-23 7.8 CVE-2021-47898 ExploitDB-49548
Epson Official Homepage
VulnCheck Advisory: Epson USB Display 1.6.0.0 Unquoted Service Path Vulnerability
 
EVerest--everest-core EVerest is an EV charging software stack. Prior to version 2025.10.0, an integer overflow occurring in `SdpPacket::parse_header()` allows the current buffer length to be set to 7 after a complete header of size 8 has been read. The remaining length to read is computed using the current length subtracted by the header length which results in a negative value. This value is then interpreted as `SIZE_MAX` (or slightly less) because the expected type of the argument is `size_t`. Depending on whether the server is plain TCP or TLS, this leads to either an infinite loop or a stack buffer overflow. Version 2025.10.0 fixes the issue. 2026-01-21 8.4 CVE-2025-68137 https://github.com/EVerest/everest-core/security/advisories/GHSA-7qq4-q9r8-wc7w
 
EVerest--everest-core EVerest is an EV charging software stack. In versions 2025.9.0 and below, an attacker can exhaust the operating system's memory and cause the module to terminate by initiating an unlimited number of TCP connections that never proceed to ISO 15118-2 communication. This is possible because a new thread is started for each incoming plain TCP or TLS socket connection before any verification occurs, and the verification performed is too permissive. The EVerest processes and all its modules shut down, affecting all EVSE functionality. This issue is fixed in version 2025.10.0. 2026-01-21 7.4 CVE-2025-68133 https://github.com/EVerest/everest-core/security/advisories/GHSA-mv3w-pp85-5h7c
https://github.com/EVerest/everest-core/commit/8127b8c54b296c4dd01b356ac26763f81f76a8fd
https://github.com/EVerest/everest-core/commit/de504f0c11069010d26767b0952739e9a400cef3
 
EVerest--everest-core EVerest is an EV charging software stack. Prior to version 2025.10.0, the use of the `assert` function to handle errors frequently causes the module to crash. This is particularly critical because the manager shuts down all other modules and exits when any one of them terminates, leading to a denial of service. In a context where a manager handles multiple EVSE, this would also impact other users. Version 2025.10.0 fixes the issue. 2026-01-21 7.4 CVE-2025-68134 https://github.com/EVerest/everest-core/security/advisories/GHSA-cxc5-rrj5-8pf3
 
EVerest--everest-core EVerest is an EV charging software stack. Prior to version 2025.10.0, once the module receives a SDP request, it creates a whole new set of objects like `Session`, `IConnection` which open new TCP socket for the ISO15118-20 communications and registers callbacks for the created file descriptor, without closing and destroying the previous ones. Previous `Session` is not saved and the usage of an `unique_ptr` is lost, destroying connection data. Latter, if the used socket and therefore file descriptor is not the last one, it will lead to a null pointer dereference. Version 2025.10.0 fixes the issue. 2026-01-21 7.4 CVE-2025-68136 https://github.com/EVerest/everest-core/security/advisories/GHSA-4h8h-x5cp-g22r
 
EVerest--everest-core EVerest is an EV charging software stack. Prior to version 2025.10.0, during the deserialization of a `DC_ChargeLoopRes` message that includes Receipt as well as TaxCosts, the vector `<DetailedTax>tax_costs` in the target `Receipt` structure is accessed out of bounds. This occurs in the method `template <> void convert(const struct iso20_dc_DetailedTaxType& in, datatypes::DetailedTax& out)` which leads to a null pointer dereference and causes the module to terminate. The EVerest processes and all its modules shut down, affecting all EVSE. Version 2025.10.0 fixes the issue. 2026-01-21 7.4 CVE-2025-68141 https://github.com/EVerest/everest-core/security/advisories/GHSA-ph4w-r9q8-vm9h
 
EVMAPA--EVMAPA This vulnerability occurs when a WebSocket endpoint does not enforce proper authentication mechanisms, allowing unauthorized users to establish connections. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system. 2026-01-22 9.4 CVE-2025-54816 https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json
 
EVMAPA--EVMAPA This vulnerability arises because there are no limitations on the number of authentication attempts a user can make. An attacker can exploit this weakness by continuously sending authentication requests, leading to a denial-of-service (DoS) condition. This can overwhelm the authentication system, rendering it unavailable to legitimate users and potentially causing service disruption. This can also allow attackers to conduct brute-force attacks to gain unauthorized access. 2026-01-22 7.5 CVE-2025-53968 https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json
 
EVMAPA--EVMAPA This vulnerability occurs when the system permits multiple simultaneous connections to the backend using the same charging station ID. This can result in unauthorized access, data inconsistency, or potential manipulation of charging sessions. The lack of proper session management and expiration control allows attackers to exploit this weakness by reusing valid charging station IDs to establish multiple sessions concurrently. 2026-01-22 7.3 CVE-2025-55705 https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json
 
EXERT Computer Technologies Software Ltd. Co.--Education Management System Authorization Bypass Through User-Controlled Key vulnerability in EXERT Computer Technologies Software Ltd. Co. Education Management System allows Parameter Injection. This issue affects Education Management System: through 23.09.2025. 2026-01-22 7.5 CVE-2025-10024 https://www.usom.gov.tr/bildirim/tr-26-0002
 
fastify--fastify-express The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. The vulnerability is caused by how @fastify/express matches requests against registered middleware paths. This vulnerability is similar to, but differs from, CVE-2026-22031 because this is a different npm module with its own code. Version 4.0.3 of @fastify/express contains a patch fort the issue. 2026-01-19 8.4 CVE-2026-22037 https://github.com/fastify/fastify-express/security/advisories/GHSA-g6q3-96cp-5r5m
https://github.com/fastify/fastify-express/commit/dc02a3fe1387f945143f22597baa42557d549a40
 
fastify--middie @fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. Version 9.1.0 fixes the issue. 2026-01-19 8.4 CVE-2026-22031 https://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p
https://github.com/fastify/middie/pull/245
https://github.com/fastify/middie/commit/d44cd56eb724490babf7b452fdbbdd37ea2effba
https://github.com/fastify/middie/releases/tag/v9.1.0
 
FOGProject--fogproject FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Versions 1.5.10.1754 and below contain an unauthenticated SSRF vulnerability in getversion.php which can be triggered by providing a user-controlled url parameter. It can be used to fetch both internal websites and files on the machine running FOG. This appears to be reachable without an authenticated web session when the request includes newService=1. The issue does not have a fixed release version at the time of publication. 2026-01-23 7.5 CVE-2026-24138 https://github.com/FOGProject/fogproject/security/advisories/GHSA-79xw-c2qx-g7xj
 
franklioxygen--MyTube MyTube is a self-hosted downloader and player for several video websites. A vulnerability present in version 1.7.65 and poetntially earlier versions allows unauthenticated users to bypass the mandatory authentication check in the roleBasedAuthMiddleware. By simply not providing an authentication cookie (making req.user undefined), a request is incorrectly passed through to downstream handlers. All users running MyTube with loginEnabled: true are impacted. This flaw allows an attacker to access and modify application settings via /api/settings, change administrative and visitor passwords, and access other protected routes that rely on this specific middleware. The problem is patched in v1.7.66. MyTube maintainers recommend all users upgrade to at least version v1.7.64 immediately to secure their instances. The fix ensures that the middleware explicitly blocks requests if a user is not authenticated, rather than defaulting to next(). Those who cannot upgrade immediately can mitigate risk by restricting network access by usi a firewall or reverse proxy (like Nginx) to restrict access to the /api/ endpoints to trusted IP addresses only or, if they are comfortable editing the source code, manually patch by locating roleBasedAuthMiddleware and ensuring that the logic defaults to an error (401 Unauthorized) when req.user is undefined, instead of calling next(). 2026-01-19 9.8 CVE-2026-23837 https://github.com/franklioxygen/MyTube/security/advisories/GHSA-cmvj-g69f-8664
https://github.com/franklioxygen/MyTube/commit/f85ae9b0d6e4a6480c6af5b675a99069d08d496e
 
FreeLAN--FreeLAN FreeLAN 2.2 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with elevated LocalSystem privileges during service startup. 2026-01-21 7.8 CVE-2021-47882 ExploitDB-49630
FreeLAN GitHub Repository
VulnCheck Advisory: FreeLAN 2.2 - 'FreeLAN Service' Unquoted Service Path
 
frustratedProton--http-server C++ HTTP Server is an HTTP/1.1 server built to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable to Path Traversal via the RequestHandler::handleRequest method. This flaw allows an unauthenticated, remote attacker to read arbitrary files from the server's filesystem by crafting a malicious HTTP GET request containing ../ sequences. The application fails to sanitize the filename variable derived from the user-controlled URL path, directly concatenating it to the files_directory base path and enabling traversal outside the intended root. No patch was available at the time of publication. 2026-01-24 7.5 CVE-2026-24469 https://github.com/frustratedProton/http-server/security/advisories/GHSA-qp54-6gfq-3gff
 
FSPro Labs--Event Log Explorer Event Log Explorer 4.9.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path by placing malicious executables in specific file system locations that will be executed with LocalSystem account privileges during service startup. 2026-01-21 7.8 CVE-2021-47861 ExploitDB-49704
Vendor Homepage
VulnCheck Advisory: Event Log Explorer 4.9.3 - 'ElodeaEventCollectorService' Unquoted Service Path
 
Fyrolabs LLC.--Pingzapper Pingzapper 2.3.1 contains an unquoted service path vulnerability in the PingzapperSvc service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Pingzapper\PZService.exe' to inject malicious executables and escalate privileges. 2026-01-21 7.8 CVE-2021-47886 ExploitDB-49626
Vendor Homepage
Software Download Page
VulnCheck Advisory: Pingzapper 2.3.1 - 'PingzapperSvc' Unquoted Service Path
 
Genexis--Platinum-4410 Genexis Platinum-4410 P4410-V2-1.31A contains a stored cross-site scripting vulnerability in the 'start_addr' parameter of the Security Management interface. Attackers can inject malicious scripts through the start source address field that will persist and trigger for privileged users when they access the security management page. 2026-01-21 7.2 CVE-2021-47858 ExploitDB-49709
Genexis Product Page
VulnCheck Advisory: Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting
 
GeoGebra--CAS Calculator GeoGebra CAS Calculator 6.0.631.0 contains a denial of service vulnerability that allows attackers to crash the application by generating a large buffer overflow. Attackers can create a payload with 8000 repeated characters and paste it into the calculator's input field to trigger an application crash. 2026-01-21 9.8 CVE-2021-47875 ExploitDB-49655
GeoGebra Official Homepage
VulnCheck Advisory: GeoGebra CAS Calculator 6.0.631.0 - Denial of Service
 
GeoGebra--GeoGebra Classic GeoGebra Classic 5.0.631.0-d contains a denial of service vulnerability in the input field that allows attackers to crash the application by sending oversized buffer content. Attackers can generate a large buffer of 800,000 repeated characters and paste it into the 'Entrada:' input field to trigger an application crash. 2026-01-21 7.5 CVE-2021-47876 ExploitDB-49654
Official Vendor Homepage
VulnCheck Advisory: GeoGebra Classic 5.0.631.0-d - Denial of Service
 
GeoGebra--GeoGebra Graphing Calculator GeoGebra Graphing Calculator 6.0.631.0 contains a denial of service vulnerability that allows attackers to crash the application by inputting an oversized buffer. Attackers can generate a payload of 8000 repeated characters to overwhelm the input field and cause the application to become unresponsive. 2026-01-21 7.5 CVE-2021-47877 ExploitDB-49653
GeoGebra Official Homepage
VulnCheck Advisory: GeoGebra Graphing Calculato‪r‬ 6.0.631.0 - Denial Of Service
 
getwpfunnels--Creator LMS The LMS for Creators, Coaches, and Trainers The Creator LMS - The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1.1.12. This makes it possible for authenticated attackers, with contributor level access and above, to update arbitrary WordPress options. 2026-01-20 8.8 CVE-2025-15347 https://www.wordfence.com/threat-intel/vulnerabilities/id/4bddaefc-9ddc-4798-acb6-7b87f7c924a1?source=cve
https://plugins.trac.wordpress.org/changeset/3433193/creatorlms/tags/1.1.13/includes/Rest/V1/SettingsController.php
 
GitLab--GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted requests with malformed authentication data. 2026-01-22 7.5 CVE-2025-13927 GitLab Issue #582737
HackerOne Bug Bounty Report #3439683
https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/
 
GitLab--GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints. 2026-01-22 7.5 CVE-2025-13928 GitLab Issue #582736
HackerOne Bug Bounty Report #3439441
https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/
 
GitLab--GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an individual with existing knowledge of a victim's credential ID to bypass two-factor authentication by submitting forged device responses. 2026-01-22 7.4 CVE-2026-0723 GitLab Issue #585333
HackerOne Bug Bounty Report #3476052
https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/
 
GNU--Inetutils telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable. 2026-01-21 9.8 CVE-2026-24061 https://www.openwall.com/lists/oss-security/2026/01/20/2
https://www.openwall.com/lists/oss-security/2026/01/20/8
https://www.gnu.org/software/inetutils/
 
gristlabs--grist-core Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox barrier. If a user of Grist sets `GRIST_SANDBOX_FLAVOR` to `pyodide` and opens a malicious document, that document could run arbitrary processes on the server hosting Grist. The problem has been addressed in Grist version 1.7.9 and up, by running pyodide under deno. As a workaround, a user can use the gvisor-based sandbox by setting `GRIST_SANDBOX_FLAVOR` to `gvisor`. 2026-01-22 9.1 CVE-2026-24002 https://github.com/gristlabs/grist-core/security/advisories/GHSA-7xvx-8pf2-pv5g
https://support.getgrist.com/self-managed/#how-do-i-sandbox-documents
 
gunthercox--ChatterBot ChatterBot is a machine learning, conversational dialog engine for creating chat bots. ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent invocations of the get_response() method can exhaust the underlying SQLAlchemy connection pool, resulting in persistent service unavailability and requiring a manual restart to recover. Version 1.2.11 fixes the issue. 2026-01-19 7.5 CVE-2026-23842 https://github.com/gunthercox/ChatterBot/security/advisories/GHSA-v4w8-49pv-mf72
https://github.com/gunthercox/ChatterBot/pull/2432
https://github.com/gunthercox/ChatterBot/commit/de89fe648139f8eeacc998ad4524fab291a378cf
https://github.com/gunthercox/ChatterBot/releases/tag/1.2.11
https://github.com/user-attachments/assets/4ee845c4-b847-4854-84ec-4b2fb2f7090f
 
h2o--quicly Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e. A remote attacker can exploit these bugs to trigger an assertion failure that crashes process using Quicly. Commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e fixes the issue. 2026-01-19 7.5 CVE-2025-61684 https://github.com/h2o/quicly/security/advisories/GHSA-wr3c-345m-43v9
https://github.com/h2o/quicly/commit/d9d3df6a8530a102b57d840e39b0311ce5c9e14e
 
HackUCF--OnboardLite OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin when they attempt to migrate a user's discord account in the dashboard. Commit 1d32081a66f21bcf41df1ecb672490b13f6e429f patches the issue. 2026-01-19 7.3 CVE-2026-23880 https://github.com/HackUCF/OnboardLite/security/advisories/GHSA-93w8-83cg-h89g
https://github.com/HackUCF/OnboardLite/commit/1d32081a66f21bcf41df1ecb672490b13f6e429f
 
HAMASTAR Technology--MeetingHub MeetingHub developed by HAMASTAR Technology has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files. 2026-01-22 7.5 CVE-2026-1330 https://www.twcert.org.tw/tw/cp-132-10650-a5ee9-1.html
https://www.twcert.org.tw/en/cp-139-10651-ff09c-2.html
 
Hasura--GraphQL Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the run_sql endpoint by crafting malicious GraphQL queries that execute system commands through PostgreSQL's COPY FROM PROGRAM functionality. 2026-01-21 9.8 CVE-2021-47748 ExploitDB-49802
Hasura GraphQL Engine GitHub Repository
VulnCheck Advisory: Hasura GraphQL 1.3.3 - Remote Code Execution
 
Hestia Control Panel--Hestia Control Panel Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the server. 2026-01-21 8.8 CVE-2021-47871 ExploitDB-49667
Hestia Control Panel Official Homepage
Hestia Control Panel GitHub Repository
VulnCheck Advisory: Hestia Control Panel 1.3.2 - Arbitrary File Write
 
HI-REZ STUDIOS--HiPatchService Hi-Rez Studios 5.1.6.3 contains an unquoted service path vulnerability in the HiPatchService that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. 2026-01-21 7.8 CVE-2021-47862 ExploitDB-49701
Hi-Rez Studios Official Homepage
VulnCheck Advisory: Hi-Rez Studios 5.1.6.3 - 'HiPatchService' Unquoted Service Path
 
Hibernate--Hibernate A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service. 2026-01-23 8.3 CVE-2026-0603 https://access.redhat.com/security/cve/CVE-2026-0603
RHBZ#2427147
 
HID Global--ActivIdentity ActivIdentity 8.2 contains an unquoted service path vulnerability in the ac.sharedstore service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path in C:\Program Files\Common Files\ActivIdentity\ to inject malicious executables and escalate privileges. 2026-01-21 7.8 CVE-2021-47859 ExploitDB-49703
HID Global Official Website
VulnCheck Advisory: ActivIdentity 8.2 - 'ac.sharedstore' Unquoted Service Path
 
Honeywell--WIN-PACK PRO WIN-PACK PRO 4.8 contains an unquoted service path vulnerability in the GuardTourService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in C:\Program Files <x86>\WINPAKPRO\WP GuardTour Service.exe to inject malicious code that would execute during service startup. 2026-01-21 7.8 CVE-2021-47866 ExploitDB-49690
Honeywell Product Webpage
VulnCheck Advisory: WIN-PACK PRO 4.8 - 'GuardTourService' Unquoted Service Path
 
Honeywell--WIN-PACK PRO WIN-PACK PRO 4.8 contains an unquoted service path vulnerability in the WPCommandFileService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files <x86>\WINPAKPRO\WPCommandFileService Service.exe to inject malicious code that would execute with LocalSystem permissions. 2026-01-21 7.8 CVE-2021-47868 ExploitDB-49692
Honeywell Product Webpage
VulnCheck Advisory: WIN-PACK PRO 4.8 - 'WPCommandFileService' Unquoted Service Path
 
horilla-opensource--horilla Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling logic has a flawed equality check that can be bypassed. When an OTP expires, the server returns None, and if an attacker omits the otp field from their POST request, the user-supplied OTP is also None, causing the comparison user_otp == otp to pass. This allows an attacker to bypass two-factor authentication entirely without ever providing a valid OTP. If administrative accounts are targeted, it could lead to compromise of sensitive HR data, manipulation of employee records, and further system-wide abuse. This issue has been fixed in version 1.5.0. 2026-01-22 8.1 CVE-2026-24038 https://github.com/horilla-opensource/horilla/security/advisories/GHSA-hqpv-ff5v-3hwf
https://github.com/horilla-opensource/horilla/releases/tag/1.5.0
 
HTC--IPTInstaller HTC IPTInstaller 4.0.9 contains an unquoted service path vulnerability in the PassThru Service configuration. Attackers can exploit the unquoted binary path to inject and execute malicious code with elevated LocalSystem privileges. 2026-01-25 7.8 CVE-2020-36933 ExploitDB-49006
HTC Official Latin America Homepage
VulnCheck Advisory: IPTInstaller 4.0.9 - 'PassThru Service' Unquoted Service Path
 
hwk-fr--Advanced Custom Fields: Extended The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field. 2026-01-20 9.8 CVE-2025-14533 https://www.wordfence.com/threat-intel/vulnerabilities/id/d44f8af2-3525-4b00-afa8-a908250cc838?source=cve
https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.1/includes/modules/form/module-form-action-user.php#L636
https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/fields/field-user-roles.php#L437
https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/modules/form/module-form-action-user.php#L356
 
I Want Source Codes--Digital Crime Report Management System Digital Crime Report Management System 1.0 contains a critical SQL injection vulnerability affecting multiple login pages that allows unauthenticated attackers to bypass authentication. Attackers can exploit the vulnerability by sending crafted SQL injection payloads in email and password parameters across police, incharge, user, and HQ login endpoints. 2026-01-21 8.2 CVE-2021-47846 ExploitDB-49761
Vendor Homepage
Software Download Link
VulnCheck Advisory: Digital Crime Report Management System 1.0 - SQL Injection
 
ibericode--koko-analytics Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path (`pa`) and referrer (`r`) values to the public tracking endpoint in src/Resources/functions/collect.php, which stores those strings verbatim in the analytics tables. The admin export logic in src/Admin/Data_Export.php writes these stored values directly into SQL INSERT statements without escaping. A crafted path such as "),('999','x');DROP TABLE wp_users;-- breaks out of the value list. When an administrator later imports that export file, the import handler in src/Admin/Data_Import.php reads the uploaded SQL with file_get_contents, performs only a superficial header check, splits on semicolons, and executes each statement via $wpdb->query with no validation of table names or statement types. Additionally, any authenticated user with manage_koko_analytics can upload an arbitrary .sql file and have it executed in the same permissive way. Combined, attacker-controlled input flows from the tracking endpoint into exported SQL and through the import execution sink, or directly via malicious uploads, enabling arbitrary SQL execution. In a worst-case scenario, attackers can achieve arbitrary SQL execution on the WordPress database, allowing deletion of core tables (e.g., wp_users), insertion of backdoor administrator accounts, or other destructive/privilege-escalating actions. Version 2.1.3 patches the issue. 2026-01-19 8.4 CVE-2026-22850 https://github.com/ibericode/koko-analytics/security/advisories/GHSA-jgfh-264m-xh3q
https://github.com/ibericode/koko-analytics/commit/7b7d58f4a1838c8203cf4e7bb59847c982432119
https://drive.google.com/file/d/1HdQKf42prwrBUUG2CwbIkccTp2i6HR6d/view?usp=sharing
 
IBM--ApplinX IBM ApplinX 11.1 is vulnerable due to a privilege escalation vulnerability due to improper verification of JWT tokens. An attacker may be able to craft or modify a JSON web token in order to impersonate another user or to elevate their privileges. 2026-01-20 7.3 CVE-2025-36418 https://www.ibm.com/support/pages/node/7257446
 
IBM--Concert IBM Concert 1.0.0 through 2.1.0 is vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. 2026-01-20 8.8 CVE-2025-33015 https://www.ibm.com/support/pages/node/7257006
 
IBM--IBM Licensing Operator IBM Licensing Operator incorrectly assigns privileges to security critical files which could allow a local root escalation inside a container running the IBM Licensing Operator image. 2026-01-20 8.4 CVE-2025-12985 https://www.ibm.com/support/pages/license-service-privilege-escalation-vulnerability
 
IBM--Sterling Connect:Direct for UNIX Container IBM Sterling Connect:Direct for UNIX Container 6.3.0.0 through 6.3.0.6 Interim Fix 016, and 6.4.0.0 through 6.4.0.3 Interim Fix 019 IBM® Sterling Connect:Direct for UNIX contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. 2026-01-20 8.4 CVE-2025-14115 https://www.ibm.com/support/pages/node/7257143
 
ImageMagick--ImageMagick ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow vulnerability in the XBM image decoder (ReadXBMImage) allows an attacker to write controlled data past the allocated heap buffer when processing a maliciously crafted image file. Any operation that reads or identifies an image can trigger the overflow, making it exploitable via common image upload and processing pipelines. Versions 7.1.2-13 and 6.9.13-38 fix the issue. 2026-01-20 8.1 CVE-2026-23876 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r49w-jqq3-3gx8
https://github.com/ImageMagick/ImageMagick/commit/2fae24192b78fdfdd27d766fd21d90aeac6ea8b8
 
InternationalColorConsortium--iccDEV iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in CIccMpeCalculator::Read(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. 2026-01-24 8.8 CVE-2026-24405 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-2r5c-5w66-47vv
https://github.com/InternationalColorConsortium/iccDEV/issues/479
https://github.com/InternationalColorConsortium/iccDEV/commit/d22fc174866e2521f8a5f9393fab5be306329f62
 
InternationalColorConsortium--iccDEV iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in CIccTagNamedColor2::SetSize(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. 2026-01-24 8.8 CVE-2026-24406 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-h9h3-45cm-j95f
https://github.com/InternationalColorConsortium/iccDEV/issues/480
https://github.com/InternationalColorConsortium/iccDEV/commit/90c71cba2c563b1f5dc84197f827540d1baaea67
 
InternationalColorConsortium--iccDEV iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have aHeap Buffer Overflow vulnerability in the CIccTagXmlSegmentedCurve::ToXml() function. This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. 2026-01-24 8.8 CVE-2026-24412 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-6rf4-63j2-cfrf
https://github.com/InternationalColorConsortium/iccDEV/issues/518
https://github.com/InternationalColorConsortium/iccDEV/commit/2be3b125933a57fe8b6624e9dfd69d8e5360bf70
 
InternationalColorConsortium--iccDEV iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, an integer overflow vulnerability exists in icValidateStatus CIccProfile::CheckHeader() when user-controllable input is incorporated into profile data unsafely. Tampering with tag tables, offsets, or size fields can trigger parsing errors, memory corruption, or DoS, potentially enabling arbitrary Code Execution or bypassing application logic. This issue has been fixed in version 2.3.1.2. 2026-01-24 7.1 CVE-2026-24403 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-ph33-qp8j-5q34
https://github.com/InternationalColorConsortium/iccDEV/issues/505
https://github.com/InternationalColorConsortium/iccDEV/commits/d993997005449a0a6958e65b057bd25e17dff89
 
InternationalColorConsortium--iccDEV iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, CIccXmlArrayType() contains a Null Pointer Dereference and Undefined Behavior vulnerability. This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. 2026-01-24 7.1 CVE-2026-24404 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-hqfg-45jp-hp9f
https://github.com/InternationalColorConsortium/iccDEV/issues/488
https://github.com/InternationalColorConsortium/iccDEV/commit/cd637eb33f0c8055fa54d8776e00555d3d39ef0c
 
InternationalColorConsortium--iccDEV iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior in icSigCalcOp(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. 2026-01-24 7.1 CVE-2026-24407 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-m6gx-93cp-4855
https://github.com/InternationalColorConsortium/iccDEV/issues/481
https://github.com/InternationalColorConsortium/iccDEV/commit/881802931a71c4b0dfc28bc80ee55b2cb84dab90
 
InternationalColorConsortium--iccDEV iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and Null Pointer Deference in CIccTagXmlFloatNum<>::ParseXml(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. 2026-01-24 7.1 CVE-2026-24409 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-398v-jvcg-p8f3
https://github.com/InternationalColorConsortium/iccDEV/issues/484
https://github.com/InternationalColorConsortium/iccDEV/commit/9f134c44895edd2edca4bcb97e15c0ba9aa77382
 
InternationalColorConsortium--iccDEV iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and Null Pointer Deference in CIccProfileXml::ParseBasic(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. 2026-01-24 7.1 CVE-2026-24410 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-398q-4rpv-3v9r
https://github.com/InternationalColorConsortium/iccDEV/issues/507
https://github.com/InternationalColorConsortium/iccDEV/commit/3cf522b13832692b107322cd51c4ae5c3a21f366
 
InternationalColorConsortium--iccDEV iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior in CIccTagXmlSegmentedCurve::ToXml(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. 2026-01-24 7.1 CVE-2026-24411 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-x53f-7h27-9fc8
https://github.com/InternationalColorConsortium/iccDEV/issues/499
https://github.com/InternationalColorConsortium/iccDEV/commit/d6d6f51a999d4266ec09347cac7e0930d6e02eec
 
irisideatechsolutions--Kalrav AI Agent The Kalrav AI Agent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the kalrav_upload_file AJAX action in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. 2026-01-24 9.8 CVE-2025-13374 https://www.wordfence.com/threat-intel/vulnerabilities/id/5dc8feae-fc89-4152-b9b2-2b70e6ccb30b?source=cve
https://plugins.trac.wordpress.org/browser/kalrav-ai-agent/trunk/kalrav-ai-agent.php#L967
https://plugins.trac.wordpress.org/browser/kalrav-ai-agent/tags/2.3.3/kalrav-ai-agent.php#L967
https://github.com/d0n601/CVE-2025-13374
https://ryankozak.com/posts/cve-2025-13374
 
isaacs--node-tar node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue. 2026-01-20 8.8 CVE-2026-23950 https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w
https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6
 
ISC--BIND 9 Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1. 2026-01-21 7.5 CVE-2025-13878 CVE-2025-13878
https://downloads.isc.org/isc/bind9/9.18.44
https://downloads.isc.org/isc/bind9/9.20.18
https://downloads.isc.org/isc/bind9/9.21.17
 
itsourcecode--Online Frozen Foods Ordering System A weakness has been identified in itsourcecode Online Frozen Foods Ordering System 1.0. This issue affects some unknown processing of the file /order_online.php. Executing a manipulation of the argument product_name can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. 2026-01-19 7.3 CVE-2026-1159 VDB-341753 | itsourcecode Online Frozen Foods Ordering System order_online.php sql injection
VDB-341753 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #736332 | itsourcecode Online Frozen Foods Ordering System V1.0 SQL Injection
https://github.com/YouSeeYouOneDayDayDe/Nick_1321_vuls/issues/1
https://itsourcecode.com/
 
itsourcecode--School Management System A security flaw has been discovered in itsourcecode School Management System 1.0. Affected is an unknown function of the file /subject/index.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. 2026-01-19 7.3 CVE-2026-1176 VDB-341770 | itsourcecode School Management System index.php sql injection
VDB-341770 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #736477 | itsourcecode School Management System V1.0 SQL Injection
https://github.com/ltranquility/CVE/issues/32
https://itsourcecode.com/
 
jaraco--jaraco.context jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow attackers to extract files outside the intended extraction directory when malicious tar archives are processed. The strip_first_component filter splits the path on the first `/` and extracts the second component, while allowing `../` sequences. Paths like `dummy_dir/../../etc/passwd` become `../../etc/passwd`. Note that this suffers from a nested tarball attack as well with multi-level tar files such as `dummy_dir/inner.tar.gz`, where the inner.tar.gz includes a traversal `dummy_dir/../../config/.env` that also gets translated to `../../config/.env`. Version 6.1.0 contains a patch for the issue. 2026-01-20 8.6 CVE-2026-23949 https://github.com/jaraco/jaraco.context/security/advisories/GHSA-58pv-8j8x-9vj2
https://github.com/jaraco/jaraco.context/commit/7b26a42b525735e4085d2e994e13802ea339d5f9
https://github.com/jaraco/jaraco.context/blob/main/jaraco/context/__init__.py#L74-L91
https://github.com/pypa/setuptools/blob/main/setuptools/_vendor/jaraco/context.py#L55-L76
 
JNC--IAQS IAQS and I6 developed by JNC has a Client-Side Enforcement of Server-Side Security vulnerability, allowing unauthenticated remote attackers to gain administrator privileges by manipulating the web front-end. 2026-01-23 9.8 CVE-2026-1363 https://www.twcert.org.tw/tw/cp-132-10652-4cdca-1.html
https://www.twcert.org.tw/en/cp-139-10653-117a1-2.html
 
JNC--IAQS IAQS and I6 developed by JNC has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly operate system administrative functionalities. 2026-01-23 9.8 CVE-2026-1364 https://www.twcert.org.tw/tw/cp-132-10652-4cdca-1.html
https://www.twcert.org.tw/en/cp-139-10653-117a1-2.html
 
JuneAndGreen--sm-crypto sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A private key recovery vulnerability exists in the SM2 decryption logic of sm-crypto prior to version 0.3.14. By interacting with the SM2 decryption interface multiple times, an attacker can fully recover the private key within approximately several hundred interactions. Version 0.3.14 patches the issue. 2026-01-22 9.1 CVE-2026-23966 https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-pgx9-497m-6c4v
https://github.com/JuneAndGreen/sm-crypto/commit/b1c824e58fdf1eaa73692c124a095819a8c45707
 
JuneAndGreen--sm-crypto sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature forgery vulnerability exists in the SM2 signature verification logic of sm-crypto prior to version 0.4.0. Under default configurations, an attacker can forge valid signatures for arbitrary public keys. If the message space contains sufficient redundancy, the attacker can fix the prefix of the message associated with the forged signature to satisfy specific formatting requirements. Version 0.4.0 patches the issue. 2026-01-22 7.5 CVE-2026-23965 https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-hpwg-xg7m-3p6m
https://github.com/JuneAndGreen/sm-crypto/commit/85295a859d0766222d12ce2be3e6fce7b438b510
 
JuneAndGreen--sm-crypto sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature malleability vulnerability exists in the SM2 signature verification logic of the sm-crypto library prior to version 0.3.14. An attacker can derive a new valid signature for a previously signed message from an existing signature. Version 0.3.14 patches the issue. 2026-01-22 7.5 CVE-2026-23967 https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-qv7w-v773-3xqm
 
KMSpico--Service KMSELDI KMSpico 17.1.0.0 contains an unquoted service path vulnerability in the Service KMSELDI configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path in C:\Program Files\KMSpico\Service_KMS.exe to inject malicious executables and escalate privileges. 2026-01-25 7.8 CVE-2020-36935 ExploitDB-49003
Official KMSpico Homepage
VulnCheck Advisory: KMSpico 17.1.0.0 - 'Service KMSELDI' Unquoted Service Path
 
kodezen--Academy LMS WordPress LMS Plugin for Complete eLearning Solution The Academy LMS - WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user's identity prior to updating their password and relying solely on a publicly-exposed nonce for authorization. This makes it possible for unauthenticated attackers to change arbitrary user's password, including administrators, and gain access to their account. 2026-01-21 9.8 CVE-2025-15521 https://www.wordfence.com/threat-intel/vulnerabilities/id/6687ebbe-fdf4-4ecb-bf59-034bb4b0104c?source=cve
https://plugins.trac.wordpress.org/browser/academy/tags/3.5.0/includes/functions.php#L1581
 
kohler--hotcrp HotCRP is conference review software. A problem introduced in April 2024 in version 3.1 led to inadequately sanitized code generation for HotCRP formulas which allowed users to trigger the execution of arbitrary PHP code. The problem is patched in release version 3.2. 2026-01-19 10 CVE-2026-23836 https://github.com/kohler/hotcrp/security/advisories/GHSA-hpqh-j6qx-x57h
https://github.com/kohler/hotcrp/commit/4674fcfbb76511072a1145dad620756fc1d4b4e9
https://github.com/kohler/hotcrp/commit/bfc7e0db15df6ed6d544a639020d2ce05a5f0834
 
Kozea--WeasyPrint WeasyPrint helps web developers to create PDF documents. Prior to version 68.0, a server-side request forgery (SSRF) protection bypass exists in WeasyPrint's `default_url_fetcher`. The vulnerability allows attackers to access internal network resources (such as `localhost` services or cloud metadata endpoints) even when a developer has implemented a custom `url_fetcher` to block such access. This occurs because the underlying `urllib` library follows HTTP redirects automatically without re-validating the new destination against the developer's security policy. Version 68.0 contains a patch for the issue. 2026-01-19 7.5 CVE-2025-68616 https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-983w-rhvv-gwmv
https://github.com/Kozea/WeasyPrint/commit/b6a14f0f3f4ce9c0c75c1a2d73cb1c5d43f0e565
 
laravel--reverb Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP's unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication, but only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback, and/or set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic entirely (if the environment uses only one Reverb node). 2026-01-21 9.8 CVE-2026-23524 https://github.com/laravel/reverb/security/advisories/GHSA-m27r-m6rx-mhm4
https://github.com/laravel/reverb/commit/9ec26f8ffbb701f84920dd0bb9781a1797591f1a
https://cwe.mitre.org/data/definitions/502.html
https://github.com/laravel/reverb/releases/tag/v1.7.0
https://laravel.com/docs/12.x/reverb#scaling
 
leepeuker--movary Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryUpdated=`. Version 0.70.0 fixes the issue. 2026-01-19 9.3 CVE-2026-23839 https://github.com/leepeuker/movary/security/advisories/GHSA-v32w-5qx7-p3vq
https://github.com/leepeuker/movary/blob/main/public/js/settings-account-location.js#L237
https://github.com/leepeuker/movary/releases/tag/0.70.0
 
leepeuker--movary Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryDeleted=`. Version 0.70.0 fixes the issue. 2026-01-19 9.3 CVE-2026-23840 https://github.com/leepeuker/movary/security/advisories/GHSA-pj3m-gmq8-2r57
https://github.com/leepeuker/movary/blob/main/public/js/settings-account-location.js#L204
https://github.com/leepeuker/movary/releases/tag/0.70.0
 
leepeuker--movary Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryCreated=`. Version 0.70.0 fixes the issue. 2026-01-19 9.3 CVE-2026-23841 https://github.com/leepeuker/movary/security/advisories/GHSA-v877-x568-4v5v
https://github.com/leepeuker/movary/releases/tag/0.70.0
 
LiteSpeed Technologies Inc--LiteSpeed Web Server Enterprise LiteSpeed Web Server Enterprise 5.4.11 contains an authenticated command injection vulnerability in the external app configuration interface. Authenticated administrators can inject shell commands through the 'Command' parameter in the server configuration, allowing remote code execution via path traversal and bash command injection. 2026-01-23 8.8 CVE-2021-47903 ExploitDB-49523
LiteSpeed Technologies Official Homepage
LiteSpeed Web Server Product Page
VulnCheck Advisory: LiteSpeed Web Server Enterprise 5.4.11 - Command Injection
 
LiteSpeed Technologies--OpenLiteSpeed Openlitespeed 1.7.9 contains a stored cross-site scripting vulnerability in the dashboard's Notes parameter that allows administrators to inject malicious scripts. Attackers can craft a payload in the Notes field during listener configuration that will execute when an administrator clicks on the Default Icon. 2026-01-21 7.2 CVE-2021-47855 ExploitDB-49727
OpenLiteSpeed Vendor Homepage
VulnCheck Advisory: Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting
 
Luidia--eBeam Education Suite eBeam Education Suite 2.5.0.9 contains an unquoted service path vulnerability in the eBeam Device Service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem privileges during service startup. 2026-01-21 7.8 CVE-2021-47878 ExploitDB-49647
Software Download Page
VulnCheck Advisory: eBeam Education Suite 2.5.0.9 - 'eBeam Device Service' Unquoted Service Path
 
Luidia--eBeam Interactive Suite eBeam Interactive Suite 3.6 contains an unquoted service path vulnerability in the eBeam Stylus Driver service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Luidia\eBeam Stylus Driver\ to inject malicious executables that would run with LocalSystem permissions. 2026-01-21 7.8 CVE-2021-47879 ExploitDB-49648
Software Download Page
VulnCheck Advisory: eBeam Interactive Suite 3.6 - 'eBeam Stylus Driver' Unquoted Service Path
 
lxc--incus Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a custom YAML configuration (e.g a member of the 'incus' group) can create an environment variable containing newlines, which can be used to add additional configuration items in the container's lxc.conf due to newline injection. This can allow adding arbitrary lifecycle hooks, ultimately resulting in arbitrary command execution on the host. Exploiting this issue on IncusOS requires a slight modification of the payload to change to a different writable directory for the validation step (e.g /tmp). This can be confirmed with a second container with /tmp mounted from the host (A privileged action for validation only). A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication. 2026-01-22 8.7 CVE-2026-23953 https://github.com/lxc/incus/security/advisories/GHSA-x6jc-phwx-hp32
https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L1081
https://github.com/user-attachments/files/24473682/environment_newline_injection.sh
https://github.com/user-attachments/files/24473685/environment_newline_injection.patch
 
lxc--incus Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g a member of the 'incus' group) to use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write. This ultimately results in arbitrary command execution on the host. When using an image with a metadata.yaml containing templates, both the source and target paths are not checked for symbolic links or directory traversal. This can also be exploited in IncusOS. A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication. 2026-01-22 8.7 CVE-2026-23954 https://github.com/lxc/incus/security/advisories/GHSA-7f67-crqm-jgh7
https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7215
https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7294
https://github.com/user-attachments/files/24473599/template_arbitrary_write.sh
https://github.com/user-attachments/files/24473601/templates_arbitrary_write.patch
 
lxsmnsyc--seroval seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON deserialization functionality. This issue is fixed in version 1.4.1. 2026-01-21 7.3 CVE-2026-23736 https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hj76-42vx-jwp4
https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060
 
lxsmnsyc--seroval seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via overriding constant value and error deserialization, allowing indirect access to unsafe JS evaluation. At minimum, attackers need the ability to perform 4 separate requests on the same function, and partial knowledge of how the serialized data is used during later runtime processing. This vulnerability affects the fromJSON and fromCrossJSON functions in a client-to-server transmission scenario. This issue has been fixed in version 1.4.0. 2026-01-21 7.5 CVE-2026-23737 https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3rxj-6cgf-8cfw
https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060
 
lxsmnsyc--seroval seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1. 2026-01-22 7.5 CVE-2026-23956 https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hx9m-jf43-8ffr
https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060
 
lxsmnsyc--seroval seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding encoded array lengths by replacing them with an excessively large value causes the deserialization process to significantly increase processing time. This issue has been fixed in version 1.4.1. 2026-01-22 7.5 CVE-2026-23957 https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-66fc-rw6m-c2q6
https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060
 
lxsmnsyc--seroval Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a `depthLimit` parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached. 2026-01-22 7.5 CVE-2026-24006 https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3j22-8qj3-26mx
https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060
 
MacPaw Way Ltd.--Encrypto MacPaw Encrypto 1.0.1 contains an unquoted service path vulnerability in its Encrypto Service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files\Encrypto\ to inject malicious executables and escalate privileges on Windows systems. 2026-01-21 7.8 CVE-2021-47863 ExploitDB-49694
MacPaw Encrypto Official Homepage
VulnCheck Advisory: MacPaw Encrypto 1.0.1 - 'Encrypto Service' Unquoted Service Path
 
Magic Utilities--Magic Mouse 2 utilities Magic Mouse 2 Utilities 2.20 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path to inject malicious executables and gain elevated system privileges by placing a malicious file in the service path. 2026-01-25 7.8 CVE-2020-36936 ExploitDB-49017
Magic Utilities Vendor Homepage
VulnCheck Advisory: Magic Mouse 2 utilities 2.20 - 'magicmouse2service' Unquoted Service Path
 
mastodon--mastodon Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote posts, allowing attackers to create polls with a very large amount of options, greatly increasing resource consumption. Depending on the number of poll options, an attacker can cause disproportionate resource usage in both Mastodon servers and clients, potentially causing Denial of Service either server-side or client-side. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched. 2026-01-22 7.5 CVE-2026-23962 https://github.com/mastodon/mastodon/security/advisories/GHSA-gg8q-rcg7-p79g
https://github.com/mastodon/mastodon/releases/tag/v4.3.18
https://github.com/mastodon/mastodon/releases/tag/v4.4.12
https://github.com/mastodon/mastodon/releases/tag/v4.5.5
 
MedDream--MedDream PACS Premium An arbitrary file read vulnerability exists in the encapsulatedDoc functionality of MedDream PACS Premium 7.3.6.870. A specially crafted HTTP request can lead to an arbitrary file read. An attacker can send http request to trigger this vulnerability. 2026-01-20 9.6 CVE-2025-53912 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2273
 
melapress--Melapress Role Editor The Melapress Role Editor plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.1. This is due to a misconfigured capability check on the 'save_secondary_roles_field' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to assign themselves additional roles including Administrator. 2026-01-23 8.8 CVE-2025-14866 https://www.wordfence.com/threat-intel/vulnerabilities/id/0509aaf1-8aae-42e5-84d3-ea9b431703f3?source=cve
https://plugins.trac.wordpress.org/browser/melapress-role-editor/tags/1.1.0/classes/admin/ajax/class-admin-ajax.php
https://plugins.trac.wordpress.org/browser/melapress-role-editor/tags/1.1.0/classes/admin/additional-form-fields/class-user-profile.php#L103
https://plugins.trac.wordpress.org/changeset/3439348/
 
Microsoft--Azure Data Explorer Exposure of sensitive information to an unauthorized actor in Azure Data Explorer allows an unauthorized attacker to disclose information over a network. 2026-01-22 7.4 CVE-2026-21524 Azure Data Explorer Information Disclosure Vulnerability
 
Microsoft--Azure Front Door Improper access control in Azure Front Door (AFD) allows an unauthorized attacker to elevate privileges over a network. 2026-01-22 9.8 CVE-2026-24306 Azure Front Door Elevation of Privilege Vulnerability
 
Microsoft--Azure Logic Apps Improper limitation of a pathname to a restricted directory ('path traversal') in Azure Logic Apps allows an unauthorized attacker to elevate privileges over a network. 2026-01-22 8.2 CVE-2026-21227 Azure Logic Apps Elevation of Privilege Vulnerability
 
Microsoft--Azure Resource Manager Improper access control in Azure Resource Manager allows an authorized attacker to elevate privileges over a network. 2026-01-23 9.9 CVE-2026-24304 Azure Resource Manager Elevation of Privilege Vulnerability
 
Microsoft--Microsoft 365 Copilot Improper validation of specified type of input in M365 Copilot allows an unauthorized attacker to disclose information over a network. 2026-01-22 9.3 CVE-2026-24307 M365 Copilot Information Disclosure Vulnerability
 
Microsoft--Microsoft 365 Word Copilot Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized attacker to disclose information over a network. 2026-01-22 7.4 CVE-2026-21521 Word Copilot Information Disclosure Vulnerability
 
Microsoft--Microsoft Account Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Account allows an unauthorized attacker to perform spoofing over a network. 2026-01-22 9.3 CVE-2026-21264 Microsoft Account Spoofing Vulnerability
 
Microsoft--Microsoft Copilot Studio Exposure of Sensitive Information to an Unauthorized Actor in Copilot Studio allows a unauthenticated attacker to view sensitive information through network attack vector 2026-01-22 7.5 CVE-2026-21520 Copilot Studio Information Disclosure Vulnerability
 
Microsoft--Microsoft Entra Azure Entra ID Elevation of Privilege Vulnerability 2026-01-22 9.3 CVE-2026-24305 Azure Entra ID Elevation of Privilege Vulnerability
 
Microvirt--MEMU PLAY Microvirt MEMU Play 3.7.0 contains an unquoted service path vulnerability in the MEmusvc Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with elevated LocalSystem privileges. 2026-01-25 7.8 CVE-2020-36937 ExploitDB-49016
Official MEMU Play Product Homepage
VulnCheck Advisory: MEMU PLAY 3.7.0 - 'MEmusvc' Unquoted Service Path
 
Moodle--Moodle A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient validation of restore input, which leads to unintended interpretation by core restore routines. Successful exploitation could result in a full compromise of the Moodle application. 2026-01-23 8.8 CVE-2025-67847 https://access.redhat.com/security/cve/CVE-2025-67847
 
Moodle--Moodle Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event with malicious JavaScript in the subtitle track label to execute arbitrary code when users view the event. 2026-01-21 7.2 CVE-2021-47857 ExploitDB-49714
Official Moodle Project Homepage
VulnCheck Advisory: Moodle 3.10.3 - 'label' Persistent Cross Site Scripting
 
nanbingxyz--5ire 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe HTML rendering permits untrusted HTML (including on* event attributes) to execute in the renderer context. An attacker can inject an `<img onerror=...>` payload to run arbitrary JavaScript in the renderer, which can call exposed bridge APIs such as `window.bridge.mcpServersManager.createServer`. This enables unauthorized creation of MCP servers and lead to remote command execution. Version 0.15.3 fixes the issue. 2026-01-21 9.7 CVE-2026-22792 https://github.com/nanbingxyz/5ire/security/advisories/GHSA-p5fm-wm8g-rffx
https://github.com/nanbingxyz/5ire/releases/tag/v0.15.3
 
nanbingxyz--5ire 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe option parsing vulnerability in the ECharts Markdown plugin allows any user able to submit ECharts code blocks to execute arbitrary JavaScript code in the renderer context. This can lead to Remote Code Execution (RCE) in environments where privileged APIs (such as Electron's electron.mcp) are exposed, resulting in full compromise of the host system. Version 0.15.3 patches the issue. 2026-01-21 9.7 CVE-2026-22793 https://github.com/nanbingxyz/5ire/security/advisories/GHSA-wg3x-7c26-97wj
https://github.com/nanbingxyz/5ire/releases/tag/v0.15.3
 
NodeBB--NodeBB Plugin Emoji NodeBB Plugin Emoji 3.2.1 contains an arbitrary file write vulnerability that allows administrative users to write files to arbitrary system locations through the emoji upload API. Attackers with admin access can craft file upload requests with directory traversal to overwrite system files by manipulating the file path parameter. 2026-01-21 7.5 CVE-2021-47746 ExploitDB-49813
Official NodeBB Homepage
NodeBB Emoji Plugin GitHub Repository
VulnCheck Advisory: NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write
 
Northwest Performance Software, Inc.--Managed Switch Port Mapping Tool Managed Switch Port Mapping Tool 2.85.2 contains a denial of service vulnerability that allows attackers to crash the application by creating an oversized buffer. Attackers can generate a 10,000-character buffer and paste it into the IP Address and SNMP Community Name fields to trigger the application crash. 2026-01-23 7.5 CVE-2021-47894 ExploitDB-49566
Vendor Homepage
Software Download Page
VulnCheck Advisory: Managed Switch Port Mapping Tool 2.85.2 - Denial of Service
 
Nsauditor--Nsauditor Nsauditor 3.2.2.0 contains a denial of service vulnerability that allows attackers to crash the application by overwriting the Event Description field with a large buffer. Attackers can generate a 10,000-character 'U' buffer and paste it into the Event Description field to trigger an application crash. 2026-01-23 7.5 CVE-2021-47895 ExploitDB-49568
Official Vendor Homepage
VulnCheck Advisory: Nsauditor 3.2.2.0 - 'Event Description' Denial of Service
 
NVIDIA--CUDA Toolkit NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the process_nsys_rep_cli.py script if the script is invoked manually. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure. 2026-01-20 7.3 CVE-2025-33228 https://nvd.nist.gov/vuln/detail/CVE-2025-33228
https://www.cve.org/CVERecord?id=CVE-2025-33228
https://nvidia.custhelp.com/app/answers/detail/a_id/5755
 
NVIDIA--CUDA Toolkit NVIDIA Nsight Visual Studio for Windows contains a vulnerability in Nsight Monitor where an attacker can execute arbitrary code with the same privileges as the NVIDIA Nsight Visual Studio Edition Monitor application. A successful exploit of this vulnerability may lead to escalation of privileges, code execution, data tampering, denial of service, and information disclosure. 2026-01-20 7.3 CVE-2025-33229 https://nvd.nist.gov/vuln/detail/CVE-2025-33229
https://www.cve.org/CVERecord?id=CVE-2025-33229
https://nvidia.custhelp.com/app/answers/detail/a_id/5755
 
NVIDIA--CUDA Toolkit NVIDIA Nsight Systems for Linux contains a vulnerability in the .run installer, where an attacker could cause an OS command injection by supplying a malicious string to the installation path. A successful exploit of this vulnerability might lead to escalation of privileges, code execution, data tampering, denial of service, and information disclosure. 2026-01-20 7.3 CVE-2025-33230 https://nvd.nist.gov/vuln/detail/CVE-2025-33230
https://www.cve.org/CVERecord?id=CVE-2025-33230
https://nvidia.custhelp.com/app/answers/detail/a_id/5755
 
NVIDIA--Merlin Transformers4Rec NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. 2026-01-20 7.8 CVE-2025-33233 https://nvd.nist.gov/vuln/detail/CVE-2025-33233
https://www.cve.org/CVERecord?id=CVE-2025-33233
https://nvidia.custhelp.com/app/answers/detail/a_id/5761
 
OKI--Configuration Tool OKI Configuration Tool 1.6.53 contains an unquoted service path vulnerability in the OKI Local Port Manager service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Okidata\Common\extend3\portmgrsrv.exe' to inject malicious executables and escalate privileges. 2026-01-21 7.8 CVE-2021-47884 ExploitDB-49624
Archived OKI Product Webpage
VulnCheck Advisory: Configuration Tool 1.6.53 - 'OpLclSrv' Unquoted Service Path
 
OKI--Print Job Accounting OKI Print Job Accounting 4.4.10 contains an unquoted service path vulnerability in the OkiJaSvc service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Okidata\Print Job Accounting\' to inject malicious executables and escalate privileges. 2026-01-21 7.8 CVE-2021-47887 ExploitDB-49623
Archived OKI Product Webpage
VulnCheck Advisory: Print Job Accounting 4.4.10 - 'OkiJaSvc' Unquoted Service Path
 
OpenStack--keystonemiddleware An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. The external_oauth2_token middleware fails to sanitize incoming authentication headers before processing OAuth 2.0 tokens. By sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated attacker may escalate privileges or impersonate other users. All deployments using the external_oauth2_token middleware are affected. 2026-01-19 9.9 CVE-2026-22797 https://launchpad.net/bugs/2129018
https://www.openwall.com/lists/oss-security/2026/01/16/9
 
opf--openproject OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject's roadmap view renders the "Related work packages" list for each version. When a version contains work packages from a different project (e.g., a subproject), the helper link_to_work_package prepends package.project.to_s to the link and returns the entire string with .html_safe. Because project names are user-controlled and no escaping happens before calling html_safe, any HTML placed in a subproject name is injected verbatim into the page. The underlying issue is mitigated in versions 16.6.5 and 17.0.0 by setting a `X-Content-Type-Options: nosniff` header, which was in place until a refactoring move to Rails standard content-security policy, which did not properly apply this header in the new configuration since OpenProject 16.3.0. Those who cannot upgrade their installations should ensure that they add a X-Content-Type-Options: nosniff header in their proxying web application server. 2026-01-19 8.7 CVE-2026-23625 https://github.com/opf/openproject/security/advisories/GHSA-cvpq-cc56-gwxx
https://github.com/opf/openproject/releases/tag/v16.6.5
https://github.com/opf/openproject/releases/tag/v17.0.0
 
Oracle Corporation--Oracle Agile PLM Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: User and User Group). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). 2026-01-20 7.5 CVE-2026-21940 Oracle Advisory
 
Oracle Corporation--Oracle Agile Product Lifecycle Management for Process Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Supplier Portal). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in takeover of Oracle Agile Product Lifecycle Management for Process. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 2026-01-20 9.8 CVE-2026-21969 Oracle Advisory
 
Oracle Corporation--Oracle Business Intelligence Enterprise Edition Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Oracle Analytics Cloud). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Business Intelligence Enterprise Edition executes to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). 2026-01-20 7.1 CVE-2026-21976 Oracle Advisory
 
Oracle Corporation--Oracle Database Server Vulnerability in the SQLcl component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.0. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where SQLcl executes to compromise SQLcl. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of SQLcl. CVSS 3.1 Base Score 7.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). 2026-01-20 7 CVE-2026-21939 Oracle Advisory
 
Oracle Corporation--Oracle FLEXCUBE Investor Servicing Vulnerability in the Oracle FLEXCUBE Investor Servicing product of Oracle Financial Services Applications (component: Security Management System). Supported versions that are affected are 14.5.0.15.0, 14.7.0.8.0 and 14.8.0.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Investor Servicing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle FLEXCUBE Investor Servicing accessible data as well as unauthorized access to critical data or complete access to all Oracle FLEXCUBE Investor Servicing accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). 2026-01-20 8.1 CVE-2026-21973 Oracle Advisory
 
Oracle Corporation--Oracle Hospitality OPERA 5 Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Opera Servlet). Supported versions that are affected are 5.6.19.23, 5.6.25.17, 5.6.26.10 and 5.6.27.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 accessible data as well as unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hospitality OPERA 5. CVSS 3.1 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L). 2026-01-20 8.6 CVE-2026-21967 Oracle Advisory
 
Oracle Corporation--Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data. Note: Affected version for Weblogic Server Proxy Plug-in for IIS is 12.2.1.4.0 only. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). 2026-01-20 10 CVE-2026-21962 Oracle Advisory
 
Oracle Corporation--Oracle Java SE Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N). 2026-01-20 7.4 CVE-2026-21932 Oracle Advisory
 
Oracle Corporation--Oracle Java SE Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 2026-01-20 7.5 CVE-2026-21945 Oracle Advisory
 
Oracle Corporation--Oracle VM VirtualBox Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). 2026-01-20 8.2 CVE-2026-21955 Oracle Advisory
 
Oracle Corporation--Oracle VM VirtualBox Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). 2026-01-20 8.2 CVE-2026-21956 Oracle Advisory
 
Oracle Corporation--Oracle VM VirtualBox Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). 2026-01-20 8.2 CVE-2026-21987 Oracle Advisory
 
Oracle Corporation--Oracle VM VirtualBox Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). 2026-01-20 8.2 CVE-2026-21988 Oracle Advisory
 
Oracle Corporation--Oracle VM VirtualBox Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L). 2026-01-20 8.1 CVE-2026-21989 Oracle Advisory
 
Oracle Corporation--Oracle VM VirtualBox Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). 2026-01-20 8.2 CVE-2026-21990 Oracle Advisory
 
Oracle Corporation--Oracle VM VirtualBox Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). 2026-01-20 7.5 CVE-2026-21957 Oracle Advisory
 
Oracle Corporation--Oracle VM VirtualBox Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows unauthenticated attacker with access to the physical communication segment attached to the hardware where the Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). 2026-01-20 7.5 CVE-2026-21982 Oracle Advisory
 
Oracle Corporation--Oracle VM VirtualBox Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). 2026-01-20 7.5 CVE-2026-21983 Oracle Advisory
 
Oracle Corporation--Oracle VM VirtualBox Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). 2026-01-20 7.5 CVE-2026-21984 Oracle Advisory
 
Oracle Corporation--Oracle VM VirtualBox Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: This vulnerability applies to Windows VMs only. CVSS 3.1 Base Score 7.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H). 2026-01-20 7.1 CVE-2026-21986 Oracle Advisory
 
Oracle Corporation--Siebel CRM Deployment Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Server Infrastructure). Supported versions that are affected are 17.0-25.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Siebel CRM Deployment. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Siebel CRM Deployment. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 2026-01-20 7.5 CVE-2026-21926 Oracle Advisory
 
OSAS--OSAS Traverse Extension OSAS Traverse Extension 11 contains an unquoted service path vulnerability in the TravExtensionHostSvc service running with LocalSystem privileges. Attackers can exploit the unquoted path to inject and execute malicious code by placing executable files in the service's path, potentially gaining elevated system access. 2026-01-21 7.8 CVE-2021-47864 ExploitDB-49698
Archived Vendor Homepage
VulnCheck Advisory: OSAS Traverse Extension 11 - 'travextensionhostsvc' Unquoted Service Path
 
pbatard--rufus Rufus is a utility that helps format and create bootable USB flash drives. Versions 4.11 and below contain a race condition (TOCTOU) in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Since Rufus runs with elevated privileges (Administrator) but writes the script to the %TEMP% directory (writeable by standard users) without locking the file, a local attacker can replace the legitimate script with a malicious one between the file write operation and the execution step. This allows arbitrary code execution with Administrator privileges. This issue has been fixed in version 4.12_BETA. 2026-01-22 7.3 CVE-2026-23988 https://github.com/pbatard/rufus/security/advisories/GHSA-hcx5-hrhj-xhq9
https://github.com/pbatard/rufus/commit/460cc5768aa45be07941b9e4ebc9bee02d282873
https://github.com/pbatard/rufus/releases/tag/v4.12_BETA
 
PDF Complete, Inc.--PDFCOMPLETE Corporate Edition PDF Complete Corporate Edition 4.1.45 contains an unquoted service path vulnerability in the pdfcDispatcher service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in the service binary location to inject malicious executables that will be run with elevated LocalSystem privileges. 2026-01-23 7.8 CVE-2021-47896 ExploitDB-49558
Vendor Homepage
Software Download Page
VulnCheck Advisory: PDFCOMPLETE Corporate Edition 4.1.45 - 'pdfcDispatcher' Unquoted Service Path
 
PEEL eCommerce--PEEL Shopping PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the 'Comments / Special Instructions' parameter of the purchase page. Attackers can inject malicious JavaScript payloads that will execute when the page is refreshed, potentially allowing client-side script execution. 2026-01-23 7.2 CVE-2021-47892 ExploitDB-49574
Archived Vendor Homepage
VulnCheck Advisory: PEEL Shopping 9.3.0 - 'Comments/Special Instructions' Stored Cross-Site Scripting
 
PEEL eCommerce--PEEL Shopping PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the address parameter of the change_params.php script. Attackers can inject malicious JavaScript payloads that execute when users interact with the address text box, potentially enabling client-side script execution. 2026-01-23 7.2 CVE-2021-47897 ExploitDB-49553
Archived Vendor Homepage
VulnCheck Advisory: PEEL Shopping 9.3.0 - 'address' Stored Cross-Site Scripting
 
PHPGurukul--Directory Management System A security vulnerability has been detected in PHPGurukul Directory Management System 1.0. Impacted is an unknown function of the file /index.php of the component Search. The manipulation of the argument searchdata leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. 2026-01-19 7.3 CVE-2026-1160 VDB-341754 | PHPGurukul Directory Management System Search index.php sql injection
VDB-341754 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #736333 | itsourcecode Directory Management System V1.0 SQL Injection
https://github.com/YouSeeYouOneDayDayDe/Nick_1321_vuls/issues/2
https://phpgurukul.com/
 
phppgadmin--phpPgAdmin phpPgAdmin 7.13.0 contains a remote command execution vulnerability that allows authenticated attackers to execute arbitrary system commands through SQL query manipulation. Attackers can create a custom table, upload a malicious .txt file, and use the COPY FROM PROGRAM command to execute operating system commands with the application's privileges. 2026-01-21 8.8 CVE-2021-47853 ExploitDB-49736
phpPgAdmin Official Release Page
VulnCheck Advisory: phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution
 
Phreesoft--PhreeBooks PhreeBooks 5.2.3 contains an authenticated file upload vulnerability in the Image Manager that allows remote code execution. Attackers can upload a malicious PHP web shell by exploiting unrestricted file type uploads to gain command execution on the server. 2026-01-23 8.8 CVE-2021-47904 ExploitDB-49524
Official Vendor Homepage
ExploitDB-46645
Web Shell Payload Gist
VulnCheck Advisory: PhreeBooks 5.2.3 - Remote Code Execution
 
posimyththemes--Nexter Extension Site Enhancements Toolkit The Nexter Extension - Site Enhancements Toolkit plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.6 via deserialization of untrusted input in the 'nxt_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. 2026-01-20 8.1 CVE-2026-0726 https://www.wordfence.com/threat-intel/vulnerabilities/id/02de9287-68e4-46ce-a491-3f6cbb7fc0ed?source=cve
https://plugins.trac.wordpress.org/changeset?old_path=/nexter-extension/tags/4.4.6/include/panel-settings/extensions/nexter-ext-replace-url.php&new_path=/nexter-extension/tags/4.4.7/include/panel-settings/extensions/nexter-ext-replace-url.php
 
ProFTPD--ProFTPD ProFTPD 1.3.7a contains a denial of service vulnerability that allows attackers to overwhelm the server by creating multiple simultaneous FTP connections. Attackers can repeatedly establish connections using threading to exhaust server connection limits and block legitimate user access. 2026-01-21 7.5 CVE-2021-47865 ExploitDB-49697
ProFTPD Official Website
ProFTPD GitHub Repository
VulnCheck Advisory: ProFTPD 1.3.7a - Remote Denial of Service
 
pypa--wheel wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2. 2026-01-22 7.1 CVE-2026-24049 https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx
https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef
https://github.com/pypa/wheel/releases/tag/0.46.2
 
Quenary--tugtainer Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logged in server access logs and potentially exposed through browser history, Referer headers, and proxy logs. Version 1.16.1 patches the issue. 2026-01-19 8.1 CVE-2026-23846 https://github.com/Quenary/tugtainer/security/advisories/GHSA-f2qf-f544-xm4p
https://github.com/Quenary/tugtainer/commit/9d23bf40ac1d39005582abfcf0a84753a4e29d52
 
Realtek Semiconductor Corp.--Realtek Wireless LAN Utility Realtek Wireless LAN Utility 700.1631 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted service path by inserting malicious code in the system root path that would execute during application startup or system reboot. 2026-01-21 7.8 CVE-2021-47880 ExploitDB-49646
Realtek Official Homepage
VulnCheck Advisory: Realtek Wireless LAN Utility 700.1631 - 'Realtek11nSU' Unquoted Service Path
 
Rockstar Games--Rockstar Games Launcher Rockstar Games Launcher 1.0.37.349 contains a privilege escalation vulnerability that allows authenticated users to modify the service executable with weak permissions. Attackers can replace the RockstarService.exe with a malicious binary to create a new administrator user and gain elevated system access. 2026-01-21 8.8 CVE-2021-47852 ExploitDB-49739
Rockstar Games Launcher Official Site
VulnCheck Advisory: Rockstar Service - Insecure File Permissions
 
runtipi--runtipi Runtipi is a Docker-based, personal homeserver orchestrator that facilitates multiple services on a single server. Versions 3.7.0 and above allow an authenticated user to execute arbitrary system commands on the host server by injecting shell metacharacters into backup filenames. The BackupManager fails to sanitize the filenames of uploaded backups. The system persists user-uploaded files directly to the host filesystem using the raw originalname provided in the request. This allows an attacker to stage a file containing shell metacharacters (e.g., $(id).tar.gz) at a predictable path, which is later referenced during the restore process. The successful storage of the file is what allows the subsequent restore command to reference and execute it. This issue has been fixed in version 4.7.0. 2026-01-22 8.1 CVE-2026-24129 https://github.com/runtipi/runtipi/security/advisories/GHSA-vrgf-rcj5-6gv9
https://github.com/runtipi/runtipi/commit/c3aa948885554a370d374692158a3bfe1cfdc85a
https://github.com/runtipi/runtipi/releases/tag/v4.7.0
 
Sandboxie-Plus--Sandboxie Plus Sandboxie Plus 0.7.2 contains an unquoted service path vulnerability in the SbieSvc service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem permissions during service startup. 2026-01-21 7.8 CVE-2021-47883 ExploitDB-49631
Vendor Homepage
VulnCheck Advisory: Sandboxie Plus v0.7.2 - 'SbieSvc' Unquoted Service Path
 
Sangfor--Operation and Maintenance Management System A vulnerability was identified in Sangfor Operation and Maintenance Management System up to 3.0.12. Affected by this issue is the function SessionController of the file /isomp-protocol/protocol/session of the component SSH Protocol Handler. The manipulation of the argument keypassword leads to os command injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-22 8.8 CVE-2026-1324 VDB-342300 | Sangfor Operation and Maintenance Management System SSH Protocol session SessionController os command injection
VDB-342300 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #735716 | Sangfor Operation and Maintenance Management System (OSM / 运维安全管理系统) 3.0.8 OS Command Injection
https://github.com/LX-LX88/cve/issues/20
 
satndy--Aplikasi-Biro-Travel Blitar Tourism 1.0 contains an authentication bypass vulnerability that allows attackers to bypass login by injecting SQL code through the username parameter. Attackers can manipulate the login request by sending a crafted username with SQL injection techniques to gain unauthorized administrative access. 2026-01-21 8.2 CVE-2021-47848 ExploitDB-49759
Aplikasi Biro Travel GitHub Repository
VulnCheck Advisory: Blitar Tourism 1.0 - Authentication Bypass SQLi
 
Security--Winpakpro WIN-PACK PRO4.8 contains an unquoted service path vulnerability in the ScheduleService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in 'C:\Program Files <x86>\WINPAKPRO\ScheduleService Service.exe' to inject malicious code that would execute during service startup. 2026-01-21 7.8 CVE-2021-47867 ExploitDB-49691
Honeywell Product Webpage
VulnCheck Advisory: WIN-PACK PRO 4.8 - 'ScheduleService' Unquoted Service Path
 
SEO Panel--SEO Panel SEO Panel versions prior to 4.9.0 contain a blind SQL injection vulnerability in the archive.php page that allows authenticated attackers to manipulate database queries through the 'order_col' parameter. Attackers can use sqlmap to exploit the vulnerability and extract database information by injecting malicious SQL code into the order column parameter. 2026-01-21 7.1 CVE-2021-47872 ExploitDB-49666
Official SEO Panel Homepage
SEO Panel 4.9.0 Release
GitHub Issue #209
VulnCheck Advisory: SEO Panel < 4.9.0 - 'order_col' Blind SQL Injection
 
shazdeh--Administrative Shortcodes The Administrative Shortcodes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.3.4 via the 'slug' attribute of the 'get_template' shortcode. This is due to insufficient path validation on user-supplied input passed to the get_template_part() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. 2026-01-24 7.5 CVE-2026-1257 https://www.wordfence.com/threat-intel/vulnerabilities/id/119fe499-88c4-413f-a44a-2b3acfdbdeb5?source=cve
https://plugins.trac.wordpress.org/browser/administrative-shortcodes/trunk/administrative-shortcodes.php#L144
https://wordpress.org/plugins/administrative-shortcodes
https://plugins.trac.wordpress.org/browser/administrative-shortcodes/tags/0.3.4/administrative-shortcodes.php#L144
 
Shenzhen Tenda Technology Co.,Ltd.--Tenda D151 & D301 Tenda D151 and D301 routers contain an unauthenticated configuration download vulnerability that allows remote attackers to retrieve router configuration files. Attackers can send a request to /goform/getimage endpoint to download configuration data including admin credentials without authentication. 2026-01-21 7.5 CVE-2021-47802 ExploitDB-49782
Tenda Official Vendor Homepage
VulnCheck Advisory: Tenda D151 & D301 - Configuration Download
 
sibercii6-crypto--teklifolustur_app teklifolustur_app is a web-based PHP application that allows users to create, manage, and track quotes for their clients. Prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c, an Insecure Direct Object Reference (IDOR) vulnerability exists in the offer view functionality. Authenticated users can manipulate the offer_id parameter to access offers belonging to other users. The issue is caused by missing authorization checks ensuring that the requested offer belonged to the currently authenticated user. Commit dd082a134a225b8dcd401b6224eead4fb183ea1c contains a patch. 2026-01-19 7.1 CVE-2026-23843 https://github.com/sibercii6-crypto/teklifolustur_app/security/advisories/GHSA-6h9r-mmg3-cg7m
https://github.com/sibercii6-crypto/teklifolustur_app/commit/dd082a134a225b8dcd401b6224eead4fb183ea1c
 
SIPp--SIPp A flaw was found in SIPp. A remote attacker could exploit this by sending specially crafted Session Initiation Protocol (SIP) messages during an active call. This vulnerability, a NULL pointer dereference, can cause the application to crash, leading to a denial of service. Under specific conditions, it may also allow an attacker to execute unauthorized code, compromising the system's integrity and availability. 2026-01-23 8.4 CVE-2026-0710 https://access.redhat.com/security/cve/CVE-2026-0710
RHBZ#2427788
 
Softros Systems--LAN Messenger Softros LAN Messenger 9.6.4 contains an unquoted service path vulnerability in the SoftrosSpellChecker service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Softros Systems\Softros Messenger\Spell Checker\' to inject malicious executables and escalate privileges. 2026-01-23 7.8 CVE-2021-47889 ExploitDB-49588
Vendor Homepage
VulnCheck Advisory: Softros LAN Messenger 9.6.4 - 'SoftrosSpellChecker' Unquoted Service Path
 
Softros Systems--LogonExpert LogonExpert 8.1 contains an unquoted service path vulnerability in the LogonExpertSvc service running with LocalSystem privileges. Attackers can exploit the unquoted path to place malicious executables in intermediate directories, potentially gaining elevated system access during service startup. 2026-01-23 7.8 CVE-2021-47890 ExploitDB-49586
Vendor Homepage
Software Download Link
VulnCheck Advisory: LogonExpert 8.1 - 'LogonExpertSvc' Unquoted Service Path
 
Solvera Software Services Trade Inc.--Teknoera Unrestricted Upload of File with Dangerous Type vulnerability in Solvera Software Services Trade Inc. Teknoera allows File Content Injection. This issue affects Teknoera: through 01102025. 2026-01-22 8.1 CVE-2025-10856 https://www.usom.gov.tr/bildirim/tr-26-0003
 
Solvera Software Services Trade Inc.--Teknoera Authorization Bypass Through User-Controlled Key vulnerability in Solvera Software Services Trade Inc. Teknoera allows Exploitation of Trusted Identifiers. This issue affects Teknoera: through 01102025. 2026-01-22 7.5 CVE-2025-10855 https://www.usom.gov.tr/bildirim/tr-26-0003
 
specialk--User Submitted Posts Enable Users to Submit Posts from the Front End The User Submitted Posts - Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom fields in all versions up to, and including, 20251210 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-24 7.2 CVE-2026-0800 https://www.wordfence.com/threat-intel/vulnerabilities/id/1ec907bc-bd10-4dc5-be35-4f2aaf5ef444?source=cve
https://plugins.trac.wordpress.org/changeset/3436859/user-submitted-posts
 
Tenda--AX1803 A flaw has been found in Tenda AX1803 1.0.0.1. The affected element is the function fromGetWifiGuestBasic of the file /goform/WifiGuestSet. Executing a manipulation of the argument guestWrlPwd/guestEn/guestSsid/hideSsid/guestSecurity can lead to stack-based buffer overflow. The attack may be launched remotely. The exploit has been published and may be used. 2026-01-22 8.8 CVE-2026-1329 VDB-342305 | Tenda AX1803 WifiGuestSet fromGetWifiGuestBasic stack-based overflow
VDB-342305 | CTI Indicators (IOB, IOC, IOA)
Submit #736063 | Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow
Submit #736064 | Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow (Duplicate)
Submit #736065 | Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow (Duplicate)
Submit #736066 | Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow (Duplicate)
Submit #736067 | Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow (Duplicate)
https://river-brow-763.notion.site/Tenda-AX1803-Buffer-Overflow-in-fromGetWifiGusetBasic-2e3a595a7aef80a78225db34317daa40#2e3a595a7aef801ab517e4af5631227a
https://www.tenda.com.cn/
 
The Textpattern Development Team--Textpattern Textpattern versions prior to 4.8.3 contain an authenticated remote code execution vulnerability that allows logged-in users to upload malicious PHP files. Attackers can upload a PHP file with a shell command execution payload and execute arbitrary commands by accessing the uploaded file through a specific URL parameter. 2026-01-23 8.8 CVE-2021-47888 ExploitDB-49620
Official Vendor Homepage
Textpattern Software Download Page
VulnCheck Advisory: Textpattern 4.8.3 - Remote code execution
 
Tosei--Online Store Management System A vulnerability was determined in Tosei Online Store Management System ネット店舗管理システム 1.01. The affected element is an unknown function of the file /cgi-bin/imode_alldata.php. Executing a manipulation of the argument DevId can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-19 7.3 CVE-2026-1192 VDB-341777 | Tosei Online Store Management System ネット店舗管理システム imode_alldata.php command injection
VDB-341777 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #734205 | Tosei Tosei Online Store Management System ネット店舗管理システム 1.01 Command Injection
https://www.yuque.com/yuqueyonghuexlgkz/zepczx/keenhf9u2bnw5o6g
 
TOTOLINK--A3700R A weakness has been identified in TOTOLINK A3700R 9.1.2u.5822_B20200513. This affects the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument ssid can lead to buffer overflow. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. 2026-01-19 8.8 CVE-2026-1143 VDB-341735 | TOTOLINK A3700R cstecgi.cgi setWiFiEasyGuestCfg buffer overflow
VDB-341735 | CTI Indicators (IOB, IOC, IOA)
Submit #735502 | TOTOLINK A3700R V9.1.2u.5822_B20200513 Buffer Overflow
https://lavender-bicycle-a5a.notion.site/TOTOLINK-A3700R-setWiFiEasyGuestCfg-2e353a41781f8057a244ead07d5eaaff?source=copy_link
https://www.totolink.net/
 
Totolink--LR350 A vulnerability was found in Totolink LR350 9.3.5u.6369_B20220309. Affected by this vulnerability is the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ssid results in buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used. 2026-01-19 8.8 CVE-2026-1155 VDB-341749 | Totolink LR350 cstecgi.cgi setWiFiEasyGuestCfg buffer overflow
VDB-341749 | CTI Indicators (IOB, IOC, IOA)
Submit #735718 | TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Buffer Overflow
https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWiFiEasyGuestCfg-2e453a41781f8034bae3d1a11066a8fb?source=copy_link
https://www.totolink.net/
 
Totolink--LR350 A vulnerability was determined in Totolink LR350 9.3.5u.6369_B20220309. Affected by this issue is the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument ssid causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. 2026-01-19 8.8 CVE-2026-1156 VDB-341750 | Totolink LR350 cstecgi.cgi setWiFiBasicCfg buffer overflow
VDB-341750 | CTI Indicators (IOB, IOC, IOA)
Submit #735722 | TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Buffer Overflow
https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWiFiBasicCfg-2e453a41781f80a2ad43e85bf5d46659?source=copy_link
https://www.totolink.net/
 
Totolink--LR350 A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This affects the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ssid leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used. 2026-01-19 8.8 CVE-2026-1157 VDB-341751 | Totolink LR350 cstecgi.cgi setWiFiEasyCfg buffer overflow
VDB-341751 | CTI Indicators (IOB, IOC, IOA)
Submit #735726 | TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Buffer Overflow
https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWiFiEasyCfg-2e453a41781f80b7b53cef33c6a782aa?source=copy_link
https://www.totolink.net/
 
Totolink--LR350 A security flaw has been discovered in Totolink LR350 9.3.5u.6369_B20220309. This vulnerability affects the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Performing a manipulation of the argument ssid results in buffer overflow. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. 2026-01-19 8.8 CVE-2026-1158 VDB-341752 | Totolink LR350 POST Request cstecgi.cgi setWizardCfg buffer overflow
VDB-341752 | CTI Indicators (IOB, IOC, IOA)
Submit #735728 | TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Buffer Overflow
https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWizardCfg-2e453a41781f80ce89cfc1d25049e279?source=copy_link
https://www.totolink.net/
 
Totolink--NR1800X A vulnerability was detected in Totolink NR1800X 9.1.0u.6279_B20210910. Impacted is the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Performing a manipulation of the argument ssid results in buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. 2026-01-22 8.8 CVE-2026-1328 VDB-342304 | Totolink NR1800X POST Request cstecgi.cgi setWizardCfg buffer overflow
VDB-342304 | CTI Indicators (IOB, IOC, IOA)
Submit #735792 | TOTOLINK NR1800X NR1800X_Firmware V9.1.0u.6279_B20210910 Buffer Overflow
https://lavender-bicycle-a5a.notion.site/TOTOLINK-NR1800X-setWizardCfg-2e453a41781f80568a54c9368082fbe9?source=copy_link
https://www.totolink.net/
 
Unified Intents AB--Unified Remote Unified Remote 3.9.0.2463 contains a remote code execution vulnerability that allows attackers to send crafted network packets to execute arbitrary commands. Attackers can exploit the service by connecting to port 9512 and sending specially crafted packets to open a command prompt and download and execute malicious payloads. 2026-01-23 9.8 CVE-2021-47891 ExploitDB-49587
Unified Remote Official Homepage
Unified Remote Download Page
VulnCheck Advisory: Unified Remote 3.9.0.2463 - Remote Code Execution
 
UTT-- 520W A vulnerability was detected in UTT 进取 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formWebAuthGlobalConfig. Performing a manipulation results in buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-19 8.8 CVE-2026-1137 VDB-341728 | UTT 进取 520W formWebAuthGlobalConfig strcpy buffer overflow
VDB-341728 | CTI Indicators (IOB, IOC, IOA)
Submit #735296 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow
https://github.com/cymiao1978/cve/blob/main/new/32.md
 
UTT-- 520W A flaw has been found in UTT 进取 520W 1.7.7-180627. This affects the function strcpy of the file /goform/ConfigExceptQQ. Executing a manipulation can lead to buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-19 8.8 CVE-2026-1138 VDB-341729 | UTT 进取 520W ConfigExceptQQ strcpy buffer overflow
VDB-341729 | CTI Indicators (IOB, IOC, IOA)
Submit #735298 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow
https://github.com/cymiao1978/cve/blob/main/new/33.md
 
UTT-- 520W A vulnerability has been found in UTT 进取 520W 1.7.7-180627. This vulnerability affects the function strcpy of the file /goform/ConfigExceptMSN. The manipulation leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-19 8.8 CVE-2026-1139 VDB-341730 | UTT 进取 520W ConfigExceptMSN strcpy buffer overflow
VDB-341730 | CTI Indicators (IOB, IOC, IOA)
Submit #735299 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow
https://github.com/cymiao1978/cve/blob/main/new/34.md
 
UTT-- 520W A vulnerability was found in UTT 进取 520W 1.7.7-180627. This issue affects the function strcpy of the file /goform/ConfigExceptAli. The manipulation results in buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-19 8.8 CVE-2026-1140 VDB-341731 | UTT 进取 520W ConfigExceptAli strcpy buffer overflow
VDB-341731 | CTI Indicators (IOB, IOC, IOA)
Submit #735300 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow
https://github.com/cymiao1978/cve/blob/main/new/35.md
 
UTT--HiPER 810 A flaw has been found in UTT HiPER 810 1.7.4-141218. The impacted element is the function strcpy of the file /goform/setSysAdm. This manipulation of the argument passwd1 causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been published and may be used. 2026-01-19 9.8 CVE-2026-1162 VDB-341756 | UTT HiPER 810 setSysAdm strcpy buffer overflow
VDB-341756 | CTI Indicators (IOB, IOC, IOA)
Submit #736511 | UTT HiPER 810 / nv810v4 nv810v4v1.7.4-141218 Buffer Overflow
https://github.com/cha0yang1/UTT810/blob/main/1.md
https://github.com/cha0yang1/UTT810/blob/main/1.md#poc
 
VestaCP--VestaCP VestaCP versions prior to 0.9.8-25 contain a cross-site scripting vulnerability in the IP interface configuration that allows attackers to inject malicious scripts. Attackers can exploit the 'v_interface' parameter by sending a crafted POST request to the add/ip/ endpoint with a stored XSS payload. 2026-01-21 7.2 CVE-2021-47873 ExploitDB-49662
VestaCP Official Vendor Homepage
VestaCP Alternative Download Site
VulnCheck Advisory: VestaCP < 0.9.8-25 - Stored Cross-Site Scripting
 
Vfsforgit--VFS for Git VFS for Git 1.0.21014.1 contains an unquoted service path vulnerability in the GVFS.Service Windows service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem privileges during service startup or system reboot. 2026-01-21 7.8 CVE-2021-47874 ExploitDB-49661
Vendor Homepage
VulnCheck Advisory: VFS for Git 1.0.21014.1 - 'GVFS.Service' Unquoted Service Path
 
vllm-project--vllm vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo/path to execute at server startup. An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load. This happens before any request handling and does not require API access. Version 0.14.0 fixes the issue. 2026-01-21 8.8 CVE-2026-22807 https://github.com/vllm-project/vllm/security/advisories/GHSA-2pc9-4j83-qjmr
https://github.com/vllm-project/vllm/pull/32194
https://github.com/vllm-project/vllm/commit/78d13ea9de4b1ce5e4d8a5af9738fea71fb024e5
https://github.com/vllm-project/vllm/releases/tag/v0.14.0
 
wpdevteam--NotificationX FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar The NotificationX - FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. This is due to insufficient input sanitization and output escaping when processing preview data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute when a user visits a malicious page that auto-submits a form to the vulnerable site. 2026-01-20 7.2 CVE-2025-15380 https://www.wordfence.com/threat-intel/vulnerabilities/id/9ca12315-380b-4251-b637-4e9d29df35e0?source=cve
https://research.cleantalk.org/cve-2025-15380/
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3433555%40notificationx&old=3426659%40notificationx&sfp_email=&sfph_mail=
 
wpmessiah--Frontis Blocks Block Library for the Block Editor The Frontis Blocks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.1.6. This is due to insufficient restriction on the 'url' parameter in the 'template_proxy' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application via the '/template-proxy/' and '/proxy-image/' endpoint. 2026-01-24 7.2 CVE-2026-0807 https://www.wordfence.com/threat-intel/vulnerabilities/id/322e0a27-9119-4b46-a043-d3a68c4fcdc4?source=cve
https://plugins.trac.wordpress.org/browser/frontis-blocks/trunk/includes/Admin/Admin.php#L910
https://plugins.trac.wordpress.org/browser/frontis-blocks/tags/1.1.4/includes/Admin/Admin.php#L910
https://plugins.trac.wordpress.org/changeset/3444616/
 
wpmudev--Hustle Email Marketing, Lead Generation, Optins, Popups The Hustle - Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module() function in all versions up to, and including, 7.8.9.2. This makes it possible for authenticated attackers, with a lower-privileged role (e.g., Subscriber-level access and above), to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires an admin to grant Hustle module permissions (or module edit access) to the low-privileged user so they can access the Hustle admin page and obtain the required nonce. 2026-01-24 7.5 CVE-2026-0911 https://www.wordfence.com/threat-intel/vulnerabilities/id/22be5fb5-143e-4934-9f93-e17def18e883?source=cve
https://plugins.trac.wordpress.org/changeset/3440956/wordpress-popup
 
Yodinfo--Mini Mouse Mini Mouse 9.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary commands through an unauthenticated HTTP endpoint. Attackers can leverage the /op=command endpoint to download and execute payloads by sending crafted JSON requests with malicious script commands. 2026-01-21 9.8 CVE-2021-47851 ExploitDB-49743
Mini Mouse Apple Store
VulnCheck Advisory: Mini Mouse 9.2.0 - Remote Code Execution
 
Yodinfo--Mini Mouse Mini Mouse 9.2.0 contains a path traversal vulnerability that allows remote attackers to access arbitrary system files and directories through crafted HTTP requests. Attackers can retrieve sensitive files like win.ini and list contents of system directories such as C:\Users\Public by manipulating file and path parameters. 2026-01-21 7.5 CVE-2021-47850 ExploitDB-49744
Mini Mouse Apple Store
VulnCheck Advisory: Mini Mouse 9.2.0 - Path Traversal
 
Yonyou--KSOA A vulnerability was detected in Yonyou KSOA 9.0. This vulnerability affects unknown code of the file /worksheet/worksadd.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-19 7.3 CVE-2026-1129 VDB-341719 | Yonyou KSOA HTTP GET Parameter worksadd.jsp sql injection
VDB-341719 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #734557 | Yonyou KSOA v9.0 SQL Injection
https://github.com/LX-66-LX/cve/issues/11
 
Yonyou--KSOA A flaw has been found in Yonyou KSOA 9.0. This issue affects some unknown processing of the file /worksheet/worksadd_plan.jsp of the component HTTP GET Parameter Handler. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-19 7.3 CVE-2026-1130 VDB-341720 | Yonyou KSOA HTTP GET Parameter worksadd_plan.jsp sql injection
VDB-341720 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #734565 | Yonyou KSOA v9.0 SQL Injection
https://github.com/LX-66-LX/cve/issues/12
 
Yonyou--KSOA A vulnerability has been found in Yonyou KSOA 9.0. Impacted is an unknown function of the file /kmc/save_catalog.jsp of the component HTTP GET Parameter Handler. Such manipulation of the argument catalogid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-19 7.3 CVE-2026-1131 VDB-341721 | Yonyou KSOA HTTP GET Parameter save_catalog.jsp sql injection
VDB-341721 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #734566 | Yonyou KSOA v9.0 SQL Injection
https://github.com/LX-66-LX/cve/issues/13
 
Yonyou--KSOA A vulnerability was found in Yonyou KSOA 9.0. The affected element is an unknown function of the file /kmf/edit_folder.jsp of the component HTTP GET Parameter Handler. Performing a manipulation of the argument folderid results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-19 7.3 CVE-2026-1132 VDB-341722 | Yonyou KSOA HTTP GET Parameter edit_folder.jsp sql injection
VDB-341722 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #734568 | Yonyou KSOA v9.0 SQL Injection
https://github.com/LX-66-LX/cve/issues/15
 
Yonyou--KSOA A vulnerability was determined in Yonyou KSOA 9.0. The impacted element is an unknown function of the file /kmf/folder.jsp of the component HTTP GET Parameter Handler. Executing a manipulation of the argument folderid can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-19 7.3 CVE-2026-1133 VDB-341723 | Yonyou KSOA HTTP GET Parameter folder.jsp sql injection
VDB-341723 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #734576 | Yonyou KSOA v9.0 SQL Injection
https://github.com/LX-66-LX/cve/issues/16
 
Yonyou--KSOA A weakness has been identified in Yonyou KSOA 9.0. Affected by this vulnerability is an unknown functionality of the file /kmf/save_folder.jsp of the component HTTP GET Parameter Handler. Executing a manipulation of the argument folderid can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-19 7.3 CVE-2026-1177 VDB-341771 | Yonyou KSOA HTTP GET Parameter save_folder.jsp sql injection
VDB-341771 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #734577 | Yonyou KSOA v9.0 SQL Injection
https://github.com/LX-66-LX/cve/issues/17
 
Yonyou--KSOA A security vulnerability has been detected in Yonyou KSOA 9.0. Affected by this issue is some unknown functionality of the file /kmf/select.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument folderid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-19 7.3 CVE-2026-1178 VDB-341772 | Yonyou KSOA HTTP GET Parameter select.jsp sql injection
VDB-341772 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #734593 | Yonyou KSOA v9.0 SQL Injection
https://github.com/LX-66-LX/cve/issues/18
 
Yonyou--KSOA A vulnerability was detected in Yonyou KSOA 9.0. This affects an unknown part of the file /kmf/user_popedom.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument folderid results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-19 7.3 CVE-2026-1179 VDB-341773 | Yonyou KSOA HTTP GET Parameter user_popedom.jsp sql injection
VDB-341773 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #734594 | Yonyou KSOA v9.0 SQL Injection
https://github.com/LX-66-LX/cve/issues/19
 
Zoom Communications Inc.--Zoom Node A Command Injection vulnerability in Zoom Node Multimedia Routers (MMRs) before version 5.2.1716.0 may allow a meeting participant to conduct remote code execution of the MMR via network access. 2026-01-20 9.9 CVE-2026-22844 https://www.zoom.com/en/trust/security-bulletin/zsb-26001
 

Back to top

Medium Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
10web--Photo Gallery by 10Web Mobile-Friendly Image Gallery The Photo Gallery by 10Web - Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_comment() function in all versions up to, and including, 1.8.36. This makes it possible for unauthenticated attackers to delete arbitrary image comments. Note: comments functionality is only available in the Pro version of the plugin. 2026-01-21 5.3 CVE-2026-1036 https://www.wordfence.com/threat-intel/vulnerabilities/id/4eb2ae42-584d-4da8-9184-461b5a37b7b6?source=cve
https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.35/frontend/controllers/BWGControllerGalleryBox.php#L173
 
adzbierajewski--Alex User Counter The Alex User Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0. This is due to missing nonce validation on the alex_user_counter_function() function. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-24 4.3 CVE-2026-1070 https://www.wordfence.com/threat-intel/vulnerabilities/id/1a5ef5b3-2900-44f0-9e13-66fbdc937b38?source=cve
https://plugins.trac.wordpress.org/browser/user-counter/trunk/user-counter.php#L41
https://plugins.trac.wordpress.org/browser/user-counter/tags/6.0/user-counter.php#L41
 
Aida Computer Information Technology Inc.--Hotel Guest Hotspot Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows Reflected XSS. This issue affects Hotel Guest Hotspot: through 22012026.  NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-22 5.5 CVE-2025-4763 https://www.usom.gov.tr/bildirim/tr-26-0001
 
aiktp--AIKTP The AIKTP plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the /aiktp/getToken REST API endpoint in all versions up to, and including, 5.0.04. The endpoint uses the 'verify_user_logged_in' as a permission callback, which only checks if a user is logged in, but fails to verify if the user has administrative capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to retrieve the administrator's 'aiktpz_token' access token, which can then be used to create posts, upload media library files, and access private content as the administrator. 2026-01-24 5.4 CVE-2026-1103 https://www.wordfence.com/threat-intel/vulnerabilities/id/84846d95-792d-4569-b0eb-876d82d0beee?source=cve
https://plugins.trac.wordpress.org/browser/aiktp/tags/5.0.04/includes/aiktp-sync.php#L123
https://plugins.trac.wordpress.org/browser/aiktp/tags/5.0.04/includes/aiktp-sync.php#L143
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3445248%40aiktp&new=3445248%40aiktp
 
AlchemyCMS--alchemy_cms Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby `eval()` function to dynamically execute a string provided by the `resource_handler.engine_name` attribute in `Alchemy::ResourcesHelper#resource_url_proxy`. The vulnerability exists in `app/helpers/alchemy/resources_helper.rb` at line 28. The code explicitly bypasses security linting with `# rubocop:disable Security/Eval`, indicating that the use of a dangerous function was known but not properly mitigated. Since `engine_name` is sourced from module definitions that can be influenced by administrative configurations, it allows an authenticated attacker to escape the Ruby sandbox and execute arbitrary system commands on the host OS. Versions 7.4.12 and 8.0.3 fix the issue by replacing `eval()` with `send()`. 2026-01-19 6.4 CVE-2026-23885 https://github.com/AlchemyCMS/alchemy_cms/security/advisories/GHSA-2762-657x-v979
https://github.com/AlchemyCMS/alchemy_cms/commit/55d03ec600fd9e07faae1138b923790028917d26
https://github.com/AlchemyCMS/alchemy_cms/commit/563c4ce45bf5813b7823bf3403ca1fc32cb769e7
https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v7.4.12
https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v8.0.3
 
Altium--AES A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker to inject arbitrary JavaScript into the Description field of a schematic, which is executed when the BOM Viewer renders the affected content. 2026-01-22 6.8 CVE-2025-27379 https://www.altium.com/platform/security-compliance/security-advisories
 
Altium--Altium Designer Altium Designer version 24.9.0 does not validate self-signed server certificates for cloud connections. An attacker capable of performing a man-in-the-middle (MITM) attack could exploit this issue to intercept or manipulate network traffic, potentially exposing authentication credentials or sensitive design data. 2026-01-22 5.3 CVE-2025-27377 https://www.altium.com/platform/security-compliance/security-advisories
 
aminhashemy--GZSEO The GZSEO plugin for WordPress is vulnerable to authorization bypass leading to Stored Cross-Site Scripting in all versions up to, and including, 2.0.11. This is due to missing capability checks on multiple AJAX handlers combined with insufficient input sanitization and output escaping on the embed_code parameter. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary content into any post on the site that will execute whenever a user accesses an injected page. 2026-01-24 6.4 CVE-2025-14941 https://www.wordfence.com/threat-intel/vulnerabilities/id/c91a4d4d-5bfa-42fd-80b4-7a75ee79db19?source=cve
https://plugins.trac.wordpress.org/browser/gzseo/tags/2.0.11/includes/class-gzseo-video-update.php?marks=112,365,369,370,563#L112
 
andddd--WP-ClanWars The WP-ClanWars plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-01-24 4.9 CVE-2026-0806 https://www.wordfence.com/threat-intel/vulnerabilities/id/65aa20e2-efc1-481a-8ed4-423d2420c3db?source=cve
https://plugins.trac.wordpress.org/browser/wp-clanwars/trunk/classes/teams.class.php#L92
https://plugins.trac.wordpress.org/browser/wp-clanwars/tags/2.0.1/classes/teams.class.php#L92
https://cwe.mitre.org/data/definitions/89.html
 
AutomationDirect--CLICK Programmable Logic Controller An attacker could decrypt sensitive data, impersonate legitimate users or devices, and potentially gain access to network resources for lateral attacks. 2026-01-22 6.1 CVE-2025-25051 https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-02
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-02.json
 
AutomationDirect--CLICK Programmable Logic Controller An attacker with access to the project file could use the exposed credentials to impersonate users, escalate privileges, or gain unauthorized access to systems and services. The absence of robust encryption or secure handling mechanisms increases the likelihood of this type of exploitation, leaving sensitive information more vulnerable. 2026-01-22 6.1 CVE-2025-67652 https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-02
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-02.json
 
avahi--avahi Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524. 2026-01-24 6.5 CVE-2026-24401 https://github.com/avahi/avahi/security/advisories/GHSA-h4vp-5m8j-f6w3
https://github.com/avahi/avahi/issues/501
https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524
 
AWS--Firecracker A UNIX symbolic link following issue in the jailer component in Firecracker version v1.13.1 and earlier and 1.14.0 on Linux may allow a local host user with write access to the pre-created jailer directories to overwrite arbitrary host files via a symlink attack during the initialization copy at jailer startup, if the jailer is executed with root privileges. To mitigate this issue, users should upgrade to version v1.13.2 or 1.14.1 or above. 2026-01-23 6 CVE-2026-1386 https://aws.amazon.com/security/security-bulletins/2026-003-AWS/
https://github.com/firecracker-microvm/firecracker/releases/tag/v1.14.1
https://github.com/firecracker-microvm/firecracker/releases/tag/v1.13.2
https://github.com/firecracker-microvm/firecracker/security/advisories/GHSA-36j2-f825-qvgc
 
axllent--mailpit Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads CSS files from external `<link rel="stylesheet" href="...">` tags to inline them for testing. Version 1.28.3 fixes the issue. 2026-01-19 5.8 CVE-2026-23845 https://github.com/axllent/mailpit/security/advisories/GHSA-6jxm-fv7w-rw5j
https://github.com/axllent/mailpit/commit/1679a0aba592ebc8487a996d37fea8318c984dfe
https://github.com/axllent/mailpit/releases/tag/v1.28.3
 
B&R Industrial Automation GmbH--Automation Runtime An Allocation of Resources Without Limits or Throttling vulnerability in the ANSL-Server component of B&R Automation Runtime versions prior to 6.5 and prior to R4.93 could be exploited by an unauthenti-cated attacker on the network to win a race condition, resulting in permanent denial-of-service (DoS) conditions on affected devices. 2026-01-19 6.8 CVE-2025-11044 https://www.br-automation.com/fileadmin/SA25P005-26597bd0.pdf
 
backstage--backstage Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation via symlink chains (creating `link1 → link2 → /outside` where intermediate symlinks eventually resolve outside the allowed directory) and dangling symlinks (creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations). This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories. This vulnerability is fixed in `@backstage/backend-plugin-api` version 0.1.17. Users should upgrade to this version or later. Some workarounds are available. Run Backstage in a containerized environment with limited filesystem access and/or restrict template creation to trusted users. 2026-01-21 6.3 CVE-2026-24047 https://github.com/backstage/backstage/security/advisories/GHSA-2p49-45hj-7mc9
https://github.com/backstage/backstage/commit/ae4dd5d1572a4f639e1a466fd982656b50f8e692
 
Beckhoff Automation--TwinCAT.HMI.Server On an instance of TwinCAT 3 HMI Server running on a device an authenticated administrator can inject arbitrary content into the custom CSS field which is persisted on the device and later returned via the login page and error page. 2026-01-20 5.5 CVE-2025-41768 https://certvde.com/de/advisories/VDE-2025-106
 
birkir--prime A vulnerability was detected in birkir prime up to 0.4.0.beta.0. This issue affects some unknown processing of the file /graphql of the component GraphQL API. Performing a manipulation results in information disclosure. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-01-19 5.3 CVE-2026-1170 VDB-341764 | birkir prime GraphQL API graphql information disclosure
VDB-341764 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731100 | birkir prime <=0.4.0 Sensitive Information Disclosure
https://github.com/birkir/prime/issues/541
 
birkir--prime A flaw has been found in birkir prime up to 0.4.0.beta.0. Impacted is an unknown function of the file /graphql of the component GraphQL Field Handler. Executing a manipulation can lead to denial of service. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-01-19 5.3 CVE-2026-1171 VDB-341765 | birkir prime GraphQL Field graphql denial of service
VDB-341765 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731101 | birkir prime <=0.4.0 GraphQL Field Duplication Vulnerability
https://github.com/birkir/prime/issues/542
 
birkir--prime A vulnerability has been found in birkir prime up to 0.4.0.beta.0. The affected element is an unknown function of the file /graphql of the component GraphQL Directive Handler. The manipulation leads to denial of service. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-01-19 5.3 CVE-2026-1172 VDB-341766 | birkir prime GraphQL Directive graphql denial of service
VDB-341766 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731103 | birkir prime <=0.4.0 Graphql Directive Overloading Vulnerability
https://github.com/birkir/prime/issues/543
 
birkir--prime A vulnerability was found in birkir prime up to 0.4.0.beta.0. The impacted element is an unknown function of the file /graphql of the component GraphQL Array Based Query Batch Handler. The manipulation results in denial of service. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-01-19 5.3 CVE-2026-1173 VDB-341767 | birkir prime GraphQL Array Based Query Batch graphql denial of service
VDB-341767 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731104 | birkir prime <=0.4.0 Graphql Array Based Query Batching Vulnerability
https://github.com/birkir/prime/issues/544
 
birkir--prime A vulnerability was determined in birkir prime up to 0.4.0.beta.0. This affects an unknown function of the file /graphql of the component GraphQL Alias Handler. This manipulation causes resource consumption. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. 2026-01-19 5.3 CVE-2026-1174 VDB-341768 | birkir prime GraphQL Alias graphql resource consumption
VDB-341768 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731105 | birkir prime <=0.4.0 GraphQL Aliases Overloading Vulnerability
https://github.com/birkir/prime/issues/545
 
birkir--prime A vulnerability was identified in birkir prime up to 0.4.0.beta.0. This impacts an unknown function of the file /graphql of the component GraphQL Directive Handler. Such manipulation leads to information exposure through error message. The attack may be performed from remote. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-01-19 5.3 CVE-2026-1175 VDB-341769 | birkir prime GraphQL Directive graphql information exposure
VDB-341769 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731106 | birkir prime <=0.4.0 GraphQL Directive Information Disclosure
https://github.com/birkir/prime/issues/546
 
birkir--prime A security vulnerability has been detected in birkir prime up to 0.4.0.beta.0. This vulnerability affects unknown code. Such manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-01-19 4.3 CVE-2026-1169 VDB-341763 | birkir prime cross-site request forgery
VDB-341763 | CTI Indicators (IOB, IOC)
Submit #731287 | birkir prime <=0.4.0 CSRF
https://github.com/birkir/prime/issues/547
 
Bjskzy--Zhiyou ERP A vulnerability was detected in Bjskzy Zhiyou ERP up to 11.0. Impacted is the function initRCForm of the file RichClientService.class of the component com.artery.richclient.RichClientService. Performing a manipulation results in xml external entity reference. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-20 6.3 CVE-2026-1218 VDB-341908 | Bjskzy Zhiyou ERP com.artery.richclient.RichClientService RichClientService.class initRCForm xml external entity reference
VDB-341908 | CTI Indicators (IOB, IOC, IOA)
Submit #735201 | Bjskzy Enterprise Resource Planning Software 11.0 XML External Entity Reference
https://github.com/dingpotian/cve-vul/blob/main/Shikong-Zhiyou-ERP/Shikong-Zhiyou-ERP-XXE-RichClientService-initRCForm.md
 
BloofoxCMS--BloofoxCMS BloofoxCMS 0.5.2.1 contains a stored cross-site scripting vulnerability in the articles text parameter that allows authenticated attackers to inject malicious scripts. Attackers can insert malicious javascript payloads in the text field to execute scripts and potentially steal authenticated users' cookies. 2026-01-23 6.4 CVE-2021-47906 ExploitDB-49492
Official Vendor Homepage
BloofoxCMS Software Releases
VulnCheck Advisory: BloofoxCMS 0.5.2.1 - 'text' Stored Cross Site Scripting
 
Bosch--Infotainment system ECU The Infotainment ECU manufactured by Bosch which is installed in Nissan Leaf ZE1 - 2020 uses a Redbend service for over-the-air provisioning and updates. HTTPS is used for communication with the back-end server. Due to usage of the default configuration for the underlying SSL engine, the server root certificate is not verified. As a result, an attacker may be able to impersonate a Redbend backend server using a self-signed certificate. First identified on Nissan Leaf ZE1 manufactured in 2020. 2026-01-22 6.5 CVE-2025-32057 https://www.nissan.co.uk/vehicles/new-vehicles/leaf.html
http://i.blackhat.com/Asia-25/Asia-25-Evdokimov-Remote-Exploitation-of-Nissan-Leaf.pdf
https://pcacybersecurity.com/resources/advisory/vulnerabilities-in-nissan-infotainment-manufactured-by-bosch
 
Bosch--Infotainment system ECU The anti-theft protection mechanism can be bypassed by attackers due to weak response generation algorithms for the head unit. It is possible to reveal all 32 corresponding responses by sniffing CAN traffic or by pre-calculating the values, which allow to bypass the protection. First identified on Nissan Leaf ZE1 manufactured in 2020. 2026-01-22 4 CVE-2025-32056 https://www.nissan.co.uk/vehicles/new-vehicles/leaf.html
http://i.blackhat.com/Asia-25/Asia-25-Evdokimov-Remote-Exploitation-of-Nissan-Leaf.pdf
https://pcacybersecurity.com/resources/advisory/vulnerabilities-in-nissan-infotainment-manufactured-by-bosch
 
brainstormforce--Custom Fonts Host Your Fonts Locally The Custom Fonts - Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated attackers to delete font directory and rewrite theme.json file. 2026-01-20 5.3 CVE-2025-14351 https://www.wordfence.com/threat-intel/vulnerabilities/id/60e3a506-8811-4e7d-a16c-02f91c757705?source=cve
https://plugins.trac.wordpress.org/browser/custom-fonts/trunk/includes/class-bcf-google-fonts-compatibility.php#L88
https://plugins.trac.wordpress.org/changeset/3442237/custom-fonts
 
bramdnl--Star Review Manager The Star Review Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's CSS settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-24 4.3 CVE-2026-1076 https://www.wordfence.com/threat-intel/vulnerabilities/id/54b6a141-eb4c-4cf0-a078-5b3aeda25466?source=cve
https://plugins.trac.wordpress.org/browser/star-review-manager/trunk/admin/settings.php#L3
https://plugins.trac.wordpress.org/browser/star-review-manager/tags/1.2.2/admin/settings.php#L3
 
BROWAN COMMUNICATIONS--PrismX MX100 AP controller PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to allowing authenticated remote attackers to obtain SMTP plaintext passwords through the web frontend. 2026-01-20 4.9 CVE-2026-1223 https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html
https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html
 
cantothemes--Canto Testimonials The Canto Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fx' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-24 6.4 CVE-2026-1095 https://www.wordfence.com/threat-intel/vulnerabilities/id/6f2ef250-f951-4408-ac42-3272ddf46530?source=cve
https://plugins.trac.wordpress.org/browser/canto-testimonials/trunk/canto-testimonials.php#L132
https://plugins.trac.wordpress.org/browser/canto-testimonials/tags/1.0/canto-testimonials.php#L132
 
Cisco--Cisco Intersight Virtual Appliance A vulnerability in the read-only maintenance shell of Cisco Intersight Virtual Appliance could allow an authenticated, local attacker with administrative privileges to elevate privileges to root on the virtual appliance. This vulnerability is due to improper file permissions on configuration files for system accounts within the maintenance shell of the virtual appliance. An attacker could exploit this vulnerability by accessing the maintenance shell as a read-only administrator and manipulating system files to grant root privileges. A successful exploit could allow the attacker to elevate their privileges to&nbsp;root on the virtual appliance and gain full control of the appliance, giving them the ability to access sensitive information, modify workloads and configurations on the host system, and cause a denial of service (DoS). 2026-01-21 6 CVE-2026-20092 cisco-sa-intersight-privesc-p6tBm6jk
 
Cisco--Cisco Packaged Contact Center Enterprise Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.&nbsp; These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials. 2026-01-21 4.8 CVE-2026-20055 cisco-sa-ucce-pcce-xss-2JVyg3uD
 
Cisco--Cisco Packaged Contact Center Enterprise Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.&nbsp; These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials. 2026-01-21 4.8 CVE-2026-20109 cisco-sa-ucce-pcce-xss-2JVyg3uD
 
Cisco--Cisco Ultra-Reliable Wireless Backhaul A vulnerability in the SSH service of Cisco IEC6400 Wireless Backhaul Edge Compute Software could allow an unauthenticated, remote attacker to cause the SSH service to stop responding. This vulnerability exists because the SSH service lacks effective flood protection. An attacker could exploit this vulnerability by initiating a denial of service (DoS) attack against the SSH port. A successful exploit could allow the attacker to cause the SSH service to be unresponsive during the period of the DoS attack. All other operations remain stable during the attack. 2026-01-21 5.3 CVE-2026-20080 cisco-sa-iec6400-Pem5uQ7v
 
Click2Magic--Click2Magic Click2Magic 1.1.5 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts in the chat name input. Attackers can craft a malicious payload in the chat name to capture administrator cookies when the admin processes user requests. 2026-01-25 6.4 CVE-2020-36931 ExploitDB-49347
Vendor Homepage
Official Product Website
VulnCheck Advisory: Click2Magic 1.1.5 - Stored Cross-Site Scripting
 
codemacher--CM CSS Columns The CM CSS Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' shortcode attribute in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-24 6.4 CVE-2026-1098 https://www.wordfence.com/threat-intel/vulnerabilities/id/dabcc606-04ab-4fb0-bf3c-d3ad915b8904?source=cve
https://plugins.trac.wordpress.org/browser/cm-css-columns/trunk/includes/Shortcoder.php#L109
https://plugins.trac.wordpress.org/browser/cm-css-columns/tags/1.2.1/includes/Shortcoder.php#L109
 
controlplaneio-fluxcd--flux-operator The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges. In order to be vulnerable, cluster admins must configure the Flux Operator with an OIDC provider that issues tokens lacking the expected claims (e.g., `email`, `groups`), or configure custom CEL expressions that can evaluate to empty values. After OIDC token claims are processed through CEL expressions, there is no validation that the resulting `username` and `groups` values are non-empty. When both values are empty, the Kubernetes client-go library does not add impersonation headers to API requests, causing them to be executed with the flux-operator service account's credentials instead of the authenticated user's limited permissions. This can result in privilege escalation, data exposure, and/or information disclosure. Version 0.40.0 patches the issue. 2026-01-21 5.3 CVE-2026-23990 https://github.com/controlplaneio-fluxcd/flux-operator/security/advisories/GHSA-4xh5-jcj2-ch8q
https://github.com/controlplaneio-fluxcd/flux-operator/pull/610
https://github.com/controlplaneio-fluxcd/flux-operator/commit/084540424f6de8ba5d88fb1fd1e8472ba29afd7e
https://github.com/controlplaneio-fluxcd/flux-operator/releases/tag/v0.40.0
 
CRMEB--CRMEB A weakness has been identified in CRMEB up to 5.6.3. The impacted element is the function remoteRegister of the file crmeb/app/services/user/LoginServices.php of the component JSON Token Handler. Executing a manipulation of the argument uid can lead to improper authentication. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-20 5.6 CVE-2026-1203 VDB-341789 | CRMEB JSON Token LoginServices.php remoteRegister improper authentication
VDB-341789 | CTI Indicators (IOB, IOC, IOA)
Submit #735349 | Zhongbang CRMEB v5.6.3 Authentication Bypass by
https://github.com/foeCat/CVE/blob/main/CRMEB/jwt_auth_bypass/remote_register_jwt_bypass.md
 
cubewp1211--CubeWP Framework The CubeWP - All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the search feature in class-cubewp-search-ajax-hooks.php due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. 2026-01-25 4.3 CVE-2025-6461 https://www.wordfence.com/threat-intel/vulnerabilities/id/0edb6b7c-8a78-44b9-a5d6-b4a563c92484?source=cve
https://plugins.trac.wordpress.org/changeset/3422640/cubewp-framework/trunk/cube/modules/search/class-cubewp-search-ajax-hooks.php
 
Dell--Data Protection Advisor Dell Data Protection Advisor, versions prior to 19.12, contains an Improper Neutralization of Special Elements Used in a Template Engine vulnerability in the Server. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. 2026-01-23 4.3 CVE-2025-46699 https://www.dell.com/support/kbdoc/en-us/000281732/dsa-2025-075-security-update-for-dell-data-protection-advisor-for-multiple-component-vulnerabilities
 
Dell--ObjectScale Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability in the Fabric Syslog. An unauthenticated attacker with remote access could potentially exploit this vulnerability to intercept and modify information in transit. 2026-01-23 6.5 CVE-2026-22274 https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities
 
Dell--ObjectScale Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Storage of Sensitive Information vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure. 2026-01-23 5.5 CVE-2026-22276 https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities
 
Dell--ObjectScale Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains an Inclusion of Sensitive Information in Source Code vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. 2026-01-23 4.4 CVE-2026-22275 https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities
 
Dell--PowerScale OneFS Dell PowerScale OneFS, versions 9.5.0.0 through 9.5.1.5, versions 9.6.0.0 through 9.7.1.10, versions 9.8.0.0 through 9.10.1.3, versions starting from 9.11.0.0 and prior to 9.13.0.0, contains an incorrect permission assignment for critical resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service. 2026-01-22 5 CVE-2026-22280 https://www.dell.com/support/kbdoc/en-us/000415586/dsa-2026-049-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities
 
Dell--PowerScale OneFS Dell PowerScale OneFS, versions prior 9.13.0.0, contains an insufficient logging vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information tampering. 2026-01-22 4.3 CVE-2026-22279 https://www.dell.com/support/kbdoc/en-us/000415586/dsa-2026-049-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities
 
devsoftbaltic--SurveyJS: Drag & Drop Form Builder The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. This makes it possible for unauthenticated attackers to create surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-24 4.3 CVE-2025-13139 https://www.wordfence.com/threat-intel/vulnerabilities/id/0c06880e-06cc-4204-a031-355de4de3af2?source=cve
https://plugins.trac.wordpress.org/browser/surveyjs/tags/1.12.20/ajax_handlers/add_survey.php#L12
 
devsoftbaltic--SurveyJS: Drag & Drop Form Builder The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce verification on the 'SurveyJS_RenameSurvey' AJAX action. This makes it possible for unauthenticated attackers to rename surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-24 4.3 CVE-2025-13194 https://www.wordfence.com/threat-intel/vulnerabilities/id/ab88f0cf-971f-43e1-b6b7-4eb55188ecc8?source=cve
https://plugins.trac.wordpress.org/browser/surveyjs/tags/1.12.20/ajax_handlers/rename_survey.php#L12
 
devsoftbaltic--SurveyJS: Drag & Drop Form Builder The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing or incorrect nonce validation on the `SurveyJS_CloneSurvey` AJAX action. This makes it possible for unauthenticated attackers to duplicate surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-24 4.3 CVE-2025-13205 https://www.wordfence.com/threat-intel/vulnerabilities/id/e1179303-fe7c-47f1-958c-2e4d2c574e4a?source=cve
https://plugins.trac.wordpress.org/browser/surveyjs/tags/1.12.20/ajax_handlers/clone_survey.php#L8
 
Discord--WebSocket API service Discord through 2026-01-16 allows gathering information about whether a user's client state is Invisible (and not actually offline) because the response to a WebSocket API request includes the user in the presences array (with "status": "offline"), whereas offline users are omitted from the presences array. This is arguably inconsistent with the UI description of Invisible as "You will appear offline." 2026-01-22 4.3 CVE-2026-24332 https://xmrcat.org/discord-invisibility-bypass
 
EVerest--everest-core EVerest is an EV charging software stack. Prior to version 2025.10.0, C++ exceptions are not properly handled for and by the `TbdController` loop, leading to its caller and itself to silently terminates. Thus, this leads to a denial of service as it is responsible of SDP and ISO15118-20 servers. Version 2025.10.0 fixes the issue. 2026-01-21 6.5 CVE-2025-68135 https://github.com/EVerest/everest-core/security/advisories/GHSA-g7mm-r6qp-96vh
 
EVerest--everest-core EVerest is an EV charging software stack, and EVerest libocpp is a C++ implementation of the Open Charge Point Protocol. In libocpp prior to version 0.30.1, pointers returned by the `strdup` calls are never freed. At each connection attempt, the newly allocated memory area will be leaked, potentially causing memory exhaustion and denial of service. Version 0.30.1 fixes the issue. 2026-01-21 4.7 CVE-2025-68138 https://github.com/EVerest/everest-core/security/advisories/GHSA-f8c2-44c3-7v55
https://github.com/EVerest/libocpp/blob/89c7b62ec899db637f43b54f19af2c4af30cfa66/lib/ocpp/common/websocket/websocket_libwebsockets.cpp
 
EVerest--everest-core EVerest is an EV charging software stack. In all versions up to and including 2025.12.1, the default value for `terminate_connection_on_failed_response` is `False`, which leaves the responsibility for session and connection termination to the EV. In this configuration, any errors encountered by the module are logged but do not trigger countermeasures such as session and connection reset or termination. This could be abused by a malicious user in order to exploit other weaknesses or vulnerabilities. While the default will stay at the setting that is described as potentially problematic in this reported issue, a mitigation is available by changing the `terminate_connection_on_failed_response` setting to `true`. However this cannot be set to this value by default since it can trigger errors in vehicle ECUs requiring ECU resets and lengthy unavailability in charging for vehicles. The maintainers judge this to be a much more important workaround then short-term unavailability of an EVSE, therefore this setting will stay at the current value. 2026-01-21 4.3 CVE-2025-68139 https://github.com/EVerest/everest-core/security/advisories/GHSA-wqh4-pj54-6xv9
 
EVerest--everest-core EVerest is an EV charging software stack. Prior to version 2025.9.0, once the validity of the received V2G message has been verified, it is checked whether the submitted session ID matches the registered one. However, if no session has been registered, the default value is 0. Therefore, a message submitted with a session ID of 0 is accepted, as it matches the registered value. This could allow unauthorized and anonymous indirect emission of MQTT messages and communication with V2G messages handlers, updating a session context. Version 2025.9.0 fixes the issue. 2026-01-21 4.3 CVE-2025-68140 https://github.com/EVerest/everest-core/security/advisories/GHSA-w385-3jwp-x47x
 
EVerest--everest-core EVerest is an EV charging software stack. Prior to version 2025.9.0, in several places, integer values are concatenated to literal strings when throwing errors. This results in pointers arithmetic instead of printing the integer value as expected, like most of interpreted languages. This can be used by malicious operator to read unintended memory regions, including the heap and the stack. Version 2025.9.0 fixes the issue. 2026-01-21 4.2 CVE-2026-23955 https://github.com/EVerest/everest-core/security/advisories/GHSA-px57-jx97-hrff
 
filebrowser--filebrowser File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue. 2026-01-19 5.3 CVE-2026-23849 https://github.com/filebrowser/filebrowser/security/advisories/GHSA-43mm-m3h2-3prc
https://github.com/filebrowser/filebrowser/commit/24781badd413ee20333aba5cce1919d676e01889
 
flatboy--FlatPM Ad Manager, AdSense and Custom Code The FlatPM - Ad Manager, AdSense and Custom Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rank_math_description' custom field in all versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-20 6.4 CVE-2026-0690 https://www.wordfence.com/threat-intel/vulnerabilities/id/14b89618-8a30-4b8c-9490-f05e8fa8ca8a?source=cve
https://plugins.trac.wordpress.org/changeset/3434760/flatpm-wp
 
Foxit Software Inc.--na1.foxitesign.foxit.com URL parameters are directly embedded into JavaScript code or HTML attributes without proper encoding or sanitization. This allows attackers to inject arbitrary scripts when an authenticated user visits a crafted link. This issue affects na1.foxitesign.foxit.com: before 2026‑01‑16. 2026-01-20 6.1 CVE-2025-66523 https://www.foxit.com/support/security-bulletins.html
 
franklioxygen--MyTube MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via `X-Forwarded-For` header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general API endpoints. Attackers can spoof client IPs by manipulating the `X-Forwarded-For` header, enabling unlimited requests to protected endpoints, including general API endpoints (enabling DoS) and other rate-limited functionality. Version 1.7.71 contains a patch for the issue. 2026-01-19 6.5 CVE-2026-23848 https://github.com/franklioxygen/MyTube/security/advisories/GHSA-59gr-529g-x45h
https://github.com/franklioxygen/MyTube/commit/bc057458804ae7ac70ea00605680512ed3d4257b
 
freemp--JavaScript Notifier The JavaScript Notifier plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 1.2.8. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the `wp_footer` action. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-24 4.4 CVE-2026-1191 https://www.wordfence.com/threat-intel/vulnerabilities/id/97696702-4d40-41dd-a25f-f2ee7681a2c9?source=cve
https://plugins.trac.wordpress.org/browser/javascript-notifier/trunk/javascript-notifier.php#L75
https://plugins.trac.wordpress.org/browser/javascript-notifier/tags/1.2.8/javascript-notifier.php#L75
 
GetSimple CMS--Custom JS Plugin GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. Attackers can craft a malicious website that triggers a cross-site scripting payload to execute remote code on the hosting server when an authenticated administrator visits the page. 2026-01-21 5.3 CVE-2021-47860 ExploitDB-49816
Vendor Homepage
GetSimple CMS GitHub Repository
Researcher Disclosure
ExploitDB-49712
VulnCheck Advisory: GetSimple CMS Custom JS 0.1 - CSRF to XSS to RCE
 
GitLab--GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that under certain circumstances could have allowed an authenticated user to create a denial of service condition by configuring malformed Wiki documents that bypass cycle detection. 2026-01-22 6.5 CVE-2025-13335 GitLab Issue #581060
HackerOne Bug Bounty Report #3418023
https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/
 
GitLab--GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending repeated malformed SSH authentication requests. 2026-01-22 5.3 CVE-2026-1102 GitLab Issue #579746
https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/
 
hallsofmontezuma--Moderate Selected Posts The Moderate Selected Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing nonce verification on the msp_admin_page() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-24 4.3 CVE-2025-14907 https://www.wordfence.com/threat-intel/vulnerabilities/id/4bc23291-1b73-4e92-83ba-0c7f455ac126?source=cve
https://plugins.trac.wordpress.org/browser/moderate-selected-posts/tags/1.4/inc/admin.php#L71
 
HAMASTAR Technology--MeetingHub MeetingHub developed by HAMASTAR Technology has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access specific API functions and obtain meeting-related information. 2026-01-22 5.3 CVE-2026-1332 https://www.twcert.org.tw/tw/cp-132-10650-a5ee9-1.html
https://www.twcert.org.tw/en/cp-139-10651-ff09c-2.html
 
horilla-opensource--horilla Horilla is a free and open source Human Resource Management System (HRMS). In versions prior to 1.5.0, a cross-site scripting vulnerability can be triggered because the extension and content-type are not checked during the profile photo update step. Version 1.5.0 fixes the issue. 2026-01-22 5.4 CVE-2026-24034 https://github.com/horilla-opensource/horilla/security/advisories/GHSA-mvwg-7c8w-qw2p
https://github.com/horilla-opensource/horilla/releases/tag/1.5.0
 
horilla-opensource--horilla Horilla is a free and open source Human Resource Management System (HRMS). Versions 1.4.0 and above expose unpublished job postings through the /recruitment/recruitment-details// endpoint without authentication. The response includes draft job titles, descriptions and application link allowing unauthenticated users to view unpublished roles and access the application workflow for unpublished jobs. Unauthorized access to unpublished job posts can leak sensitive internal hiring information and cause confusion among candidates. This issue has been fixed in version 1.5.0. 2026-01-22 5.3 CVE-2026-24036 https://github.com/horilla-opensource/horilla/security/advisories/GHSA-q4xr-w96p-3vg7
https://github.com/horilla-opensource/horilla/commit/9a585a1588431499092a49d7e82cb77daa4d99ee
https://github.com/horilla-opensource/horilla/releases/tag/1.5.0
 
horilla-opensource--horilla Horilla is a free and open source Human Resource Management System (HRMS). An Improper Access Control vulnerability exists in Horilla HR Software starting in version 1.4.0 and prior to version 1.5.0, allowing any authenticated employee to upload documents on behalf of another employee without proper authorization. This occurs due to insufficient server-side validation of the employee_id parameter during file upload operations, allowing any authenticated employee to upload document in behalf of any employee. Version 1.5.0 fixes the issue. 2026-01-22 4.3 CVE-2026-24035 https://github.com/horilla-opensource/horilla/security/advisories/GHSA-fm3f-xpgx-8xr3
https://drive.google.com/file/d/1i00-NnipvxH8bGY-SyqEjnDQfxIbVGRR/view?usp=sharing
https://github.com/horilla-opensource/horilla/releases/tag/1.5.0
 
horilla-opensource--horilla Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the has_xss() function attempts to block XSS by matching input against a set of regex patterns. However, the regexes are incomplete and context-agnostic, making them easy to bypass. Attackers are able to redirect users to malicious domains, run external JavaScript, and steal CSRF tokens that can be used to craft CSRF attacks against admins. This issue has been fixed in version 1.5.0. 2026-01-22 4.8 CVE-2026-24037 https://github.com/horilla-opensource/horilla/security/advisories/GHSA-rqw5-fjm4-rgvm
https://github.com/horilla-opensource/horilla/releases/tag/1.5.0
 
horilla-opensource--horilla Horilla is a free and open source Human Resource Management System (HRMS). Version 1.4.0 has Improper Access Control, allowing low-privileged employees to self-approve documents they have uploaded. The document-approval UI is intended to be restricted to administrator or high-privilege roles only; however, an insufficient server-side authorization check on the approval endpoint lets a standard employee modify the approval status of their own uploaded document. A successful exploitation allows users with only employee-level permissions to alter application state reserved for administrators. This undermines the integrity of HR processes (for example, acceptance of credentials, certifications, or supporting materials), and may enable submission of unvetted documents. This issue is fixed in version 1.5.0. 2026-01-22 4.3 CVE-2026-24039 https://github.com/horilla-opensource/horilla/security/advisories/GHSA-99mq-mhwv-w9qx
https://github.com/horilla-opensource/horilla/releases/tag/1.5.0
 
IBM--Application Gateway IBM Application Gateway 23.10 through 25.09 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. 2026-01-20 5.4 CVE-2025-36396 https://www.ibm.com/support/pages/node/7256857
 
IBM--Application Gateway IBM Application Gateway 23.10 through 25.09 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. 2026-01-20 5.4 CVE-2025-36397 https://www.ibm.com/support/pages/node/7256857
 
IBM--ApplinX IBM ApplinX 11.1 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. 2026-01-20 6.4 CVE-2025-36408 https://www.ibm.com/support/pages/node/7257446
 
IBM--ApplinX IBM ApplinX 11.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. 2026-01-20 5.4 CVE-2025-36409 https://www.ibm.com/support/pages/node/7257446
 
IBM--ApplinX IBM ApplinX 11.1 could disclose sensitive information about server architecture that could aid in further attacks against the system. 2026-01-20 5.3 CVE-2025-36419 https://www.ibm.com/support/pages/node/7257446
 
IBM--Aspera Console IBM Aspera Console 3.4.7 stores potentially sensitive information in log files that could be read by a local privileged user. 2026-01-20 4.9 CVE-2025-13925 https://www.ibm.com/support/pages/node/7256544
 
IBM--Business Automation Workflow containers IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitve configuration information in a config map. 2026-01-20 5.5 CVE-2025-36058 https://www.ibm.com/support/pages/node/7256777
 
IBM--Business Automation Workflow containers IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation could allow a local user with access to the container to execute OS system calls. 2026-01-20 4.7 CVE-2025-36059 https://www.ibm.com/support/pages/node/7256777
 
IBM--Concert IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory. 2026-01-20 5.9 CVE-2025-1719 https://www.ibm.com/support/pages/node/7257006
 
IBM--Concert IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory. 2026-01-20 5.9 CVE-2025-1722 https://www.ibm.com/support/pages/node/7257006
 
IBM--Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system. 2026-01-20 6.3 CVE-2025-36063 https://www.ibm.com/support/pages/node/7257244
 
IBM--Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 does not invalidate session after a browser closure which could allow an authenticated user to impersonate another user on the system. 2026-01-20 6.3 CVE-2025-36065 https://www.ibm.com/support/pages/node/7257244
 
IBM--Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. 2026-01-20 6.1 CVE-2025-36066 https://www.ibm.com/support/pages/node/7257244
 
IBM--Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0.00 through 5.2.0.12 does not disallow the session id after use which could allow an authenticated user to impersonate another user on the system. 2026-01-20 6.3 CVE-2025-36115 https://www.ibm.com/support/pages/node/7257244
 
IBM--Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. 2026-01-20 5.4 CVE-2025-36113 https://www.ibm.com/support/pages/node/7257244
 
ImageMagick--ImageMagick ImageMagick is free and open-source software used for editing and manipulating digital images. The BilateralBlurImage method will allocate a set of double buffers inside AcquireBilateralTLS. But, in versions prior to 7.1.2-13, the last element in the set is not properly initialized. This will result in a release of an invalid pointer inside DestroyBilateralTLS when the memory allocation fails. Version 7.1.2-13 contains a patch for the issue. 2026-01-20 6.5 CVE-2026-22770 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-39h3-g67r-7g3c
https://github.com/ImageMagick/ImageMagick/commit/3e0330721020e0c5bb52e4b77c347527dd71658e
 
ImageMagick--ImageMagick ImageMagick is free and open-source software used for editing and manipulating digital images. Versions 14.10.1 and below have a NULL pointer dereference vulnerability in the MSL (Magick Scripting Language) parser when processing <comment> tags before images are loaded. This can lead to DoS attack due to assertion failure (debug builds) or NULL pointer dereference (release builds). This issue is fixed in version 14.10.2. 2026-01-22 6.5 CVE-2026-23952 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5vx3-wx4q-6cj8
https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2
 
ImageMagick--ImageMagick ImageMagick is free and open-source software used for editing and manipulating digital images. Versions prior to 7.1.2-13 have a stack overflow via infinite recursion in MSL (Magick Scripting Language) `<write>` command when writing to MSL format. Version 7.1.2-13 fixes the issue. 2026-01-20 5.5 CVE-2026-23874 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9vj4-wc7r-p844
 
iqonicdesign--KiviCare Clinic & Patient Management System (EHR) The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport() function in all versions up to, and including, 3.6.15. This makes it possible for unauthenticated attackers to upload text files and PDF documents to the affected site's server which may be leveraged for further attacks such as hosting malicious content or phishing pages via PDF files. 2026-01-23 5.3 CVE-2026-0927 https://www.wordfence.com/threat-intel/vulnerabilities/id/489931ef-bac3-4de8-84ec-6f226d96f778?source=cve
https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/KCAppointmentController.php#L1328
https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/tags/3.6.15/app/controllers/KCAppointmentController.php#L1328
https://plugins.trac.wordpress.org/changeset/3443088/kivicare-clinic-management-system/trunk/app/controllers/KCAppointmentController.php
 
itsourcecode--Society Management System A vulnerability was identified in itsourcecode Society Management System 1.0. This affects an unknown function of the file /admin/expenses.php. The manipulation of the argument detail leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used. 2026-01-19 4.3 CVE-2026-1134 VDB-341724 | itsourcecode Society Management System expenses.php cross site scripting
VDB-341724 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #735156 | itsourcecode Society Management System V1.0 cross site scripting
https://github.com/TEhS411/cve/issues/7
https://itsourcecode.com/
 
itsourcecode--Society Management System A security flaw has been discovered in itsourcecode Society Management System 1.0. This impacts an unknown function of the file /admin/activity.php. The manipulation of the argument Title results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. 2026-01-19 4.3 CVE-2026-1135 VDB-341725 | itsourcecode Society Management System activity.php cross site scripting
VDB-341725 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #735157 | itsourcecode Society Management System V1.0 cross site scripting
https://github.com/TEhS411/cve/issues/8
https://itsourcecode.com/
 
jamiesage123--MyBB Thread Redirect Plugin MyBB Thread Redirect Plugin 0.2.1 contains a cross-site scripting vulnerability in the custom text input field for thread redirects. Attackers can inject malicious SVG scripts that will execute when other users view the thread, allowing arbitrary script execution. 2026-01-23 6.1 CVE-2018-25116 ExploitDB-49505
Thread Redirect Plugin GitHub Repository
VulnCheck Advisory: MyBB Thread Redirect Plugin 0.2.1 - Cross-Site Scripting
 
kohler--hotcrp HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document API to download any documents (PDFs, attachments) associated with any submission. The problem was patched in commit ceacd5f1476458792c44c6a993670f02c984b4a0. 2026-01-19 6.5 CVE-2026-23878 https://github.com/kohler/hotcrp/security/advisories/GHSA-vh3x-xwj4-jvqx
https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508
https://github.com/kohler/hotcrp/commit/ceacd5f1476458792c44c6a993670f02c984b4a0
 
kometschuh--Same Category Posts The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19. This is due to the use of `htmlspecialchars_decode()` on taxonomy term names before output, which decodes HTML entities that WordPress intentionally encodes for safety. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-24 5.4 CVE-2025-14797 https://www.wordfence.com/threat-intel/vulnerabilities/id/70434876-4876-4da8-9af1-6f6ef5632f26?source=cve
https://plugins.trac.wordpress.org/browser/same-category-posts/tags/1.1.19/same-category-posts.php#L665
https://plugins.trac.wordpress.org/browser/same-category-posts/tags/1.1.19/same-category-posts.php#L639
https://plugins.trac.wordpress.org/browser/same-category-posts/tags/1.1.19/same-category-posts.php#L707
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444428%40same-category-posts&new=3444428%40same-category-posts&sfp_email=&sfph_mail=
 
leadbi--LeadBI Plugin for WordPress The LeadBI Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_id' parameter of the 'leadbi_form' shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-24 6.4 CVE-2026-1189 https://www.wordfence.com/threat-intel/vulnerabilities/id/3a196eaa-64c7-447b-9384-b58fcba57ec0?source=cve
https://wordpress.org/plugins/leadbi/
https://plugins.trac.wordpress.org/browser/leadbi/trunk/includes/Plugin.php#L72
https://plugins.trac.wordpress.org/browser/leadbi/tags/1.7/includes/Plugin.php#L72
 
legalweb--WP DSGVO Tools (GDPR) The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lw_content_block' shortcode in all versions up to, and including, 3.1.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-23 6.4 CVE-2026-0914 https://www.wordfence.com/threat-intel/vulnerabilities/id/4474c79b-f93a-4725-8345-ad5c5260913c?source=cve
https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.35/public/shortcodes/content-block-shortcode.php#L17
https://plugins.trac.wordpress.org/changeset/3440083/
 
lovor--Cookie consent for developers The Cookie consent for developers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple settings fields in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-01-24 4.4 CVE-2026-1084 https://www.wordfence.com/threat-intel/vulnerabilities/id/c16918a9-7b73-418d-adbd-aa17cb1d8cf8?source=cve
https://plugins.trac.wordpress.org/browser/cookie-consent-for-developers/trunk/admin/class-ntg-cookie-consent-admin.php#L112
https://plugins.trac.wordpress.org/browser/cookie-consent-for-developers/trunk/admin/partials/ntg-cookie-consent-admin-display.php#L108
https://plugins.trac.wordpress.org/browser/cookie-consent-for-developers/tags/1.7.1/admin/class-ntg-cookie-consent-admin.php#L112
https://plugins.trac.wordpress.org/browser/cookie-consent-for-developers/tags/1.7.1/admin/partials/ntg-cookie-consent-admin-display.php#L108
 
magazine3--Schema & Structured Data for WP & AMP The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saswp_custom_schema_field' profile field in all versions up to, and including, 1.54 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-23 6.4 CVE-2025-14069 https://www.wordfence.com/threat-intel/vulnerabilities/id/651a7036-d421-41b7-91db-102e60d8274e?source=cve
https://plugins.trac.wordpress.org/browser/schema-and-structured-data-for-wp/tags/1.53/admin_section/common-function.php#L1874
https://plugins.trac.wordpress.org/browser/schema-and-structured-data-for-wp/tags/1.53/admin_section/structure-admin.php#L2605
https://plugins.trac.wordpress.org/browser/schema-and-structured-data-for-wp/tags/1.53/output/function.php#L171
https://plugins.trac.wordpress.org/changeset/3441582/schema-and-structured-data-for-wp/trunk?contextall=1&old=3429983&old_path=%2Fschema-and-structured-data-for-wp%2Ftrunk#file0
 
mainichiweb--Friendly Functions for Welcart The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-24 4.3 CVE-2026-1208 https://www.wordfence.com/threat-intel/vulnerabilities/id/6cc709e0-870b-4d12-9ac8-55da498768a1?source=cve
https://plugins.trac.wordpress.org/browser/friendly-functions-for-welcart/tags/1.2.5/ffw_function_settings.php#L53
https://plugins.trac.wordpress.org/browser/friendly-functions-for-welcart/tags/1.2.5/ffw_function_settings.php#L58
https://plugins.trac.wordpress.org/changeset/3445305/
 
marcinlawrowski--Wise Analytics The Wise Analytics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.9. This is due to missing capability checks on the REST API endpoint '/wise-analytics/v1/report'. This makes it possible for unauthenticated attackers to access sensitive analytics data including administrator usernames, login timestamps, visitor tracking information, and business intelligence data via the 'name' parameter granted they can send unauthenticated requests. 2026-01-24 5.3 CVE-2025-14609 https://www.wordfence.com/threat-intel/vulnerabilities/id/d92c80cb-080b-4774-8c66-1d5cf68e771f?source=cve
https://plugins.trac.wordpress.org/browser/wise-analytics/trunk/src/Endpoints/ReportsEndpoint.php#L43
https://plugins.trac.wordpress.org/browser/wise-analytics/tags/1.1.9/src/Endpoints/ReportsEndpoint.php#L43
 
mastodon--mastodon Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining the numeric subscription id. This can be used to disrupt push notifications for other users and also leaks the web push subscription endpoint. Any user with a web push subscription is impacted, because another authenticated user can tamper with their push subscription settings if they can guess or obtain the subscription id. This allows an attacker to disrupt push notifications by changing the policy (whether to filter notifications from non-followers or non-followed users) and subscribed notification types of their victims. Additionally, the endpoint returns the subscription object, which includes the push notification endpoint for this subscription, but not its keypair. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched. 2026-01-22 6.5 CVE-2026-23964 https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q8-7vw3-69v4
https://github.com/mastodon/mastodon/releases/tag/v4.3.18
https://github.com/mastodon/mastodon/releases/tag/v4.4.12
https://github.com/mastodon/mastodon/releases/tag/v4.5.5
 
mastodon--mastodon Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users to prevent interactions. However, some logic errors allow already-known posts from such suspended users to appear in timelines if boosted. Furthermore, under certain circumstances, previously-unknown posts from suspended users can be processed. This issue allows old posts from suspended users to occasionally end up on timelines on all Mastodon versions. Additionally, on Mastodon versions from v4.5.0 to v4.5.4, v4.4.5 to v4.4.11, v4.3.13 to v4.3.17, and v4.2.26 to v4.2.29, remote suspended users can partially bypass the suspension to get new posts in. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched. 2026-01-22 5.3 CVE-2026-23961 https://github.com/mastodon/mastodon/security/advisories/GHSA-5h2f-wg8j-xqwp
https://github.com/mastodon/mastodon/releases/tag/v4.3.18
https://github.com/mastodon/mastodon/releases/tag/v4.4.12
https://github.com/mastodon/mastodon/releases/tag/v4.5.5
 
mastodon--mastodon Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does not enforce a maximum length for the names of lists or filters, or for filter keywords, allowing any user to set an arbitrarily long string as the name or keyword. Any local user can abuse the list or filter fields to cause disproportionate storage and computing resource usage. They can additionally cause their own web interface to be unusable, although they must intentionally do this to themselves or unknowingly approve a malicious API client. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched. 2026-01-22 4.3 CVE-2026-23963 https://github.com/mastodon/mastodon/security/advisories/GHSA-6x3w-9g92-gvf3
https://github.com/mastodon/mastodon/releases/tag/v4.3.18
https://github.com/mastodon/mastodon/releases/tag/v4.4.12
https://github.com/mastodon/mastodon/releases/tag/v4.5.5
 
MedDream--MedDream PACS Premium A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. 2026-01-20 6.1 CVE-2025-36556 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2272
 
MedDream--MedDream PACS Premium A reflected cross-site scripting (xss) vulnerability exists in the sendOruReport functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. 2026-01-20 6.1 CVE-2025-44000 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2270
 
MedDream--MedDream PACS Premium A reflected cross-site scripting (xss) vulnerability exists in the fetchPriorStudies functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. 2026-01-20 6.1 CVE-2025-46270 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2258
 
MedDream--MedDream PACS Premium A reflected cross-site scripting (xss) vulnerability exists in the downloadZip functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious url can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. 2026-01-20 6.1 CVE-2025-53516 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2254
 
MedDream--MedDream PACS Premium A reflected cross-site scripting (xss) vulnerability exists in the modifyTranscript functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. 2026-01-20 6.1 CVE-2025-53707 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2267
 
MedDream--MedDream PACS Premium A reflected cross-site scripting (xss) vulnerability exists in the modifyHL7Route functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. 2026-01-20 6.1 CVE-2025-53854 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2265
 
MedDream--MedDream PACS Premium A reflected cross-site scripting (xss) vulnerability exists in the encapsulatedDoc functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. 2026-01-20 6.1 CVE-2025-54157 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2256
 
MedDream--MedDream PACS Premium A reflected cross-site scripting (xss) vulnerability exists in the emailfailedjob functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious url can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. 2026-01-20 6.1 CVE-2025-54495 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2255
 
MedDream--MedDream PACS Premium A reflected cross-site scripting (xss) vulnerability exists in the existingUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. 2026-01-20 6.1 CVE-2025-54778 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2257
 
MedDream--MedDream PACS Premium A reflected cross-site scripting (xss) vulnerability exists in the modifyAutopurgeFilter functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. 2026-01-20 6.1 CVE-2025-54814 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2261
 
MedDream--MedDream PACS Premium A reflected cross-site scripting (xss) vulnerability exists in the autoPurge functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious url can lead to arbitrary javascript code execution. An attacker can provide a URL to a malicious website to trigger this vulnerability. 2026-01-20 6.1 CVE-2025-54817 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2253
 
MedDream--MedDream PACS Premium A reflected cross-site scripting (xss) vulnerability exists in the modifyAeTitle functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. 2026-01-20 6.1 CVE-2025-54852 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2260
 
MedDream--MedDream PACS Premium A reflected cross-site scripting (xss) vulnerability exists in the modifyUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. 2026-01-20 6.1 CVE-2025-54853 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2268
 
MedDream--MedDream PACS Premium A reflected cross-site scripting (xss) vulnerability exists in the modifyCoercion functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. 2026-01-20 6.1 CVE-2025-54861 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2262
 
MedDream--MedDream PACS Premium A reflected cross-site scripting (xss) vulnerability exists in the modifyAnonymize functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. 2026-01-20 6.1 CVE-2025-55071 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2259
 
MedDream--MedDream PACS Premium A reflected cross-site scripting (xss) vulnerability exists in the notifynewstudy functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. 2026-01-20 6.1 CVE-2025-57786 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2269
 
MedDream--MedDream PACS Premium A reflected cross-site scripting (xss) vulnerability exists in the modifyRoute functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. 2026-01-20 6.1 CVE-2025-57787 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2266
 
MedDream--MedDream PACS Premium A reflected cross-site scripting (xss) vulnerability exists in the modifyEmail functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. 2026-01-20 6.1 CVE-2025-57881 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2263
 
MedDream--MedDream PACS Premium A reflected cross-site scripting (xss) vulnerability exists in the modifyHL7App functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. 2026-01-20 6.1 CVE-2025-58080 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2264
 
MedDream--MedDream PACS Premium Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the status parameter. 2026-01-20 6.1 CVE-2025-58087 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271
 
MedDream--MedDream PACS Premium Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the archivedir parameter. 2026-01-20 6.1 CVE-2025-58088 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271
 
MedDream--MedDream PACS Premium Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the longtermdir parameter. 2026-01-20 6.1 CVE-2025-58089 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271
 
MedDream--MedDream PACS Premium Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the uploaddir parameter. 2026-01-20 6.1 CVE-2025-58090 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271
 
MedDream--MedDream PACS Premium Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the thumbnaildir parameter. 2026-01-20 6.1 CVE-2025-58091 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271
 
MedDream--MedDream PACS Premium Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the phpexe parameter. 2026-01-20 6.1 CVE-2025-58092 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271
 
MedDream--MedDream PACS Premium Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the phpdir parameter. 2026-01-20 6.1 CVE-2025-58093 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271
 
MedDream--MedDream PACS Premium Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the worklistsrc parameter. 2026-01-20 6.1 CVE-2025-58094 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271
 
MedDream--MedDream PACS Premium Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the imagedir parameter. 2026-01-20 6.1 CVE-2025-58095 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271
 
mehtevas--Responsive Header Plugin The Responsive Header plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple plugin settings parameters in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-01-24 4.4 CVE-2026-1300 https://www.wordfence.com/threat-intel/vulnerabilities/id/30821418-48c0-4bc6-8bf1-f558671bff24?source=cve
https://downloads.wordpress.org/plugin/responsive-header.1.0.zip
https://wordpress.org/plugins/responsive-header/
https://plugins.trac.wordpress.org/browser/responsive-header/trunk/rhp-settings.php#L103
https://plugins.trac.wordpress.org/browser/responsive-header/tags/1.0/rhp-settings.php#L103
 
Mfscripts--YetiShare File Hosting Script YetiShare File Hosting Script 5.1.0 contains a server-side request forgery vulnerability that allows attackers to read local system files through the remote file upload feature. Attackers can exploit the url parameter in the url_upload_handler endpoint to access sensitive files like /etc/passwd by using file:/// protocol. 2026-01-23 4 CVE-2021-47899 ExploitDB-49534
Vendor Homepage
Software Product Page
VulnCheck Advisory: YetiShare File Hosting Script 5.1.0 Remote File Upload SSRF Vulnerability
 
MineAdmin--MineAdmin A vulnerability was identified in MineAdmin 1.x/2.x. The impacted element is an unknown function of the file /system/cache/view of the component View Interface. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-19 6.3 CVE-2026-1193 VDB-341778 | MineAdmin View view improper authorization
VDB-341778 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #734270 | MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x Logical flaw and vulnerability
https://github.com/SourByte05/MineAdmin-Vulnerability/issues/6
 
MineAdmin--MineAdmin A security flaw has been discovered in MineAdmin 1.x/2.x. This affects an unknown function of the component Swagger. The manipulation results in information disclosure. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-19 5.3 CVE-2026-1194 VDB-341779 | MineAdmin Swagger information disclosure
VDB-341779 | CTI Indicators (IOB, IOC, TTP)
Submit #734271 | MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x Swagger Information Leakage Vulnerability
https://github.com/SourByte05/MineAdmin-Vulnerability/issues/5
 
MineAdmin--MineAdmin A weakness has been identified in MineAdmin 1.x/2.x. This impacts the function refresh of the file /system/refresh of the component JWT Token Handler. This manipulation causes insufficient verification of data authenticity. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is said to be difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-20 5 CVE-2026-1195 VDB-341780 | MineAdmin JWT Token refresh data authenticity
VDB-341780 | CTI Indicators (IOB, IOC, IOA)
Submit #734272 | MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x Flaw Vulnerability
https://github.com/SourByte05/MineAdmin-Vulnerability/issues/4
 
neop--Postalicious The Postalicious plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-01-24 4.4 CVE-2026-1266 https://www.wordfence.com/threat-intel/vulnerabilities/id/512c9a2f-b023-4e28-8dd8-35795e68a8b3?source=cve
https://plugins.trac.wordpress.org/browser/postalicious/trunk/wp-postalicious.php#L316
https://plugins.trac.wordpress.org/browser/postalicious/tags/3.0.1/wp-postalicious.php#L316
https://plugins.trac.wordpress.org/browser/postalicious/trunk/wp-postalicious.php#L533
https://plugins.trac.wordpress.org/browser/postalicious/tags/3.0.1/wp-postalicious.php#L533
https://plugins.trac.wordpress.org/browser/postalicious/trunk/wp-postalicious.php#L541
https://plugins.trac.wordpress.org/browser/postalicious/tags/3.0.1/wp-postalicious.php#L541
https://plugins.trac.wordpress.org/browser/postalicious/trunk/wp-postalicious.php#L548
https://plugins.trac.wordpress.org/browser/postalicious/tags/3.0.1/wp-postalicious.php#L548
 
nhomcaodem--Viet contact The Viet contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-01-20 4.4 CVE-2026-1045 https://www.wordfence.com/threat-intel/vulnerabilities/id/131a6a35-e0d2-4613-8614-24bf11011098?source=cve
https://plugins.trac.wordpress.org/browser/viet-contact/trunk/inc/vietcontact-admin.php#L34
https://plugins.trac.wordpress.org/browser/viet-contact/trunk/inc/vietcontact-content.php#L11
 
norcross--WP Hello Bar The WP Hello Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'digit_one' and 'digit_two' parameters in all versions up to, and including, 1.02 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-20 4.4 CVE-2026-1042 https://www.wordfence.com/threat-intel/vulnerabilities/id/73b55486-adb8-40c6-9113-c98618d9cb00?source=cve
https://downloads.wordpress.org/plugin/wp-hello-bar.1.02.zip
https://wordpress.org/plugins/wp-hello-bar/
https://plugins.trac.wordpress.org/browser/wp-hello-bar/tags/1.02/wp-hello-bar.php#L214
https://plugins.trac.wordpress.org/browser/wp-hello-bar/tags/1.02/wp-hello-bar.php#L222
https://plugins.trac.wordpress.org/browser/wp-hello-bar/tags/1.02/wp-hello-bar.php#L152
 
NVIDIA--CUDA Toolkit NVIDIA Nsight Systems for Windows contains a vulnerability in the application's DLL loading mechanism where an attacker could cause an uncontrolled search path element by exploiting insecure DLL search paths. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service and information disclosure. 2026-01-20 6.7 CVE-2025-33231 https://nvd.nist.gov/vuln/detail/CVE-2025-33231
https://www.cve.org/CVERecord?id=CVE-2025-33231
https://nvidia.custhelp.com/app/answers/detail/a_id/5755
 
opencryptoki--opencryptoki openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. Versions 2.3.2 and above are vulnerable to symlink-following when running in privileged contexts. A token-group user can redirect file operations to arbitrary filesystem targets by planting symlinks in group-writable token directories, resulting in privilege escalation or data exposure. Token and lock directories are 0770 (group-writable for token users), so any token-group member can plant files and symlinks inside them. When run as root, the base code handling token directory file access, as well as several openCryptoki tools used for administrative purposes, may reset ownership or permissions on existing files inside the token directories. An attacker with token-group membership can exploit the system when an administrator runs a PKCS#11 application or administrative tool that performs chown on files inside the token directory during normal maintenance. This issue is fixed in commit 5e6e4b4, but has not been included in a released version at the time of publication. 2026-01-22 6.8 CVE-2026-23893 https://github.com/opencryptoki/opencryptoki/security/advisories/GHSA-j6c7-mvpx-jx5q
https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45
 
OpenEMR Foundation, Inc.--OpenEMR OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript through user profile parameters. Attackers can exploit the vulnerability by crafting a malicious payload to download and execute a web shell, enabling remote command execution on the vulnerable OpenEMR instance. 2026-01-21 5.4 CVE-2021-47817 ExploitDB-49784
OpenEMR Official Website
OpenEMR 5.0.2.1 Download
SonarSource Vulnerability Analysis
Vulnerability Demonstration Video
VulnCheck Advisory: OpenEMR 5.0.2.1 - Remote Code Execution
 
opf--openproject OpenProject is an open-source, web-based project management software. Users of OpenProject versions prior to 16.6.5 and 17.0.1 have the ability to view and end their active sessions via Account Settings → Sessions. When deleting a session, it was not properly checked if the session belongs to the user. As the ID that is used to identify these session objects use incremental integers, users could iterate requests using `DELETE /my/sessions/:id` and thus unauthenticate other users. Users did not have access to any sensitive information (like browser identifier, IP addresses, etc) of other users that are stored in the session. The problem was patched in OpenProject versions 16.6.5 and 17.0.1. No known workarounds are available as this does not require any permissions or other that can temporarily be disabled. 2026-01-19 6.5 CVE-2026-23646 https://github.com/opf/openproject/security/advisories/GHSA-w422-xf8f-v4vp
https://github.com/opf/openproject/releases/tag/v16.6.5
https://github.com/opf/openproject/releases/tag/v17.0.1
 
opf--openproject OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of. Prior to versions 17.0.1 and 16.6.5, due to a failed permission check, if a user had the View Members permission in any project, they could enumerate all Groups and view which other users are part of the group. The issue has been fixed in OpenProject 17.0.1 and 16.6.5. No known workarounds are available. 2026-01-19 4.3 CVE-2026-23721 https://github.com/opf/openproject/security/advisories/GHSA-vj77-wrc2-5h5h
 
Oracle Corporation--JD Edwards EnterpriseOne Tools Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are 9.2.0.0-9.2.26.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Tools accessible data as well as unauthorized read access to a subset of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). 2026-01-20 6.1 CVE-2026-21946 Oracle Advisory
 
Oracle Corporation--MySQL Cluster Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 2026-01-20 4.9 CVE-2026-21936 Oracle Advisory
 
Oracle Corporation--MySQL Server Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). 2026-01-20 6.5 CVE-2026-21949 Oracle Advisory
 
Oracle Corporation--MySQL Server Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). 2026-01-20 6.5 CVE-2026-21950 Oracle Advisory
 
Oracle Corporation--MySQL Server Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). 2026-01-20 6.5 CVE-2026-21968 Oracle Advisory
 
Oracle Corporation--MySQL Server Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 9.0.0-9.5.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H). 2026-01-20 5.3 CVE-2026-21929 Oracle Advisory
 
Oracle Corporation--MySQL Server Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 2026-01-20 4.9 CVE-2026-21937 Oracle Advisory
 
Oracle Corporation--MySQL Server Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 2026-01-20 4.9 CVE-2026-21941 Oracle Advisory
 
Oracle Corporation--MySQL Server Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 2026-01-20 4.9 CVE-2026-21948 Oracle Advisory
 
Oracle Corporation--MySQL Server Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 2026-01-20 4.9 CVE-2026-21952 Oracle Advisory
 
Oracle Corporation--MySQL Server Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 2026-01-20 4.9 CVE-2026-21964 Oracle Advisory
 
Oracle Corporation--Oracle Agile Product Lifecycle Management for Process Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Product Quality Management). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile Product Lifecycle Management for Process accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). 2026-01-20 6.5 CVE-2026-21944 Oracle Advisory
 
Oracle Corporation--Oracle APEX Sample Applications Vulnerability in the Oracle APEX Sample Applications product of Oracle APEX (component: Brookstrut Sample App). Supported versions that are affected are 23.2.0, 23.2.1, 24.1.0, 24.2.0 and 24.2.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle APEX Sample Applications. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle APEX Sample Applications, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle APEX Sample Applications accessible data as well as unauthorized read access to a subset of Oracle APEX Sample Applications accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). 2026-01-20 5.4 CVE-2026-21931 Oracle Advisory
 
Oracle Corporation--Oracle Applications DBA Vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite (component: Java utils). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications DBA. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Applications DBA accessible data as well as unauthorized access to critical data or complete access to all Oracle Applications DBA accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N). 2026-01-20 6.5 CVE-2026-21960 Oracle Advisory
 
Oracle Corporation--Oracle Configurator Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Configurator accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). 2026-01-20 5.3 CVE-2026-21972 Oracle Advisory
 
Oracle Corporation--Oracle Database Server Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.29 and 21.3-21.20. Easily exploitable vulnerability allows high privileged attacker having Authenticated User privilege with network access via Oracle Net to compromise Java VM. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Java VM. CVSS 3.1 Base Score 4.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H). 2026-01-20 4.5 CVE-2026-21975 Oracle Advisory
 
Oracle Corporation--Oracle FLEXCUBE Universal Banking Vulnerability in the Oracle FLEXCUBE Universal Banking product of Oracle Financial Services Applications (component: Relationship Pricing). Supported versions that are affected are 14.0.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle FLEXCUBE Universal Banking accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). 2026-01-20 6.5 CVE-2026-21978 Oracle Advisory
 
Oracle Corporation--Oracle Hospitality OPERA 5 Property Services Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). Supported versions that are affected are 5.6.19.23, 5.6.25.17, 5.6.26.10 and 5.6.27.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Hospitality OPERA 5 Property Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 Property Services accessible data as well as unauthorized read access to a subset of Oracle Hospitality OPERA 5 Property Services accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). 2026-01-20 6.1 CVE-2026-21966 Oracle Advisory
 
Oracle Corporation--Oracle Java SE Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). 2026-01-20 6.1 CVE-2026-21933 Oracle Advisory
 
Oracle Corporation--Oracle Java SE Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). 2026-01-20 4.8 CVE-2026-21925 Oracle Advisory
 
Oracle Corporation--Oracle Life Sciences Central Coding Vulnerability in the Oracle Life Sciences Central Coding product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Central Coding. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Life Sciences Central Coding accessible data as well as unauthorized read access to a subset of Oracle Life Sciences Central Coding accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). 2026-01-20 6.5 CVE-2026-21980 Oracle Advisory
 
Oracle Corporation--Oracle Life Sciences Central Designer Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Central Designer. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Life Sciences Central Designer accessible data as well as unauthorized read access to a subset of Oracle Life Sciences Central Designer accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). 2026-01-20 6.5 CVE-2026-21923 Oracle Advisory
 
Oracle Corporation--Oracle Life Sciences Central Designer Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Life Sciences Central Designer. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Life Sciences Central Designer accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). 2026-01-20 6.5 CVE-2026-21970 Oracle Advisory
 
Oracle Corporation--Oracle Life Sciences Central Designer Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Central Designer. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Life Sciences Central Designer accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). 2026-01-20 5.3 CVE-2026-21974 Oracle Advisory
 
Oracle Corporation--Oracle Planning and Budgeting Cloud Service Vulnerability in the Oracle Planning and Budgeting Cloud Service product of Oracle Hyperion (component: EPM Agent). The supported version that is affected is 25.04.07. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Planning and Budgeting Cloud Service executes to compromise Oracle Planning and Budgeting Cloud Service. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Planning and Budgeting Cloud Service accessible data. Note: Update EPM Agent. Please refer to <a href="https://docs.oracle.com/en/cloud/saas/enterprise-performance-management-common/diepm/epm_agent_downloading_agent_110x80569d70.html">Downloading the EPM Agent for more information. CVSS 3.1 Base Score 4.2 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N). 2026-01-20 4.2 CVE-2026-21922 Oracle Advisory
 
Oracle Corporation--Oracle Planning and Budgeting Cloud Service Vulnerability in the Oracle Planning and Budgeting Cloud Service product of Oracle Hyperion (component: EPM Agent). The supported version that is affected is 25.04.07. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Planning and Budgeting Cloud Service executes to compromise Oracle Planning and Budgeting Cloud Service. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Planning and Budgeting Cloud Service accessible data. Note: Update EPM Agent. Please refer to <a href="https://docs.oracle.com/en/cloud/saas/enterprise-performance-management-common/diepm/epm_agent_downloading_agent_110x80569d70.html">Downloading the EPM Agent for more information. CVSS 3.1 Base Score 4.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N). 2026-01-20 4.2 CVE-2026-21979 Oracle Advisory
 
Oracle Corporation--Oracle Scripting Vulnerability in the Oracle Scripting product of Oracle E-Business Suite (component: Scripting Admin). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Scripting. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Scripting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Scripting accessible data as well as unauthorized read access to a subset of Oracle Scripting accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). 2026-01-20 6.1 CVE-2026-21943 Oracle Advisory
 
Oracle Corporation--Oracle Solaris Vulnerability in the Oracle Solaris product of Oracle Systems (component: Driver). The supported version that is affected is 11. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data as well as unauthorized access to critical data or complete access to all Oracle Solaris accessible data. CVSS 3.1 Base Score 5.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N). 2026-01-20 5.8 CVE-2026-21927 Oracle Advisory
 
Oracle Corporation--Oracle Solaris Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel). The supported version that is affected is 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle Solaris. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Solaris accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). 2026-01-20 5.3 CVE-2026-21928 Oracle Advisory
 
Oracle Corporation--Oracle Solaris Vulnerability in the Oracle Solaris product of Oracle Systems (component: Driver). The supported version that is affected is 11. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data as well as unauthorized access to critical data or complete access to all Oracle Solaris accessible data. CVSS 3.1 Base Score 5.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N). 2026-01-20 5.8 CVE-2026-21935 Oracle Advisory
 
Oracle Corporation--Oracle Solaris Vulnerability in the Oracle Solaris product of Oracle Systems (component: Filesystems). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris. CVSS 3.1 Base Score 5.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H). 2026-01-20 5 CVE-2026-21942 Oracle Advisory
 
Oracle Corporation--Oracle Utilities Application Framework Vulnerability in the Oracle Utilities Application Framework product of Oracle Utilities Applications (component: General). Supported versions that are affected are 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1, 4.5.0.1.3, 4.5.0.2.0, 25.4 and 25.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Utilities Application Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Utilities Application Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Utilities Application Framework accessible data as well as unauthorized read access to a subset of Oracle Utilities Application Framework accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). 2026-01-20 5.4 CVE-2026-21924 Oracle Advisory
 
Oracle Corporation--Oracle VM VirtualBox Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N). 2026-01-20 6 CVE-2026-21963 Oracle Advisory
 
Oracle Corporation--Oracle VM VirtualBox Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N). 2026-01-20 6 CVE-2026-21985 Oracle Advisory
 
Oracle Corporation--Oracle VM VirtualBox Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 4.6 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:L). 2026-01-20 4.6 CVE-2026-21981 Oracle Advisory
 
Oracle Corporation--Oracle Workflow Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Loader). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Workflow accessible data. CVSS 3.1 Base Score 4.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N). 2026-01-20 4.9 CVE-2026-21959 Oracle Advisory
 
Oracle Corporation--PeopleSoft Enterprise HCM Human Resources Vulnerability in the PeopleSoft Enterprise HCM Human Resources product of Oracle PeopleSoft (component: Company Dir / Org Chart Viewer, Employee Snapshot). The supported version that is affected is 9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Human Resources. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise HCM Human Resources, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise HCM Human Resources accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise HCM Human Resources accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). 2026-01-20 6.1 CVE-2026-21961 Oracle Advisory
 
Oracle Corporation--PeopleSoft Enterprise PeopleTools Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Portal). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). 2026-01-20 6.1 CVE-2026-21938 Oracle Advisory
 
Oracle Corporation--PeopleSoft Enterprise PeopleTools Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Integration Broker). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). 2026-01-20 6.1 CVE-2026-21951 Oracle Advisory
 
Oracle Corporation--PeopleSoft Enterprise PeopleTools Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Push Notifications). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). 2026-01-20 5.4 CVE-2026-21934 Oracle Advisory
 
Oracle Corporation--PeopleSoft Enterprise SCM Purchasing Vulnerability in the PeopleSoft Enterprise SCM Purchasing product of Oracle PeopleSoft (component: Purchasing). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise SCM Purchasing. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise SCM Purchasing accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise SCM Purchasing accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). 2026-01-20 5.4 CVE-2026-21971 Oracle Advisory
 
ostin654--JustClick registration plugin The JustClick registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on the `PHP_SELF` server variable. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2026-01-24 6.1 CVE-2025-13676 https://www.wordfence.com/threat-intel/vulnerabilities/id/f1420ec8-55e4-448d-8230-228d1e566b97?source=cve
https://plugins.trac.wordpress.org/browser/justclick-subscriber/trunk/justclick.php#L154
https://plugins.trac.wordpress.org/browser/justclick-subscriber/tags/0.1/justclick.php#L154
 
Palantir--com.palantir.aries:aries A vulnerability in Palantir's Aries service allowed unauthenticated access to log viewing and management functionality on Apollo instances using default configuration. The defect resulted in both authentication and authorization checks being bypassed, potentially allowing any network-accessible client to view system logs and perform operations without valid credentials. No evidence of exploitation was identified during the vulnerability window. 2026-01-22 6.6 CVE-2025-68609 https://palantir.safebase.us/?tcuUid=955a313a-1735-48a6-9fb4-e10404f14eb5
 
pdfcrowd--Save as PDF Plugin by PDFCrowd The Save as PDF Plugin by PDFCrowd plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'options' parameter in all versions up to, and including, 4.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. NOTE: Successful exploitation of this vulnerability requires that the PDFCrowd API key is blank (also known as "demo mode", which is the default configuration when the plugin is installed) or known. 2026-01-24 6.1 CVE-2026-0862 https://www.wordfence.com/threat-intel/vulnerabilities/id/74172fcb-7428-464a-89f1-f1f3af50e361?source=cve
https://plugins.trac.wordpress.org/changeset/3438577/save-as-pdf-by-pdfcrowd
 
peachpay--PeachPay Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) The PeachPay - Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1.119.8. This makes it possible for unauthenticated attackers to modify the status of arbitrary WooCommerce orders. 2026-01-20 5.3 CVE-2025-14978 https://www.wordfence.com/threat-intel/vulnerabilities/id/5480a151-3e3a-46ba-9712-6c61fba06812?source=cve
https://plugins.trac.wordpress.org/browser/peachpay-for-woocommerce/tags/1.119.5/core/payments/convesiopay/routes/class-peachpay-convesiopay-webhook.php#L33
 
PHPGurukul--News Portal A vulnerability was identified in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /admin/add-subadmins.php of the component Add Sub-Admin Page. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit is publicly available and might be used. 2026-01-19 6.3 CVE-2026-1141 VDB-341733 | PHPGurukul News Portal Add Sub-Admin add-subadmins.php improper authorization
VDB-341733 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #735483 | PHPGurukul News Portal Project in PHP and MySql 1.0 Improper Access Controls
https://github.com/Asim-QAZi/BrokenAccessControl-News-Portal-Project-in-PHP-and-MySQL-in-PHPGurukul
https://phpgurukul.com/
 
PHPGurukul--News Portal A security flaw has been discovered in PHPGurukul News Portal 1.0. The impacted element is an unknown function. Performing a manipulation results in cross-site request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. 2026-01-19 4.3 CVE-2026-1142 VDB-341734 | PHPGurukul News Portal cross-site request forgery
VDB-341734 | CTI Indicators (IOB, IOC)
Submit #735498 | PHPGurukul News Portal Project in PHP and MySql 1.0 Cross-Site Request Forgery
https://github.com/Asim-QAZi/CSRF-Add-Subadmin-in-News-Portal-Project-in-PHP-and-MySql-in-PHPGurukul
https://phpgurukul.com/
 
plugins360--All-in-One Video Gallery The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. This makes it possible for unauthenticated attackers to create and delete videos on the Bunny Stream CDN associated with the victim's account, provided they can obtain a valid nonce which is exposed in public player templates. 2026-01-23 6.5 CVE-2025-14947 https://www.wordfence.com/threat-intel/vulnerabilities/id/bedfb712-faf6-4131-b254-e6d7c367f49f?source=cve
https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/trunk/includes/init.php#L373
https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/trunk/public/bunny-stream.php#L131
https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/trunk/public/bunny-stream.php#L285
https://plugins.trac.wordpress.org/changeset/3441541/
 
plugins360--All-in-One Video Gallery The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary string-based user meta keys for their own account. 2026-01-24 4.3 CVE-2025-15516 https://www.wordfence.com/threat-intel/vulnerabilities/id/218e4ed5-661b-49e1-8b23-457a93fd53fa?source=cve
https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.6.4/admin/admin.php#L1062
 
pytest--pytest pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges. 2026-01-22 6.8 CVE-2025-71176 https://github.com/pytest-dev/pytest/issues/13669
https://www.openwall.com/lists/oss-security/2026/01/21/5
 
quickjs-ng--quickjs A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue. 2026-01-19 6.3 CVE-2026-1144 VDB-341737 | quickjs-ng quickjs Atomics Ops quickjs.c use after free
VDB-341737 | CTI Indicators (IOB, IOC, IOA)
Submit #735537 | quickjs-ng quickjs v0.11.0 Use After Free
Submit #735538 | quickjs-ng quickjs v0.11.0 Use After Free (Duplicate)
https://github.com/quickjs-ng/quickjs/issues/1301
https://github.com/quickjs-ng/quickjs/pull/1303
https://github.com/quickjs-ng/quickjs/issues/1302
https://github.com/quickjs-ng/quickjs/commit/ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141
 
quickjs-ng--quickjs A flaw has been found in quickjs-ng quickjs up to 0.11.0. Affected by this vulnerability is the function js_typed_array_constructor_ta of the file quickjs.c. This manipulation causes heap-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 53aebe66170d545bb6265906fe4324e4477de8b4. It is suggested to install a patch to address this issue. 2026-01-19 6.3 CVE-2026-1145 VDB-341738 | quickjs-ng quickjs quickjs.c js_typed_array_constructor_ta heap-based overflow
VDB-341738 | CTI Indicators (IOB, IOC, IOA)
Submit #735539 | quickjs-ng quickjs v0.11.0 Heap-based Buffer Overflow
https://github.com/quickjs-ng/quickjs/issues/1305
https://github.com/quickjs-ng/quickjs/pull/1306
https://github.com/quickjs-ng/quickjs/issues/1305#issue-3785444372
https://github.com/paralin/quickjs/commit/53aebe66170d545bb6265906fe4324e4477de8b4
 
rebelcode--RSS Aggregator RSS Import, News Feeds, Feed to Post, and Autoblogging The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-23 6.4 CVE-2025-14745 https://www.wordfence.com/threat-intel/vulnerabilities/id/dd201949-d3a1-4fdb-bf98-252fbfd59380?source=cve
https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/core/src/Renderer.php#L209
https://plugins.trac.wordpress.org/changeset/3439384/wp-rss-aggregator/trunk/core/src/Renderer.php
 
Red Hat--Red Hat Build of Keycloak A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow. 2026-01-21 6.5 CVE-2025-14559 https://access.redhat.com/security/cve/CVE-2025-14559
RHBZ#2421711
 
Red Hat--Red Hat Build of Keycloak A flaw was identified in Keycloak's OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk. 2026-01-20 5.8 CVE-2026-1180 https://access.redhat.com/security/cve/CVE-2026-1180
RHBZ#2430781
 
robiulawal40--Alpha Blocks The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alpha_block_css' parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-24 6.4 CVE-2025-14985 https://www.wordfence.com/threat-intel/vulnerabilities/id/745dcc4c-1c52-4ac7-9ac6-033770282a3b?source=cve
https://plugins.trac.wordpress.org/browser/alpha-blocks/tags/1.5.0/class/block_inline_style.php#L175
 
rtowebsites--AdminQuickbar The AdminQuickbar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.3. This is due to missing or incorrect nonce validation on the 'saveSettings' and 'renamePost' AJAX actions. This makes it possible for unauthenticated attackers to modify plugin settings and update post titles via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-24 4.3 CVE-2025-14630 https://www.wordfence.com/threat-intel/vulnerabilities/id/bb70ad52-b964-4c56-98a2-06be375a79af?source=cve
https://plugins.trac.wordpress.org/browser/adminquickbar/tags/1.9.3/Lib/AdminQuickbar.php#L88
https://plugins.trac.wordpress.org/browser/adminquickbar/tags/1.9.3/Lib/Sidebar.php#L386
https://plugins.trac.wordpress.org/browser/adminquickbar/trunk/Lib/AdminQuickbar.php#L88
https://plugins.trac.wordpress.org/browser/adminquickbar/trunk/Lib/Sidebar.php#L386
 
Sangfor--Operation and Maintenance Security Management System A security flaw has been discovered in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function edit_pwd_mall of the file /fort/login/edit_pwd_mall. The manipulation of the argument flag results in weak password recovery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-22 5.3 CVE-2026-1325 VDB-342301 | Sangfor Operation and Maintenance Security Management System edit_pwd_mall password recovery
VDB-342301 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #736208 | Sangfor Operation and Maintenance Security Management System (OSM / 运维安全管理系统) 3.0.12 Unauthenticated Arbitrary Password Reset
https://github.com/LX-LX88/cve/issues/21
 
satollo--Newsletter Send awesome emails from WordPress The Newsletter - Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it possible for unauthenticated attackers to unsubscribe newsletter subscribers via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link. 2026-01-20 4.3 CVE-2026-1051 https://www.wordfence.com/threat-intel/vulnerabilities/id/8de2156f-5087-4c16-8e5d-93b5c72ec536?source=cve
https://plugins.trac.wordpress.org/browser/newsletter/tags/9.1.0/unsubscription/unsubscription.php#L141
 
sauravrox--Set Bulk Post Categories The Set Bulk Post Categories plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the bulk category update functionality. This makes it possible for unauthenticated attackers to modify post categories in bulk via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-24 4.3 CVE-2026-1081 https://www.wordfence.com/threat-intel/vulnerabilities/id/9503f908-ead2-4c34-89b9-1e2348b90f3c?source=cve
https://plugins.trac.wordpress.org/browser/set-bulk-post-categories/trunk/set-bulk-categories.php#L36
https://plugins.trac.wordpress.org/browser/set-bulk-post-categories/tags/1.1/set-bulk-categories.php#L36
 
Seacms--Seacms SeaCMS 11.1 contains a stored cross-site scripting vulnerability in the checkuser parameter of the admin settings page. Attackers can inject malicious JavaScript payloads that will execute in users' browsers when the page is loaded. 2026-01-25 6.4 CVE-2020-36932 ExploitDB-49251
Official Seacms Product Homepage
VulnCheck Advisory: Seacms 11.1 - 'checkuser' Stored XSS
 
shahinurislam--Meta-box GalleryMeta The Meta-box GalleryMeta plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mb_gallery' custom post type in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Author-level access and above, to create and publish galleries. 2026-01-24 4.3 CVE-2026-0687 https://www.wordfence.com/threat-intel/vulnerabilities/id/872c61aa-c95c-4b86-8e39-8112bb117a0b?source=cve
https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/include/posttype.php#L29
https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/gallerymetaboxes.php#L375
 
shahinurislam--Meta-box GalleryMeta The Meta-box GalleryMeta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-01-24 4.4 CVE-2026-1302 https://www.wordfence.com/threat-intel/vulnerabilities/id/bb9ae252-7e5f-4dc0-a162-100493b81980?source=cve
https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/templates/single-mb_gallery.php#L31
https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/templates/single-mb_gallery.php#L33
https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/gallerymetaboxes.php#L119
https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/gallerymetaboxes.php#L314
 
shazdeh--Administrative Shortcodes The Administrative Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'login' and 'logout' shortcode attributes in all versions up to, and including, 0.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-24 6.4 CVE-2026-1099 https://www.wordfence.com/threat-intel/vulnerabilities/id/de931a65-c898-4b1d-99ce-20dd646bcbb0?source=cve
https://plugins.trac.wordpress.org/browser/administrative-shortcodes/trunk/administrative-shortcodes.php#L196
https://plugins.trac.wordpress.org/browser/administrative-shortcodes/tags/0.3.4/administrative-shortcodes.php#L196
 
sigstore--rekor Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereference. Function validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This issue has been fixed in version 1.5.0. 2026-01-22 5.3 CVE-2026-23831 https://github.com/sigstore/rekor/security/advisories/GHSA-273p-m2cw-6833
https://github.com/sigstore/rekor/commit/39bae3d192bce48ef4ef2cbd1788fb5770fee8cd
https://github.com/sigstore/rekor/releases/tag/v1.5.0
 
sigstore--rekor Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. The issue has been fixed in version 1.5.0. To workaround this issue, disable the search endpoint with --enable_retrieve_api=false. 2026-01-22 5.3 CVE-2026-24117 https://github.com/sigstore/rekor/security/advisories/GHSA-4c4x-jm2x-pf9j
https://github.com/sigstore/rekor/commit/60ef2bceba192c5bf9327d003bceea8bf1f8275f
https://github.com/sigstore/rekor/releases/tag/v1.5.0
 
sigstore--sigstore sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from signed target metadata; however, it does not validate that the resulting path stays within the cache base directory. A malicious TUF repository can trigger arbitrary file overwriting, limited to the permissions that the calling process has. Note that this should only affect clients that are directly using the TUF client in sigstore/sigstore or are using an older version of Cosign. Public Sigstore deployment users are unaffected, as TUF metadata is validated by a quorum of trusted collaborators. This issue has been fixed in version 1.10.4. As a workaround, users can disable disk caching for the legacy client by setting SIGSTORE_NO_CACHE=true in the environment, migrate to https://github.com/sigstore/sigstore-go/tree/main/pkg/tuf, or upgrade to the latest sigstore/sigstore release. 2026-01-23 5.8 CVE-2026-24137 https://github.com/sigstore/sigstore/security/advisories/GHSA-fcv2-xgw5-pqxf
https://github.com/sigstore/sigstore/commit/8ec410a2993ea78083aecf0e473a85453039496e
https://github.com/sigstore/sigstore/releases/tag/v1.10.4
 
SourceCodester--E-Learning System A flaw has been found in SourceCodester E-Learning System 1.0. This impacts an unknown function of the file /admin/modules/lesson/index.php of the component Lesson Module Handler. Executing a manipulation of the argument Title/Description can lead to basic cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. 2026-01-19 4.3 CVE-2026-1154 VDB-341747 | SourceCodester E-Learning System Lesson index.php cross site scripting
VDB-341747 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #735855 | SourceCodester E-Learning System (CAIWL) 1.0 Stored HTML Injection Vulnerability
https://gist.github.com/0xCaptainFahim/dada955760b424a851de12bccadee997
https://www.sourcecodester.com/
 
SourceCodester--Patients Waiting Area Queue Management System A vulnerability was determined in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. This vulnerability affects unknown code. Executing a manipulation can lead to cross-site request forgery. It is possible to launch the attack remotely. 2026-01-19 4.3 CVE-2026-1148 VDB-341741 | SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System cross-site request forgery
VDB-341741 | CTI Indicators (IOB, IOC)
Submit #735545 | Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Cross-Site Request Forgery
 
specialk--Head Meta Data The Head Meta Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head-meta-data' post meta field in all versions up to, and including, 20251118 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-20 6.4 CVE-2026-0608 https://www.wordfence.com/threat-intel/vulnerabilities/id/9592bb6d-8e1d-4c89-addd-11c07272a628?source=cve
https://plugins.trac.wordpress.org/changeset?old_path=/head-meta-data/tags/20251118&new_path=/head-meta-data/tags/20260105
 
Spring--Spring Security The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations. 2026-01-22 5.3 CVE-2025-22234 Spring Security Advisory: CVE-2025-22234
 
stefanristic--Simple Crypto Shortcodes The Simple Crypto Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2. This is due to missing nonce validation on the scs_backend function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-24 4.3 CVE-2025-14903 https://www.wordfence.com/threat-intel/vulnerabilities/id/18bcd2ad-1989-4e2b-b82e-fddc4201c5a6?source=cve
https://plugins.trac.wordpress.org/browser/simple-crypto-shortcodes/tags/1.0.2/simple_crypto_shortcodes.php#L46
https://plugins.trac.wordpress.org/browser/simple-crypto-shortcodes/tags/1.0.2/simple_crypto_shortcodes.php#L54
 
stellarwp--The Events Calendar The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.13. This makes it possible for authenticated attackers, with subscriber level access and above, to start, cancel, or revert the Custom Tables V1 database migration, including dropping the custom database tables entirely via the revert action. 2026-01-20 5.4 CVE-2025-15043 https://www.wordfence.com/threat-intel/vulnerabilities/id/346a5b00-fb76-4413-a935-a2df4dc51984?source=cve
https://plugins.trac.wordpress.org/changeset?old_path=/the-events-calendar/tags/6.15.13&new_path=/the-events-calendar/tags/6.15.13.1
 
sumatrapdfreader--sumatrapdf SumatraPDF is a multi-format reader for Windows. All versions contain an off-by-one error in the validation code that only triggers with exactly 2 records, causing an integer underflow in the size calculation. This bug exists in PalmDbReader::GetRecord when opening a crafted Mobi file, resulting in an out-of-bounds heap read that crashes the app. There are no published fixes at the time of publication. 2026-01-22 5.5 CVE-2026-23951 https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-hj4w-c5x8-p2hv
https://github.com/sumatrapdfreader/sumatrapdf/blob/master/src/PalmDbReader.cpp
 
swift-otel--swift-w3c-trace-context Swift W3C TraceContext is a Swift implementation of the W3C Trace Context standard, and Swift OTel is an OpenTelemetry Protocol (OTLP) backend for Swift Log, Swift Metrics, and Swift Distributed Tracing. Prior to Swift W3C TraceContext version 1.0.0-beta.5 and Swift OTel version 1.0.4, a denial-of-service vulnerability due to improper input validation allows a remote attacker to crash the service via a malformed HTTP header. This allows crashing the process with data coming from the network when used with, for example, an HTTP server. Most common way of using Swift W3C Trace Context is through Swift OTel. Version 1.0.0-beta.5 of Swift W3C TraceContext and version 1.0.4 of Swift OTel contain a patch for this issue. As a workaround, disable either Swift OTel or the code that extracts the trace information from an incoming header (such as a `TracingMiddleware`). 2026-01-19 5.3 CVE-2026-23886 https://github.com/swift-otel/swift-w3c-trace-context/security/advisories/GHSA-mvpq-2v8x-ww6g
https://github.com/swift-otel/swift-w3c-trace-context/commit/5da9b143ba6046734de3fa51dafea28290174e4e
https://github.com/swift-otel/swift-otel/releases/tag/1.0.4
https://github.com/swift-otel/swift-w3c-trace-context/releases/tag/1.0.0-beta.5
 
tandubhai--Alchemist Ajax Upload The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments. 2026-01-24 5.3 CVE-2025-14629 https://www.wordfence.com/threat-intel/vulnerabilities/id/865dbcf5-7990-40f3-bb90-3ae359b52c6f?source=cve
https://wordpress.org/plugins/alchemist-ajax-upload/
https://plugins.trac.wordpress.org/browser/alchemist-ajax-upload/tags/1.1/alchemist_ajax_upload.php#L231
https://plugins.trac.wordpress.org/browser/alchemist-ajax-upload/trunk/alchemist_ajax_upload.php#L231
 
Tapandsign Technologies Software Inc.--Tap&Sign Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tapandsign Technologies Software Inc. Tap&Sign allows Cross-Site Scripting (XSS). This issue affects Tap&Sign: through 23012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-23 4.7 CVE-2025-2204 https://www.usom.gov.tr/bildirim/tr-26-0004
 
teamzt--ZT Captcha The ZT Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to improper nonce validation on the save_ztcpt_captcha_settings action where the nonce check can be bypassed by sending an empty token value. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-24 4.3 CVE-2026-1075 https://www.wordfence.com/threat-intel/vulnerabilities/id/9f9d6da5-1598-4df4-8efc-306370446443?source=cve
https://plugins.trac.wordpress.org/browser/zt-captcha/trunk/request/CaptchaRequest.php#L37
https://plugins.trac.wordpress.org/browser/zt-captcha/tags/1.0.4/request/CaptchaRequest.php#L37
 
technical-laohu--mpay A security vulnerability has been detected in technical-laohu mpay up to 1.2.4. The impacted element is an unknown function of the component QR Code Image Handler. Such manipulation of the argument codeimg leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. 2026-01-19 4.7 CVE-2026-1152 VDB-341745 | technical-laohu mpay QR Code Image unrestricted upload
VDB-341745 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #735775 | https://gitee.com/technical-laohu/mpay mpay v1.2.4 Arbitrary file upload vulnerability
https://github.com/bdkuzma/vuln/issues/17
 
technical-laohu--mpay A vulnerability was detected in technical-laohu mpay up to 1.2.4. This affects an unknown function. Performing a manipulation results in cross-site request forgery. Remote exploitation of the attack is possible. The exploit is now public and may be used. 2026-01-19 4.3 CVE-2026-1153 VDB-341746 | technical-laohu mpay cross-site request forgery
VDB-341746 | CTI Indicators (IOB, IOC)
Submit #735789 | https://gitee.com/technical-laohu/mpay mpay v1.2.4 Cross-Site Request Forgery
https://github.com/bdkuzma/vuln/issues/18
 
tendenci--tendenci Tendenci is an open source content management system built for non-profits, associations and cause-based sites. Versions 15.3.11 and below include a critical deserialization vulnerability in the Helpdesk module (which is not enabled by default). This vulnerability allows Remote Code Execution (RCE) by an authenticated user with staff security level due to using Python's pickle module in helpdesk /reports/. The original CVE-2020-14942 was incompletely patched. While ticket_list() was fixed to use safe JSON deserialization, the run_report() function still uses unsafe pickle.loads(). The impact is limited to the permissions of the user running the application, typically www-data, which generally lacks write (except for upload directories) and execute permissions. This issue has been fixed in version 15.3.12. 2026-01-22 6.8 CVE-2026-23946 https://github.com/tendenci/tendenci/security/advisories/GHSA-339m-4qw5-j2g3
https://github.com/tendenci/tendenci/issues/867
https://github.com/tendenci/tendenci/commit/23d9fd85ab7654e9c83cfc86cb4175c0bd7a77f1
https://github.com/tendenci/tendenci/commit/2ff0a457614944a1b417081c543ea4c5bb95d636
https://github.com/tendenci/tendenci/commit/63e1b84a5b163466d1d8d811d35e7021a7ca0d0e
https://docs.python.org/3/library/pickle.html#restricting-globals
https://github.com/advisories/GHSA-jqmc-fxxp-r589
https://github.com/tendenci/tendenci/releases/tag/v15.3.12
 
themeruby--ThemeRuby Multi Authors Assign Multiple Writers to Posts The ThemeRuby Multi Authors - Assign Multiple Writers to Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' shortcode attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-24 6.4 CVE-2026-1097 https://www.wordfence.com/threat-intel/vulnerabilities/id/ca74bb1d-1954-4869-aaa9-bf66600cdf2a?source=cve
https://plugins.trac.wordpress.org/browser/themeruby-multi-authors/trunk/includes/class-tma-shortcodes.php#L76
https://plugins.trac.wordpress.org/browser/themeruby-multi-authors/tags/1.0.0/includes/class-tma-shortcodes.php#L76
 
themeum--Tutor LMS eLearning and online course solution The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site. 2026-01-20 5.4 CVE-2026-0548 https://www.wordfence.com/threat-intel/vulnerabilities/id/0e475e02-494a-4ad0-a83c-d027c3a32989?source=cve
https://plugins.trac.wordpress.org/changeset?old_path=/tutor/tags/3.9.4/classes/User.php&new_path=/tutor/tags/3.9.5/classes/User.php
 
theupdateframework--go-tuf go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available. 2026-01-22 5.9 CVE-2026-23991 https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-846p-jg2w-w324
https://github.com/theupdateframework/go-tuf/commit/73345ab6b0eb7e59d525dac17a428f043074cef6
https://github.com/theupdateframework/go-tuf/releases/tag/v2.3.1
 
theupdateframework--go-tuf go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to unauthorized modification to TUF metadata files is possible at rest, or during transit as no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1. 2026-01-22 5.9 CVE-2026-23992 https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-fphv-w9fq-2525
https://github.com/theupdateframework/go-tuf/commit/b38d91fdbc69dfe31fe9230d97dafe527ea854a0
 
thimpress--LearnPress WordPress LMS Plugin for Create and Sell Online Courses The LearnPress - WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. This makes it possible for unauthenticated attackers to extract sensitive data including user first names and last names. Other information such as social profile links and enrollment are also included. 2026-01-20 5.3 CVE-2025-14798 https://www.wordfence.com/threat-intel/vulnerabilities/id/6fb00ce4-aa82-4479-b7f6-79e7bde098c1?source=cve
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/jwt/rest-api/version1/class-lp-rest-users-v1-controller.php#L134
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/jwt/rest-api/version1/class-lp-rest-users-v1-controller.php#L35
 
thorsten--phpMyFAQ phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to a incomprehensive permissions check. The presence of a right key is improperly validated as proof of authorization in attachment.php. Additionally, the group and user permission logic contains a flawed conditional expression that may allow unauthorized access. This issue has been fixed in version 2026-01-24 6.5 CVE-2026-24420 https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7p9h-m7m8-vhhv
 
thorsten--phpMyFAQ phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17. 2026-01-24 6.5 CVE-2026-24421 https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-wm8h-26fv-mg7g
 
thorsten--phpMyFAQ phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, returning records marked as non-public (isVisible=false) along with user email addresses, with similar exposures present in comment, news, and FAQ APIs. This information disclosure vulnerability could enable attackers to harvest email addresses for phishing campaigns or access content that was explicitly marked as private. This issue has been fixed in version 4.0.17. 2026-01-24 5.3 CVE-2026-24422 https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-j4rc-96xj-gvqc
 
Totolink--LR350 A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This issue affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument ip leads to command injection. The attack can be initiated remotely. The exploit is publicly available and might be used. 2026-01-19 6.3 CVE-2026-1149 VDB-341742 | Totolink LR350 POST Request cstecgi.cgi setDiagnosisCfg command injection
VDB-341742 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #735695 | TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Command Injection
https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setDiagnosisCfg-2e453a41781f800d9ba9c6da80b55276?source=copy_link
https://www.totolink.net/
 
Totolink--LR350 A security flaw has been discovered in Totolink LR350 9.3.5u.6369_B20220309. Impacted is the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument command results in command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. 2026-01-19 6.3 CVE-2026-1150 VDB-341743 | Totolink LR350 POST Request cstecgi.cgi setTracerouteCfg command injection
VDB-341743 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #735696 | TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Command Injection
https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setTracerouteCfg-2e453a41781f803494e3e4161a393487?source=copy_link
https://www.totolink.net/
 
Totolink--NR1800X A weakness has been identified in Totolink NR1800X 9.1.0u.6279_B20210910. This vulnerability affects the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. This manipulation of the argument Hostname causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. 2026-01-22 6.3 CVE-2026-1326 VDB-342302 | Totolink NR1800X POST Request cstecgi.cgi setWanCfg command injection
VDB-342302 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #735787 | TOTOLINK NR1800X NR1800X_Firmware V9.1.0u.6279_B20210910 Command Injection
https://lavender-bicycle-a5a.notion.site/TOTOLINK-NR1800X-setWanCfg-2e453a41781f80b390f3e1ce0d9dd5b9?source=copy_link
https://www.totolink.net/
 
Totolink--NR1800X A security vulnerability has been detected in Totolink NR1800X 9.1.0u.6279_B20210910. This issue affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Such manipulation of the argument command leads to command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. 2026-01-22 6.3 CVE-2026-1327 VDB-342303 | Totolink NR1800X POST Request cstecgi.cgi setTracerouteCfg command injection
VDB-342303 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #735790 | TOTOLINK NR1800X NR1800X_Firmware V9.1.0u.6279_B20210910 Command Injection
https://lavender-bicycle-a5a.notion.site/TOTOLINK-NR1800X-setTracerouteCfg-2e453a41781f80df8ef9d32983758502?source=copy_link
https://www.totolink.net/
 
typemill--typemill Typemill is a flat-file, Markdown-based CMS designed for informational documentation websites. A reflected Cross-Site Scripting (XSS) exists in the login error view template `login.twig` of versions 2.19.1 and below. The `username` value can be echoed back without proper contextual encoding when authentication fails. An attacker can execute script in the login page context. This issue has been fixed in version 2.19.2. 2026-01-23 5.4 CVE-2026-24127 https://github.com/typemill/typemill/security/advisories/GHSA-65x4-pjhj-r8wr
https://github.com/typemill/typemill/commit/b506acd11e80fb9c8db5fa6c2c8ad73580b4e88c
https://github.com/typemill/typemill/releases/tag/v2.19.2
 
uncannyowl--Uncanny Automator Easy Automation, Integration, Webhooks & Workflow Builder Plugin The Uncanny Automator - Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user with a verified Discord account accesses the injected page. 2026-01-23 6.4 CVE-2025-15522 https://www.wordfence.com/threat-intel/vulnerabilities/id/41c54e1b-69b9-4594-8f1e-7ef17f120791?source=cve
https://wordpress.org/plugins/uncanny-automator
https://plugins.trac.wordpress.org/browser/uncanny-automator/tags/6.10.0.2/src/integrations/discord/shortcodes/discord-user-mapping-shortcode.php#L128
https://plugins.trac.wordpress.org/changeset/3440408/uncanny-automator/trunk/src/integrations/discord/shortcodes/discord-user-mapping-shortcode.php
 
vektor-inc--VK Google Job Posting Manager The VK Google Job Posting Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Job Description field in versions up to, and including, 1.2.20 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with author-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-24 6.4 CVE-2025-12836 https://www.wordfence.com/threat-intel/vulnerabilities/id/4e0fd492-19ee-430e-a495-99ad28043bf9?source=cve
https://plugins.trac.wordpress.org/browser/vk-google-job-posting-manager/tags/1.2.20/vk-google-job-posting-manager.php#L419
https://plugins.trac.wordpress.org/browser/vk-google-job-posting-manager/tags/1.2.20/vk-google-job-posting-manager.php#L468
 
vintagedaddyo--MyBB Delete Account Plugin MyBB Delete Account Plugin 1.4 contains a cross-site scripting vulnerability in the account deletion reason input field. Attackers can inject malicious scripts that will execute in the admin interface when viewing delete account reasons. 2026-01-23 6.1 CVE-2021-47905 ExploitDB-49500
MyBB Delete Account Plugin Repository
VulnCheck Advisory: MyBB Delete Account Plugin 1.4 - Cross-Site Scripting
 
waqasvickey0071--WP Youtube Video Gallery The WP Youtube Video Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce verification on the wpYTVideoGallerySettingSave() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-24 4.3 CVE-2025-14906 https://www.wordfence.com/threat-intel/vulnerabilities/id/53709d2c-6522-40f0-9dc4-82517d3ee7b2?source=cve
https://plugins.trac.wordpress.org/browser/wp-youtube-video-gallery/tags/1.0/admin/admin.php#L444
 
wedevs--weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit any documentation post. The vulnerability was partially patched in version 2.1.16. 2026-01-23 4.3 CVE-2025-13921 https://www.wordfence.com/threat-intel/vulnerabilities/id/c56234f3-7dd6-4dff-887d-5ddbf0cb7d3c?source=cve
https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.14/includes/functions.php#L506
https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.14/includes/Installer.php#L21
https://plugins.trac.wordpress.org/changeset/3426704/
https://plugins.trac.wordpress.org/changeset/3440068/
 
wedevs--weMail Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin's REST API trusting the `x-wemail-user` HTTP header to identify users without verifying the request originates from an authenticated WordPress session. This makes it possible for unauthenticated attackers who know or can guess an admin email (easily enumerable via `/wp-json/wp/v2/users`) to impersonate that user and access the CSV subscriber endpoints, potentially exfiltrating subscriber PII (emails, names, phone numbers) from imported CSV files. 2026-01-20 5.3 CVE-2025-14348 https://www.wordfence.com/threat-intel/vulnerabilities/id/59c0caa2-d0c2-472e-83c3-d11ad313720d?source=cve
https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Csv.php#L79
https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Csv.php#L85
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3442404%40wemail%2Ftrunk&old=3423372%40wemail%2Ftrunk&sfp_email=&sfph_mail=#file1
 
wizit--Wizit Gateway for WooCommerce The Wizit Gateway for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Order Cancellation in all versions up to, and including, 1.2.9. This is due to a lack of authentication and authorization checks in the 'handle_checkout_redirecturl_response' function. This makes it possible for unauthenticated attackers to cancel arbitrary WooCommerce orders by sending a crafted request with a valid order ID. 2026-01-24 5.3 CVE-2025-14843 https://www.wordfence.com/threat-intel/vulnerabilities/id/b6926c2c-79d4-477c-a2eb-ba62545f2e2b?source=cve
https://plugins.trac.wordpress.org/browser/wizit-gateway-for-woocommerce/tags/1.2.9/class-wizit-gateway.php?marks=1249,1341-1349#L1249
 
wpchill--Image Photo Gallery Final Tiles Grid The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple AJAX actions in all versions up to, and including, 3.6.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to view, create, modify, clone, delete, and reassign ownership of galleries created by other users, including administrators. 2026-01-19 5.4 CVE-2025-15466 https://www.wordfence.com/threat-intel/vulnerabilities/id/0afcfe15-2d7d-4c96-a408-28f35577a927?source=cve
https://plugins.trac.wordpress.org/changeset/3435746/
 
wpdevteam--NotificationX FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar The NotificationX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'regenerate' and 'reset' REST API endpoints in all versions up to, and including, 3.1.11. This makes it possible for authenticated attackers, with Contributor-level access and above, to reset analytics for any NotificationX campaign, regardless of ownership. 2026-01-20 4.3 CVE-2026-0554 https://www.wordfence.com/threat-intel/vulnerabilities/id/e3cd843b-ab38-45c4-a661-78d4e6db5201?source=cve
https://research.cleantalk.org/cve-2026-0554
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3433555%40notificationx&old=3426659%40notificationx&sfp_email=&sfph_mail=
 
wpdirectorykit--WP Directory Kit The WP Directory Kit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.9 via the wdk_public_action AJAX handler. This makes it possible for unauthenticated attackers to extract email addresses for users with Directory Kit-specific user roles. 2026-01-24 5.3 CVE-2025-13920 https://www.wordfence.com/threat-intel/vulnerabilities/id/8905dcc7-d3c8-4ae8-818c-df3e6ed2ad9c?source=cve
https://plugins.trac.wordpress.org/changeset/3435482/wpdirectorykit
 
wpdiscover--Timeline Event History The Timeline Event History plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `id` parameter in all versions up to, and including, 3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2026-01-24 6.1 CVE-2026-1127 https://www.wordfence.com/threat-intel/vulnerabilities/id/ba779595-2674-4d84-bc41-889ae60bd6a4?source=cve
https://plugins.trac.wordpress.org/browser/timeline-event-history/tags/3.2/includes/admin/class-timeline-wp-field-builder.php#L540
 
wpgmaps--WP Go Maps (formerly WP Google Maps) The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the processBackgroundAction() function in all versions up to, and including, 10.0.04. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global map engine settings. 2026-01-24 5.3 CVE-2026-0593 https://www.wordfence.com/threat-intel/vulnerabilities/id/7f0741c1-a5d7-41a4-a739-2cb7cb836509?source=cve
https://plugins.trac.wordpress.org/changeset/3439283/wp-google-maps/trunk/includes/class.admin-notices.php
 
Yodinfo--Mini Mouse Mini Mouse 9.3.0 contains a path traversal vulnerability that allows attackers to access sensitive system directories through the device information endpoint. Attackers can retrieve file lists from system directories like /usr, /etc, and /var by manipulating file path parameters in API requests. 2026-01-21 6.2 CVE-2021-47849 ExploitDB-49747
Mini Mouse Apple Store
VulnCheck Advisory: Mini Mouse 9.3.0 - Local File inclusion / Path Traversal
 
zainali99--MyBB Trending Widget Plugin MyBB Trending Widget Plugin 1.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through thread titles. Attackers can modify thread titles with script payloads that will execute when other users view the trending widget. 2026-01-23 6.1 CVE-2018-25132 ExploitDB-49504
Trending Widget GitHub Repository
VulnCheck Advisory: MyBB Trending Widget Plugin 1.2 - Cross-Site Scripting
 
zero1zerouk--Login Page Editor The Login Page Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the devotion_loginform_process() AJAX action. This makes it possible for unauthenticated attackers to update the plugin's login page settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-24 4.3 CVE-2026-1088 https://www.wordfence.com/threat-intel/vulnerabilities/id/f428b90d-8830-445d-b1f1-d8f860dae5cf?source=cve
https://plugins.trac.wordpress.org/browser/login-page-editor/trunk/class/devotion.core.class.php#L50
https://plugins.trac.wordpress.org/browser/login-page-editor/tags/1.2/class/devotion.core.class.php#L50
 

Back to top

Low Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
Athroniaeth--fastapi-api-key FastAPI Api Key provides a backend-agnostic library that provides an API key system. Version 1.1.0 has a timing side-channel vulnerability in verify_key(). The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring response latencies. With enough repeated requests, an adversary could infer whether a key_id corresponds to a valid key, potentially accelerating brute-force or enumeration attacks. All users relying on verify_key() for API key authentication prior to the fix are affected. Users should upgrade to version 1.1.0 to receive a patch. The patch applies a uniform random delay (min_delay to max_delay) to all responses regardless of outcome, eliminating the timing correlation. Some workarounds are available. Add an application-level fixed delay or random jitter to all authentication responses (success and failure) before the fix is applied and/or use rate limiting to reduce the feasibility of statistical timing attacks. 2026-01-21 3.7 CVE-2026-23996 https://github.com/Athroniaeth/fastapi-api-key/security/advisories/GHSA-95c6-p277-p87g
https://github.com/Athroniaeth/fastapi-api-key/commit/310b2c5c77305f38c63c0b917539a0344071dfd8
https://github.com/Athroniaeth/fastapi-api-key/releases/tag/1.1.0
 
backstage--backstage Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers. This vulnerability is fixed in `@backstage/backend-defaults` version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later. Some workarounds are available. Restrict `backend.reading.allow` to only trusted hosts that you control and that do not issue redirects, ensure allowed hosts do not have open redirect vulnerabilities, and/or use network-level controls to block access from Backstage to sensitive internal endpoints. 2026-01-21 3.5 CVE-2026-24048 https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9
https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb
 
Beetel--777VR1 A security flaw has been discovered in Beetel 777VR1 up to 01.00.09/01.00.09_55. This affects an unknown part of the component UART Interface. Performing a manipulation results in information disclosure. The attack may be carried out on the physical device. The attack is considered to have high complexity. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-25 2 CVE-2026-1407 VDB-342796 | Beetel 777VR1 UART information disclosure
VDB-342796 | CTI Indicators (IOB, IOC, TTP)
Submit #736322 | Beetel Beetel 777VR1 Broadband Router Firmware Version: V01.00.09 / V01.00.09_55 Cleartext Exposure of Sensitive Credentials in Boot Logs - UART
https://gist.github.com/raghav20232023/253c041842f622d9c2cb6ee4111c2227
 
Beetel--777VR1 A weakness has been identified in Beetel 777VR1 up to 01.00.09/01.00.09_55. This vulnerability affects unknown code of the component UART Interface. Executing a manipulation can lead to weak password requirements. The physical device can be targeted for the attack. The attack requires a high level of complexity. It is stated that the exploitability is difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-25 2 CVE-2026-1408 VDB-342797 | Beetel 777VR1 UART weak password
VDB-342797 | CTI Indicators (IOB, IOC, TTP)
Submit #739384 | Beetel Beetel 777VR1 Broadband Router Firmware Version: V01.00.09 / V01.00.09_55 CWE-521 — Weak Password Requirements
https://gist.github.com/raghav20232023/9c51cbd91f3798b1c10f3f30fb631633
 
Beetel--777VR1 A security vulnerability has been detected in Beetel 777VR1 up to 01.00.09/01.00.09_55. This issue affects some unknown processing of the component UART Interface. The manipulation leads to improper restriction of excessive authentication attempts. It is possible to launch the attack on the physical device. The attack's complexity is rated as high. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-25 2 CVE-2026-1409 VDB-342798 | Beetel 777VR1 UART excessive authentication
VDB-342798 | CTI Indicators (IOB, IOC, TTP)
Submit #739399 | Beetel Beetel 777VR1 Broadband Router Firmware Version: V01.00.09 / V01.00.09_55 CWE-307 Improper Restriction - Excessive Authentication Attempts
https://gist.github.com/raghav20232023/19900b427445adf37f64ae953611bfce
 
Dell--PowerScale OneFS Dell PowerScale OneFS, versions 9.5.0.0 through 9.5.1.5, versions 9.6.0.0 through 9.7.1.10, versions 9.8.0.0 through 9.10.1.3, versions starting from 9.11.0.0 and prior to 9.13.0.0, contains a Time-of-check Time-of-use (TOCTOU) race condition vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to denial of service. 2026-01-22 3.5 CVE-2026-22281 https://www.dell.com/support/kbdoc/en-us/000415586/dsa-2026-049-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities
 
franklioxygen--MyTube MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below have a Mass Assignment vulnerability in the settings management functionality due to insufficient input validation. The application's saveSettings() function accepts arbitrary key-value pairs without validating property names against allowed settings. The function uses Record<string, any> as input type and iterates over all entries using Object.entries() without filtering unauthorized properties. Any field sent by the attacker is directly persisted to the database, regardless of whether it corresponds to a legitimate application setting. This issue has been fixed in version 1.7.78. 2026-01-23 2.7 CVE-2026-24140 https://github.com/franklioxygen/MyTube/security/advisories/GHSA-c938-x24g-fxcx
https://github.com/franklioxygen/MyTube/commit/9d737cb373f7af3e5c92d458e2832caf817b6de6
 
HCL Software--AION HCL AION is affected by a Missing Security Response Headers vulnerability. The absence of standard security headers may weaken the application's overall security posture and increase its susceptibility to common web-based attacks. 2026-01-19 3.5 CVE-2025-55249 https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995#
 
HCL Software--AION HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise. 2026-01-19 3.1 CVE-2025-55251 https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995#
 
HCL Software--AION HCL AION  version 2 is affected by a Weak Password Policy vulnerability. This can  allow the use of easily guessable passwords, potentially resulting in unauthorized access 2026-01-19 3.1 CVE-2025-55252 https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995#
 
HCL Software--AION HCL AION version 2 is affected by a Cacheable HTTP Response vulnerability. This may lead to unintended storage of sensitive or dynamic content, potentially resulting in unauthorized access or information disclosure. 2026-01-19 2.8 CVE-2025-52659 https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995#
 
HCL Software--AION HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise. 2026-01-19 2.7 CVE-2025-52660 https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995#
 
HCL Software--AION HCL AION version 2 is affected by a JWT Token Expiry Too Long vulnerability. This may increase the risk of token misuse, potentially resulting in unauthorized access if the token is compromised. 2026-01-19 2.4 CVE-2025-52661 https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995#
 
HCL Software--AION HCL AION version 2 is affected by a Technical Error Disclosure vulnerability. This can expose sensitive technical details, potentially resulting in information disclosure or aiding further attacks. 2026-01-19 1.8 CVE-2025-55250 https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995#
 
IBM--ApplinX IBM ApplinX 11.1 could allow an authenticated user to perform unauthorized administrative actions on the server due to server-side enforcement of client-side security. 2026-01-20 3.1 CVE-2025-36410 https://www.ibm.com/support/pages/node/7257446
 
IBM--ApplinX IBM ApplinX 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. 2026-01-20 3.5 CVE-2025-36411 https://www.ibm.com/support/pages/node/7257446
 
lcg0124--BootDo A weakness has been identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. Affected is the function Save of the file /blog/bContent/save of the component ContentController. This manipulation of the argument content/author/title causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. 2026-01-19 3.5 CVE-2026-1136 VDB-341726 | lcg0124 BootDo ContentController save cross site scripting
VDB-341726 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #735164 | BootDo V1.0 Cross Site Scripting
https://github.com/webzzaa/CVE-/issues/4
 
lcg0124--BootDo A vulnerability was determined in lcg0124 BootDo up to 5ccd963c74058036b466e038cff37de4056c1600. Affected by this vulnerability is the function redirectToLogin of the file AccessControlFilter.java of the component Host Header Handler. This manipulation of the argument Hostname causes open redirect. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. 2026-01-25 3.5 CVE-2026-1406 VDB-342794 | lcg0124 BootDo Host Header AccessControlFilter.java redirectToLogin
VDB-342794 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #736271 | BootDo web V1.0 Host header injection
https://github.com/webzzaa/CVE-/issues/5
 
libexpat project--libexpat In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data. 2026-01-23 2.9 CVE-2026-24515 https://github.com/libexpat/libexpat/pull/1131
 
lobehub--lobe-chat LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, `knowledgeBase.removeFilesFromKnowledgeBase` tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership. `userId` filter in the database query is commented out, so it's enabling attackers to delete other users' KB files if they know the knowledge base ID and file ID. While the vulnerability is confirmed, practical exploitation requires knowing target's KB ID and target's file ID. These IDs are random and not easily enumerable. However, IDs may leak through shared links, logs, referrer headers and so on. Missing authorization check is a critical security flaw regardless. Users should upgrade to version 2.0.0-next.193 to receive a patch. 2026-01-19 3.7 CVE-2026-23522 https://github.com/lobehub/lobe-chat/security/advisories/GHSA-j7xp-4mg9-x28r
https://github.com/lobehub/lobe-chat/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6
 
MineAdmin--MineAdmin A security vulnerability has been detected in MineAdmin 1.x/2.x. Affected is an unknown function of the file /system/getFileInfoById. Such manipulation of the argument ID leads to information disclosure. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-20 3.1 CVE-2026-1196 VDB-341781 | MineAdmin getFileInfoById information disclosure
VDB-341781 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #734273 | MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x getFileInfoById Arbitrary File Read Vulnerability
https://github.com/SourByte05/MineAdmin-Vulnerability/issues/3
 
MineAdmin--MineAdmin A vulnerability was detected in MineAdmin 1.x/2.x. Affected by this vulnerability is an unknown functionality of the file /system/downloadById. Performing a manipulation of the argument ID results in information disclosure. The attack can be initiated remotely. The attack's complexity is rated as high. The exploitation appears to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-20 3.1 CVE-2026-1197 VDB-341782 | MineAdmin downloadById information disclosure
VDB-341782 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #734274 | MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x downloadById Arbitrary File Download Vulnerability
https://github.com/SourByte05/MineAdmin-Vulnerability/issues/2
 
Oracle Corporation--MySQL Server Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Pluggable Auth). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L). 2026-01-20 2.7 CVE-2026-21965 Oracle Advisory
 
Oracle Corporation--Oracle Java SE Vulnerability in Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u471-b50. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N). 2026-01-20 3.1 CVE-2026-21947 Oracle Advisory
 
Oracle Corporation--Oracle Zero Data Loss Recovery Appliance Software Vulnerability in the Oracle Zero Data Loss Recovery Appliance Software product of Oracle Zero Data Loss Recovery Appliance (component: Security). Supported versions that are affected are 23.1.0-23.1.202509. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Oracle Zero Data Loss Recovery Appliance Software. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Zero Data Loss Recovery Appliance Software accessible data. CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). 2026-01-20 3.1 CVE-2026-21977 Oracle Advisory
 
Oracle Corporation--Oracle ZFS Storage Appliance Kit Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: Filesystems). The supported version that is affected is 8.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle ZFS Storage Appliance Kit executes to compromise Oracle ZFS Storage Appliance Kit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle ZFS Storage Appliance Kit accessible data. CVSS 3.1 Base Score 2.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N). 2026-01-20 2.3 CVE-2026-21930 Oracle Advisory
 
pbrong--hrms A vulnerability was detected in pbrong hrms 1.0.1. The affected element is the function UpdateRecruitmentById of the file /handler/recruitment.go. The manipulation results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. 2026-01-19 3.5 CVE-2026-1161 VDB-341755 | pbrong hrms recruitment.go UpdateRecruitmentById cross site scripting
VDB-341755 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #736510 | Pbrong hrms 1.0.1 Stored Cross Site Scripting Vulnerability
https://github.com/TheLiao233/cve/issues/1
 
Red Hat--Red Hat Build of Keycloak A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak's refresh token rotation hardening can be undermined. 2026-01-21 3.1 CVE-2026-1035 https://access.redhat.com/security/cve/CVE-2026-1035
RHBZ#2430314
 
Red Hat--Red Hat Build of Keycloak A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control. 2026-01-21 2.7 CVE-2025-14083 https://access.redhat.com/security/cve/CVE-2025-14083
RHBZ#2419086
 
Red Hat--Red Hat Enterprise Linux 10 A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS). 2026-01-21 3.7 CVE-2026-0988 https://access.redhat.com/security/cve/CVE-2026-0988
RHBZ#2429886
 
roxnor--MetForm Contact Form, Survey, Quiz, & Custom Form Builder for Elementor The MetForm - Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and current user ID without a server-side secret. This makes it possible for unauthenticated attackers to access form submission entry data via MetForm shortcodes for entries created within the transient TTL (default is 15 minutes). 2026-01-24 3.7 CVE-2026-0633 https://www.wordfence.com/threat-intel/vulnerabilities/id/d72cc420-1ff5-403b-b4ea-7c820fdebcf3?source=cve
https://plugins.trac.wordpress.org/changeset/3438419/metform
 
SourceCodester--Patients Waiting Area Queue Management System A vulnerability has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /php/api_register_patient.php. Such manipulation of the argument firstName/lastName leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. 2026-01-19 3.5 CVE-2026-1146 VDB-341739 | SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System api_register_patient.php cross site scripting
VDB-341739 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #735543 | Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Cross Site Scripting
 
SourceCodester--Patients Waiting Area Queue Management System A vulnerability was found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. This affects an unknown part of the file /php/api_patient_schedule.php. Performing a manipulation of the argument Reason results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. 2026-01-19 3.5 CVE-2026-1147 VDB-341740 | SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System api_patient_schedule.php cross site scripting
VDB-341740 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #735544 | Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Cross Site Scripting
 
technical-laohu--mpay A weakness has been identified in technical-laohu mpay up to 1.2.4. The affected element is an unknown function of the component User Center. This manipulation of the argument Nickname causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. 2026-01-19 2.4 CVE-2026-1151 VDB-341744 | technical-laohu mpay User Center cross site scripting
VDB-341744 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #735773 | https://gitee.com/technical-laohu/mpay mpay v1.2.4 Stored Cross-Site Scripting
https://github.com/bdkuzma/vuln/issues/16
 

Back to top

Severity Not Yet Assigned

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
7-Zip--7-Zip 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26743. 2026-01-23 not yet calculated CVE-2025-11002 ZDI-25-950
 
AA-Team--SearchAzon Cross-Site Request Forgery (CSRF) vulnerability in AA-Team SearchAzon searchazon allows Cross Site Request Forgery. This issue affects SearchAzon: from n/a through <= 1.4. 2026-01-22 not yet calculated CVE-2026-22360 https://patchstack.com/database/Wordpress/Plugin/searchazon/vulnerability/wordpress-searchazon-plugin-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
AA-Team--Wordpress Movies Bulk Importer Cross-Site Request Forgery (CSRF) vulnerability in AA-Team Wordpress Movies Bulk Importer movies importer allows Cross Site Request Forgery. This issue affects Wordpress Movies Bulk Importer: from n/a through <= 1.0. 2026-01-22 not yet calculated CVE-2026-22359 https://patchstack.com/database/Wordpress/Plugin/movies%20importer/vulnerability/wordpress-wordpress-movies-bulk-importer-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Abacre--Abacre Abacre Retail Point of Sale 14.0.0.396 is vulnerable to content-based blind SQL injection. The vulnerability exists in the Search function of the Orders page. 2026-01-20 not yet calculated CVE-2025-67261 https://www.abacre.com/retailpointofsale/
https://packetstorm.news/files/id/214046/
 
Abacre--Abacre Abacre Retail Point of Sale 14.0.0.396 is affected by a stored cross-site scripting (XSS) vulnerability in the Clients module. The application fails to properly sanitize user-supplied input stored in the Name and Surname fields. An attacker can insert malicious HTML or script content into these fields, which, persisted in the database. 2026-01-20 not yet calculated CVE-2025-67263 https://www.abacre.com/retailpointofsale/
https://packetstorm.news/files/id/214045/
 
ABCdatos--Proteccin de datos – RGPD Missing Authorization vulnerability in ABCdatos Protección de datos &#8211; RGPD proteccion-datos-rgpd allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Protección de datos &#8211; RGPD: from n/a through <= 0.68. 2026-01-23 not yet calculated CVE-2026-24539 https://patchstack.com/database/Wordpress/Plugin/proteccion-datos-rgpd/vulnerability/wordpress-proteccion-de-datos-rgpd-plugin-0-68-broken-access-control-vulnerability?_s_id=cve
 
Ability, Inc--Web Accessibility with Max Access Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ability, Inc Web Accessibility with Max Access accessibility-toolbar allows Stored XSS. This issue affects Web Accessibility with Max Access: from n/a through <= 2.1.0. 2026-01-23 not yet calculated CVE-2026-24629 https://patchstack.com/database/Wordpress/Plugin/accessibility-toolbar/vulnerability/wordpress-web-accessibility-with-max-access-plugin-2-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
AbsolutePlugins--Absolute Addons For Elementor Missing Authorization vulnerability in AbsolutePlugins Absolute Addons For Elementor absolute-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Absolute Addons For Elementor: from n/a through <= 1.0.14. 2026-01-22 not yet calculated CVE-2026-22468 https://patchstack.com/database/Wordpress/Plugin/absolute-addons/vulnerability/wordpress-absolute-addons-for-elementor-plugin-1-0-14-broken-access-control-vulnerability?_s_id=cve
 
adamlabs--WordPress Photo Gallery Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in adamlabs WordPress Photo Gallery photo-gallery-portfolio allows Reflected XSS. This issue affects WordPress Photo Gallery: from n/a through <= 1.1.0. 2026-01-22 not yet calculated CVE-2025-53240 https://patchstack.com/database/Wordpress/Plugin/photo-gallery-portfolio/vulnerability/wordpress-wordpress-photo-gallery-plugin-1-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
agmorpheus--Syntax Highlighter Compress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in agmorpheus Syntax Highlighter Compress syntax-highlighter-compress allows Reflected XSS. This issue affects Syntax Highlighter Compress: from n/a through <= 3.0.83.3. 2026-01-22 not yet calculated CVE-2025-68859 https://patchstack.com/database/Wordpress/Plugin/syntax-highlighter-compress/vulnerability/wordpress-syntax-highlighter-compress-plugin-3-0-83-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
AivahThemes--Anona Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AivahThemes Anona anona allows Path Traversal. This issue affects Anona: from n/a through <= 8.0. 2026-01-22 not yet calculated CVE-2025-68901 https://patchstack.com/database/Wordpress/Theme/anona/vulnerability/wordpress-anona-theme-8-0-arbitrary-file-deletion-vulnerability?_s_id=cve
 
AivahThemes--Anona Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AivahThemes Anona anona allows Path Traversal. This issue affects Anona: from n/a through <= 8.0. 2026-01-22 not yet calculated CVE-2025-68902 https://patchstack.com/database/Wordpress/Theme/anona/vulnerability/wordpress-anona-theme-8-0-arbitrary-file-download-vulnerability?_s_id=cve
 
AivahThemes--Anona Deserialization of Untrusted Data vulnerability in AivahThemes Anona anona allows Object Injection. This issue affects Anona: from n/a through <= 8.0. 2026-01-22 not yet calculated CVE-2025-68903 https://patchstack.com/database/Wordpress/Theme/anona/vulnerability/wordpress-anona-theme-8-0-php-object-injection-vulnerability?_s_id=cve
 
AivahThemes--Hostme v2 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AivahThemes Hostme v2 hostmev2 allows Path Traversal. This issue affects Hostme v2: from n/a through <= 7.0. 2026-01-22 not yet calculated CVE-2025-68907 https://patchstack.com/database/Wordpress/Theme/hostmev2/vulnerability/wordpress-hostme-v2-theme-7-0-arbitrary-file-deletion-vulnerability?_s_id=cve
 
Alejandro--Quick Restaurant Reservations Missing Authorization vulnerability in Alejandro Quick Restaurant Reservations quick-restaurant-reservations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Quick Restaurant Reservations: from n/a through <= 1.6.7. 2026-01-23 not yet calculated CVE-2026-24529 https://patchstack.com/database/Wordpress/Plugin/quick-restaurant-reservations/vulnerability/wordpress-quick-restaurant-reservations-plugin-1-6-7-broken-access-control-vulnerability?_s_id=cve
 
ALGO--8180 IP Audio Alerter ALGO 8180 IP Audio Alerter Ping Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-25568. 2026-01-23 not yet calculated CVE-2026-0779 ZDI-26-001
 
ALGO--8180 IP Audio Alerter ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28289. 2026-01-23 not yet calculated CVE-2026-0780 ZDI-26-002
 
ALGO--8180 IP Audio Alerter ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28290. 2026-01-23 not yet calculated CVE-2026-0781 ZDI-26-003
 
ALGO--8180 IP Audio Alerter ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28291. 2026-01-23 not yet calculated CVE-2026-0782 ZDI-26-004
 
ALGO--8180 IP Audio Alerter ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28292. 2026-01-23 not yet calculated CVE-2026-0783 ZDI-26-005
 
ALGO--8180 IP Audio Alerter ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28293. 2026-01-23 not yet calculated CVE-2026-0784 ZDI-26-006
 
ALGO--8180 IP Audio Alerter ALGO 8180 IP Audio Alerter API Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the API interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28294. 2026-01-23 not yet calculated CVE-2026-0785 ZDI-26-007
 
ALGO--8180 IP Audio Alerter ALGO 8180 IP Audio Alerter SCI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the SCI module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28295. 2026-01-23 not yet calculated CVE-2026-0786 ZDI-26-008
 
ALGO--8180 IP Audio Alerter ALGO 8180 IP Audio Alerter SAC Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SAC module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28296. 2026-01-23 not yet calculated CVE-2026-0787 ZDI-26-009
 
ALGO--8180 IP Audio Alerter ALGO 8180 IP Audio Alerter Web UI Persistent Cross-Site Scripting Vulnerability. This vulnerability allows remote attackers to execute web requests with a target user's privileges on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the functionality for viewing the syslog. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to interact with the application in the context of the target user. Was ZDI-CAN-28298. 2026-01-23 not yet calculated CVE-2026-0788 ZDI-26-010
 
ALGO--8180 IP Audio Alerter ALGO 8180 IP Audio Alerter Web UI Inclusion of Authentication Cookie in Response Body Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper management of sensitive information. An attacker can leverage this vulnerability to disclose information in the context of the device. Was ZDI-CAN-28297. 2026-01-23 not yet calculated CVE-2026-0789 ZDI-26-011
 
ALGO--8180 IP Audio Alerter ALGO 8180 IP Audio Alerter Web UI Direct Request Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based user interface. By navigating directly to a URL, a user can gain unauthorized access to data. An attacker can leverage this vulnerability to disclose information in the context of the device. Was ZDI-CAN-28299. 2026-01-23 not yet calculated CVE-2026-0790 ZDI-26-012
 
ALGO--8180 IP Audio Alerter ALGO 8180 IP Audio Alerter SIP INVITE Replaces Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the Replaces header of SIP INVITE requests. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28300. 2026-01-23 not yet calculated CVE-2026-0791 ZDI-26-013
 
ALGO--8180 IP Audio Alerter ALGO 8180 IP Audio Alerter SIP INVITE Alert-Info Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the Alert-Info header of SIP INVITE requests. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28301. 2026-01-23 not yet calculated CVE-2026-0792 ZDI-26-014
 
ALGO--8180 IP Audio Alerter ALGO 8180 IP Audio Alerter InformaCast Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the InformaCast functionality. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28302. 2026-01-23 not yet calculated CVE-2026-0793 ZDI-26-015
 
ALGO--8180 IP Audio Alerter ALGO 8180 IP Audio Alerter SIP Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of SIP calls. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28303. 2026-01-23 not yet calculated CVE-2026-0794 ZDI-26-016
 
ALGO--8180 IP Audio Alerter ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28321. 2026-01-23 not yet calculated CVE-2026-0795 ZDI-26-017
 
ALGO--8180 IP Audio Alerter ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28322. 2026-01-23 not yet calculated CVE-2026-0796 ZDI-26-018
 
AmentoTech--Workreap Core Authentication Bypass Using an Alternate Path or Channel vulnerability in AmentoTech Workreap Core workreap_core allows Authentication Abuse. This issue affects Workreap Core: from n/a through <= 3.4.0. 2026-01-22 not yet calculated CVE-2025-69101 https://patchstack.com/database/Wordpress/Plugin/workreap_core/vulnerability/wordpress-workreap-core-plugin-3-4-0-account-takeover-vulnerability?_s_id=cve
 
AncoraThemes--DiveIt Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes DiveIt diveit allows PHP Local File Inclusion. This issue affects DiveIt: from n/a through <= 1.4.3. 2026-01-22 not yet calculated CVE-2025-69059 https://patchstack.com/database/Wordpress/Theme/diveit/vulnerability/wordpress-diveit-theme-1-4-3-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes--Hobo Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hobo hobo allows PHP Local File Inclusion. This issue affects Hobo: from n/a through <= 1.0.10. 2026-01-22 not yet calculated CVE-2025-69077 https://patchstack.com/database/Wordpress/Theme/hobo/vulnerability/wordpress-hobo-theme-1-0-10-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes--Indoor Plants Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Indoor Plants indoor-plants allows PHP Local File Inclusion. This issue affects Indoor Plants: from n/a through <= 1.2.7. 2026-01-22 not yet calculated CVE-2025-69066 https://patchstack.com/database/Wordpress/Theme/indoor-plants/vulnerability/wordpress-indoor-plants-theme-1-2-7-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes--Malta Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Malta malta allows PHP Local File Inclusion. This issue affects Malta: from n/a through <= 1.3.3. 2026-01-22 not yet calculated CVE-2025-69078 https://patchstack.com/database/Wordpress/Theme/malta/vulnerability/wordpress-malta-theme-1-3-3-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes--Modern Housewife Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Modern Housewife modernhousewife allows PHP Local File Inclusion. This issue affects Modern Housewife: from n/a through <= 1.0.12. 2026-01-22 not yet calculated CVE-2025-69076 https://patchstack.com/database/Wordpress/Theme/modernhousewife/vulnerability/wordpress-modern-housewife-theme-1-0-12-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes--MoveMe Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes MoveMe moveme allows PHP Local File Inclusion. This issue affects MoveMe: from n/a through <= 1.2.15. 2026-01-22 not yet calculated CVE-2025-69061 https://patchstack.com/database/Wordpress/Theme/moveme/vulnerability/wordpress-moveme-theme-1-2-15-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes--Muji Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Muji muji allows PHP Local File Inclusion. This issue affects Muji: from n/a through <= 1.2.0. 2026-01-22 not yet calculated CVE-2025-69068 https://patchstack.com/database/Wordpress/Theme/muji/vulnerability/wordpress-muji-theme-1-2-0-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes--PartyMaker Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes PartyMaker partymaker allows PHP Local File Inclusion. This issue affects PartyMaker: from n/a through <= 1.1.15. 2026-01-22 not yet calculated CVE-2025-69058 https://patchstack.com/database/Wordpress/Theme/partymaker/vulnerability/wordpress-partymaker-theme-1-1-15-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes--Pearson Specter Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pearson Specter pearsonspecter allows PHP Local File Inclusion. This issue affects Pearson Specter: from n/a through <= 1.11.3. 2026-01-22 not yet calculated CVE-2025-69074 https://patchstack.com/database/Wordpress/Theme/pearsonspecter/vulnerability/wordpress-pearson-specter-theme-1-11-3-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes--Pets Land Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pets Land petsland allows PHP Local File Inclusion. This issue affects Pets Land: from n/a through <= 1.2.8. 2026-01-22 not yet calculated CVE-2025-69064 https://patchstack.com/database/Wordpress/Theme/petsland/vulnerability/wordpress-pets-land-theme-1-2-8-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes--Piqes Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Piqes piqes allows PHP Local File Inclusion. This issue affects Piqes: from n/a through <= 1.0.11. 2026-01-22 not yet calculated CVE-2025-69073 https://patchstack.com/database/Wordpress/Theme/piqes/vulnerability/wordpress-piqes-theme-1-0-11-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes--Prider Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Prider prider allows PHP Local File Inclusion. This issue affects Prider: from n/a through <= 1.1.3.1. 2026-01-22 not yet calculated CVE-2025-69072 https://patchstack.com/database/Wordpress/Theme/prider/vulnerability/wordpress-prider-theme-1-1-3-1-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes--Snow Mountain Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Snow Mountain snowmountain allows PHP Local File Inclusion. This issue affects Snow Mountain: from n/a through <= 1.4.3. 2026-01-22 not yet calculated CVE-2025-69065 https://patchstack.com/database/Wordpress/Theme/snowmountain/vulnerability/wordpress-snow-mountain-theme-1-4-3-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes--Tails Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tails tails allows PHP Local File Inclusion. This issue affects Tails: from n/a through <= 1.4.12. 2026-01-22 not yet calculated CVE-2025-69067 https://patchstack.com/database/Wordpress/Theme/tails/vulnerability/wordpress-tails-theme-1-4-12-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes--TanTum Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes TanTum tantum allows PHP Local File Inclusion. This issue affects TanTum: from n/a through <= 1.1.13. 2026-01-22 not yet calculated CVE-2025-69071 https://patchstack.com/database/Wordpress/Theme/tantum/vulnerability/wordpress-tantum-theme-1-1-13-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes--Tornados Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tornados tornados allows PHP Local File Inclusion. This issue affects Tornados: from n/a through <= 2.1. 2026-01-22 not yet calculated CVE-2025-69070 https://patchstack.com/database/Wordpress/Theme/tornados/vulnerability/wordpress-tornados-theme-2-1-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes--uReach Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes uReach ureach allows PHP Local File Inclusion. This issue affects uReach: from n/a through <= 1.3.3. 2026-01-22 not yet calculated CVE-2025-69060 https://patchstack.com/database/Wordpress/Theme/ureach/vulnerability/wordpress-ureach-theme-1-3-3-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes--Weedles Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Weedles weedles allows PHP Local File Inclusion. This issue affects Weedles: from n/a through <= 1.1.12. 2026-01-22 not yet calculated CVE-2025-69062 https://patchstack.com/database/Wordpress/Theme/weedles/vulnerability/wordpress-weedles-theme-1-1-12-local-file-inclusion-vulnerability?_s_id=cve
 
AncoraThemes--Yolox Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Yolox yolox allows PHP Local File Inclusion. This issue affects Yolox: from n/a through <= 1.0.15. 2026-01-22 not yet calculated CVE-2025-69075 https://patchstack.com/database/Wordpress/Theme/yolox/vulnerability/wordpress-yolox-theme-1-0-15-local-file-inclusion-vulnerability?_s_id=cve
 
Angel Costa--WP SEO Search Cross-Site Request Forgery (CSRF) vulnerability in Angel Costa WP SEO Search wp-seo-search allows Cross Site Request Forgery. This issue affects WP SEO Search: from n/a through <= 1.1. 2026-01-22 not yet calculated CVE-2025-67626 https://patchstack.com/database/Wordpress/Plugin/wp-seo-search/vulnerability/wordpress-wp-seo-search-plugin-1-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Anritsu--ShockLine Anritsu ShockLine CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu ShockLine. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CHX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27833. 2026-01-23 not yet calculated CVE-2025-15348 ZDI-25-1199
 
Anritsu--ShockLine Anritsu ShockLine SCPI Race Condition Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Anritsu ShockLine. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SCPI component. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27315. 2026-01-23 not yet calculated CVE-2025-15349 ZDI-25-1200
 
Anritsu--VectorStar Anritsu VectorStar CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu VectorStar. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CHX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27039. 2026-01-23 not yet calculated CVE-2025-15350 ZDI-25-1201
 
Anritsu--VectorStar Anritsu VectorStar CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu VectorStar. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CHX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27040. 2026-01-23 not yet calculated CVE-2025-15351 ZDI-25-1202
 
anthropics--claude-code Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version. 2026-01-21 not yet calculated CVE-2026-21852 https://github.com/anthropics/claude-code/security/advisories/GHSA-jh7p-qr78-84p7
 
Antideo--Antideo Email Validator Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Antideo Antideo Email Validator antideo-email-validator allows Blind SQL Injection. This issue affects Antideo Email Validator: from n/a through <= 1.0.10. 2026-01-22 not yet calculated CVE-2025-68017 https://patchstack.com/database/Wordpress/Plugin/antideo-email-validator/vulnerability/wordpress-antideo-email-validator-plugin-1-0-10-sql-injection-vulnerability?_s_id=cve
 
antoniobg--ABG Rich Pins Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in antoniobg ABG Rich Pins abg-rich-pins allows Stored XSS. This issue affects ABG Rich Pins: from n/a through <= 1.1. 2026-01-23 not yet calculated CVE-2026-24558 https://patchstack.com/database/Wordpress/Plugin/abg-rich-pins/vulnerability/wordpress-abg-rich-pins-plugin-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Apache Software Foundation--Apache Linkis A vulnerability in Apache Linkis. Problem Description When using the JDBC engine and da When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system's checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters. Scope of Impact This issue affects Apache Linkis: from 1.3.0 through 1.7.0. Severity level moderate Solution Continuously check if the connection information contains the "%" character; if it does, perform URL decoding. Users are recommended to upgrade to version 1.8.0, which fixes the issue. More questions about this vulnerability can be discussed here:  https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve 2026-01-19 not yet calculated CVE-2025-29847 https://lists.apache.org/thread/03l5rfkgdt022o75jp8x4tzpqxz8g057
 
Apache Software Foundation--Apache Linkis A vulnerability. When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + "decode failed", e). If the input parameter contains sensitive information such as Hive Metastore keys, plaintext passwords will be left in the log files when decoding fails, resulting in information leakage. Affected Scope Component: Sensitive fields in hive-site.xml (e.g., javax.jdo.option.ConnectionPassword) or other fields encoded in Base64. Version: Apache Linkis 1.0.0 - 1.7.0 Trigger Conditions The value of the configuration item is an invalid Base64 string. Log files are readable by users other than hive-site.xml administrators. Severity: Low The probability of Base64 decoding failure is low. The leakage is only triggered when logs at the Error level are exposed. Remediation Apache Linkis 1.8.0 and later versions have replaced the log with desensitized content. logger.error("URL decode failed: {}", e.getMessage()); // 不再输出 str Users are recommended to upgrade to version 1.8.0, which fixes the issue. 2026-01-19 not yet calculated CVE-2025-59355 https://lists.apache.org/thread/75z7vhftw6w1mllndgpkfmcj0fzo4lbj
https://lists.apache.org/thread/4dcgmqdkk2p5y4k43ok5rgd4ylx8698h
 
Apache Software Foundation--Apache Solr Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components.  Only deployments that meet all of the following criteria are impacted by this vulnerability: * Use of Solr's "RuleBasedAuthorizationPlugin" * A RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple "roles" * A RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or more of the following pre-defined permission rules: "config-read", "config-edit", "schema-read", "metrics-read", or "security-read". * A RuleBasedAuthorizationPlugin permission list that doesn't define the "all" pre-defined permission * A networking setup that allows clients to make unfiltered network requests to Solr. (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, unmodified or restricted by any intervening proxy or gateway) Users can mitigate this vulnerability by ensuring that their RuleBasedAuthorizationPlugin configuration specifies the "all" pre-defined permission and associates the permission with an "admin" or other privileged role.  Users can also upgrade to a Solr version outside of the impacted range, such as the recently released Solr 9.10.1. 2026-01-21 not yet calculated CVE-2026-22022 https://lists.apache.org/thread/d59hqbgo7p62myq7mgfpz7or8n1j7wbn
 
Apache Software Foundation--Apache Solr The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "allowPaths" security setting https://https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element .  These read-only accesses can allow users to create cores using unexpected configsets if any are accessible via the filesystem.  On Windows systems configured to allow UNC paths this can additionally cause disclosure of NTLM "user" hashes.  Solr deployments are subject to this vulnerability if they meet the following criteria: * Solr is running in its "standalone" mode. * Solr's "allowPath" setting is being used to restrict file access to certain directories. * Solr's "create core" API is exposed and accessible to untrusted users.  This can happen if Solr's RuleBasedAuthorizationPlugin https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html is disabled, or if it is enabled but the "core-admin-edit" predefined permission (or an equivalent custom permission) is given to low-trust (i.e. non-admin) user roles. Users can mitigate this by enabling Solr's RuleBasedAuthorizationPlugin (if disabled) and configuring a permission-list that prevents untrusted users from creating new Solr cores.  Users should also upgrade to Apache Solr 9.10.1 or greater, which contain fixes for this issue. 2026-01-21 not yet calculated CVE-2026-22444 https://lists.apache.org/thread/qkrb9dd4xrlqmmq73lrhkbfkttto2d1m
 
Apple--Container The ArchiveReader.extractContents() function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames. This issue is addressed in container 0.8.0 and containerization 0.21.0. 2026-01-22 not yet calculated CVE-2026-20613 https://github.com/apple/containerization/security/advisories/GHSA-cq3j-qj2h-6rv3
 
Apryse--Apryse A Local File Inclusion (LFI) and a Server-Side Request Forgery (SSRF) vulnerability was found in the InsertFromHtmlString() function of the Apryse HTML2PDF SDK thru 11.6.0. These vulnerabilities could allow an attacker to read local files on the server or make arbitrary HTTP requests to internal or external services. Both vulnerabilities could lead to the disclosure of sensitive data or potential system takeover. 2026-01-22 not yet calculated CVE-2025-56589 http://apryse.com
https://www.stratascale.com/resource/apryse-server-module-ssrf-lfi/
 
Apryse--Apryse An issue was discovered in the InsertFromURL() function of the Apryse HTML2PDF SDK thru 11.10. This vulnerability could allow an attacker to execute arbitrary operating system commands on the local server. 2026-01-22 not yet calculated CVE-2025-56590 http://apryse.com
https://www.stratascale.com/resource/apryse-server-argument-injection-rce/
 
Aptsys--Aptsys An information disclosure vulnerability exists in the /srvs/membersrv/getCashiers endpoint of the Aptsys gemscms backend platform thru 2025-05-28. This unauthenticated endpoint returns a list of cashier accounts, including names, email addresses, usernames, and passwords hashed using MD5. As MD5 is a broken cryptographic function, the hashes can be easily reversed using public tools, exposing user credentials in plaintext. This allows remote attackers to perform unauthorized logins and potentially gain access to sensitive POS operations or backend functions. 2026-01-23 not yet calculated CVE-2025-52026 http://aptsys.com
https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39
 
ApusTheme--Drone Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ApusTheme Drone drone allows Reflected XSS. This issue affects Drone: from n/a through <= 1.40. 2026-01-22 not yet calculated CVE-2025-49249 https://patchstack.com/database/Wordpress/Theme/drone/vulnerability/wordpress-drone-theme-1-40-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
arduino--ArduinoCore-avr ArduinoCore-avr contains the source code and configuration files of the Arduino AVR Boards platform. A vulnerability in versions prior to 1.8.7 allows an attacker to trigger a stack-based buffer overflow when converting floating-point values to strings with high precision. By passing very large `decimalPlaces` values to the affected String constructors or concat methods, the `dtostrf` function writes beyond fixed-size stack buffers, causing memory corruption and denial of service. Under specific conditions, this could enable arbitrary code execution on AVR-based Arduino boards. ### Patches - The Fix is included starting from the `1.8.7` release available from the following link [ArduinoCore-avr v1.8.7](https://github.com/arduino/ArduinoCore-avr) - The Fixing Commit is available at the following link [1a6a417f89c8901dad646efce74ae9d3ddebfd59](https://github.com/arduino/ArduinoCore-avr/pull/613/commits/1a6a417f89c8901dad646efce74ae9d3ddebfd59) ### References - [ASEC-26-001 ArduinoCore-avr vXXXX Resolves Buffer Overflow Vulnerability](https://support.arduino.cc/hc/en-us/articles/XXXXX) ### Credits - Maxime Rossi Bellom and Ramtine Tofighi Shirazi from SecMate (https://secmate.dev/) 2026-01-21 not yet calculated CVE-2025-69209 https://github.com/arduino/ArduinoCore-avr/security/advisories/GHSA-pvx3-fm7w-6hjm
https://github.com/arduino/ArduinoCore-avr/pull/613
https://github.com/arduino/ArduinoCore-avr/commit/82a8ad2fb33911d8927c7af22e0472b94325d1a7
https://github.com/arduino/ArduinoCore-avr/releases/tag/1.8.7
https://support.arduino.cc/hc/en-us/articles/24985906702748-ASEC-26-001-ArduinoCore-AVR-v1-8-7-Resolves-Stack-Based-Buffer-Overflow-Vulnerability
 
Arevico--WP Simple Redirect Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arevico WP Simple Redirect wp-simple-redirect allows Reflected XSS. This issue affects WP Simple Redirect: from n/a through <= 1.1. 2026-01-22 not yet calculated CVE-2025-68884 https://patchstack.com/database/Wordpress/Plugin/wp-simple-redirect/vulnerability/wordpress-wp-simple-redirect-plugin-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
argoproj--argo-workflows Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user's browser under the Argo Server origin, enabling API actions with the victim's privileges. Versions 3.6.17 and 3.7.8 fix the issue. 2026-01-21 not yet calculated CVE-2026-23960 https://github.com/argoproj/argo-workflows/security/advisories/GHSA-cv78-6m8q-ph82
https://github.com/argoproj/argo-workflows/commit/159a5c56285ecd4d3bb0a67aeef4507779a44e17
https://github.com/argoproj/argo-workflows/blob/9872c296d29dcc5e9c78493054961ede9fc30797/server/artifacts/artifact_server.go#L194-L244
https://github.com/argoproj/argo-workflows/releases/tag/v3.6.17
https://github.com/argoproj/argo-workflows/releases/tag/v3.7.8
 
Arksine--moonraker Moonraker is a Python web server providing API access to Klipper 3D printing firmware. In versions 0.9.3 and below, instances configured with the "ldap" component enabled are vulnerable to LDAP search filter injection techniques via the login endpoint. The 401 error response message can be used to determine whether or not a search was successful, allowing for brute force methods to discover LDAP entries on the server such as user IDs and user attributes. This issue has been fixed in version 0.10.0. 2026-01-22 not yet calculated CVE-2026-24130 https://github.com/Arksine/moonraker/security/advisories/GHSA-3jqf-v4mv-747g
https://github.com/Arksine/moonraker/commit/74c5d8e44c4a4abbfbb06fb991e7ebb9ac947f42
 
Arraytics--Eventin Deserialization of Untrusted Data vulnerability in Arraytics Eventin wp-event-solution allows Object Injection. This issue affects Eventin: from n/a through <= 4.1.1. 2026-01-22 not yet calculated CVE-2025-68047 https://patchstack.com/database/Wordpress/Plugin/wp-event-solution/vulnerability/wordpress-eventin-plugin-4-0-52-php-object-injection-vulnerability?_s_id=cve
 
artbees--JupiterX Core Deserialization of Untrusted Data vulnerability in artbees JupiterX Core jupiterx-core allows Object Injection. This issue affects JupiterX Core: from n/a through <= 4.10.1. 2026-01-22 not yet calculated CVE-2025-50004 https://patchstack.com/database/Wordpress/Plugin/jupiterx-core/vulnerability/wordpress-jupiterx-core-plugin-4-10-1-php-object-injection-vulnerability?_s_id=cve
 
artplacer--ArtPlacer Widget Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Stored XSS. This issue affects ArtPlacer Widget: from n/a through <= 2.23.1. 2026-01-23 not yet calculated CVE-2026-24555 https://patchstack.com/database/Wordpress/Plugin/artplacer-widget/vulnerability/wordpress-artplacer-widget-plugin-2-23-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Arul Prasad J--WP Quick Post Duplicator Missing Authorization vulnerability in Arul Prasad J WP Quick Post Duplicator wp-quick-post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Quick Post Duplicator: from n/a through <= 2.1. 2026-01-22 not yet calculated CVE-2026-24387 https://patchstack.com/database/Wordpress/Plugin/wp-quick-post-duplicator/vulnerability/wordpress-wp-quick-post-duplicator-plugin-2-1-broken-access-control-vulnerability?_s_id=cve
 
Ashan Perera--LifePress Missing Authorization vulnerability in Ashan Perera LifePress lifepress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LifePress: from n/a through <= 2.1.3. 2026-01-23 not yet calculated CVE-2026-24563 https://patchstack.com/database/Wordpress/Plugin/lifepress/vulnerability/wordpress-lifepress-plugin-2-1-3-broken-access-control-vulnerability-2?_s_id=cve
 
Atomberg--Atomberg An issue in Atomberg Atomberg Erica Smart Fan Firmware Version: V1.0.36 allows an attacker to obtain sensitive information and escalate privileges via a crafted deauth frame 2026-01-22 not yet calculated CVE-2025-69822 https://github.com/CipherX1802/CVE-2025-69822-Atomberg_Erica_SmatFan_Security_Assessment/blob/main/Atomberg_Erica_SmatFan_Security_Assessment_Report.pdf
https://github.com/CipherX1802/CVE-2025-69822-Atomberg_Erica_SmatFan_Security_Assessment.git
 
Automated Logic--WebCTRL Storing Passwords in a Recoverable Format vulnerability in Automated Logic WebCTRL on Windows, Carrier i-Vu on Windows. Storing Passwords in a Recoverable Format vulnerability (CWE-257) in the Web session management component allows an attacker to access stored passwords in a recoverable format which makes them subject to password reuse attacks by malicious users. This issue affects WebCTRL: from 6.0 through 9.0; i-Vu: from 6.0 through 9.0. 2026-01-22 not yet calculated CVE-2025-14295 https://www.corporate.carrier.com/product-security/advisories-resources/
 
averta--Depicter Slider Missing Authorization vulnerability in averta Depicter Slider depicter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Depicter Slider: from n/a through <= 4.0.4. 2026-01-22 not yet calculated CVE-2025-68558 https://patchstack.com/database/Wordpress/Plugin/depicter/vulnerability/wordpress-depicter-slider-plugin-4-0-4-broken-access-control-vulnerability?_s_id=cve
 
axiomthemes--Amuli Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Amuli amuli allows PHP Local File Inclusion. This issue affects Amuli: from n/a through <= 2.3.0. 2026-01-22 not yet calculated CVE-2025-50003 https://patchstack.com/database/Wordpress/Theme/amuli/vulnerability/wordpress-amuli-theme-2-3-0-local-file-inclusion-vulnerability?_s_id=cve
 
ayecode--Restaurante Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ayecode Restaurante restaurante allows Reflected XSS. This issue affects Restaurante: from n/a through <= 3.0.7. 2026-01-22 not yet calculated CVE-2025-52746 https://patchstack.com/database/Wordpress/Theme/restaurante/vulnerability/wordpress-restaurante-theme-3-0-7-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Bdtask--Isshue HTML Injection vulnerability in Isshue by Bdtask, consisting os an HTML injection due to a lack os proper validation of user input by sending a POST request to '/category_product_search', affecting the 'product_name' parameter. 2026-01-20 not yet calculated CVE-2025-40679 https://www.incibe.es/en/incibe-cert/notices/aviso-sci/html-injection-isshue-bdtask
 
bdthemes--Element Pack Elementor Addons Cross-Site Request Forgery (CSRF) vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Cross Site Request Forgery. This issue affects Element Pack Elementor Addons: from n/a through <= 8.3.13. 2026-01-22 not yet calculated CVE-2025-31413 https://patchstack.com/database/Wordpress/Plugin/bdthemes-element-pack-lite/vulnerability/wordpress-element-pack-elementor-addons-plugin-8-3-13-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Beam--Beam Directory Traversal vulnerability in Beam beta9 v.0.1.552 allows a remote attacker to obtain sensitive information via the joinCleanPath function 2026-01-22 not yet calculated CVE-2025-69820 https://github.com/aws/aws-sdk-php/security/advisories/GHSA-557v-xcg6-rm5m
https://github.com/ryotaromatsui/CVEs/tree/main/CVE-2025-69820
https://github.com/beam-cloud/beta9/blob/c1cd75e813cf7d53e916157d920099e89ef45caa/pkg/abstractions/volume/multipart.go#L45
 
Beaver Builder--Beaver Builder Improper Control of Generation of Code ('Code Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Code Injection. This issue affects Beaver Builder: from n/a through <= 2.9.4.1. 2026-01-22 not yet calculated CVE-2025-69319 https://patchstack.com/database/Wordpress/Plugin/beaver-builder-lite-version/vulnerability/wordpress-beaver-builder-plugin-2-9-4-1-arbitrary-code-execution-vulnerability?_s_id=cve
 
Benjamin Intal--Stackable Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Benjamin Intal Stackable stackable-ultimate-gutenberg-blocks allows Stored XSS. This issue affects Stackable: from n/a through <= 3.19.5. 2026-01-22 not yet calculated CVE-2025-47500 https://patchstack.com/database/Wordpress/Plugin/stackable-ultimate-gutenberg-blocks/vulnerability/wordpress-stackable-plugin-3-19-5-cross-site-scripting-xss-vulnerability?_s_id=cve
 
bestwebsoft--Multilanguage by BestWebSoft Missing Authorization vulnerability in bestwebsoft Multilanguage by BestWebSoft multilanguage allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Multilanguage by BestWebSoft: from n/a through <= 1.5.2. 2026-01-23 not yet calculated CVE-2026-24598 https://patchstack.com/database/Wordpress/Plugin/multilanguage/vulnerability/wordpress-multilanguage-by-bestwebsoft-plugin-1-5-2-broken-access-control-vulnerability?_s_id=cve
 
Binance--Binance A buffer over-read in the PublicKey::verify() method of Binance - Trust Wallet Core before commit 5668c67 allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-01-20 not yet calculated CVE-2025-66692 https://github.com/trustwallet/wallet-core/commit/5668c67
https://gist.github.com/inkman97/b791189338f73b758c31a7db3cd50c2d
 
binary-parser--binary-parser A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process. 2026-01-20 not yet calculated CVE-2026-1245 https://github.com/keichi/binary-parser/pull/283
https://github.com/keichi/binary-parser
https://www.npmjs.com/package/binary-parser
https://kb.cert.org/vuls/id/102648
 
blazethemes--Blogistic Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogistic blogistic allows Using Malicious Files. This issue affects Blogistic: from n/a through <= 1.0.5. 2026-01-22 not yet calculated CVE-2025-68909 https://patchstack.com/database/Wordpress/Theme/blogistic/vulnerability/wordpress-blogistic-theme-1-0-5-arbitrary-file-upload-vulnerability?_s_id=cve
 
blazethemes--Blogmatic Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogmatic blogmatic. This issue affects Blogmatic: from n/a through <= 1.0.3. 2026-01-22 not yet calculated CVE-2025-62050 https://patchstack.com/database/Wordpress/Theme/blogmatic/vulnerability/wordpress-blogmatic-theme-1-0-3-arbitrary-file-upload-vulnerability?_s_id=cve
 
blazethemes--Blogzee Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogzee blogzee allows Using Malicious Files. This issue affects Blogzee: from n/a through <= 1.0.5. 2026-01-22 not yet calculated CVE-2025-68910 https://patchstack.com/database/Wordpress/Theme/blogzee/vulnerability/wordpress-blogzee-theme-1-0-5-arbitrary-file-upload-vulnerability?_s_id=cve
 
blazethemes--News Event Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes News Event news-event. This issue affects News Event: from n/a through <= 1.0.1. 2026-01-22 not yet calculated CVE-2025-62056 https://patchstack.com/database/Wordpress/Theme/news-event/vulnerability/wordpress-news-event-theme-1-0-1-arbitrary-file-upload-vulnerability?_s_id=cve
 
Booking Activities Team--Booking Activities Incorrect Privilege Assignment vulnerability in Booking Activities Team Booking Activities booking-activities allows Privilege Escalation. This issue affects Booking Activities: from n/a through <= 1.16.44. 2026-01-22 not yet calculated CVE-2025-67953 https://patchstack.com/database/Wordpress/Plugin/booking-activities/vulnerability/wordpress-booking-activities-plugin-1-16-44-privilege-escalation-vulnerability?_s_id=cve
 
bookingalgorithms--BA Book Everything Missing Authorization vulnerability in bookingalgorithms BA Book Everything ba-book-everything allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BA Book Everything: from n/a through <= 1.8.16. 2026-01-22 not yet calculated CVE-2026-24371 https://patchstack.com/database/Wordpress/Plugin/ba-book-everything/vulnerability/wordpress-ba-book-everything-plugin-1-8-16-broken-access-control-vulnerability?_s_id=cve
 
Boopathi Rajan--WP Test Email Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Boopathi Rajan WP Test Email wp-test-email allows Reflected XSS. This issue affects WP Test Email: from n/a through <= 1.1.7. 2026-01-22 not yet calculated CVE-2025-69102 https://patchstack.com/database/Wordpress/Plugin/wp-test-email/vulnerability/wordpress-wp-test-email-plugin-1-1-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Botble--TransP HTML injection vulnerability in multiple Botble products such as TransP, Athena, Martfury, and Homzen, consisting of an HTML injection due to a lack of proper validation of user input by sending a request to '/search' using the 'q' parameter. 2026-01-20 not yet calculated CVE-2026-1183 https://www.incibe.es/en/incibe-cert/notices/aviso/html-injection-multiple-botble-products
 
boxnow--BOX NOW Delivery Missing Authorization vulnerability in boxnow BOX NOW Delivery box-now-delivery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BOX NOW Delivery: from n/a through <= 3.0.2. 2026-01-23 not yet calculated CVE-2026-24571 https://patchstack.com/database/Wordpress/Plugin/box-now-delivery/vulnerability/wordpress-box-now-delivery-plugin-3-0-2-broken-access-control-vulnerability?_s_id=cve
 
bPlugins--B Accordion Insertion of Sensitive Information Into Sent Data vulnerability in bPlugins B Accordion b-accordion allows Retrieve Embedded Sensitive Data. This issue affects B Accordion: from n/a through <= 2.0.0. 2026-01-23 not yet calculated CVE-2026-24565 https://patchstack.com/database/Wordpress/Plugin/b-accordion/vulnerability/wordpress-b-accordion-plugin-2-0-0-sensitive-data-exposure-vulnerability?_s_id=cve
 
bPlugins--B Slider Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins B Slider b-slider allows DOM-Based XSS. This issue affects B Slider: from n/a through <= 2.0.6. 2026-01-22 not yet calculated CVE-2026-24383 https://patchstack.com/database/Wordpress/Plugin/b-slider/vulnerability/wordpress-b-slider-plugin-2-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Brecht--WP Recipe Maker Missing Authorization vulnerability in Brecht WP Recipe Maker wp-recipe-maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Recipe Maker: from n/a through <= 10.2.4. 2026-01-22 not yet calculated CVE-2026-24357 https://patchstack.com/database/Wordpress/Plugin/wp-recipe-maker/vulnerability/wordpress-wp-recipe-maker-plugin-10-2-4-broken-access-control-vulnerability?_s_id=cve
 
briarinc--Anything Order by Terms Missing Authorization vulnerability in briarinc Anything Order by Terms anything-order-by-terms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Anything Order by Terms: from n/a through <= 1.4.0. 2026-01-23 not yet calculated CVE-2026-24567 https://patchstack.com/database/Wordpress/Plugin/anything-order-by-terms/vulnerability/wordpress-anything-order-by-terms-plugin-1-4-0-broken-access-control-vulnerability?_s_id=cve
 
Broadstreet--Broadstreet Ads Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Broadstreet Ads: from n/a through <= 1.52.1. 2026-01-22 not yet calculated CVE-2025-69311 https://patchstack.com/database/Wordpress/Plugin/broadstreet/vulnerability/wordpress-broadstreet-ads-plugin-1-52-1-broken-access-control-vulnerability?_s_id=cve
 
bslthemes--Myour Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in bslthemes Myour myour allows PHP Local File Inclusion. This issue affects Myour: from n/a through <= 1.5.1. 2026-01-22 not yet calculated CVE-2025-67615 https://patchstack.com/database/Wordpress/Theme/myour/vulnerability/wordpress-myour-theme-1-5-1-local-file-inclusion-vulnerability?_s_id=cve
 
BZOTheme--Mella Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Mella mella allows PHP Local File Inclusion. This issue affects Mella: from n/a through <= 1.2.29. 2026-01-22 not yet calculated CVE-2025-67616 https://patchstack.com/database/Wordpress/Theme/mella/vulnerability/wordpress-mella-theme-1-2-29-local-file-inclusion-vulnerability?_s_id=cve
 
cardpaysolutions--Payment Gateway Authorize.Net CIM for WooCommerce Missing Authorization vulnerability in cardpaysolutions Payment Gateway Authorize.Net CIM for WooCommerce authnet-cim-for-woo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payment Gateway Authorize.Net CIM for WooCommerce: from n/a through <= 2.1.2. 2026-01-22 not yet calculated CVE-2025-68013 https://patchstack.com/database/Wordpress/Plugin/authnet-cim-for-woo/vulnerability/wordpress-payment-gateway-authorize-net-cim-for-woocommerce-plugin-2-1-2-arbitrary-content-deletion-vulnerability?_s_id=cve
 
Cargus eCommerce--Cargus Insertion of Sensitive Information Into Sent Data vulnerability in Cargus eCommerce Cargus cargus allows Retrieve Embedded Sensitive Data. This issue affects Cargus: from n/a through <= 1.5.8. 2026-01-23 not yet calculated CVE-2026-24589 https://patchstack.com/database/Wordpress/Plugin/cargus/vulnerability/wordpress-cargus-plugin-1-5-8-sensitive-data-exposure-vulnerability?_s_id=cve
 
Casey Bisson--wpCAS Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Casey Bisson wpCAS wpcas allows Reflected XSS. This issue affects wpCAS: from n/a through <= 1.07. 2026-01-22 not yet calculated CVE-2025-68858 https://patchstack.com/database/Wordpress/Plugin/wpcas/vulnerability/wordpress-wpcas-plugin-1-0-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Chainlit--Chainlit Chainlit versions prior to 2.9.4 contain an arbitrary file read vulnerability in the /project/element update flow. An authenticated client can send a custom Element with a user-controlled path value, causing the server to copy the referenced file into the attacker's session. The resulting element identifier (chainlitKey) can then be used to retrieve the file contents via /project/file/<chainlitKey>, allowing disclosure of any file readable by the Chainlit service. 2026-01-19 not yet calculated CVE-2026-22218 https://github.com/Chainlit/chainlit/releases/tag/2.9.4
https://www.zafran.io/resources/chainleak-critical-ai-framework-vulnerabilities-expose-data-enable-cloud-takeover
https://www.vulncheck.com/advisories/chainlit-arbitrary-file-read-via-project-element
 
Chainlit--Chainlit Chainlit versions prior to 2.9.4 contain a server-side request forgery (SSRF) vulnerability in the /project/element update flow when configured with the SQLAlchemy data layer backend. An authenticated client can provide a user-controlled url value in an Element, which is fetched by the SQLAlchemy element creation logic using an outbound HTTP GET request. This allows an attacker to make arbitrary HTTP requests from the Chainlit server to internal network services or cloud metadata endpoints and store the retrieved responses via the configured storage provider. 2026-01-19 not yet calculated CVE-2026-22219 https://github.com/Chainlit/chainlit/releases/tag/2.9.4
https://www.zafran.io/resources/chainleak-critical-ai-framework-vulnerabilities-expose-data-enable-cloud-takeover
https://www.vulncheck.com/advisories/chainlit-sqlalchemy-data-layer-ssrf-via-project-element
 
Chandni Patel--WP MapIt Missing Authorization vulnerability in Chandni Patel WP MapIt wp-mapit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP MapIt: from n/a through <= 3.0.3. 2026-01-22 not yet calculated CVE-2026-22466 https://patchstack.com/database/Wordpress/Plugin/wp-mapit/vulnerability/wordpress-wp-mapit-plugin-3-0-3-broken-access-control-vulnerability?_s_id=cve
 
charmbracelet--soft-serve Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim's public key during the SSH handshake before authenticating with their own valid key. This occurs because the user identity is stored in the session context during the "offer" phase and is not cleared if that specific authentication attempt fails. This issue has been fixed in version 0.11.3. 2026-01-22 not yet calculated CVE-2026-24058 https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-pchf-49fh-w34r
https://github.com/charmbracelet/soft-serve/commit/8539f9ad39918b67d612a35785a2b4326efc8741
https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.3
 
Chris Simmons--WP BackItUp Missing Authorization vulnerability in Chris Simmons WP BackItUp wp-backitup allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP BackItUp: from n/a through <= 2.0.0. 2026-01-22 not yet calculated CVE-2025-68039 https://patchstack.com/database/Wordpress/Plugin/wp-backitup/vulnerability/wordpress-wp-backitup-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve
 
cjjparadoxmax--Synergy Project Manager Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cjjparadoxmax Synergy Project Manager synergy-project-manager allows Stored XSS. This issue affects Synergy Project Manager: from n/a through <= 1.5. 2026-01-22 not yet calculated CVE-2025-68898 https://patchstack.com/database/Wordpress/Plugin/synergy-project-manager/vulnerability/wordpress-synergy-project-manager-plugin-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve
 
cleverplugins--SEO Booster Missing Authorization vulnerability in cleverplugins SEO Booster seo-booster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SEO Booster: from n/a through <= 6.1.8. 2026-01-22 not yet calculated CVE-2025-68019 https://patchstack.com/database/Wordpress/Plugin/seo-booster/vulnerability/wordpress-seo-booster-plugin-6-1-8-broken-access-control-vulnerability?_s_id=cve
 
CleverReach--CleverReach WP Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CleverReach® CleverReach® WP cleverreach-wp allows SQL Injection. This issue affects CleverReach® WP: from n/a through <= 1.5.22. 2026-01-22 not yet calculated CVE-2025-68034 https://patchstack.com/database/Wordpress/Plugin/cleverreach-wp/vulnerability/wordpress-cleverreach-wp-plugin-1-5-22-sql-injection-vulnerability?_s_id=cve
 
CleverSoft--Anon Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CleverSoft Anon anon2x allows Reflected XSS. This issue affects Anon: from n/a through <= 2.2.10. 2026-01-22 not yet calculated CVE-2025-67620 https://patchstack.com/database/Wordpress/Theme/anon2x/vulnerability/wordpress-anon-theme-2-2-10-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Cloudflare--Wrangler SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler. Root causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g.,  execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution. ImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the --commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to: * Run any shell command. * Exfiltrate environment variables. * Compromise the CI runner to install backdoors or modify build artifacts. Credits Disclosed responsibly by kny4hacker. Mitigation * Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher. * Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher. * Users on Wrangler v2 (EOL) should upgrade to a supported major version. 2026-01-20 not yet calculated CVE-2026-0933 https://github.com/cloudflare/workers-sdk
 
Cloudinary--Cloudinary Missing Authorization vulnerability in Cloudinary Cloudinary cloudinary-image-management-and-manipulation-in-the-cloud-cdn allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cloudinary: from n/a through <= 3.3.0. 2026-01-23 not yet calculated CVE-2026-24560 https://patchstack.com/database/Wordpress/Plugin/cloudinary-image-management-and-manipulation-in-the-cloud-cdn/vulnerability/wordpress-cloudinary-plugin-3-3-0-broken-access-control-vulnerability?_s_id=cve
 
CloudPanel--CLP Varnish Cache Missing Authorization vulnerability in CloudPanel CLP Varnish Cache clp-varnish-cache allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CLP Varnish Cache: from n/a through <= 1.0.2. 2026-01-23 not yet calculated CVE-2026-24525 https://patchstack.com/database/Wordpress/Plugin/clp-varnish-cache/vulnerability/wordpress-clp-varnish-cache-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve
 
Codeless--Slider Templates Missing Authorization vulnerability in Codeless Slider Templates slider-templates allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Slider Templates: from n/a through <= 1.0.3. 2026-01-22 not yet calculated CVE-2025-68009 https://patchstack.com/database/Wordpress/Plugin/slider-templates/vulnerability/wordpress-slider-templates-plugin-1-0-3-broken-access-control-vulnerability?_s_id=cve
 
codisto--Omnichannel for WooCommerce Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codisto Omnichannel for WooCommerce codistoconnect allows Stored XSS. This issue affects Omnichannel for WooCommerce: from n/a through <= 1.3.65. 2026-01-22 not yet calculated CVE-2025-68041 https://patchstack.com/database/Wordpress/Plugin/codistoconnect/vulnerability/wordpress-omnichannel-for-woocommerce-plugin-1-3-65-cross-site-scripting-xss-vulnerability?_s_id=cve
 
COP--UX Flat Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in COP UX Flat ux-flat allows Stored XSS. This issue affects UX Flat: from n/a through <= 5.4.0. 2026-01-23 not yet calculated CVE-2026-24576 https://patchstack.com/database/Wordpress/Plugin/ux-flat/vulnerability/wordpress-ux-flat-plugin-5-4-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
copier-org--copier Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the `--UNSAFE,--trust` flag. As it turns out, a safe template can currently include arbitrary files/directories outside the local template clone location by using symlinks along with `_preserve_symlinks: false` (which is Copier's default setting). Version 9.11.2 patches the issue. 2026-01-21 not yet calculated CVE-2026-23968 https://github.com/copier-org/copier/security/advisories/GHSA-xjhm-gp88-8pfx
https://github.com/copier-org/copier/commit/b3a7b3772d17cf0e7a4481978188c9f536c8d8f6
 
copier-org--copier Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the `--UNSAFE,--trust` flag. As it turns out, a safe template can currently write to arbitrary directories outside the destination path by using directory a symlink along with `_preserve_symlinks: true` and a generated directory structure whose rendered path is inside the symlinked directory. This way, a malicious template author can create a template that overwrites arbitrary files (according to the user's write permissions), e.g., to cause havoc. Version 9.11.2 patches the issue. 2026-01-21 not yet calculated CVE-2026-23986 https://github.com/copier-org/copier/security/advisories/GHSA-4fqp-r85r-hxqh
https://github.com/copier-org/copier/commit/b3a7b3772d17cf0e7a4481978188c9f536c8d8f6
https://github.com/copier-org/copier/releases/tag/v9.11.2
 
coreshop--CoreShop CoreShop is a Pimcore enhanced eCommerce solution. An error-based SQL Injection vulnerability was identified in versions prior to 4.1.9 in the `CustomerTransformerController` within the CoreShop admin panel. The affected endpoint improperly interpolates user-supplied input into a SQL query, leading to database error disclosure and potential data extraction. Version 4.1.9 fixes the issue. 2026-01-22 not yet calculated CVE-2026-23959 https://github.com/coreshop/CoreShop/security/advisories/GHSA-fqcv-8859-86x2
https://github.com/coreshop/CoreShop/commit/af80b8f5c7df5f02f44e9c5e0a4a564de274eec2
https://github.com/coreshop/CoreShop/releases/tag/4.1.9
 
cozythemes--HomeLancer Missing Authorization vulnerability in cozythemes HomeLancer homelancer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HomeLancer: from n/a through <= 1.0.1. 2026-01-22 not yet calculated CVE-2025-49375 https://patchstack.com/database/Wordpress/Theme/homelancer/vulnerability/wordpress-homelancer-theme-1-0-1-broken-access-control-vulnerability?_s_id=cve
 
Craig Hewitt--Seriously Simple Podcasting Server-Side Request Forgery (SSRF) vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Server Side Request Forgery. This issue affects Seriously Simple Podcasting: from n/a through <= 3.14.1. 2026-01-22 not yet calculated CVE-2026-24360 https://patchstack.com/database/Wordpress/Plugin/seriously-simple-podcasting/vulnerability/wordpress-seriously-simple-podcasting-plugin-3-14-1-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
 
crawlchat--crawlchat CrawlChat is an open-source, AI-powered platform that transforms technical documentation into intelligent chatbots. Prior to version 0.0.8, a non-existing permission check for the CrawlChat's Discord bot allows non-manage guild users to put malicious content onto the collection knowledge base. Usually, admin / mods of a Discord guild use the `jigsaw` emoji to save a specific message (chain) onto the collection's knowledge base of CrawlChat. Unfortunately an permission check (for e.g. MANAGE_SERVER; MANAGE_MESSAGES etc.) was not done, allowing normal users of the guild to information to the knowledge base. With targeting specific parts that are commonly asked, users can manipulate the content given out by the bot (on all integrations), to e.g. redirect users to a malicious site, or send information to a malicious user. Version 0.0.8 patches the issue. 2026-01-19 not yet calculated CVE-2026-23875 https://github.com/crawlchat/crawlchat/security/advisories/GHSA-f484-62p4-6w4p
https://github.com/crawlchat/crawlchat/commit/f90ebb93c6a830f6cf609d683f6425af8434573a
https://github.com/crawlchat/crawlchat/releases/tag/v0.0.8
 
CridioStudio--ListingPro Reviews Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro Reviews listingpro-reviews allows Reflected XSS. This issue affects ListingPro Reviews: from n/a through <= 1.7. 2026-01-22 not yet calculated CVE-2025-69051 https://patchstack.com/database/Wordpress/Plugin/listingpro-reviews/vulnerability/wordpress-listingpro-reviews-theme-1-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
CRM Perks--Integration for Contact Form 7 HubSpot Insertion of Sensitive Information Into Sent Data vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Retrieve Embedded Sensitive Data. This issue affects Integration for Contact Form 7 HubSpot: from n/a through <= 1.4.3. 2026-01-23 not yet calculated CVE-2026-24559 https://patchstack.com/database/Wordpress/Plugin/cf7-hubspot/vulnerability/wordpress-integration-for-contact-form-7-hubspot-plugin-1-4-3-sensitive-data-exposure-vulnerability?_s_id=cve
 
Crocoblock--JetEngine Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS. This issue affects JetEngine: from n/a through <= 3.7.7. 2026-01-22 not yet calculated CVE-2025-67923 https://patchstack.com/database/Wordpress/Plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-7-7-cross-site-scripting-xss-vulnerability?_s_id=cve
 
cvat-ai--cvat CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or project, then get the victim user to either edit that label, or view a shape that refers to that label; and/or get the victim user to upload a maliciously crafted SVG image when configuring a skeleton. This gives the attacker temporary access to all CVAT resources that the victim user can access. Version 2.55.0 fixes the issue. 2026-01-21 not yet calculated CVE-2026-23516 https://github.com/cvat-ai/cvat/security/advisories/GHSA-3m7p-wx65-c7mp
https://github.com/cvat-ai/cvat/commit/40800707fe39e3ff76c8d036eb953eb12d764e70
 
cvat-ai--cvat CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.0.0 through 2.54.0, users that have the staff status may freely change their permissions, including giving themselves superuser status and joining the admin group, which gives them full access to the data in the CVAT instance. Version 2.55.0 fixes the issue. As a workaround, review the list of users with staff status and revoke it from any users that are not expected to have superuser privileges. 2026-01-21 not yet calculated CVE-2026-23526 https://github.com/cvat-ai/cvat/security/advisories/GHSA-7pvv-w55f-qmw7
https://github.com/cvat-ai/cvat/commit/88ac7aa4d5b52271a30f1aa387c0f5745f8f77d4
 
D-Link--D-View 8 D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other users, including super administrators. The exposed credential material can be reused directly as a valid authentication secret, allowing full impersonation of the targeted account. This results in complete account takeover and full administrative control over the D-View system. 2026-01-21 not yet calculated CVE-2026-23754 https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10471
https://www.vulncheck.com/advisories/dlink-dview-8-idor-allows-credential-disclosure-and-account-takeover
 
D-Link--D-View 8 D-Link D-View 8 versions 2.0.1.107 and below contain an uncontrolled search path vulnerability in the installer. When executed with elevated privileges via UAC, the installer attempts to load version.dll from its execution directory, allowing DLL preloading. An attacker can supply a malicious version.dll alongside the legitimate installer so that, when a victim runs the installer and approves the UAC prompt, attacker-controlled code executes with administrator privileges. This can lead to full system compromise. 2026-01-21 not yet calculated CVE-2026-23755 https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10471
https://www.vulncheck.com/advisories/dlink-dview-8-installer-dll-preloading-via-uncontrolled-search-path
 
daap-daap NULL pointer dereference in the daap_reply_groups function in src/httpd_daap.c in owntone-server through commit 5e6f19a (newer commit after version 28.2) allows remote attackers to cause a Denial of Service. 2026-01-20 not yet calculated CVE-2025-57155 https://github.com/owntone/owntone-server/commit/d857116e4143a500d6a1ea13f4baa057ba3b0028
https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md
 
dacp--dacp NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c in owntone-server through commit 6d604a1 (newer commit after version 28.12) allows remote attackers to cause a Denial of Service (crash). 2026-01-20 not yet calculated CVE-2025-57156 https://github.com/owntone/owntone-server/issues/1907
https://github.com/owntone/owntone-server/commit/5e4d40ee03ae22ab79534bb1410fa9db96c9fabd
https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md
 
dacp--dacp A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp.c) of owntone-server commit b7e385f allows attackers to cause a Denial of Service (DoS) via sending a crafted DACP request to the server. 2026-01-20 not yet calculated CVE-2025-63648 https://github.com/owntone/owntone-server/issues/1933
https://github.com/owntone/owntone-server/commit/5f526c7a7e08c567a5c72421d74a79dafdd07621
https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md
 
Damian--WP Popups Missing Authorization vulnerability in Damian WP Popups wp-popups-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Popups: from n/a through <= 2.2.0.3. 2026-01-23 not yet calculated CVE-2026-24616 https://patchstack.com/database/Wordpress/Plugin/wp-popups-lite/vulnerability/wordpress-wp-popups-plugin-2-2-0-3-broken-access-control-vulnerability?_s_id=cve
 
Daniel Iser--Easy Modal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Daniel Iser Easy Modal easy-modal allows Stored XSS. This issue affects Easy Modal: from n/a through <= 2.1.0. 2026-01-23 not yet calculated CVE-2026-24617 https://patchstack.com/database/Wordpress/Plugin/easy-modal/vulnerability/wordpress-easy-modal-plugin-2-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
dataease--dataease Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user's password as the JWT signing secret. This deterministic secret derivation allows an attacker to brute-force the admin's password by exploiting unmonitored API endpoints that verify JWT tokens. The vulnerability has been fixed in v2.10.19. No known workarounds are available. 2026-01-22 not yet calculated CVE-2026-23958 https://github.com/dataease/dataease/security/advisories/GHSA-5wvm-4m4q-rh7j
 
dataease--SQLBot SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.5.0 contain a missing authentication vulnerability in the /api/v1/datasource/uploadExcel endpoint, allowing a remote unauthenticated attacker to upload arbitrary Excel/CSV files and inject data directly into the PostgreSQL database. The endpoint is explicitly added to the authentication whitelist, causing the TokenMiddleware to bypass all token validation. Uploaded files are parsed by pandas and inserted into the database via to_sql() with if_exists='replace' mode. The vulnerability has been fixed in v1.5.0. No known workarounds are available. 2026-01-21 not yet calculated CVE-2025-69285 https://github.com/dataease/SQLBot/security/advisories/GHSA-crfm-cch4-hjpv
https://github.com/dataease/SQLBot/releases/tag/v1.5.0
 
Deetronix--Booking Ultra Pro Insertion of Sensitive Information Into Sent Data vulnerability in Deetronix Booking Ultra Pro booking-ultra-pro allows Retrieve Embedded Sensitive Data. This issue affects Booking Ultra Pro: from n/a through <= 1.1.23. 2026-01-22 not yet calculated CVE-2025-68006 https://patchstack.com/database/Wordpress/Plugin/booking-ultra-pro/vulnerability/wordpress-booking-ultra-pro-plugin-1-1-23-sensitive-data-exposure-vulnerability?_s_id=cve
 
Design--Stylish Cost Calculator Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Design Stylish Cost Calculator stylish-cost-calculator allows Stored XSS. This issue affects Stylish Cost Calculator: from n/a through <= 8.1.8. 2026-01-23 not yet calculated CVE-2026-24630 https://patchstack.com/database/Wordpress/Plugin/stylish-cost-calculator/vulnerability/wordpress-stylish-cost-calculator-plugin-8-1-8-cross-site-scripting-xss-vulnerability?_s_id=cve
 
designingmedia--Hostiko Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designingmedia Hostiko hostiko allows Reflected XSS. This issue affects Hostiko: from n/a through < 94.3.6. 2026-01-22 not yet calculated CVE-2025-67949 https://patchstack.com/database/Wordpress/Theme/hostiko/vulnerability/wordpress-hostiko-theme-94-3-6-cross-site-scripting-xss-vulnerability?_s_id=cve
 
designthemes--Kids Heaven Deserialization of Untrusted Data vulnerability in designthemes Kids Heaven kids-world allows Object Injection. This issue affects Kids Heaven: from n/a through <= 3.2. 2026-01-22 not yet calculated CVE-2025-67619 https://patchstack.com/database/Wordpress/Theme/kids-world/vulnerability/wordpress-kids-heaven-theme-3-2-php-object-injection-vulnerability?_s_id=cve
 
designthemes--OneLife Deserialization of Untrusted Data vulnerability in designthemes OneLife onelife allows Object Injection. This issue affects OneLife: from n/a through <= 3.9. 2026-01-22 not yet calculated CVE-2025-69002 https://patchstack.com/database/Wordpress/Theme/onelife/vulnerability/wordpress-onelife-theme-3-9-php-object-injection-vulnerability?_s_id=cve
 
designthemes--Reservation Plugin Missing Authorization vulnerability in designthemes Reservation Plugin dt-reservation-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Reservation Plugin: from n/a through <= 1.7. 2026-01-22 not yet calculated CVE-2025-69095 https://patchstack.com/database/Wordpress/Plugin/dt-reservation-plugin/vulnerability/wordpress-reservation-plugin-plugin-1-7-settings-change-vulnerability?_s_id=cve
 
designthemes--Vivagh Deserialization of Untrusted Data vulnerability in designthemes Vivagh vivagh allows Object Injection. This issue affects Vivagh: from n/a through <= 2.4. 2026-01-22 not yet calculated CVE-2025-68899 https://patchstack.com/database/Wordpress/Theme/vivagh/vulnerability/wordpress-vivagh-theme-2-4-php-object-injection-vulnerability?_s_id=cve
 
Devolutions--Server SQL Injection vulnerability in remote-sessions in Devolutions Server. This issue affects Devolutions Server 2025.3.1 through 2025.3.12 2026-01-19 not yet calculated CVE-2026-0610 https://devolutions.net/security/advisories/DEVO-2026-0003/
 
Devolutions--Server Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules. This issue affects Server: from 2025.3.1 through 2025.3.12. 2026-01-19 not yet calculated CVE-2026-1007 https://devolutions.net/security/advisories/DEVO-2026-0003/
 
DevsBlink--EduBlink Core Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DevsBlink EduBlink Core edublink-core allows PHP Local File Inclusion. This issue affects EduBlink Core: from n/a through <= 2.0.7. 2026-01-23 not yet calculated CVE-2026-24635 https://patchstack.com/database/Wordpress/Plugin/edublink-core/vulnerability/wordpress-edublink-core-plugin-2-0-7-local-file-inclusion-vulnerability?_s_id=cve
 
Devsbrain--Flex QR Code Generator Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Devsbrain Flex QR Code Generator flex-qr-code-generator allows DOM-Based XSS. This issue affects Flex QR Code Generator: from n/a through <= 1.2.8. 2026-01-23 not yet calculated CVE-2026-24614 https://patchstack.com/database/Wordpress/Plugin/flex-qr-code-generator/vulnerability/wordpress-flex-qr-code-generator-plugin-1-2-8-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Dimitri Grassi--Salon booking system Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Retrieve Embedded Sensitive Data. This issue affects Salon booking system: from n/a through <= 10.30.3. 2026-01-22 not yet calculated CVE-2025-67954 https://patchstack.com/database/Wordpress/Plugin/salon-booking-system/vulnerability/wordpress-salon-booking-system-plugin-10-30-3-sensitive-data-exposure-vulnerability?_s_id=cve
 
DioxusLabs--components Dioxus Components is a shadcn-style component library for the Dioxus app framework. Prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, `use_animated_open` formats a string for `eval` with an `id` that can be user supplied. Commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a patches the issue. 2026-01-23 not yet calculated CVE-2026-24474 https://github.com/DioxusLabs/components/security/advisories/GHSA-34pj-292j-xr69
https://github.com/DioxusLabs/components/commit/41e4242ecb1062d04ae42a5215363c1d9fd4e23a
 
Discord--Client Discord Client Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Discord Client. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the discord_rpc module. The product loads a file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-27057. 2026-01-23 not yet calculated CVE-2026-0776 ZDI-26-040
 
Dmytro Shteflyuk--CodeColorer Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dmytro Shteflyuk CodeColorer codecolorer allows Stored XSS. This issue affects CodeColorer: from n/a through <= 0.10.1. 2026-01-22 not yet calculated CVE-2025-68012 https://patchstack.com/database/Wordpress/Plugin/codecolorer/vulnerability/wordpress-codecolorer-plugin-0-10-1-stored-cross-site-scripting-xss-vulnerability?_s_id=cve
 
docmost--docmost Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting (XSS). The frontend can render attacker-controlled Mermaid diagrams using mermaid.render(), then inject the returned SVG/HTML into the DOM via dangerouslySetInnerHTML without sanitization. Mermaid per-diagram %%{init}%% directives allow overriding securityLevel and enabling htmlLabels, permitting arbitrary HTML/JS execution for any viewer. This issue has been fixed in version 0.24.0. 2026-01-21 not yet calculated CVE-2026-23630 https://github.com/docmost/docmost/security/advisories/GHSA-r4hj-mc62-jmwj
https://github.com/docmost/docmost/commit/cb9f27da9a8b4940760e37e5238a1eb91e427daf
https://github.com/docmost/docmost/releases/tag/v0.24.0
 
docopt.cpp--docopt.cpp A signed integer overflow in docopt.cpp v0.6.2 (LeafPattern::match in docopt_private.h) when merging occurrence counters (e.g., default LONG_MAX + first user "-v/--verbose") can cause counter wrap (negative/unbounded semantics) and lead to logic/policy bypass in applications that rely on occurrence-based limits, rate-gating, or safety toggles. In hardened builds (e.g., UBSan or -ftrapv), the overflow may also result in process abort (DoS). 2026-01-23 not yet calculated CVE-2025-67125 https://gist.github.com/thesmartshadow/672afe8828844c833f46f8ebe2f5f3bd
https://github.com/docopt/docopt.cpp
 
Doogee--Doogee An OS command injection vulnerability in the com.sprd.engineermode component in Doogee Note59, Note59 Pro, and Note59 Pro+ allows a local attacker to execute arbitrary code and escalate privileges via the EngineerMode ADB shell, due to incomplete patching of CVE-2025-31710 2026-01-23 not yet calculated CVE-2025-67264 http://doogee.com
https://github.com/Skorpion96/unisoc-su/blob/main/CVE-2025-67264.md
 
Dotstore--Fraud Prevention For Woocommerce Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Dotstore Fraud Prevention For Woocommerce woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers allows Retrieve Embedded Sensitive Data. This issue affects Fraud Prevention For Woocommerce: from n/a through <= 2.3.1. 2026-01-23 not yet calculated CVE-2026-24553 https://patchstack.com/database/Wordpress/Plugin/woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers/vulnerability/wordpress-fraud-prevention-for-woocommerce-plugin-2-3-1-sensitive-data-exposure-vulnerability?_s_id=cve
 
dragonflyoss--dragonfly Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1. 2026-01-22 not yet calculated CVE-2026-24124 https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-j8hf-cp34-g4j7
https://github.com/dragonflyoss/dragonfly/commit/9fb9a2dfde3100f32dc7f48eabee4c2b64eac55f
 
Dynamicweb--Dynamicweb An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again. Once an attacker is authenticated as the new admin user they have added, it is possible to upload an executable file and achieve command execution. This is fixed in 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, and 9.13.0 (and later). 2026-01-23 not yet calculated CVE-2022-25369 https://www.dynamicweb.com/resources/downloads?Category=Releases
https://www.assetnote.io/resources/research/advisory-dynamicweb-logic-flaw-leading-to-rce-cve-2022-25369
 
e-plugins--Final User Missing Authorization vulnerability in e-plugins Final User final-user allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Final User: from n/a through <= 1.2.5. 2026-01-22 not yet calculated CVE-2025-69187 https://patchstack.com/database/Wordpress/Plugin/final-user/vulnerability/wordpress-final-user-plugin-1-2-5-broken-access-control-vulnerability?_s_id=cve
 
e-plugins--Final User Incorrect Privilege Assignment vulnerability in e-plugins Final User final-user allows Privilege Escalation. This issue affects Final User: from n/a through <= 1.2.5. 2026-01-22 not yet calculated CVE-2025-69293 https://patchstack.com/database/Wordpress/Plugin/final-user/vulnerability/wordpress-final-user-plugin-1-2-5-privilege-escalation-vulnerability?_s_id=cve
 
e-plugins--fitness-trainer Missing Authorization vulnerability in e-plugins fitness-trainer fitness-trainer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects fitness-trainer: from n/a through <= 1.7.1. 2026-01-22 not yet calculated CVE-2025-69188 https://patchstack.com/database/Wordpress/Plugin/fitness-trainer/vulnerability/wordpress-fitness-trainer-plugin-1-7-1-broken-access-control-vulnerability?_s_id=cve
 
e-plugins--Hospital Doctor Directory Missing Authorization vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9. 2026-01-22 not yet calculated CVE-2025-68057 https://patchstack.com/database/Wordpress/Plugin/hospital-doctor-directory/vulnerability/wordpress-hospital-doctor-directory-plugin-1-3-9-broken-access-control-vulnerability-2?_s_id=cve
 
e-plugins--Hospital Doctor Directory Incorrect Privilege Assignment vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Privilege Escalation. This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9. 2026-01-22 not yet calculated CVE-2025-69183 https://patchstack.com/database/Wordpress/Plugin/hospital-doctor-directory/vulnerability/wordpress-hospital-doctor-directory-plugin-1-3-9-privilege-escalation-vulnerability?_s_id=cve
 
e-plugins--Hospital Doctor Directory Missing Authorization vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9. 2026-01-22 not yet calculated CVE-2025-69186 https://patchstack.com/database/Wordpress/Plugin/hospital-doctor-directory/vulnerability/wordpress-hospital-doctor-directory-plugin-1-3-9-broken-access-control-vulnerability?_s_id=cve
 
e-plugins--Hotel Listing Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hotel Listing: from n/a through <= 1.4.2. 2026-01-22 not yet calculated CVE-2025-68059 https://patchstack.com/database/Wordpress/Plugin/hotel-listing/vulnerability/wordpress-hotel-listing-plugin-1-4-2-broken-access-control-vulnerability-2?_s_id=cve
 
e-plugins--Hotel Listing Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Hotel Listing hotel-listing allows Reflected XSS. This issue affects Hotel Listing: from n/a through <= 1.4.0. 2026-01-22 not yet calculated CVE-2025-69056 https://patchstack.com/database/Wordpress/Plugin/hotel-listing/vulnerability/wordpress-hotel-listing-plugin-1-4-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
e-plugins--Hotel Listing Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hotel Listing: from n/a through <= 1.4.2. 2026-01-22 not yet calculated CVE-2025-69185 https://patchstack.com/database/Wordpress/Plugin/hotel-listing/vulnerability/wordpress-hotel-listing-plugin-1-4-2-broken-access-control-vulnerability?_s_id=cve
 
e-plugins--Institutions Directory Missing Authorization vulnerability in e-plugins Institutions Directory institutions-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Institutions Directory: from n/a through <= 1.3..4. 2026-01-22 not yet calculated CVE-2025-68058 https://patchstack.com/database/Wordpress/Plugin/institutions-directory/vulnerability/wordpress-institutions-directory-plugin-1-3-4-broken-access-control-vulnerability-2?_s_id=cve
 
e-plugins--Institutions Directory Incorrect Privilege Assignment vulnerability in e-plugins Institutions Directory institutions-directory allows Privilege Escalation. This issue affects Institutions Directory: from n/a through <= 1.3.4. 2026-01-22 not yet calculated CVE-2025-69182 https://patchstack.com/database/Wordpress/Plugin/institutions-directory/vulnerability/wordpress-institutions-directory-plugin-1-3-4-privilege-escalation-vulnerability?_s_id=cve
 
e-plugins--Institutions Directory Missing Authorization vulnerability in e-plugins Institutions Directory institutions-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Institutions Directory: from n/a through <= 1.3.4. 2026-01-22 not yet calculated CVE-2025-69184 https://patchstack.com/database/Wordpress/Plugin/institutions-directory/vulnerability/wordpress-institutions-directory-plugin-1-3-4-broken-access-control-vulnerability?_s_id=cve
 
e-plugins--Lawyer Directory Incorrect Privilege Assignment vulnerability in e-plugins Lawyer Directory lawyer-directory allows Privilege Escalation. This issue affects Lawyer Directory: from n/a through <= 1.3.3. 2026-01-22 not yet calculated CVE-2025-67966 https://patchstack.com/database/Wordpress/Plugin/lawyer-directory/vulnerability/wordpress-lawyer-directory-plugin-1-3-3-privilege-escalation-vulnerability?_s_id=cve
 
e-plugins--Lawyer Directory Missing Authorization vulnerability in e-plugins Lawyer Directory lawyer-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lawyer Directory: from n/a through <= 1.3.3. 2026-01-22 not yet calculated CVE-2025-67967 https://patchstack.com/database/Wordpress/Plugin/lawyer-directory/vulnerability/wordpress-lawyer-directory-plugin-1-3-3-broken-access-control-vulnerability?_s_id=cve
 
e-plugins--Lawyer Directory Missing Authorization vulnerability in e-plugins Lawyer Directory lawyer-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lawyer Directory: from n/a through <= 1.3.4. 2026-01-22 not yet calculated CVE-2025-69181 https://patchstack.com/database/Wordpress/Plugin/lawyer-directory/vulnerability/wordpress-lawyer-directory-plugin-1-3-4-broken-access-control-vulnerability?_s_id=cve
 
e-plugins--Listihub Missing Authorization vulnerability in e-plugins Listihub listihub allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Listihub: from n/a through <= 1.0.6. 2026-01-22 not yet calculated CVE-2025-69190 https://patchstack.com/database/Wordpress/Theme/listihub/vulnerability/wordpress-listihub-theme-1-0-6-broken-access-control-vulnerability?_s_id=cve
 
e-plugins--ListingHub Missing Authorization vulnerability in e-plugins ListingHub listinghub allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingHub: from n/a through <= 1.2.7. 2026-01-22 not yet calculated CVE-2025-69191 https://patchstack.com/database/Wordpress/Plugin/listinghub/vulnerability/wordpress-listinghub-plugin-1-2-7-broken-access-control-vulnerability?_s_id=cve
 
e-plugins--Real Estate Pro Missing Authorization vulnerability in e-plugins Real Estate Pro real-estate-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Real Estate Pro: from n/a through <= 2.1.5. 2026-01-22 not yet calculated CVE-2025-69192 https://patchstack.com/database/Wordpress/Plugin/real-estate-pro/vulnerability/wordpress-real-estate-pro-plugin-2-1-5-broken-access-control-vulnerability?_s_id=cve
 
e-plugins--WP Membership Missing Authorization vulnerability in e-plugins WP Membership wp-membership allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Membership: from n/a through <= 1.6.4. 2026-01-22 not yet calculated CVE-2025-69193 https://patchstack.com/database/Wordpress/Plugin/wp-membership/vulnerability/wordpress-wp-membership-plugin-1-6-4-broken-access-control-vulnerability?_s_id=cve
 
e-plugins--WP Membership Incorrect Privilege Assignment vulnerability in e-plugins WP Membership wp-membership allows Privilege Escalation. This issue affects WP Membership: from n/a through <= 1.6.4. 2026-01-22 not yet calculated CVE-2025-69292 https://patchstack.com/database/Wordpress/Plugin/wp-membership/vulnerability/wordpress-wp-membership-plugin-1-6-4-privilege-escalation-vulnerability?_s_id=cve
 
Ecwid by Lightspeed Ecommerce Shopping Cart--Ecwid Shopping Cart Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.5. 2026-01-23 not yet calculated CVE-2026-24580 https://patchstack.com/database/Wordpress/Plugin/ecwid-shopping-cart/vulnerability/wordpress-ecwid-shopping-cart-plugin-7-0-5-broken-access-control-vulnerability?_s_id=cve
 
Ecwid by Lightspeed Ecommerce Shopping Cart--Ecwid Shopping Cart Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.5. 2026-01-23 not yet calculated CVE-2026-24613 https://patchstack.com/database/Wordpress/Plugin/ecwid-shopping-cart/vulnerability/wordpress-ecwid-shopping-cart-plugin-7-0-5-broken-access-control-vulnerability-2?_s_id=cve
 
Edge-Themes--Eldon Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Eldon eldon allows PHP Local File Inclusion. This issue affects Eldon: from n/a through <= 1.0. 2026-01-22 not yet calculated CVE-2025-69057 https://patchstack.com/database/Wordpress/Theme/eldon/vulnerability/wordpress-eldon-theme-1-0-local-file-inclusion-vulnerability?_s_id=cve
 
Edge-Themes--Overworld Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Overworld overworld allows PHP Local File Inclusion. This issue affects Overworld: from n/a through <= 1.3. 2026-01-22 not yet calculated CVE-2025-69050 https://patchstack.com/database/Wordpress/Theme/overworld/vulnerability/wordpress-overworld-theme-1-3-local-file-inclusion-vulnerability?_s_id=cve
 
Elated-Themes--Laurent Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent laurent allows PHP Local File Inclusion. This issue affects Laurent: from n/a through <= 3.1. 2026-01-23 not yet calculated CVE-2026-24609 https://patchstack.com/database/Wordpress/Theme/laurent/vulnerability/wordpress-laurent-theme-3-1-local-file-inclusion-vulnerability?_s_id=cve
 
Elated-Themes--Laurent Core Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent Core laurent-core allows PHP Local File Inclusion. This issue affects Laurent Core: from n/a through <= 2.4.1. 2026-01-23 not yet calculated CVE-2026-24608 https://patchstack.com/database/Wordpress/Plugin/laurent-core/vulnerability/wordpress-laurent-core-plugin-2-4-1-local-file-inclusion-vulnerability?_s_id=cve
 
Elated-Themes--Search & Go Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Search & Go search-and-go allows PHP Local File Inclusion. This issue affects Search & Go: from n/a through <= 2.8. 2026-01-22 not yet calculated CVE-2025-69005 https://patchstack.com/database/Wordpress/Theme/search-and-go/vulnerability/wordpress-search-go-theme-2-8-local-file-inclusion-vulnerability?_s_id=cve
 
Elated-Themes--Sweet Jane Authorization Bypass Through User-Controlled Key vulnerability in Elated-Themes Sweet Jane sweetjane allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sweet Jane: from n/a through <= 1.2. 2026-01-22 not yet calculated CVE-2026-22426 https://patchstack.com/database/Wordpress/Theme/sweetjane/vulnerability/wordpress-sweet-jane-theme-1-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Elated-Themes--Tbel Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Töbel tobel allows PHP Local File Inclusion. This issue affects Töbel: from n/a through <= 1.6. 2026-01-22 not yet calculated CVE-2025-69049 https://patchstack.com/database/Wordpress/Theme/tobel/vulnerability/wordpress-toebel-theme-1-6-local-file-inclusion-vulnerability?_s_id=cve
 
Elated-Themes--The Aisle Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes The Aisle theaisle allows PHP Local File Inclusion. This issue affects The Aisle: from n/a through < 2.9.1. 2026-01-22 not yet calculated CVE-2025-67941 https://patchstack.com/database/Wordpress/Theme/theaisle/vulnerability/wordpress-the-aisle-theme-2-9-1-local-file-inclusion-vulnerability?_s_id=cve
 
Element Invader--Element Invader – Template Kits for Elementor Missing Authorization vulnerability in Element Invader Element Invader &#8211; Template Kits for Elementor elementinvader allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Element Invader &#8211; Template Kits for Elementor: from n/a through <= 1.2.4. 2026-01-22 not yet calculated CVE-2026-24386 https://patchstack.com/database/Wordpress/Plugin/elementinvader/vulnerability/wordpress-element-invader-template-kits-for-elementor-plugin-1-2-4-broken-access-control-vulnerability?_s_id=cve
 
Enel X--JuiceBox 40 Enel X JuiceBox 40 Telnet Service Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Enel X JuiceBox 40 charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the telnet service, which listens on TCP port 2000 by default. The issue results from the lack of authentication prior to allowing remote connections. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23285. 2026-01-23 not yet calculated CVE-2026-0778 ZDI-26-041
 
esphome--esphome ESPHome is a system to control microcontrollers remotely through Home Automation systems. In versions 2025.9.0 through 2025.12.6, an integer overflow in the API component's protobuf decoder allows denial-of-service attacks when API encryption is not used. The bounds check `ptr + field_length > end` in `components/api/proto.cpp` can overflow when a malicious client sends a large `field_length` value. This affects all ESPHome device platforms (ESP32, ESP8266, RP2040, LibreTiny). The overflow bypasses the out-of-bounds check, causing the device to read invalid memory and crash. When using the plaintext API protocol, this attack can be performed without authentication. When noise encryption is enabled, knowledge of the encryption key is required. Users should upgrade to ESPHome 2025.12.7 or later to receive a patch, enable API encryption with a unique key per device, and follow the Security Best Practices. 2026-01-19 not yet calculated CVE-2026-23833 https://github.com/esphome/esphome/security/advisories/GHSA-4h3h-63v6-88qx
https://github.com/esphome/esphome/pull/13306
https://github.com/esphome/esphome/commit/69d7b6e9210390051318bd8e6410727689de08d6
https://esphome.io/guides/security_best_practices
 
Essekia--Tablesome Missing Authorization vulnerability in Essekia Tablesome tablesome allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tablesome: from n/a through <= 1.1.35.2. 2026-01-23 not yet calculated CVE-2026-24524 https://patchstack.com/database/Wordpress/Plugin/tablesome/vulnerability/wordpress-tablesome-plugin-1-1-35-2-broken-access-control-vulnerability?_s_id=cve
 
Event Espresso--Event Espresso 4 Decaf Missing Authorization vulnerability in Event Espresso Event Espresso 4 Decaf event-espresso-decaf allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Event Espresso 4 Decaf: from n/a through <= 5.0.37.decaf. 2026-01-22 not yet calculated CVE-2025-68007 https://patchstack.com/database/Wordpress/Plugin/event-espresso-decaf/vulnerability/wordpress-event-espresso-4-decaf-plugin-5-0-37-decaf-settings-change-vulnerability?_s_id=cve
 
EVerest--everest-core EVerest is an EV charging software stack. Prior to version 2025.12.0, `is_message_crc_correct` in the DZG_GSH01 powermeter SLIP parser reads `vec[vec.size()-1]` and `vec[vec.size()-2]` without checking that at least two bytes are present. Malformed SLIP frames on the serial link can reach `is_message_crc_correct` with `vec.size() < 2` (only via the multi-message path), causing an out-of-bounds read before CRC verification and `pop_back` underflow. Therefore, an attacker controlling the serial input can reliably crash the process. Version 2025.12.0 fixes the issue. 2026-01-21 not yet calculated CVE-2025-68132 https://github.com/EVerest/everest-core/security/advisories/GHSA-79gc-m8w6-9hx5
https://github.com/EVerest/everest-core/commit/b8139b95144e3fe0082789b7fafe4e532ee494a1
 
ExpressTech Systems--Quiz And Survey Master Missing Authorization vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Quiz And Survey Master: from n/a through <= 10.3.3. 2026-01-22 not yet calculated CVE-2026-24358 https://patchstack.com/database/Wordpress/Plugin/quiz-master-next/vulnerability/wordpress-quiz-and-survey-master-plugin-10-3-3-broken-access-control-vulnerability?_s_id=cve
 
expresstechsoftware--MemberPress Discord Addon Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in expresstechsoftware MemberPress Discord Addon expresstechsoftwares-memberpress-discord-add-on allows Reflected XSS. This issue affects MemberPress Discord Addon: from n/a through <= 1.1.4. 2026-01-22 not yet calculated CVE-2025-68838 https://patchstack.com/database/Wordpress/Plugin/expresstechsoftwares-memberpress-discord-add-on/vulnerability/wordpress-memberpress-discord-addon-plugin-1-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
external-secrets--external-secrets External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function, while introduced for senhasegura Devops Secrets Management (DSM) provider, has the ability to fetch secrets cross-namespaces with the roleBinding of the external-secrets controller, bypassing our security mechanisms. This function was completely removed in version 1.2.0, as everything done with that templating function can be done in a different way while respecting External Secrets Operator's safeguards As a workaround, use a policy engine such as Kubernetes, Kyverno, Kubewarden, or OPA to prevent the usage of `getSecretKey` in any ExternalSecret resource. 2026-01-21 not yet calculated CVE-2026-22822 https://github.com/external-secrets/external-secrets/security/advisories/GHSA-77v3-r3jw-j2v2
https://github.com/external-secrets/external-secrets/issues/5690
https://github.com/external-secrets/external-secrets/pull/3895
https://github.com/external-secrets/external-secrets/commit/17d3e22b8d3fbe339faf8515a95ec06ec92b1feb
https://github.com/external-secrets/external-secrets/releases/tag/v1.2.0
 
extremeidea--bidorbuy Store Integrator Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in extremeidea bidorbuy Store Integrator bidorbuystoreintegrator allows Reflected XSS. This issue affects bidorbuy Store Integrator: from n/a through <= 2.12.0. 2026-01-22 not yet calculated CVE-2025-68883 https://patchstack.com/database/Wordpress/Plugin/bidorbuystoreintegrator/vulnerability/wordpress-bidorbuy-store-integrator-plugin-2-12-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Farost--Energia Unrestricted Upload of File with Dangerous Type vulnerability in Farost Energia energia allows Upload a Web Shell to a Web Server. This issue affects Energia: from n/a through <= 1.1.2. 2026-01-22 not yet calculated CVE-2025-50002 https://patchstack.com/database/Wordpress/Theme/energia/vulnerability/wordpress-energia-theme-1-1-2-arbitrary-file-upload-vulnerability?_s_id=cve
 
favethemes--Homey Core Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Homey Core homey-core allows Reflected XSS. This issue affects Homey Core: from n/a through <= 2.4.3. 2026-01-22 not yet calculated CVE-2025-67964 https://patchstack.com/database/Wordpress/Plugin/homey-core/vulnerability/wordpress-homey-core-plugin-2-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
favethemes--Houzez Theme - Functionality Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez Theme - Functionality houzez-theme-functionality allows Stored XSS. This issue affects Houzez Theme - Functionality: from n/a through <= 4.2.6. 2026-01-22 not yet calculated CVE-2026-24355 https://patchstack.com/database/Wordpress/Plugin/houzez-theme-functionality/vulnerability/wordpress-houzez-theme-functionality-plugin-4-2-6-cross-site-scripting-xss-vulnerability?_s_id=cve
 
FireStorm Plugins--FireStorm Professional Real Estate Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FireStorm Plugins FireStorm Professional Real Estate fs-real-estate-plugin allows Blind SQL Injection. This issue affects FireStorm Professional Real Estate: from n/a through <= 2.7.11. 2026-01-22 not yet calculated CVE-2026-22470 https://patchstack.com/database/Wordpress/Plugin/fs-real-estate-plugin/vulnerability/wordpress-firestorm-professional-real-estate-plugin-2-7-11-sql-injection-vulnerability?_s_id=cve
 
fleetdm--fleet fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token (FLEET::auth_token) from localStorage. This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. Versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM. 2026-01-21 not yet calculated CVE-2026-22808 https://github.com/fleetdm/fleet/security/advisories/GHSA-gfpw-jgvr-cw4j
 
fleetdm--fleet Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations. Fleet's debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege "Observer" role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist as a workaround. 2026-01-21 not yet calculated CVE-2026-23517 https://github.com/fleetdm/fleet/security/advisories/GHSA-4r5r-ccr6-q6f6
https://github.com/fleetdm/fleet/commit/5c030e32a3a9bc512355b5e1bf19636e4e6d0317
 
fleetdm--fleet Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM. 2026-01-21 not yet calculated CVE-2026-23518 https://github.com/fleetdm/fleet/security/advisories/GHSA-63m5-974w-448v
https://github.com/fleetdm/fleet/commit/e225ef57912c8f4ac8977e24b5ebe1d9fd875257
 
flexostudio--flexo-posts-manager Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexostudio flexo-posts-manager flexo-posts-manager allows Reflected XSS. This issue affects flexo-posts-manager: from n/a through <= 1.0001. 2026-01-22 not yet calculated CVE-2025-52762 https://patchstack.com/database/Wordpress/Plugin/flexo-posts-manager/vulnerability/wordpress-flexo-posts-manager-plugin-1-0001-cross-site-scripting-xss-vulnerability?_s_id=cve
 
FmeAddons--Registration & Login with Mobile Phone Number for WooCommerce Missing Authorization vulnerability in FmeAddons Registration & Login with Mobile Phone Number for WooCommerce registration-login-with-mobile-phone-number allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Registration & Login with Mobile Phone Number for WooCommerce: from n/a through <= 1.3.1. 2026-01-22 not yet calculated CVE-2025-69052 https://patchstack.com/database/Wordpress/Plugin/registration-login-with-mobile-phone-number/vulnerability/wordpress-registration-login-with-mobile-phone-number-for-woocommerce-plugin-1-2-9-broken-access-control-vulnerability?_s_id=cve
 
FooEvents--FooEvents for WooCommerce Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FooEvents FooEvents for WooCommerce fooevents allows SQL Injection. This issue affects FooEvents for WooCommerce: from n/a through <= 1.20.4. 2026-01-22 not yet calculated CVE-2025-69045 https://patchstack.com/database/Wordpress/Plugin/fooevents/vulnerability/wordpress-fooevents-for-woocommerce-plugin-1-20-4-sql-injection-vulnerability?_s_id=cve
 
foreverpinetree--TheNa Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree TheNa thena allows Reflected XSS. This issue affects TheNa: from n/a through <= 1.5.5. 2026-01-22 not yet calculated CVE-2025-67614 https://patchstack.com/database/Wordpress/Theme/thena/vulnerability/wordpress-thena-theme-1-5-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Foundation Agents--MetaGPT Foundation Agents MetaGPT deserialize_message Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foundation Agents MetaGPT. Authentication is not required to exploit this vulnerability. The specific flaw exists within the deserialize_message function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28121. 2026-01-23 not yet calculated CVE-2026-0760 ZDI-26-026
 
Foundation Agents--MetaGPT Foundation Agents MetaGPT actionoutput_str_to_mapping Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foundation Agents MetaGPT. Authentication is not required to exploit this vulnerability. The specific flaw exists within the actionoutput_str_to_mapping function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28124. 2026-01-23 not yet calculated CVE-2026-0761 ZDI-26-027
 
Framelink--Figma MCP Server Framelink Figma MCP Server fetchWithRetry Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Framelink Figma MCP Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the fetchWithRetry method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27877. 2026-01-23 not yet calculated CVE-2025-15061 ZDI-25-1197
vendor-provided URL
 
Frank Corso--Quote Master Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Frank Corso Quote Master quote-master allows Reflected XSS. This issue affects Quote Master: from n/a through <= 7.1.1. 2026-01-22 not yet calculated CVE-2025-68849 https://patchstack.com/database/Wordpress/Plugin/quote-master/vulnerability/wordpress-quote-master-plugin-7-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
franklioxygen--MyTube MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export endpoint, enabling low-privileged users to access sensitive data they should not have permission to view. 2026-01-23 not yet calculated CVE-2026-24139 https://github.com/franklioxygen/MyTube/security/advisories/GHSA-hhc3-8q8c-89q7
https://github.com/franklioxygen/MyTube/commit/e271775e27d51b26e54731b7b874447f47a1f280
 
Free5GC--Free5GC An issue was discovered in Free5gc NRF 1.4.0. In the access-token generation logic of free5GC, the AccessTokenScopeCheck() function in file internal/sbi/processor/access_token.go bypasses all scope validation when the attacker uses a crafted targetNF value. This allows attackers to obtain an access token with any arbitrary scope. 2026-01-23 not yet calculated CVE-2025-66719 https://github.com/free5gc/free5gc/issues/736
https://github.com/free5gc/nrf/pull/73
 
Free5GC--Free5GC Null pointer dereference in free5gc pcf 1.4.0 in file internal/sbi/processor/ampolicy.go in function HandleDeletePoliciesPolAssoId. 2026-01-23 not yet calculated CVE-2025-66720 https://github.com/free5gc/free5gc/issues/726
https://github.com/free5gc/pcf/pull/57
 
FreeRDP--FreeRDP FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0,`freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. 2026-01-19 not yet calculated CVE-2026-23530 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-r4hv-852m-fq7p
https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L1689-L1696
https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L1713-L1716
https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L951-L953
https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0
 
FreeRDP--FreeRDP FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. 2026-01-19 not yet calculated CVE-2026-23531 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xj5h-9cr5-23c5
https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L1139-L1145
https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0
 
FreeRDP--FreeRDP FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client's `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. 2026-01-19 not yet calculated CVE-2026-23532 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fq8c-87hj-7gvr
https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/gdi/gfx.c#L1368-L1382
https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0
 
FreeRDP--FreeRDP FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec decode path when maliciously crafted residual data causes out-of-bounds writes during color output. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. 2026-01-19 not yet calculated CVE-2026-23533 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-32q9-m5qr-9j2v
https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L268-L281
https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L336
https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0
 
FreeRDP--FreeRDP FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. 2026-01-19 not yet calculated CVE-2026-23534 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3frr-mp8w-4599
https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L878-L879
https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L883-L884
https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0
 
FreeRDP--FreeRDP FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, FastGlyph parsing trusts `cbData`/remaining length and never validates against the minimum size implied by `cx/cy`. A malicious server can trigger a client‑side global buffer overflow, causing a crash (DoS). Version 3.21.0 contains a patch for the issue. 2026-01-19 not yet calculated CVE-2026-23732 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7qxp-j2fj-c3pp
https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/cache/glyph.c#L463-L480
https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/codec/color.c#L261-L277
https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/core/graphics.c#L138
https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/core/orders.c#L2186C17-L2199
https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0
 
FreeRDP--FreeRDP FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering ASan UAF. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. 2026-01-19 not yet calculated CVE-2026-23883 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qcrr-85qx-4p6x
https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_graphics.c#L312-L319
https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_graphics.c#L340
https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/pointer.c#L164-L174
https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0
 
FreeRDP--FreeRDP FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, offscreen bitmap deletion leaves `gdi->drawing` pointing to freed memory, causing UAF when related update packets arrive. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. 2026-01-19 not yet calculated CVE-2026-23884 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cfgj-vc84-f3pp
https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/offscreen.c#L114-L122
https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/offscreen.c#L87-L91
https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0
 
Fsas Technologies Inc.--ServerView Agents for Windows The installer of ServerView Agents for Windows provided by Fsas Technologies Inc. may insecurely load Dynamic Link Libraries. Arbitrary code may be executed with the administrator privilege when the installer is executed. 2026-01-21 not yet calculated CVE-2026-24016 https://www.fsastech.com/ja-jp/resources/security/2026/0121.html
https://jvn.jp/en/jp/JVN65211823/
 
fuelthemes--North Deserialization of Untrusted Data vulnerability in fuelthemes North north-wp allows Object Injection. This issue affects North: from n/a through <= 5.7.5. 2026-01-22 not yet calculated CVE-2025-69099 https://patchstack.com/database/Wordpress/Theme/north-wp/vulnerability/wordpress-north-theme-5-7-5-php-object-injection-vulnerability?_s_id=cve
 
fuelthemes--North Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes North north-wp allows PHP Local File Inclusion. This issue affects North: from n/a through <= 5.7.5. 2026-01-22 not yet calculated CVE-2025-69100 https://patchstack.com/database/Wordpress/Theme/north-wp/vulnerability/wordpress-north-theme-5-7-5-local-file-inclusion-vulnerability?_s_id=cve
 
fuelthemes--Werkstatt Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes Werkstatt werkstatt allows PHP Local File Inclusion. This issue affects Werkstatt: from n/a through < 4.8.3. 2026-01-22 not yet calculated CVE-2025-69314 https://patchstack.com/database/Wordpress/Theme/werkstatt/vulnerability/wordpress-werkstatt-theme-4-8-3-local-file-inclusion-vulnerability?_s_id=cve
 
fuelthemes--WerkStatt Plugin Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes WerkStatt Plugin werkstatt-plugin allows PHP Local File Inclusion. This issue affects WerkStatt Plugin: from n/a through <= 1.6.6. 2026-01-22 not yet calculated CVE-2025-63017 https://patchstack.com/database/Wordpress/Plugin/werkstatt-plugin/vulnerability/wordpress-werkstatt-plugin-plugin-1-6-6-local-file-inclusion-vulnerability?_s_id=cve
 
garidium--g-FFL Checkout Unrestricted Upload of File with Dangerous Type vulnerability in garidium g-FFL Checkout g-ffl-checkout allows Upload a Web Shell to a Web Server. This issue affects g-FFL Checkout: from n/a through <= 2.1.0. 2026-01-22 not yet calculated CVE-2025-68001 https://patchstack.com/database/Wordpress/Plugin/g-ffl-checkout/vulnerability/wordpress-g-ffl-checkout-plugin-2-1-0-arbitrary-file-upload-vulnerability?_s_id=cve
 
Gemini MCP Tool--gemini-mcp-tool gemini-mcp-tool execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of gemini-mcp-tool. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the execAsync method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27783. 2026-01-23 not yet calculated CVE-2026-0755 ZDI-26-021
 
gemsloyalty--gemsloyalty A vulnerability in the PHP backend of gemsloyalty.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to public API endpoints, exposing potentially sensitive information useful for further exploitation. This issue is classified under CWE-209: Information Exposure Through an Error Message. 2026-01-23 not yet calculated CVE-2025-52022 http://aptsys.com
https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39
 
gemsloyalty--gemsloyalty A vulnerability in the PHP backend of gemscms.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to public API endpoints, exposing potentially sensitive information useful for further exploitation. This issue is classified under CWE-209: Information Exposure Through an Error Message. 2026-01-23 not yet calculated CVE-2025-52023 http://aptsys.com
http://gemscms.com
https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39
 
gemsloyalty--gemsloyalty A vulnerability exists in the Aptsys POS Platform Web Services module thru 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services, each with an HTML form for submitting test input. These panels are intended for developer use, but are accessible in production environments with no authentication or session validation. This grants any external actor the ability to discover, test, and execute API endpoints that perform critical functions including but not limited to user transaction retrieval, credit adjustments, POS actions, and internal data queries. 2026-01-23 not yet calculated CVE-2025-52024 http://aptsys.com
https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39
 
gemsloyalty--gemsloyalty An SQL Injection vulnerability exists in the GetServiceByRestaurantID endpoint of the Aptsys gemscms POS Platform backend thru 2025-05-28. The vulnerability arises because user input is directly inserted into a dynamic SQL query syntax without proper sanitization or parameterization. This allows an attacker to inject and execute arbitrary SQL code by submitting crafted input in the id parameter, leading to unauthorized data access or modification. 2026-01-23 not yet calculated CVE-2025-52025 http://aptsys.com
https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39
 
Genetech Products--Pie Register Missing Authorization vulnerability in Genetech Products Pie Register pie-register allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pie Register: from n/a through <= 3.8.4.7. 2026-01-23 not yet calculated CVE-2026-24577 https://patchstack.com/database/Wordpress/Plugin/pie-register/vulnerability/wordpress-pie-register-plugin-3-8-4-7-broken-access-control-vulnerability?_s_id=cve
 
Get-Simple--My SMTP Contact Plugin GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server. 2026-01-21 not yet calculated CVE-2021-47778 ExploitDB-49774
Vendor Homepage
GetSimple CMS GitHub Repository
Full Disclosure Repository
VulnCheck Advisory: GetSimple CMS My SMTP Contact Plugin 1.1.2 - PHP Code Injection
 
getarcaneapp--arcane Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing access to remote environment resources without authentication. The environment proxy middleware handled `/api/environments/{id}/...` requests for remote environments before authentication was enforced. When the environment ID was not local, the middleware proxied the request and attached the manager-held agent token, even if the caller was unauthenticated. This enabled unauthenticated access to remote environment operations (e.g., listing containers, streaming logs, or other agent endpoints). An unauthenticated attacker could access and manipulate remote environment resources via the proxy, potentially leading to data exposure, unauthorized changes, or service disruption. Version 1.13.2 patches the vulnerability. 2026-01-19 not yet calculated CVE-2026-23944 https://github.com/getarcaneapp/arcane/security/advisories/GHSA-2jv8-39rp-cqqr
https://github.com/getarcaneapp/arcane/pull/1532
https://github.com/getarcaneapp/arcane/commit/2008e1b93b25d0c4c3fff3af07843766231614eb
https://github.com/getarcaneapp/arcane/releases/tag/v1.13.2
 
GetSimple CMS--My SMTP Contact Plugin GetSimple CMS My SMTP Contact Plugin 1.1.1 contains a cross-site request forgery (CSRF) vulnerability. Attackers can craft a malicious webpage that, when visited by an authenticated administrator, can change SMTP configuration settings in the plugin. This may allow unauthorized changes but does not directly enable remote code execution. 2026-01-21 not yet calculated CVE-2021-47830 ExploitDB-49774
ExploitDB-49798
GetSimple CMS Webpage
GetSimple CMS GitHub Repository
VulnCheck Advisory: GetSimple CMS My SMTP Contact Plugin 1.1.1 - CSRF
 
GetSimple CMS--My SMTP Contact Plugin GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to inject arbitrary client-side code that executes in the administrator's browser when visiting a malicious page. 2026-01-21 not yet calculated CVE-2021-47870 Full Disclosure Repository
Vendor Homepage
GetSimple CMS GitHub Repository
ExploitDB-49798
VulnCheck Advisory: GetSimple CMS My SMTP Contact Plugin 1.1.2 - Stored XSS
 
GIMP--GIMP GIMP PSP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PSP files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28232. 2026-01-23 not yet calculated CVE-2025-15059 ZDI-25-1196
vendor-provided URL
 
Gitea--Gitea Open Source Git Server Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content. 2026-01-22 not yet calculated CVE-2026-0798 GitHub Security Advisory
GitHub Pull Request #36319
Gitea v1.25.4 Release
Gitea v1.25.4 Release Blog Post
 
Gitea--Gitea Open Source Git Server Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access. 2026-01-22 not yet calculated CVE-2026-20736 GitHub Security Advisory
GitHub Pull Request #36320
Gitea v1.25.4 Release
Gitea v1.25.4 Release Blog Post
 
Gitea--Gitea Open Source Git Server Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization. 2026-01-22 not yet calculated CVE-2026-20750 GitHub Security Advisory
GitHub Pull Request #36318
GitHub Pull Request #36373
Gitea v1.25.4 Release
Gitea v1.25.4 Release Blog Post
 
Gitea--Gitea Open Source Git Server Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications. 2026-01-22 not yet calculated CVE-2026-20800 GitHub Security Advisory
GitHub Pull Request #36339
Gitea v1.25.4 Release
Gitea v1.25.4 Release Blog Post
 
Gitea--Gitea Open Source Git Server Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches. 2026-01-22 not yet calculated CVE-2026-20883 GitHub Security Advisory
GitHub Pull Request #36340
GitHub Pull Request #36368
Gitea v1.25.4 Release
Gitea v1.25.4 Release Blog Post
 
Gitea--Gitea Open Source Git Server Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users. 2026-01-22 not yet calculated CVE-2026-20888 GitHub Security Advisory
GitHub Pull Request #36341
GitHub Pull Request #36356
Gitea v1.25.4 Release
Gitea v1.25.4 Release Blog Post
 
Gitea--Gitea Open Source Git Server Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories. 2026-01-22 not yet calculated CVE-2026-20897 GitHub Security Advisory
GitHub Pull Request #36344
GitHub Pull Request #36349
Gitea v1.25.4 Release
Gitea v1.25.4 Release Blog Post
 
Gitea--Gitea Open Source Git Server Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities. 2026-01-22 not yet calculated CVE-2026-20904 GitHub Security Advisory
GitHub Pull Request #36346
GitHub Pull Request #36361
Gitea v1.25.4 Release
Gitea v1.25.4 Release Blog Post
 
Gitea--Gitea Open Source Git Server Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users. 2026-01-22 not yet calculated CVE-2026-20912 GitHub Security Advisory
GitHub Pull Request #36320
GitHub Pull Request #36355
Gitea v1.25.4 Release
Gitea v1.25.4 Release Blog Post
 
github-kanban-mcp-server--github-kanban-mcp-server github-kanban-mcp-server execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of github-kanban-mcp-server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the create_issue parameter. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27784. 2026-01-23 not yet calculated CVE-2026-0756 ZDI-26-022
 
GLS--GLS Shipping for WooCommerce Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GLS GLS Shipping for WooCommerce gls-shipping-for-woocommerce allows Reflected XSS. This issue affects GLS Shipping for WooCommerce: from n/a through <= 1.4.0. 2026-01-22 not yet calculated CVE-2025-68011 https://patchstack.com/database/Wordpress/Plugin/gls-shipping-for-woocommerce/vulnerability/wordpress-gls-shipping-for-woocommerce-plugin-1-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
goalthemes--Bailly Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Bailly bailly allows PHP Local File Inclusion. This issue affects Bailly: from n/a through <= 1.3.4. 2026-01-22 not yet calculated CVE-2025-69039 https://patchstack.com/database/Wordpress/Theme/bailly/vulnerability/wordpress-bailly-theme-1-3-4-local-file-inclusion-vulnerability?_s_id=cve
 
goalthemes--Bfres Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Bfres bfres allows PHP Local File Inclusion. This issue affects Bfres: from n/a through <= 1.2.1. 2026-01-22 not yet calculated CVE-2025-69040 https://patchstack.com/database/Wordpress/Theme/bfres/vulnerability/wordpress-bfres-theme-1-2-1-local-file-inclusion-vulnerability?_s_id=cve
 
goalthemes--Dekoro Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Dekoro dekoro allows PHP Local File Inclusion. This issue affects Dekoro: from n/a through <= 1.0.7. 2026-01-22 not yet calculated CVE-2025-69041 https://patchstack.com/database/Wordpress/Theme/dekoro/vulnerability/wordpress-dekoro-theme-1-0-7-local-file-inclusion-vulnerability?_s_id=cve
 
goalthemes--Hyori Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Hyori hyori allows PHP Local File Inclusion. This issue affects Hyori: from n/a through <= 1.3.6. 2026-01-22 not yet calculated CVE-2025-69038 https://patchstack.com/database/Wordpress/Theme/hyori/vulnerability/wordpress-hyori-theme-1-3-6-local-file-inclusion-vulnerability?_s_id=cve
 
goalthemes--Lindo Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Lindo lindo allows PHP Local File Inclusion. This issue affects Lindo: from n/a through <= 1.2.5. 2026-01-22 not yet calculated CVE-2025-69042 https://patchstack.com/database/Wordpress/Theme/lindo/vulnerability/wordpress-lindo-theme-1-2-5-local-file-inclusion-vulnerability?_s_id=cve
 
goalthemes--Pippo Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Pippo pippo allows PHP Local File Inclusion. This issue affects Pippo: from n/a through <= 1.2.3. 2026-01-22 not yet calculated CVE-2025-69037 https://patchstack.com/database/Wordpress/Theme/pippo/vulnerability/wordpress-pippo-theme-1-2-3-local-file-inclusion-vulnerability?_s_id=cve
 
goalthemes--Rashy Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Rashy rashy allows PHP Local File Inclusion. This issue affects Rashy: from n/a through <= 1.1.3. 2026-01-22 not yet calculated CVE-2025-69043 https://patchstack.com/database/Wordpress/Theme/rashy/vulnerability/wordpress-rashy-theme-1-1-3-local-file-inclusion-vulnerability?_s_id=cve
 
goalthemes--Vango Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Vango vango allows PHP Local File Inclusion. This issue affects Vango: from n/a through <= 1.3.3. 2026-01-22 not yet calculated CVE-2025-69044 https://patchstack.com/database/Wordpress/Theme/vango/vulnerability/wordpress-vango-theme-1-3-3-local-file-inclusion-vulnerability?_s_id=cve
 
Google--Chrome Out of bounds memory access in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) 2026-01-20 not yet calculated CVE-2026-0899 https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html
https://issues.chromium.org/issues/458914193
 
Google--Chrome Inappropriate implementation in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) 2026-01-20 not yet calculated CVE-2026-0900 https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html
https://issues.chromium.org/issues/465730465
 
Google--Chrome Inappropriate implementation in Blink in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High) 2026-01-20 not yet calculated CVE-2026-0901 https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html
https://issues.chromium.org/issues/40057499
 
Google--Chrome Inappropriate implementation in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium) 2026-01-20 not yet calculated CVE-2026-0902 https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html
https://issues.chromium.org/issues/469143679
 
Google--Chrome Inappropriate implementation in Downloads in Google Chrome on Windows prior to 144.0.7559.59 allowed a remote attacker to bypass dangerous file type protections via a malicious file. (Chromium security severity: Medium) 2026-01-20 not yet calculated CVE-2026-0903 https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html
https://issues.chromium.org/issues/444803530
 
Google--Chrome Incorrect security UI in Digital Credentials in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium) 2026-01-20 not yet calculated CVE-2026-0904 https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html
https://issues.chromium.org/issues/452209495
 
Google--Chrome Insufficient policy enforcement in Network in Google Chrome prior to 144.0.7559.59 allowed an attack who obtained a network log file to potentially obtain potentially sensitive information via a network log file. (Chromium security severity: Medium) 2026-01-20 not yet calculated CVE-2026-0905 https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html
https://issues.chromium.org/issues/465466773
 
Google--Chrome Incorrect security UI in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low) 2026-01-20 not yet calculated CVE-2026-0906 https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html
https://issues.chromium.org/issues/467448811
 
Google--Chrome Incorrect security UI in Split View in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) 2026-01-20 not yet calculated CVE-2026-0907 https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html
https://issues.chromium.org/issues/444653104
 
Google--Chrome Use after free in ANGLE in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low) 2026-01-20 not yet calculated CVE-2026-0908 https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html
https://issues.chromium.org/issues/452209503
 
Google--Sentencepiece Invalid memory access in Sentencepiece versions less than 0.2.1 when using a vulnerable model file, which is not created in the normal training procedure. 2026-01-22 not yet calculated CVE-2026-1260 https://github.com/google/sentencepiece/releases/tag/v0.2.1
 
GPT Academic--GPT Academic GPT Academic stream_daas Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Interaction with a malicious DAAS server is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the stream_daas function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27956. 2026-01-23 not yet calculated CVE-2026-0762 ZDI-26-028
 
GPT Academic--GPT Academic GPT Academic run_in_subprocess_wrapper_func Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the run_in_subprocess_wrapper_func function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27958. 2026-01-23 not yet calculated CVE-2026-0763 ZDI-26-029
 
GPT Academic--GPT Academic GPT Academic upload Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the upload endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27957. 2026-01-23 not yet calculated CVE-2026-0764 ZDI-26-030
 
gregmolnar--Simple XML Sitemap Cross-Site Request Forgery (CSRF) vulnerability in gregmolnar Simple XML Sitemap simple-xml-sitemap allows Stored XSS. This issue affects Simple XML Sitemap: from n/a through <= 1.3. 2026-01-22 not yet calculated CVE-2026-22355 https://patchstack.com/database/Wordpress/Plugin/simple-xml-sitemap/vulnerability/wordpress-simple-xml-sitemap-plugin-1-3-csrf-to-stored-xss-vulnerability?_s_id=cve
 
Hangzhou Kuozhi Network Technology Co., Ltd.--EduSoho EduSoho versions prior to 22.4.7 contain an arbitrary file read vulnerability in the classroom-course-statistics export functionality. A remote, unauthenticated attacker can supply crafted path traversal sequences in the fileNames[] parameter to read arbitrary files from the server filesystem, including application configuration files such as config/parameters.yml that may contain secrets and database credentials. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-19 (UTC). 2026-01-22 not yet calculated CVE-2023-7335 https://www.edusoho.com/
https://github.com/edusoho/edusoho/releases/tag/v22.4.7
https://cn-sec.com/archives/2451582.html
https://blog.csdn.net/qq_41904294/article/details/135007351
https://github.com/zeroChen00/exp-poc/blob/main/EduSoho%E6%95%99%E5%9F%B9%E7%B3%BB%E7%BB%9Fclassropm-course-statistics%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
https://github.com/gobysec/GobyVuls/blob/master/CNVD-2023-03903.md
https://www.cnvd.org.cn/flaw/show/CNVD-2023-03903
https://www.vulncheck.com/advisories/edusoho-arbitrary-file-read-via-classroom-course-statistics
 
HappyMonster--Happy Addons for Elementor Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in HappyMonster Happy Addons for Elementor happy-elementor-addons allows Blind SQL Injection. This issue affects Happy Addons for Elementor: from n/a through <= 3.20.4. 2026-01-22 not yet calculated CVE-2025-68999 https://patchstack.com/database/Wordpress/Plugin/happy-elementor-addons/vulnerability/wordpress-happy-addons-for-elementor-plugin-3-20-4-sql-injection-vulnerability?_s_id=cve
 
Harmonic Design--HD Quiz Missing Authorization vulnerability in Harmonic Design HD Quiz hd-quiz allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HD Quiz: from n/a through <= 2.0.9. 2026-01-23 not yet calculated CVE-2026-24544 https://patchstack.com/database/Wordpress/Plugin/hd-quiz/vulnerability/wordpress-hd-quiz-plugin-2-0-9-broken-access-control-vulnerability?_s_id=cve
 
Harmonic Design--HDForms Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Harmonic Design HDForms hdforms allows Path Traversal. This issue affects HDForms: from n/a through <= 1.6.1. 2026-01-22 not yet calculated CVE-2025-68912 https://patchstack.com/database/Wordpress/Plugin/hdforms/vulnerability/wordpress-hdforms-plugin-1-6-1-arbitrary-file-deletion-vulnerability?_s_id=cve
 
hassantafreshi--Easy Form Builder Missing Authorization vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Form Builder: from n/a through <= 3.9.6. 2026-01-22 not yet calculated CVE-2026-22472 https://patchstack.com/database/Wordpress/Plugin/easy-form-builder/vulnerability/wordpress-easy-form-builder-plugin-3-9-4-broken-access-control-vulnerability?_s_id=cve
 
hexpm--hexpm Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.SharedAuthorizationView' modules) allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/hexpm_web/views/shared_authorization_view.ex and program routines 'Elixir.HexpmWeb.SharedAuthorizationView':render_grouped_scopes/3. This issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before c692438684ead90c3bcbfb9ccf4e63c768c668a8, from pkg:github/hexpm/hexpm@617e44c71f1dd9043870205f371d375c5c4d886d before pkg:github/hexpm/hexpm@c692438684ead90c3bcbfb9ccf4e63c768c668a8; hex.pm: from 2025-10-01 before 2026-01-19. 2026-01-19 not yet calculated CVE-2026-21618 https://github.com/hexpm/hexpm/security/advisories/GHSA-6cw9-5gg4-rhpj
https://github.com/hexpm/hexpm/commit/c692438684ead90c3bcbfb9ccf4e63c768c668a8
 
highwarden--Super Interactive Maps Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in highwarden Super Interactive Maps super-interactive-maps allows Reflected XSS. This issue affects Super Interactive Maps: from n/a through <= 2.3. 2026-01-22 not yet calculated CVE-2025-49045 https://patchstack.com/database/Wordpress/Plugin/super-interactive-maps/vulnerability/wordpress-super-interactive-maps-plugin-2-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
highwarden--Super Logos Showcase Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in highwarden Super Logos Showcase superlogoshowcase-wp allows Reflected XSS. This issue affects Super Logos Showcase: from n/a through <= 2.8. 2026-01-22 not yet calculated CVE-2025-69054 https://patchstack.com/database/Wordpress/Plugin/superlogoshowcase-wp/vulnerability/wordpress-super-logos-showcase-plugin-2-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Horea Radu--Materialis Companion Missing Authorization vulnerability in Horea Radu Materialis Companion materialis-companion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Materialis Companion: from n/a through <= 1.3.52. 2026-01-23 not yet calculated CVE-2026-24543 https://patchstack.com/database/Wordpress/Plugin/materialis-companion/vulnerability/wordpress-materialis-companion-plugin-1-3-52-broken-access-control-vulnerability?_s_id=cve
 
horilla-opensource--horilla Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking "Session Expired" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling Account Takeover. Version 1.5.0 patches the issue. 2026-01-22 not yet calculated CVE-2026-24010 https://github.com/horilla-opensource/horilla/security/advisories/GHSA-5jfv-gw8w-49h3
https://github.com/horilla-opensource/horilla/releases/tag/1.5.0
 
Hossni Mubarak--JobWP Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hossni Mubarak JobWP jobwp allows Stored XSS. This issue affects JobWP: from n/a through <= 2.4.5. 2026-01-22 not yet calculated CVE-2025-69318 https://patchstack.com/database/Wordpress/Plugin/jobwp/vulnerability/wordpress-jobwp-plugin-2-4-5-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Hotwired Turbo--Hotwire Turbo Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays (e.g. delaying requests based on sequence or timing) or by physically proximate attackers when the race condition occurs naturally on shared computers. 2026-01-20 not yet calculated CVE-2025-66803 https://github.com/hotwired/turbo/pull/1399
https://turbo.hotwired.dev/handbook/frames
https://github.com/hotwired/turbo/security/advisories/GHSA-qppm-g56g-fpvp
 
Hubitat--Elevation C3 An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation. 2026-01-22 not yet calculated CVE-2026-1201 https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-06
 
Hyyan Abo Fakher--Hyyan WooCommerce Polylang Integration Missing Authorization vulnerability in Hyyan Abo Fakher Hyyan WooCommerce Polylang Integration woo-poly-integration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hyyan WooCommerce Polylang Integration: from n/a through <= 1.5.0. 2026-01-23 not yet calculated CVE-2026-24585 https://patchstack.com/database/Wordpress/Plugin/woo-poly-integration/vulnerability/wordpress-hyyan-woocommerce-polylang-integration-plugin-1-5-0-broken-access-control-vulnerability?_s_id=cve
 
Icegram--Icegram Missing Authorization vulnerability in Icegram Icegram icegram allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Icegram: from n/a through <= 3.1.35. 2026-01-22 not yet calculated CVE-2025-68507 https://patchstack.com/database/Wordpress/Plugin/icegram/vulnerability/wordpress-icegram-plugin-3-1-35-broken-access-control-vulnerability?_s_id=cve
 
ichurakov--Paid Downloads Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ichurakov Paid Downloads paid-downloads allows Blind SQL Injection. This issue affects Paid Downloads: from n/a through <= 3.15. 2026-01-22 not yet calculated CVE-2025-68857 https://patchstack.com/database/Wordpress/Plugin/paid-downloads/vulnerability/wordpress-paid-downloads-plugin-3-15-sql-injection-vulnerability?_s_id=cve
 
ilmosys--Order Listener for WooCommerce Missing Authorization vulnerability in ilmosys Order Listener for WooCommerce woc-order-alert allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Listener for WooCommerce: from n/a through <= 3.6.1. 2026-01-22 not yet calculated CVE-2025-68018 https://patchstack.com/database/Wordpress/Plugin/woc-order-alert/vulnerability/wordpress-order-listener-for-woocommerce-plugin-3-6-0-broken-access-control-vulnerability?_s_id=cve
 
Imaginate Solutions--File Uploads Addon for WooCommerce Missing Authorization vulnerability in Imaginate Solutions File Uploads Addon for WooCommerce woo-addon-uploads allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects File Uploads Addon for WooCommerce: from n/a through <= 1.7.3. 2026-01-23 not yet calculated CVE-2026-24625 https://patchstack.com/database/Wordpress/Plugin/woo-addon-uploads/vulnerability/wordpress-file-uploads-addon-for-woocommerce-plugin-1-7-3-broken-access-control-vulnerability?_s_id=cve
 
Imagination Technologies--Graphics DDK A web page that contains unusual GPU shader code is loaded from the Internet into the GPU compiler process triggers a write use-after-free crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges this could enable further exploits on the device. The shader code contained in the web page executes a path in the compiler that held onto an out of date pointer, pointing to a freed memory object. 2026-01-24 not yet calculated CVE-2025-13952 https://www.imaginationtech.com/gpu-driver-vulnerabilities/
 
Imran Emu--Owl Carousel WP Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu Owl Carousel WP owl-carousel-wp allows Stored XSS. This issue affects Owl Carousel WP: from n/a through <= 2.2.2. 2026-01-22 not yet calculated CVE-2026-22388 https://patchstack.com/database/Wordpress/Plugin/owl-carousel-wp/vulnerability/wordpress-owl-carousel-wp-plugin-2-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
iNET--iNET Webkit Missing Authorization vulnerability in iNET iNET Webkit inet-webkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects iNET Webkit: from n/a through <= 1.2.4. 2026-01-23 not yet calculated CVE-2026-24566 https://patchstack.com/database/Wordpress/Plugin/inet-webkit/vulnerability/wordpress-inet-webkit-plugin-1-2-4-broken-access-control-vulnerability?_s_id=cve
 
Infility--Infility Global Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Stored XSS. This issue affects Infility Global: from n/a through <= 2.14.50. 2026-01-22 not yet calculated CVE-2025-68864 https://patchstack.com/database/Wordpress/Plugin/infility-global/vulnerability/wordpress-infility-global-plugin-2-14-49-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Inkscape--Inkscape MacOS version of Inkscape bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. An attacker with local user access can invoke this interpreter with arbitrary commands or scripts, leveraging the application's previously granted TCC permissions to access user's files in privacy-protected folders without triggering user prompts. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Inkscape, potentially disguising attacker's malicious intent. This issue has been fixed in 1.4.3 version of Inkscape. 2026-01-22 not yet calculated CVE-2025-15523 https://inkscape.org/
https://cert.pl/en/posts/2026/01/CVE-2025-15523/
 
InspiryThemes--Real Homes CRM Unrestricted Upload of File with Dangerous Type vulnerability in InspiryThemes Real Homes CRM realhomes-crm allows Using Malicious Files. This issue affects Real Homes CRM: from n/a through <= 1.0.0. 2026-01-22 not yet calculated CVE-2025-67968 https://patchstack.com/database/Wordpress/Plugin/realhomes-crm/vulnerability/wordpress-real-homes-crm-plugin-1-0-0-arbitrary-file-upload-vulnerability?_s_id=cve
 
Intermesh--groupoffice Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting (XSS). Users who interact with these specially crafted file names within the Group-Office application are affected. While the scope is limited to the file-viewing context, it could still be used to interfere with user sessions or perform unintended actions in the browser. This issue is fixed in versions 6.8.149 and 25.0.80. 2026-01-21 not yet calculated CVE-2026-23887 https://github.com/Intermesh/groupoffice/security/advisories/GHSA-3gj5-gvvr-g6hp
https://github.com/Intermesh/groupoffice/commit/3fa40d7edd31fbe33babe07061d5a14ad19ea40f
https://github.com/Intermesh/groupoffice/commit/ac91b128157bc9c5ea015b6141ce71cd3bbc43f0
 
Israpil--Textmetrics Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Israpil Textmetrics webtexttool allows Code Injection. This issue affects Textmetrics: from n/a through <= 3.6.3. 2026-01-23 not yet calculated CVE-2026-24564 https://patchstack.com/database/Wordpress/Plugin/webtexttool/vulnerability/wordpress-textmetrics-plugin-3-6-3-arbitrary-shortcode-execution-vulnerability?_s_id=cve
 
jagdish1o1--Delay Redirects Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jagdish1o1 Delay Redirects delay-redirects allows DOM-Based XSS. This issue affects Delay Redirects: from n/a through <= 1.0.0. 2026-01-23 not yet calculated CVE-2026-24632 https://patchstack.com/database/Wordpress/Plugin/delay-redirects/vulnerability/wordpress-delay-redirects-plugin-1-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Jahid Hasan--Admin login URL Change Missing Authorization vulnerability in Jahid Hasan Admin login URL Change admin-login-url-change allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Admin login URL Change: from n/a through <= 1.1.5. 2026-01-23 not yet calculated CVE-2026-24578 https://patchstack.com/database/Wordpress/Plugin/admin-login-url-change/vulnerability/wordpress-admin-login-url-change-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve
 
Jamf--Jamf Pro Authentication Bypass by Primary Weakness vulnerability in Jamf Jamf Pro allows unspecified impact. This issue affects Jamf Pro: from 11.20 through 11.24. 2026-01-21 not yet calculated CVE-2026-1290 https://learn.jamf.com/en-US/bundle/jamf-pro-release-notes-11.24.0/page/Resolved_Issues.html
 
jegtheme--JNews - Frontend Submit Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews - Frontend Submit jnews-frontend-submit allows Reflected XSS. This issue affects JNews - Frontend Submit: from n/a through <= 11.0.0. 2026-01-22 not yet calculated CVE-2025-68904 https://patchstack.com/database/Wordpress/Plugin/jnews-frontend-submit/vulnerability/wordpress-jnews-frontend-submit-plugin-11-0-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
jegtheme--JNews - Pay Writer Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jegtheme JNews - Pay Writer jnews-pay-writer allows PHP Local File Inclusion. This issue affects JNews - Pay Writer: from n/a through <= 11.0.0. 2026-01-22 not yet calculated CVE-2025-68905 https://patchstack.com/database/Wordpress/Plugin/jnews-pay-writer/vulnerability/wordpress-jnews-pay-writer-plugin-11-0-0-local-file-inclusion-vulnerability?_s_id=cve
 
jegtheme--JNews - Video Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews - Video jnews-video allows Reflected XSS. This issue affects JNews - Video: from n/a through <= 11.0.2. 2026-01-22 not yet calculated CVE-2025-68906 https://patchstack.com/database/Wordpress/Plugin/jnews-video/vulnerability/wordpress-jnews-video-plugin-11-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Johan Jonk Stenstrm--Cookies and Content Security Policy Insertion of Sensitive Information Into Sent Data vulnerability in Johan Jonk Stenström Cookies and Content Security Policy cookies-and-content-security-policy allows Retrieve Embedded Sensitive Data. This issue affects Cookies and Content Security Policy: from n/a through <= 2.34. 2026-01-22 not yet calculated CVE-2025-63019 https://patchstack.com/database/Wordpress/Plugin/cookies-and-content-security-policy/vulnerability/wordpress-cookies-and-content-security-policy-plugin-2-34-sensitive-data-exposure-vulnerability?_s_id=cve
 
John James Jacoby--WP Term Order Cross-Site Request Forgery (CSRF) vulnerability in John James Jacoby WP Term Order wp-term-order allows Cross Site Request Forgery. This issue affects WP Term Order: from n/a through <= 2.1.0. 2026-01-23 not yet calculated CVE-2026-24542 https://patchstack.com/database/Wordpress/Plugin/wp-term-order/vulnerability/wordpress-wp-term-order-plugin-2-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Jthemes--xSmart Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes xSmart xsmart allows Reflected XSS. This issue affects xSmart: from n/a through <= 1.2.9.4. 2026-01-22 not yet calculated CVE-2025-50006 https://patchstack.com/database/Wordpress/Theme/xsmart/vulnerability/wordpress-xsmart-theme-1-2-9-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Jthemes--xSmart Incorrect Privilege Assignment vulnerability in Jthemes xSmart xsmart allows Privilege Escalation. This issue affects xSmart: from n/a through <= 1.2.9.4. 2026-01-22 not yet calculated CVE-2025-50007 https://patchstack.com/database/Wordpress/Theme/xsmart/vulnerability/wordpress-xsmart-theme-1-2-9-4-privilege-escalation-vulnerability?_s_id=cve
 
Jthemes--xSmart Missing Authorization vulnerability in Jthemes xSmart xsmart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects xSmart: from n/a through <= 1.2.9.4. 2026-01-22 not yet calculated CVE-2025-54002 https://patchstack.com/database/Wordpress/Theme/xsmart/vulnerability/wordpress-xsmart-theme-1-2-9-4-broken-access-control-vulnerability?_s_id=cve
 
JV--HarfBuzz::Shaper HarfBuzz::Shaper versions before 0.032 for Perl contains a bundled library with a null pointer dereference vulnerability.  Versions before 0.032 contain HarfBuzz 8.4.0 or earlier bundled as hb_src.tar.gz in the source tarball, which is affected by CVE-2026-22693. 2026-01-19 not yet calculated CVE-2026-0943 https://bugzilla.redhat.com/show_bug.cgi?id=2429296
https://www.cve.org/CVERecord?id=CVE-2026-22693
https://metacpan.org/release/JV/HarfBuzz-Shaper-0.032/changes
 
Kaira--Blockons Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kaira Blockons blockons allows Stored XSS. This issue affects Blockons: from n/a through <= 1.2.15. 2026-01-23 not yet calculated CVE-2026-24550 https://patchstack.com/database/Wordpress/Plugin/blockons/vulnerability/wordpress-blockons-plugin-1-2-15-cross-site-scripting-xss-vulnerability?_s_id=cve
 
kamleshyadav--WP Lead Capturing Pages Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages wp-lead-capture allows Blind SQL Injection. This issue affects WP Lead Capturing Pages: from n/a through <= 2.5. 2026-01-22 not yet calculated CVE-2025-49050 https://patchstack.com/database/Wordpress/Plugin/wp-lead-capture/vulnerability/wordpress-wp-lead-capturing-pages-plugin-2-5-sql-injection-vulnerability-2?_s_id=cve
 
kamleshyadav--WP Lead Capturing Pages Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages wp-lead-capture allows Blind SQL Injection. This issue affects WP Lead Capturing Pages: from n/a through <= 2.5. 2026-01-22 not yet calculated CVE-2025-49055 https://patchstack.com/database/Wordpress/Plugin/wp-lead-capture/vulnerability/wordpress-wp-lead-capturing-pages-plugin-2-5-sql-injection-vulnerability?_s_id=cve
 
Kapil Chugh--My Post Order Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kapil Chugh My Post Order my-posts-order allows Reflected XSS. This issue affects My Post Order: from n/a through <= 1.2.1.1. 2026-01-22 not yet calculated CVE-2025-68004 https://patchstack.com/database/Wordpress/Plugin/my-posts-order/vulnerability/wordpress-my-post-order-plugin-1-2-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Kapil Paul--Payment Gateway bKash for WC Missing Authorization vulnerability in Kapil Paul Payment Gateway bKash for WC woo-payment-bkash allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payment Gateway bKash for WC: from n/a through <= 3.1.0. 2026-01-22 not yet calculated CVE-2025-62754 https://patchstack.com/database/Wordpress/Plugin/woo-payment-bkash/vulnerability/wordpress-payment-gateway-bkash-for-wc-plugin-3-0-0-broken-access-control-vulnerability?_s_id=cve
 
Katana Network--Development Starter Kit Katana Network Development Starter Kit executeCommand Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Katana Network Development Starter Kit. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the executeCommand method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27786. 2026-01-23 not yet calculated CVE-2026-0759 ZDI-26-025
 
kpdecker--jsdiff jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, and 4.0.4, attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or `\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's *patch* header (also known as its "leading garbage"). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*³) time to parse. Versions 8.0.3, 5.2.2, and 4.0.4 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: `\r`, `\u2028`, or `\u2029`. 2026-01-22 not yet calculated CVE-2026-24001 https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx
https://github.com/kpdecker/jsdiff/issues/653
https://github.com/kpdecker/jsdiff/pull/649
https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5
 
Kriesi--Enfold Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kriesi Enfold enfold allows DOM-Based XSS. This issue affects Enfold: from n/a through <= 7.1.3. 2026-01-22 not yet calculated CVE-2025-68900 https://patchstack.com/database/Wordpress/Theme/enfold/vulnerability/wordpress-enfold-theme-7-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
kutsy--AJAX Hits Counter + Popular Posts Widget Missing Authorization vulnerability in kutsy AJAX Hits Counter + Popular Posts Widget ajax-hits-counter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AJAX Hits Counter + Popular Posts Widget: from n/a through <= 0.10.210305. 2026-01-23 not yet calculated CVE-2026-24587 https://patchstack.com/database/Wordpress/Plugin/ajax-hits-counter/vulnerability/wordpress-ajax-hits-counter-popular-posts-widget-plugin-0-10-210305-broken-access-control-vulnerability?_s_id=cve
 
LambertGroup--Accordion Slider PRO Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Accordion Slider PRO accordion_slider_pro allows Reflected XSS. This issue affects Accordion Slider PRO: from n/a through <= 1.2. 2026-01-22 not yet calculated CVE-2025-49066 https://patchstack.com/database/Wordpress/Plugin/accordion_slider_pro/vulnerability/wordpress-accordion-slider-pro-plugin-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
LambertGroup--HTML5 Video Player Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup HTML5 Video Player lbg-vp2-html5-bottom allows Reflected XSS. This issue affects HTML5 Video Player: from n/a through <= 5.3.5. 2026-01-22 not yet calculated CVE-2025-27005 https://patchstack.com/database/Wordpress/Plugin/lbg-vp2-html5-bottom/vulnerability/wordpress-html5-video-player-plugin-5-3-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
LambertGroup--HTML5 Video Player with Playlist & Multiple Skins Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup HTML5 Video Player with Playlist & Multiple Skins lbg-vp2-html5-rightside allows Reflected XSS. This issue affects HTML5 Video Player with Playlist & Multiple Skins: from n/a through <= 5.3.5. 2026-01-22 not yet calculated CVE-2025-32123 https://patchstack.com/database/Wordpress/Plugin/lbg-vp2-html5-rightside/vulnerability/wordpress-html5-video-player-with-playlist-multiple-skins-plugin-5-3-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
LambertGroup--Image&Video FullScreen Background Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Image&Video FullScreen Background lbg_fullscreen_fullwidth_slider allows Reflected XSS. This issue affects Image&Video FullScreen Background: from n/a through <= 1.6.7. 2026-01-22 not yet calculated CVE-2025-47666 https://patchstack.com/database/Wordpress/Plugin/lbg_fullscreen_fullwidth_slider/vulnerability/wordpress-image-video-fullscreen-background-plugin-1-6-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
LambertGroup--Magic Responsive Slider and Carousel WordPress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Magic Responsive Slider and Carousel WordPress magic_carousel allows Reflected XSS. This issue affects Magic Responsive Slider and Carousel WordPress: from n/a through <= 1.6. 2026-01-22 not yet calculated CVE-2025-49043 https://patchstack.com/database/Wordpress/Plugin/magic_carousel/vulnerability/wordpress-magic-responsive-slider-and-carousel-wordpress-plugin-1-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
LambertGroup--Magic Slider Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Magic Slider magic_slider allows Reflected XSS. This issue affects Magic Slider: from n/a through <= 2.2. 2026-01-22 not yet calculated CVE-2025-48094 https://patchstack.com/database/Wordpress/Plugin/magic_slider/vulnerability/wordpress-magic-slider-plugin-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
LambertGroup--Universal Video Player Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player universal-video-player allows Reflected XSS. This issue affects Universal Video Player: from n/a through <= 3.8.4. 2026-01-22 not yet calculated CVE-2025-69048 https://patchstack.com/database/Wordpress/Plugin/universal-video-player/vulnerability/wordpress-universal-video-player-plugin-3-8-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
LambertGroup--Universal Video Player Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player universal-video-player allows Reflected XSS. This issue affects Universal Video Player: from n/a through <= 3.8.4. 2026-01-22 not yet calculated CVE-2025-69053 https://patchstack.com/database/Wordpress/Plugin/universal-video-player/vulnerability/wordpress-universal-video-player-plugin-3-8-4-reflected-cross-site-scripting-xss-vulnerability-2?_s_id=cve
 
LambertGroup--xPromoter Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup xPromoter top_bar_promoter allows Reflected XSS. This issue affects xPromoter: from n/a through <= 1.3.4. 2026-01-22 not yet calculated CVE-2025-49046 https://patchstack.com/database/Wordpress/Plugin/top_bar_promoter/vulnerability/wordpress-xpromoter-plugin-1-3-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Langflow--Langflow Langflow code Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the code parameter provided to the validate endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of root. . Was ZDI-CAN-27322. 2026-01-23 not yet calculated CVE-2026-0768 ZDI-26-034
 
Langflow--Langflow Langflow eval_custom_component_code Eval Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of eval_custom_component_code function. The issue results from the lack of proper validation of a user-supplied string before using it to execute python code. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26972. 2026-01-23 not yet calculated CVE-2026-0769 ZDI-26-035
 
Langflow--Langflow Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the exec_globals parameter provided to the validate endpoint. The issue results from the inclusion of a resource from an untrusted control sphere. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27325. 2026-01-23 not yet calculated CVE-2026-0770 ZDI-26-036
 
Langflow--Langflow Langflow PythonFunction Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Attack vectors and exploitability will vary depending on the configuration of the product. The specific flaw exists within the handling of Python function components. Depending upon product configuration, an attacker may be able to introduce custom Python code into a workflow. An attacker can leverage this vulnerability to execute code in the context of the application. Was ZDI-CAN-27497. 2026-01-23 not yet calculated CVE-2026-0771 ZDI-26-037
 
Langflow--Langflow Langflow Disk Cache Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is required to exploit this vulnerability. The specific flaw exists within the disk cache service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27919. 2026-01-23 not yet calculated CVE-2026-0772 ZDI-26-038
 
langfuse--langfuse Langfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/slack/install endpoint initiates Slack OAuth using a projectId provided by the client without authentication or authorization. The projectId is preserved throughout the OAuth flow, and the callback stores installations based on this untrusted metadata. This allows an attacker to bind their Slack workspace to any project and potentially receive changes to prompts stored in Langfuse Prompt Management. An attacker can replace existing Prompt Slack Automation integrations or pre-register a malicious one, though the latter requires an authenticated user to unknowingly configure it despite visible workspace and channel indicators in the UI. This issue has been fixed in version 3.147.0. 2026-01-22 not yet calculated CVE-2026-24055 https://github.com/langfuse/langfuse/security/advisories/GHSA-pvq7-vvfj-p98x
https://github.com/langfuse/langfuse/commit/3adc89e4d72729eabef55e46888b8ce80a7e3b0a
https://github.com/langfuse/langfuse/releases/tag/v3.147.0
https://langfuse.com/docs/prompt-management/features/webhooks-slack-integrations
 
launchinteractive--Merge + Minify + Refresh Cross-Site Request Forgery (CSRF) vulnerability in launchinteractive Merge + Minify + Refresh merge-minify-refresh allows Cross Site Request Forgery. This issue affects Merge + Minify + Refresh: from n/a through <= 2.14. 2026-01-22 not yet calculated CVE-2026-24384 https://patchstack.com/database/Wordpress/Plugin/merge-minify-refresh/vulnerability/wordpress-merge-minify-refresh-plugin-2-14-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
LavaLite--LavaLite CMS LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim. 2026-01-23 not yet calculated CVE-2025-71177 https://github.com/LavaLite/cms/issues/420
https://lavalite.org/
https://www.vulncheck.com/advisories/lavalite-cms-stored-xss-via-package-creation-and-search
 
LazyCoders LLC--LazyTasks Incorrect Privilege Assignment vulnerability in LazyCoders LLC LazyTasks lazytasks-project-task-management allows Privilege Escalation. This issue affects LazyTasks: from n/a through <= 1.4.01. 2026-01-22 not yet calculated CVE-2025-68869 https://patchstack.com/database/Wordpress/Plugin/lazytasks-project-task-management/vulnerability/wordpress-lazytasks-plugin-1-2-37-privilege-escalation-vulnerability?_s_id=cve
 
Leap13--Premium Addons for Elementor Missing Authorization vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Premium Addons for Elementor: from n/a through <= 4.11.63. 2026-01-22 not yet calculated CVE-2025-69300 https://patchstack.com/database/Wordpress/Plugin/premium-addons-for-elementor/vulnerability/wordpress-premium-addons-for-elementor-plugin-4-11-63-settings-change-vulnerability?_s_id=cve
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: usb: phy: isp1301: fix non-OF device reference imbalance A recent change fixing a device reference leak in a UDC driver introduced a potential use-after-free in the non-OF case as the isp1301_get_client() helper only increases the reference count for the returned I2C device in the OF case. Increment the reference count also for non-OF so that the caller can decrement it unconditionally. Note that this is inherently racy just as using the returned I2C device is since nothing is preventing the PHY driver from being unbound while in use. 2026-01-23 not yet calculated CVE-2025-71145 https://git.kernel.org/stable/c/43e58abad6c08c5f0943594126ef4cd6559aac0b
https://git.kernel.org/stable/c/03bbdaa4da8c6ea0c8431a5011db188a07822c8a
https://git.kernel.org/stable/c/75c5d9bce072abbbc09b701a49869ac23c34a906
https://git.kernel.org/stable/c/5d3df03f70547d4e3fc10ed4381c052eff51b157
https://git.kernel.org/stable/c/7501ecfe3e5202490c2d13dc7e181203601fcd69
https://git.kernel.org/stable/c/b4b64fda4d30a83a7f00e92a0c8a1d47699609f3
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: fix leaked ct in error paths There are some situations where ct might be leaked as error paths are skipping the refcounted check and return immediately. In order to solve it make sure that the check is always called. 2026-01-23 not yet calculated CVE-2025-71146 https://git.kernel.org/stable/c/08fa37f4c8c59c294e9c18fea2d083ee94074e5a
https://git.kernel.org/stable/c/e1ac8dce3a893641bef224ad057932f142b8a36f
https://git.kernel.org/stable/c/f381a33f34dda9e4023e38ba68c943bca83245e9
https://git.kernel.org/stable/c/325eb61bb30790ea27782203a17b007ce1754a67
https://git.kernel.org/stable/c/0b88be7211d21a0d68bb1e56dc805944e3654d6f
https://git.kernel.org/stable/c/4bd2b89f4028f250dd1c1625eb3da1979b04a5e8
https://git.kernel.org/stable/c/2e2a720766886190a6d35c116794693aabd332b6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix a memory leak in tpm2_load_cmd 'tpm2_load_cmd' allocates a tempoary blob indirectly via 'tpm2_key_decode' but it is not freed in the failure paths. Address this by wrapping the blob into with a cleanup helper. 2026-01-23 not yet calculated CVE-2025-71147 https://git.kernel.org/stable/c/3fd7df4636d8fd5e3592371967a5941204368936
https://git.kernel.org/stable/c/af0689cafb127a8d1af78cc8b72585c9b2a19ecd
https://git.kernel.org/stable/c/19166de9737218b77122c41a5730ac87025e089f
https://git.kernel.org/stable/c/9b015f2918b95bdde2ca9cefa10ef02b138aae1e
https://git.kernel.org/stable/c/9e7c63c69f57b1db1a8a1542359a6167ff8fcef1
https://git.kernel.org/stable/c/62cd5d480b9762ce70d720a81fa5b373052ae05f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/handshake: restore destructor on submit failure handshake_req_submit() replaces sk->sk_destruct but never restores it when submission fails before the request is hashed. handshake_sk_destruct() then returns early and the original destructor never runs, leaking the socket. Restore sk_destruct on the error path. 2026-01-23 not yet calculated CVE-2025-71148 https://git.kernel.org/stable/c/cd8cf2be3717137554744233fda051ffc09d1d44
https://git.kernel.org/stable/c/7b82a1d6ae869533d8bdb0282a3a78faed8e63dd
https://git.kernel.org/stable/c/b225325be7b247c7268e65eea6090db1fc786d1f
https://git.kernel.org/stable/c/6af2a01d65f89e73c1cbb9267f8880d83a88cee4
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: correctly handle io_poll_add() return value on update When the core of io_uring was updated to handle completions consistently and with fixed return codes, the POLL_REMOVE opcode with updates got slightly broken. If a POLL_ADD is pending and then POLL_REMOVE is used to update the events of that request, if that update causes the POLL_ADD to now trigger, then that completion is lost and a CQE is never posted. Additionally, ensure that if an update does cause an existing POLL_ADD to complete, that the completion value isn't always overwritten with -ECANCELED. For that case, whatever io_poll_add() set the value to should just be retained. 2026-01-23 not yet calculated CVE-2025-71149 https://git.kernel.org/stable/c/8b777ab48441b153502772ecfc78c107d4353f29
https://git.kernel.org/stable/c/0126560370ed5217958b85657b590ad25e8b9c00
https://git.kernel.org/stable/c/c1669c03bfbc2a9b5ebff4428eecebe734c646fe
https://git.kernel.org/stable/c/13a8f7b88c2d40c6b33f6216190478dda95d385f
https://git.kernel.org/stable/c/84230ad2d2afbf0c44c32967e525c0ad92e26b4e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix refcount leak when invalid session is found on session lookup When a session is found but its state is not SMB2_SESSION_VALID, It indicates that no valid session was found, but it is missing to decrement the reference count acquired by the session lookup, which results in a reference count leak. This patch fixes the issue by explicitly calling ksmbd_user_session_put to release the reference to the session. 2026-01-23 not yet calculated CVE-2025-71150 https://git.kernel.org/stable/c/0fb87b28cafae71e9c8248432cc3a6a1fd759efc
https://git.kernel.org/stable/c/e54fb2a4772545701766cba08aab20de5eace8cd
https://git.kernel.org/stable/c/02e06785e85b4bd86ef3d23b7c8d87acc76773d5
https://git.kernel.org/stable/c/8cabcb4dd3dc85dd83a37d26efcc59a66a4074d7
https://git.kernel.org/stable/c/cafb57f7bdd57abba87725eb4e82bbdca4959644
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: cifs: Fix memory and information leak in smb3_reconfigure() In smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the function returns immediately without freeing and erasing the newly allocated new_password and new_password2. This causes both a memory leak and a potential information leak. Fix this by calling kfree_sensitive() on both password buffers before returning in this error case. 2026-01-23 not yet calculated CVE-2025-71151 https://git.kernel.org/stable/c/bc390b2737205163e48cc1655f6a0c8cd55b02fc
https://git.kernel.org/stable/c/5679cc90bb5415801fa29041da0319d9e15d295d
https://git.kernel.org/stable/c/bb82aaee16907dc4d0b9b0ca7953ceb3edc328c6
https://git.kernel.org/stable/c/cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: dsa: properly keep track of conduit reference Problem description ------------------- DSA has a mumbo-jumbo of reference handling of the conduit net device and its kobject which, sadly, is just wrong and doesn't make sense. There are two distinct problems. 1. The OF path, which uses of_find_net_device_by_node(), never releases the elevated refcount on the conduit's kobject. Nominally, the OF and non-OF paths should result in objects having identical reference counts taken, and it is already suspicious that dsa_dev_to_net_device() has a put_device() call which is missing in dsa_port_parse_of(), but we can actually even verify that an issue exists. With CONFIG_DEBUG_KOBJECT_RELEASE=y, if we run this command "before" and "after" applying this patch: (unbind the conduit driver for net device eno2) echo 0000:00:00.2 > /sys/bus/pci/drivers/fsl_enetc/unbind we see these lines in the output diff which appear only with the patch applied: kobject: 'eno2' (ffff002009a3a6b8): kobject_release, parent 0000000000000000 (delayed 1000) kobject: '109' (ffff0020099d59a0): kobject_release, parent 0000000000000000 (delayed 1000) 2. After we find the conduit interface one way (OF) or another (non-OF), it can get unregistered at any time, and DSA remains with a long-lived, but in this case stale, cpu_dp->conduit pointer. Holding the net device's underlying kobject isn't actually of much help, it just prevents it from being freed (but we never need that kobject directly). What helps us to prevent the net device from being unregistered is the parallel netdev reference mechanism (dev_hold() and dev_put()). Actually we actually use that netdev tracker mechanism implicitly on user ports since commit 2f1e8ea726e9 ("net: dsa: link interfaces with the DSA master to get rid of lockdep warnings"), via netdev_upper_dev_link(). But time still passes at DSA switch probe time between the initial of_find_net_device_by_node() code and the user port creation time, time during which the conduit could unregister itself and DSA wouldn't know about it. So we have to run of_find_net_device_by_node() under rtnl_lock() to prevent that from happening, and release the lock only with the netdev tracker having acquired the reference. Do we need to keep the reference until dsa_unregister_switch() / dsa_switch_shutdown()? 1: Maybe yes. A switch device will still be registered even if all user ports failed to probe, see commit 86f8b1c01a0a ("net: dsa: Do not make user port errors fatal"), and the cpu_dp->conduit pointers remain valid. I haven't audited all call paths to see whether they will actually use the conduit in lack of any user port, but if they do, it seems safer to not rely on user ports for that reference. 2. Definitely yes. We support changing the conduit which a user port is associated to, and we can get into a situation where we've moved all user ports away from a conduit, thus no longer hold any reference to it via the net device tracker. But we shouldn't let it go nonetheless - see the next change in relation to dsa_tree_find_first_conduit() and LAG conduits which disappear. We have to be prepared to return to the physical conduit, so the CPU port must explicitly keep another reference to it. This is also to say: the user ports and their CPU ports may not always keep a reference to the same conduit net device, and both are needed. As for the conduit's kobject for the /sys/class/net/ entry, we don't care about it, we can release it as soon as we hold the net device object itself. History and blame attribution ----------------------------- The code has been refactored so many times, it is very difficult to follow and properly attribute a blame, but I'll try to make a short history which I hope to be correct. We have two distinct probing paths: - one for OF, introduced in 2016 i ---truncated--- 2026-01-23 not yet calculated CVE-2025-71152 https://git.kernel.org/stable/c/0e766b77ba5093583dfe609fae0aa1545c46dbbd
https://git.kernel.org/stable/c/06e219f6a706c367c93051f408ac61417643d2f9
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix memory leak in get_file_all_info() In get_file_all_info(), if vfs_getattr() fails, the function returns immediately without freeing the allocated filename, leading to a memory leak. Fix this by freeing the filename before returning in this error case. 2026-01-23 not yet calculated CVE-2025-71153 https://git.kernel.org/stable/c/5012b4c812230ae066902a00442708c999111183
https://git.kernel.org/stable/c/676907004256e0226c7ed3691db9f431404ca258
https://git.kernel.org/stable/c/d026f47db68638521df8543535ef863814fb01b1
https://git.kernel.org/stable/c/0c56693b06a68476ba113db6347e7897475f9e4c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure In async_set_registers(), when usb_submit_urb() fails, the allocated async_req structure and URB are not freed, causing a memory leak. The completion callback async_set_reg_cb() is responsible for freeing these allocations, but it is only called after the URB is successfully submitted and completes (successfully or with error). If submission fails, the callback never runs and the memory is leaked. Fix this by freeing both the URB and the request structure in the error path when usb_submit_urb() fails. 2026-01-23 not yet calculated CVE-2025-71154 https://git.kernel.org/stable/c/a4e2442d3c48355a84463342f397134f149936d7
https://git.kernel.org/stable/c/2f966186b99550e3c665dbfb87b8314e30acea02
https://git.kernel.org/stable/c/db2244c580540306d60ce783ed340190720cd429
https://git.kernel.org/stable/c/4bd4ea3eb326608ffc296db12c105f92dc2f2190
https://git.kernel.org/stable/c/6492ad6439ff1a479fc94dc6052df3628faed8b6
https://git.kernel.org/stable/c/151403e903840c9cf06754097b6732c14f26c532
https://git.kernel.org/stable/c/12cab1191d9890097171156d06bfa8d31f1e39c8
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: KVM: s390: Fix gmap_helper_zap_one_page() again A few checks were missing in gmap_helper_zap_one_page(), which can lead to memory corruption in the guest under specific circumstances. Add the missing checks. 2026-01-23 not yet calculated CVE-2025-71155 https://git.kernel.org/stable/c/2af2abbcbf8573100288e8f8aea2dab8a2a0ceb7
https://git.kernel.org/stable/c/2f393c228cc519ddf19b8c6c05bf15723241aa96
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: gve: defer interrupt enabling until NAPI registration Currently, interrupts are automatically enabled immediately upon request. This allows interrupt to fire before the associated NAPI context is fully initialized and cause failures like below: [ 0.946369] Call Trace: [ 0.946369] <IRQ> [ 0.946369] __napi_poll+0x2a/0x1e0 [ 0.946369] net_rx_action+0x2f9/0x3f0 [ 0.946369] handle_softirqs+0xd6/0x2c0 [ 0.946369] ? handle_edge_irq+0xc1/0x1b0 [ 0.946369] __irq_exit_rcu+0xc3/0xe0 [ 0.946369] common_interrupt+0x81/0xa0 [ 0.946369] </IRQ> [ 0.946369] <TASK> [ 0.946369] asm_common_interrupt+0x22/0x40 [ 0.946369] RIP: 0010:pv_native_safe_halt+0xb/0x10 Use the `IRQF_NO_AUTOEN` flag when requesting interrupts to prevent auto enablement and explicitly enable the interrupt in NAPI initialization path (and disable it during NAPI teardown). This ensures that interrupt lifecycle is strictly coupled with readiness of NAPI context. 2026-01-23 not yet calculated CVE-2025-71156 https://git.kernel.org/stable/c/f5b7f49bd2377916ad57cbd1210c61196daff013
https://git.kernel.org/stable/c/48f9277680925e1a8623d6b2c50aadb7af824ace
https://git.kernel.org/stable/c/3d970eda003441f66551a91fda16478ac0711617
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/core: always drop device refcount in ib_del_sub_device_and_put() Since nldev_deldev() (introduced by commit 060c642b2ab8 ("RDMA/nldev: Add support to add/delete a sub IB device through netlink") grabs a reference using ib_device_get_by_index() before calling ib_del_sub_device_and_put(), we need to drop that reference before returning -EOPNOTSUPP error. 2026-01-23 not yet calculated CVE-2025-71157 https://git.kernel.org/stable/c/20436f2742a92b7afeb2504eb559a98d2196b001
https://git.kernel.org/stable/c/fe8d456080423b9ed410469fbd1e2098d3acce2b
https://git.kernel.org/stable/c/fa3c411d21ebc26ffd175c7256c37cefa35020aa
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: gpio: mpsse: ensure worker is torn down When an IRQ worker is running, unplugging the device would cause a crash. The sealevel hardware this driver was written for was not hotpluggable, so I never realized it. This change uses a spinlock to protect a list of workers, which it tears down on disconnect. 2026-01-23 not yet calculated CVE-2025-71158 https://git.kernel.org/stable/c/472d900c8bcac301ae0e40fdca7db799bd989ff5
https://git.kernel.org/stable/c/179ef1127d7a4f09f0e741fa9f30b8a8e7886271
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node() Previously, btrfs_get_or_create_delayed_node() set the delayed_node's refcount before acquiring the root->delayed_nodes lock. Commit e8513c012de7 ("btrfs: implement ref_tracker for delayed_nodes") moved refcount_set inside the critical section, which means there is no longer a memory barrier between setting the refcount and setting btrfs_inode->delayed_node. Without that barrier, the stores to node->refs and btrfs_inode->delayed_node may become visible out of order. Another thread can then read btrfs_inode->delayed_node and attempt to increment a refcount that hasn't been set yet, leading to a refcounting bug and a use-after-free warning. The fix is to move refcount_set back to where it was to take advantage of the implicit memory barrier provided by lock acquisition. Because the allocations now happen outside of the lock's critical section, they can use GFP_NOFS instead of GFP_ATOMIC. 2026-01-23 not yet calculated CVE-2025-71159 https://git.kernel.org/stable/c/c8385851a5435f4006281828d428e5d0b0bbf8af
https://git.kernel.org/stable/c/83f59076a1ae6f5c6845d6f7ed3a1a373d883684
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: avoid chain re-validation if possible Hamza Mahfooz reports cpu soft lock-ups in nft_chain_validate(): watchdog: BUG: soft lockup - CPU#1 stuck for 27s! [iptables-nft-re:37547] [..] RIP: 0010:nft_chain_validate+0xcb/0x110 [nf_tables] [..] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_table_validate+0x6b/0xb0 [nf_tables] nf_tables_validate+0x8b/0xa0 [nf_tables] nf_tables_commit+0x1df/0x1eb0 [nf_tables] [..] Currently nf_tables will traverse the entire table (chain graph), starting from the entry points (base chains), exploring all possible paths (chain jumps). But there are cases where we could avoid revalidation. Consider: 1 input -> j2 -> j3 2 input -> j2 -> j3 3 input -> j1 -> j2 -> j3 Then the second rule does not need to revalidate j2, and, by extension j3, because this was already checked during validation of the first rule. We need to validate it only for rule 3. This is needed because chain loop detection also ensures we do not exceed the jump stack: Just because we know that j2 is cycle free, its last jump might now exceed the allowed stack size. We also need to update all reachable chains with the new largest observed call depth. Care has to be taken to revalidate even if the chain depth won't be an issue: chain validation also ensures that expressions are not called from invalid base chains. For example, the masquerade expression can only be called from NAT postrouting base chains. Therefore we also need to keep record of the base chain context (type, hooknum) and revalidate if the chain becomes reachable from a different hook location. 2026-01-23 not yet calculated CVE-2025-71160 https://git.kernel.org/stable/c/53de1e6cde8f9b791d9cf61aa0e7b02cf5bbe8b1
https://git.kernel.org/stable/c/14fa3d1927f1382f86e3f70a51f26005c8e3cff6
https://git.kernel.org/stable/c/09d6074995c186e449979fe6c1b0f1a69cf9bd3b
https://git.kernel.org/stable/c/8e1a1bc4f5a42747c08130b8242ebebd1210b32f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: dm-verity: disable recursive forward error correction There are two problems with the recursive correction: 1. It may cause denial-of-service. In fec_read_bufs, there is a loop that has 253 iterations. For each iteration, we may call verity_hash_for_block recursively. There is a limit of 4 nested recursions - that means that there may be at most 253^4 (4 billion) iterations. Red Hat QE team actually created an image that pushes dm-verity to this limit - and this image just makes the udev-worker process get stuck in the 'D' state. 2. It doesn't work. In fec_read_bufs we store data into the variable "fio->bufs", but fio bufs is shared between recursive invocations, if "verity_hash_for_block" invoked correction recursively, it would overwrite partially filled fio->bufs. 2026-01-23 not yet calculated CVE-2025-71161 https://git.kernel.org/stable/c/232948cf600fba69aff36b25d85ef91a73a35756
https://git.kernel.org/stable/c/d9f3e47d3fae0c101d9094bc956ed24e7a0ee801
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: dmaengine: tegra-adma: Fix use-after-free A use-after-free bug exists in the Tegra ADMA driver when audio streams are terminated, particularly during XRUN conditions. The issue occurs when the DMA buffer is freed by tegra_adma_terminate_all() before the vchan completion tasklet finishes accessing it. The race condition follows this sequence: 1. DMA transfer completes, triggering an interrupt that schedules the completion tasklet (tasklet has not executed yet) 2. Audio playback stops, calling tegra_adma_terminate_all() which frees the DMA buffer memory via kfree() 3. The scheduled tasklet finally executes, calling vchan_complete() which attempts to access the already-freed memory Since tasklets can execute at any time after being scheduled, there is no guarantee that the buffer will remain valid when vchan_complete() runs. Fix this by properly synchronizing the virtual channel completion: - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the descriptors as terminated instead of freeing the descriptor. - Add the callback tegra_adma_synchronize() that calls vchan_synchronize() which kills any pending tasklets and frees any terminated descriptors. Crash logs: [ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0 [ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0 [ 337.427562] Call trace: [ 337.427564] dump_backtrace+0x0/0x320 [ 337.427571] show_stack+0x20/0x30 [ 337.427575] dump_stack_lvl+0x68/0x84 [ 337.427584] print_address_description.constprop.0+0x74/0x2b8 [ 337.427590] kasan_report+0x1f4/0x210 [ 337.427598] __asan_load8+0xa0/0xd0 [ 337.427603] vchan_complete+0x124/0x3b0 [ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0 [ 337.427617] tasklet_action+0x30/0x40 [ 337.427623] __do_softirq+0x1a0/0x5c4 [ 337.427628] irq_exit+0x110/0x140 [ 337.427633] handle_domain_irq+0xa4/0xe0 [ 337.427640] gic_handle_irq+0x64/0x160 [ 337.427644] call_on_irq_stack+0x20/0x4c [ 337.427649] do_interrupt_handler+0x7c/0x90 [ 337.427654] el1_interrupt+0x30/0x80 [ 337.427659] el1h_64_irq_handler+0x18/0x30 [ 337.427663] el1h_64_irq+0x7c/0x80 [ 337.427667] cpuidle_enter_state+0xe4/0x540 [ 337.427674] cpuidle_enter+0x54/0x80 [ 337.427679] do_idle+0x2e0/0x380 [ 337.427685] cpu_startup_entry+0x2c/0x70 [ 337.427690] rest_init+0x114/0x130 [ 337.427695] arch_call_rest_init+0x18/0x24 [ 337.427702] start_kernel+0x380/0x3b4 [ 337.427706] __primary_switched+0xc0/0xc8 2026-01-25 not yet calculated CVE-2025-71162 https://git.kernel.org/stable/c/cb2c9c4bb1322cc3c9984ad17db8cdd2663879ca
https://git.kernel.org/stable/c/be655c3736b3546f39bc8116ffbf2a3b6cac96c4
https://git.kernel.org/stable/c/2efd07a7c36949e6fa36a69183df24d368bf9e96
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix device leaks on compat bind and unbind Make sure to drop the reference taken when looking up the idxd device as part of the compat bind and unbind sysfs interface. 2026-01-25 not yet calculated CVE-2025-71163 https://git.kernel.org/stable/c/0c97ff108f825a70c3bb29d65ddf0a013d231bb9
https://git.kernel.org/stable/c/a7226fd61def74b60dd8e47ec84cabafc39d575b
https://git.kernel.org/stable/c/799900f01792cf8b525a44764f065f83fcafd468
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset `qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class itself is active. Two qfq_class objects may point to the same leaf_qdisc. This happens when: 1. one QFQ qdisc is attached to the dev as the root qdisc, and 2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get() / qdisc_put()) and is pending to be destroyed, as in function tc_new_tfilter. When packets are enqueued through the root QFQ qdisc, the shared leaf_qdisc->q.qlen increases. At the same time, the second QFQ qdisc triggers qdisc_put and qdisc_destroy: the qdisc enters qfq_reset() with its own q->q.qlen == 0, but its class's leaf qdisc->q.qlen > 0. Therefore, the qfq_reset would wrongly deactivate an inactive aggregate and trigger a null-deref in qfq_deactivate_agg: [ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 0.903571] #PF: supervisor write access in kernel mode [ 0.903860] #PF: error_code(0x0002) - not-present page [ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0 [ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI [ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE [ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 [ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2)) [ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0 Code starting with the faulting instruction =========================================== 0: 0f 84 4d 01 00 00 je 0x153 6: 48 89 70 18 mov %rsi,0x18(%rax) a: 8b 4b 10 mov 0x10(%rbx),%ecx d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx 14: 48 8b 78 08 mov 0x8(%rax),%rdi 18: 48 d3 e2 shl %cl,%rdx 1b: 48 21 f2 and %rsi,%rdx 1e: 48 2b 13 sub (%rbx),%rdx 21: 48 8b 30 mov (%rax),%rsi 24: 48 d3 ea shr %cl,%rdx 27: 8b 4b 18 mov 0x18(%rbx),%ecx ... [ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246 [ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000 [ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000 [ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000 [ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880 [ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000 [ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0 [ 0.910247] PKRU: 55555554 [ 0.910391] Call Trace: [ 0.910527] <TASK> [ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485) [ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036) [ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076) [ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447) [ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) [ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861) [ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550) [ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) [ 0.912296] ? __alloc_skb (net/core/skbuff.c:706) [ 0.912484] netlink_sendmsg (net/netlink/af ---truncated--- 2026-01-21 not yet calculated CVE-2026-22976 https://git.kernel.org/stable/c/6116a83ec167d3ab1390cded854d237481f41b63
https://git.kernel.org/stable/c/0809c4bc06c9c961222df29f2eccfd449304056f
https://git.kernel.org/stable/c/cdb24200b043438a144df501f1ebbd926bb1a2c7
https://git.kernel.org/stable/c/11bf9134613f6c71fc0ff36c5d8d33856f6ae3bb
https://git.kernel.org/stable/c/43497313d0da3e12b5cfcd97aa17bf48ee663f95
https://git.kernel.org/stable/c/51ffd447bc37bf1a5776b85523f51d2bc69977f6
https://git.kernel.org/stable/c/c1d73b1480235731e35c81df70b08f4714a7d095
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: sock: fix hardened usercopy panic in sock_recv_errqueue skbuff_fclone_cache was created without defining a usercopy region, [1] unlike skbuff_head_cache which properly whitelists the cb[] field. [2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is enabled and the kernel attempts to copy sk_buff.cb data to userspace via sock_recv_errqueue() -> put_cmsg(). The crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone() (from skbuff_fclone_cache) [1] 2. The skb is cloned via skb_clone() using the pre-allocated fclone [3] 3. The cloned skb is queued to sk_error_queue for timestamp reporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE) 5. sock_recv_errqueue() calls put_cmsg() to copy serr->ee from skb->cb [4] 6. __check_heap_object() fails because skbuff_fclone_cache has no usercopy whitelist [5] When cloned skbs allocated from skbuff_fclone_cache are used in the socket error queue, accessing the sock_exterr_skb structure in skb->cb via put_cmsg() triggers a usercopy hardening violation: [ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_fclone_cache' (offset 296, size 16)! [ 5.382796] kernel BUG at mm/usercopy.c:102! [ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI [ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7 [ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80 [ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff <0f> 0b 490 [ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246 [ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74 [ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0 [ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74 [ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001 [ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00 [ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000 [ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0 [ 5.384903] PKRU: 55555554 [ 5.384903] Call Trace: [ 5.384903] <TASK> [ 5.384903] __check_heap_object+0x9a/0xd0 [ 5.384903] __check_object_size+0x46c/0x690 [ 5.384903] put_cmsg+0x129/0x5e0 [ 5.384903] sock_recv_errqueue+0x22f/0x380 [ 5.384903] tls_sw_recvmsg+0x7ed/0x1960 [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5.384903] ? schedule+0x6d/0x270 [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5.384903] ? mutex_unlock+0x81/0xd0 [ 5.384903] ? __pfx_mutex_unlock+0x10/0x10 [ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10 [ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0 [ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40 [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 The crash offset 296 corresponds to skb2->cb within skbuff_fclones: - sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 - offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 = 272 + 24 (inside sock_exterr_skb.ee) This patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure. [1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885 [2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104 [3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566 [4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491 [5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719 2026-01-21 not yet calculated CVE-2026-22977 https://git.kernel.org/stable/c/88dd6be7ebb3153b662c2cebcb06e032a92857f5
https://git.kernel.org/stable/c/c655d2167bf014d4c61b4faeca59b60ff9b9f6b1
https://git.kernel.org/stable/c/8c6901aa29626e35045130bac09b75f791acca85
https://git.kernel.org/stable/c/582a5e922a9652fcbb7d0165c95d5b20aa37575d
https://git.kernel.org/stable/c/005671c60fcf1dbdb8bddf12a62568fd5e4ec391
https://git.kernel.org/stable/c/e00b169eaac5f7cdbf710c354c8fa76d02009115
https://git.kernel.org/stable/c/2a71a1a8d0ed718b1c7a9ac61f07e5755c47ae20
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: avoid kernel-infoleak from struct iw_point struct iw_point has a 32bit hole on 64bit arches. struct iw_point { void __user *pointer; /* Pointer to the data (in user space) */ __u16 length; /* number of fields or size in bytes */ __u16 flags; /* Optional params */ }; Make sure to zero the structure to avoid disclosing 32bits of kernel data to user space. 2026-01-23 not yet calculated CVE-2026-22978 https://git.kernel.org/stable/c/d943b5f592767b107ba8c12a902f17431350378c
https://git.kernel.org/stable/c/a3827e310b5a73535646ef4a552d53b3c8bf74f6
https://git.kernel.org/stable/c/442ceac0393185e9982323f6682a52a53e8462b1
https://git.kernel.org/stable/c/d21ec867d84c9f3a9845d7d8c90c9ce35dbe48f8
https://git.kernel.org/stable/c/024f71a57d563fbe162e528c8bf2d27e9cac7c7b
https://git.kernel.org/stable/c/e3c35177103ead4658b8a62f41e3080d45885464
https://git.kernel.org/stable/c/21cbf883d073abbfe09e3924466aa5e0449e7261
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: fix memory leak in skb_segment_list for GRO packets When skb_segment_list() is called during packet forwarding, it handles packets that were aggregated by the GRO engine. Historically, the segmentation logic in skb_segment_list assumes that individual segments are split from a parent SKB and may need to carry their own socket memory accounting. Accordingly, the code transfers truesize from the parent to the newly created segments. Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this truesize subtraction in skb_segment_list() was valid because fragments still carry a reference to the original socket. However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed this behavior by ensuring that fraglist entries are explicitly orphaned (skb->sk = NULL) to prevent illegal orphaning later in the stack. This change meant that the entire socket memory charge remained with the head SKB, but the corresponding accounting logic in skb_segment_list() was never updated. As a result, the current code unconditionally adds each fragment's truesize to delta_truesize and subtracts it from the parent SKB. Since the fragments are no longer charged to the socket, this subtraction results in an effective under-count of memory when the head is freed. This causes sk_wmem_alloc to remain non-zero, preventing socket destruction and leading to a persistent memory leak. The leak can be observed via KMEMLEAK when tearing down the networking environment: unreferenced object 0xffff8881e6eb9100 (size 2048): comm "ping", pid 6720, jiffies 4295492526 backtrace: kmem_cache_alloc_noprof+0x5c6/0x800 sk_prot_alloc+0x5b/0x220 sk_alloc+0x35/0xa00 inet6_create.part.0+0x303/0x10d0 __sock_create+0x248/0x640 __sys_socket+0x11b/0x1d0 Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST packets constructed by GRO, the truesize adjustment is removed. The call to skb_release_head_state() must be preserved. As documented in commit cf673ed0e057 ("net: fix fraglist segmentation reference count leak"), it is still required to correctly drop references to SKB extensions that may be overwritten during __copy_skb_header(). 2026-01-23 not yet calculated CVE-2026-22979 https://git.kernel.org/stable/c/0b27828ebd1ed3107d7929c3737adbe862e99e74
https://git.kernel.org/stable/c/88bea149db2057112af3aaf63534b24fab5858ab
https://git.kernel.org/stable/c/3264881431e308b9c72cb8a0159d57a56d67dd79
https://git.kernel.org/stable/c/c114a32a2e70b82d447f409f7ffcfa3058f9d5bd
https://git.kernel.org/stable/c/238e03d0466239410b72294b79494e43d4fabe77
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: nfsd: provide locking for v4_end_grace Writing to v4_end_grace can race with server shutdown and result in memory being accessed after it was freed - reclaim_str_hashtbl in particularly. We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is held while client_tracking_op->init() is called and that can wait for an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a deadlock. nfsd4_end_grace() is also called by the landromat work queue and this doesn't require locking as server shutdown will stop the work and wait for it before freeing anything that nfsd4_end_grace() might access. However, we must be sure that writing to v4_end_grace doesn't restart the work item after shutdown has already waited for it. For this we add a new flag protected with nn->client_lock. It is set only while it is safe to make client tracking calls, and v4_end_grace only schedules work while the flag is set with the spinlock held. So this patch adds a nfsd_net field "client_tracking_active" which is set as described. Another field "grace_end_forced", is set when v4_end_grace is written. After this is set, and providing client_tracking_active is set, the laundromat is scheduled. This "grace_end_forced" field bypasses other checks for whether the grace period has finished. This resolves a race which can result in use-after-free. 2026-01-23 not yet calculated CVE-2026-22980 https://git.kernel.org/stable/c/ca97360860eb02e3ae4ba42c19b439a0fcecbf06
https://git.kernel.org/stable/c/e8bfa2401d4c51eca6e48e9b33c798828ca9df61
https://git.kernel.org/stable/c/34eb22836e0cdba093baac66599d68c4cd245a9d
https://git.kernel.org/stable/c/06600719d0f7a723811c45e4d51f5b742f345309
https://git.kernel.org/stable/c/ba4811c8b433bfa681729ca42cc62b6034f223b0
https://git.kernel.org/stable/c/53f07d095e7e680c5e4569a55a019f2c0348cdc6
https://git.kernel.org/stable/c/2857bd59feb63fcf40fe4baf55401baea6b4feb4
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: idpf: detach and close netdevs while handling a reset Protect the reset path from callbacks by setting the netdevs to detached state and close any netdevs in UP state until the reset handling has completed. During a reset, the driver will de-allocate resources for the vport, and there is no guarantee that those will recover, which is why the existing vport_ctrl_lock does not provide sufficient protection. idpf_detach_and_close() is called right before reset handling. If the reset handling succeeds, the netdevs state is recovered via call to idpf_attach_and_open(). If the reset handling fails the netdevs remain down. The detach/down calls are protected with RTNL lock to avoid racing with callbacks. On the recovery side the attach can be done without holding the RTNL lock as there are no callbacks expected at that point, due to detach/close always being done first in that flow. The previous logic restoring the netdevs state based on the IDPF_VPORT_UP_REQUESTED flag in the init task is not needed anymore, hence the removal of idpf_set_vport_state(). The IDPF_VPORT_UP_REQUESTED is still being used to restore the state of the netdevs following the reset, but has no use outside of the reset handling flow. idpf_init_hard_reset() is converted to void, since it was used as such and there is no error handling being done based on its return value. Before this change, invoking hard and soft resets simultaneously will cause the driver to lose the vport state: ip -br a <inf> UP echo 1 > /sys/class/net/ens801f0/device/reset& \ ethtool -L ens801f0 combined 8 ip -br a <inf> DOWN ip link set <inf> up ip -br a <inf> DOWN Also in case of a failure in the reset path, the netdev is left exposed to external callbacks, while vport resources are not initialized, leading to a crash on subsequent ifup/down: [408471.398966] idpf 0000:83:00.0: HW reset detected [408471.411744] idpf 0000:83:00.0: Device HW Reset initiated [408472.277901] idpf 0000:83:00.0: The driver was unable to contact the device's firmware. Check that the FW is running. Driver state= 0x2 [408508.125551] BUG: kernel NULL pointer dereference, address: 0000000000000078 [408508.126112] #PF: supervisor read access in kernel mode [408508.126687] #PF: error_code(0x0000) - not-present page [408508.127256] PGD 2aae2f067 P4D 0 [408508.127824] Oops: Oops: 0000 [#1] SMP NOPTI ... [408508.130871] RIP: 0010:idpf_stop+0x39/0x70 [idpf] ... [408508.139193] Call Trace: [408508.139637] <TASK> [408508.140077] __dev_close_many+0xbb/0x260 [408508.140533] __dev_change_flags+0x1cf/0x280 [408508.140987] netif_change_flags+0x26/0x70 [408508.141434] dev_change_flags+0x3d/0xb0 [408508.141878] devinet_ioctl+0x460/0x890 [408508.142321] inet_ioctl+0x18e/0x1d0 [408508.142762] ? _copy_to_user+0x22/0x70 [408508.143207] sock_do_ioctl+0x3d/0xe0 [408508.143652] sock_ioctl+0x10e/0x330 [408508.144091] ? find_held_lock+0x2b/0x80 [408508.144537] __x64_sys_ioctl+0x96/0xe0 [408508.144979] do_syscall_64+0x79/0x3d0 [408508.145415] entry_SYSCALL_64_after_hwframe+0x76/0x7e [408508.145860] RIP: 0033:0x7f3e0bb4caff 2026-01-23 not yet calculated CVE-2026-22981 https://git.kernel.org/stable/c/ac122f5fb050903b3d262001562c452be95eaf70
https://git.kernel.org/stable/c/2e281e1155fc476c571c0bd2ffbfe28ab829a5c3
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: mscc: ocelot: Fix crash when adding interface under a lag Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag") fixed a similar issue in the lan966x driver caused by a NULL pointer dereference. The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic and is susceptible to the same crash. This issue specifically affects the ocelot_vsc7514.c frontend, which leaves unused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as it uses the DSA framework which registers all ports. Fix this by checking if the port pointer is valid before accessing it. 2026-01-23 not yet calculated CVE-2026-22982 https://git.kernel.org/stable/c/8767f238b0e6c3d0b295ac6dce9fbe6a99bd1b9d
https://git.kernel.org/stable/c/b17818307446c5a8d925a39a792261dbfa930041
https://git.kernel.org/stable/c/2985712dc76dfa670eb7fd607c09d4d48e5f5c6e
https://git.kernel.org/stable/c/03fb1708b7d1e76aecebf767ad059c319845039f
https://git.kernel.org/stable/c/f490af47bbee02441e356a1e0b86e3b3dd5120ff
https://git.kernel.org/stable/c/34f3ff52cb9fa7dbf04f5c734fcc4cb6ed5d1a95
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: do not write to msg_get_inq in callee NULL pointer dereference fix. msg_get_inq is an input field from caller to callee. Don't set it in the callee, as the caller may not clear it on struct reuse. This is a kernel-internal variant of msghdr only, and the only user does reinitialize the field. So this is not critical for that reason. But it is more robust to avoid the write, and slightly simpler code. And it fixes a bug, see below. Callers set msg_get_inq to request the input queue length to be returned in msg_inq. This is equivalent to but independent from the SO_INQ request to return that same info as a cmsg (tp->recvmsg_inq). To reduce branching in the hot path the second also sets the msg_inq. That is WAI. This is a fix to commit 4d1442979e4a ("af_unix: don't post cmsg for SO_INQ unless explicitly asked for"), which fixed the inverse. Also avoid NULL pointer dereference in unix_stream_read_generic if state->msg is NULL and msg->msg_get_inq is written. A NULL state->msg can happen when splicing as of commit 2b514574f7e8 ("net: af_unix: implement splice for stream af_unix sockets"). Also collapse two branches using a bitwise or. 2026-01-23 not yet calculated CVE-2026-22983 https://git.kernel.org/stable/c/ffa2be496ef65055b28b39c6bd9a7d66943ee89a
https://git.kernel.org/stable/c/7d11e047eda5f98514ae62507065ac961981c025
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in handle_auth_done() Perform an explicit bounds check on payload_len to avoid a possible out-of-bounds access in the callout. [ idryomov: changelog ] 2026-01-23 not yet calculated CVE-2026-22984 https://git.kernel.org/stable/c/194cfe2af4d2a1de599d39dad636b47c2f6c2c96
https://git.kernel.org/stable/c/79fe3511db416d2f2edcfd93569807cb02736e5e
https://git.kernel.org/stable/c/ef208ea331ef688729f64089b895ed1b49e842e3
https://git.kernel.org/stable/c/2802ef3380fa8c4a08cda51ec1f085b1a712e9e2
https://git.kernel.org/stable/c/2d653bb63d598ae4b096dd678744bdcc34ee89e8
https://git.kernel.org/stable/c/818156caffbf55cb4d368f9c3cac64e458fb49c9
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: idpf: Fix RSS LUT NULL pointer crash on early ethtool operations The RSS LUT is not initialized until the interface comes up, causing the following NULL pointer crash when ethtool operations like rxhash on/off are performed before the interface is brought up for the first time. Move RSS LUT initialization from ndo_open to vport creation to ensure LUT is always available. This enables RSS configuration via ethtool before bringing the interface up. Simplify LUT management by maintaining all changes in the driver's soft copy and programming zeros to the indirection table when rxhash is disabled. Defer HW programming until the interface comes up if it is down during rxhash and LUT configuration changes. Steps to reproduce: ** Load idpf driver; interfaces will be created modprobe idpf ** Before bringing the interfaces up, turn rxhash off ethtool -K eth2 rxhash off [89408.371875] BUG: kernel NULL pointer dereference, address: 0000000000000000 [89408.371908] #PF: supervisor read access in kernel mode [89408.371924] #PF: error_code(0x0000) - not-present page [89408.371940] PGD 0 P4D 0 [89408.371953] Oops: Oops: 0000 [#1] SMP NOPTI <snip> [89408.372052] RIP: 0010:memcpy_orig+0x16/0x130 [89408.372310] Call Trace: [89408.372317] <TASK> [89408.372326] ? idpf_set_features+0xfc/0x180 [idpf] [89408.372363] __netdev_update_features+0x295/0xde0 [89408.372384] ethnl_set_features+0x15e/0x460 [89408.372406] genl_family_rcv_msg_doit+0x11f/0x180 [89408.372429] genl_rcv_msg+0x1ad/0x2b0 [89408.372446] ? __pfx_ethnl_set_features+0x10/0x10 [89408.372465] ? __pfx_genl_rcv_msg+0x10/0x10 [89408.372482] netlink_rcv_skb+0x58/0x100 [89408.372502] genl_rcv+0x2c/0x50 [89408.372516] netlink_unicast+0x289/0x3e0 [89408.372533] netlink_sendmsg+0x215/0x440 [89408.372551] __sys_sendto+0x234/0x240 [89408.372571] __x64_sys_sendto+0x28/0x30 [89408.372585] x64_sys_call+0x1909/0x1da0 [89408.372604] do_syscall_64+0x7a/0xfa0 [89408.373140] ? clear_bhb_loop+0x60/0xb0 [89408.373647] entry_SYSCALL_64_after_hwframe+0x76/0x7e [89408.378887] </TASK> <snip> 2026-01-23 not yet calculated CVE-2026-22985 https://git.kernel.org/stable/c/b29a5a7dd1f4293ee49c469938c25bf85a5aa802
https://git.kernel.org/stable/c/83f38f210b85676f40ba8586b5a8edae19b56995
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: gpiolib: fix race condition for gdev->srcu If two drivers were calling gpiochip_add_data_with_key(), one may be traversing the srcu-protected list in gpio_name_to_desc(), meanwhile other has just added its gdev in gpiodev_add_to_list_unlocked(). This creates a non-mutexed and non-protected timeframe, when one instance is dereferencing and using &gdev->srcu, before the other has initialized it, resulting in crash: [ 4.935481] Unable to handle kernel paging request at virtual address ffff800272bcc000 [ 4.943396] Mem abort info: [ 4.943400] ESR = 0x0000000096000005 [ 4.943403] EC = 0x25: DABT (current EL), IL = 32 bits [ 4.943407] SET = 0, FnV = 0 [ 4.943410] EA = 0, S1PTW = 0 [ 4.943413] FSC = 0x05: level 1 translation fault [ 4.943416] Data abort info: [ 4.943418] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 4.946220] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 4.955261] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 4.955268] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000038e6c000 [ 4.961449] [ffff800272bcc000] pgd=0000000000000000 [ 4.969203] , p4d=1000000039739003 [ 4.979730] , pud=0000000000000000 [ 4.980210] phandle (CPU): 0x0000005e, phandle (BE): 0x5e000000 for node "reset" [ 4.991736] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP ... [ 5.121359] pc : __srcu_read_lock+0x44/0x98 [ 5.131091] lr : gpio_name_to_desc+0x60/0x1a0 [ 5.153671] sp : ffff8000833bb430 [ 5.298440] [ 5.298443] Call trace: [ 5.298445] __srcu_read_lock+0x44/0x98 [ 5.309484] gpio_name_to_desc+0x60/0x1a0 [ 5.320692] gpiochip_add_data_with_key+0x488/0xf00 5.946419] ---[ end trace 0000000000000000 ]--- Move initialization code for gdev fields before it is added to gpio_devices, with adjacent initialization code. Adjust goto statements to reflect modified order of operations [Bartosz: fixed a build issue, removed stray newline] 2026-01-23 not yet calculated CVE-2026-22986 https://git.kernel.org/stable/c/fb674c8f1a5d8dd3113a7326030f963fa2d79c02
https://git.kernel.org/stable/c/a7ac22d53d0990152b108c3f4fe30df45fcb0181
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy syzbot reported a crash in tc_act_in_hw() during netns teardown where tcf_idrinfo_destroy() passed an ERR_PTR(-EBUSY) value as a tc_action pointer, leading to an invalid dereference. Guard against ERR_PTR entries when iterating the action IDR so teardown does not call tc_act_in_hw() on an error pointer. 2026-01-23 not yet calculated CVE-2026-22987 https://git.kernel.org/stable/c/67550a1130b647bb0d093c9c0a810c69aa6a30a8
https://git.kernel.org/stable/c/adb25a46dc0a43173f5ea5f5f58fc8ba28970c7c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: arp: do not assume dev_hard_header() does not change skb->head arp_create() is the only dev_hard_header() caller making assumption about skb->head being unchanged. A recent commit broke this assumption. Initialize @arp pointer after dev_hard_header() call. 2026-01-23 not yet calculated CVE-2026-22988 https://git.kernel.org/stable/c/e432dbff342b95fe44645f9a90fcf333c80f4b5e
https://git.kernel.org/stable/c/393525dee5c39acff8d6705275d7fcaabcfb7f0a
https://git.kernel.org/stable/c/70bddc16491ef4681f3569b3a2c80309a3edcdd1
https://git.kernel.org/stable/c/029935507d0af6553c45380fbf6feecf756fd226
https://git.kernel.org/stable/c/dd6ccec088adff4bdf33e2b2dd102df20a7128fa
https://git.kernel.org/stable/c/949647e7771a4a01963fe953a96d81fba7acecf3
https://git.kernel.org/stable/c/c92510f5e3f82ba11c95991824a41e59a9c5ed81
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: nfsd: check that server is running in unlock_filesystem If we are trying to unlock the filesystem via an administrative interface and nfsd isn't running, it crashes the server. This happens currently because nfsd4_revoke_states() access state structures (eg., conf_id_hashtbl) that has been freed as a part of the server shutdown. [ 59.465072] Call trace: [ 59.465308] nfsd4_revoke_states+0x1b4/0x898 [nfsd] (P) [ 59.465830] write_unlock_fs+0x258/0x440 [nfsd] [ 59.466278] nfsctl_transaction_write+0xb0/0x120 [nfsd] [ 59.466780] vfs_write+0x1f0/0x938 [ 59.467088] ksys_write+0xfc/0x1f8 [ 59.467395] __arm64_sys_write+0x74/0xb8 [ 59.467746] invoke_syscall.constprop.0+0xdc/0x1e8 [ 59.468177] do_el0_svc+0x154/0x1d8 [ 59.468489] el0_svc+0x40/0xe0 [ 59.468767] el0t_64_sync_handler+0xa0/0xe8 [ 59.469138] el0t_64_sync+0x1ac/0x1b0 Ensure this can't happen by taking the nfsd_mutex and checking that the server is still up, and then holding the mutex across the call to nfsd4_revoke_states(). 2026-01-23 not yet calculated CVE-2026-22989 https://git.kernel.org/stable/c/d95499900fe52f3d461ed26b7a30bebea8f12914
https://git.kernel.org/stable/c/e06c9f6c0f554148d4921c2a15bd054260a054ac
https://git.kernel.org/stable/c/d0424066fcd294977f310964bed6f2a487fa4515
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() If the osdmap is (maliciously) corrupted such that the incremental osdmap epoch is different from what is expected, there is no need to BUG. Instead, just declare the incremental osdmap to be invalid. 2026-01-23 not yet calculated CVE-2026-22990 https://git.kernel.org/stable/c/9aa0b0c14cefece078286d78b97d4c09685e372d
https://git.kernel.org/stable/c/4b106fbb1c7b841cd402abd83eb2447164c799ea
https://git.kernel.org/stable/c/6afd2a4213524bc742b709599a3663aeaf77193c
https://git.kernel.org/stable/c/d3613770e2677683e65d062da5e31f48c409abe9
https://git.kernel.org/stable/c/6c6cec3db3b418c4fdf815731bc39e46dff75e1b
https://git.kernel.org/stable/c/6348d70af847b79805374fe628d3809a63fd7df3
https://git.kernel.org/stable/c/e00c3f71b5cf75681dbd74ee3f982a99cb690c2b
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: libceph: make free_choose_arg_map() resilient to partial allocation free_choose_arg_map() may dereference a NULL pointer if its caller fails after a partial allocation. For example, in decode_choose_args(), if allocation of arg_map->args fails, execution jumps to the fail label and free_choose_arg_map() is called. Since arg_map->size is updated to a non-zero value before memory allocation, free_choose_arg_map() will iterate over arg_map->args and dereference a NULL pointer. To prevent this potential NULL pointer dereference and make free_choose_arg_map() more resilient, add checks for pointers before iterating. 2026-01-23 not yet calculated CVE-2026-22991 https://git.kernel.org/stable/c/9b3730dabcf3764bfe3ff07caf55e641a0b45234
https://git.kernel.org/stable/c/851241d3f78a5505224dc21c03d8692f530256b4
https://git.kernel.org/stable/c/ec1850f663da64842614c86b20fe734be070c2ba
https://git.kernel.org/stable/c/8081faaf089db5280c3be820948469f7c58ef8dd
https://git.kernel.org/stable/c/c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf
https://git.kernel.org/stable/c/f21c3fdb96833aac2f533506899fe38c19cf49d5
https://git.kernel.org/stable/c/e3fe30e57649c551757a02e1cad073c47e1e075e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: libceph: return the handler error from mon_handle_auth_done() Currently any error from ceph_auth_handle_reply_done() is propagated via finish_auth() but isn't returned from mon_handle_auth_done(). This results in higher layers learning that (despite the monitor considering us to be successfully authenticated) something went wrong in the authentication phase and reacting accordingly, but msgr2 still trying to proceed with establishing the session in the background. In the case of secure mode this can trigger a WARN in setup_crypto() and later lead to a NULL pointer dereference inside of prepare_auth_signature(). 2026-01-23 not yet calculated CVE-2026-22992 https://git.kernel.org/stable/c/77229551f2cf72f3e35636db68e6a825b912cf16
https://git.kernel.org/stable/c/33908769248b38a5e77cf9292817bb28e641992d
https://git.kernel.org/stable/c/e097cd858196b1914309e7e3d79b4fa79383754d
https://git.kernel.org/stable/c/d2c4a5f6996683f287f3851ef5412797042de7f1
https://git.kernel.org/stable/c/9e0101e57534ef0e7578dd09608a6106736b82e5
https://git.kernel.org/stable/c/e84b48d31b5008932c0a0902982809fbaa1d3b70
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: idpf: Fix RSS LUT NULL ptr issue after soft reset During soft reset, the RSS LUT is freed and not restored unless the interface is up. If an ethtool command that accesses the rss lut is attempted immediately after reset, it will result in NULL ptr dereference. Also, there is no need to reset the rss lut if the soft reset does not involve queue count change. After soft reset, set the RSS LUT to default values based on the updated queue count only if the reset was a result of a queue count change and the LUT was not configured by the user. In all other cases, don't touch the LUT. Steps to reproduce: ** Bring the interface down (if up) ifconfig eth1 down ** update the queue count (eg., 27->20) ethtool -L eth1 combined 20 ** display the RSS LUT ethtool -x eth1 [82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000 [82375.558373] #PF: supervisor read access in kernel mode [82375.558391] #PF: error_code(0x0000) - not-present page [82375.558408] PGD 0 P4D 0 [82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI <snip> [82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf] [82375.558786] Call Trace: [82375.558793] <TASK> [82375.558804] rss_prepare.isra.0+0x187/0x2a0 [82375.558827] rss_prepare_data+0x3a/0x50 [82375.558845] ethnl_default_doit+0x13d/0x3e0 [82375.558863] genl_family_rcv_msg_doit+0x11f/0x180 [82375.558886] genl_rcv_msg+0x1ad/0x2b0 [82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10 [82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10 [82375.558937] netlink_rcv_skb+0x58/0x100 [82375.558957] genl_rcv+0x2c/0x50 [82375.558971] netlink_unicast+0x289/0x3e0 [82375.558988] netlink_sendmsg+0x215/0x440 [82375.559005] __sys_sendto+0x234/0x240 [82375.559555] __x64_sys_sendto+0x28/0x30 [82375.560068] x64_sys_call+0x1909/0x1da0 [82375.560576] do_syscall_64+0x7a/0xfa0 [82375.561076] ? clear_bhb_loop+0x60/0xb0 [82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e <snip> 2026-01-23 not yet calculated CVE-2026-22993 https://git.kernel.org/stable/c/ab92fa4dd81beaaed4e93a851f7a37c9b2d9776f
https://git.kernel.org/stable/c/ebecca5b093895da801b3eba1a55b4ec4027d196
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Fix reference count leak in bpf_prog_test_run_xdp() syzbot is reporting unregister_netdevice: waiting for sit0 to become free. Usage count = 2 problem. A debug printk() patch found that a refcount is obtained at xdp_convert_md_to_buff() from bpf_prog_test_run_xdp(). According to commit ec94670fcb3b ("bpf: Support specifying ingress via xdp_md context in BPF_PROG_TEST_RUN"), the refcount obtained by xdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md(). Therefore, we can consider that the error handling path introduced by commit 1c1949982524 ("bpf: introduce frags support to bpf_prog_test_run_xdp()") forgot to call xdp_convert_buff_to_md(). 2026-01-23 not yet calculated CVE-2026-22994 https://git.kernel.org/stable/c/368569bc546d3368ee9980ba79fc42fdff9a3365
https://git.kernel.org/stable/c/98676ee71fd4eafeb8be63c7f3f1905d40e03101
https://git.kernel.org/stable/c/fb9ef40cccdbacce36029b305d0ef1e12e4fea38
https://git.kernel.org/stable/c/737be05a765761d7d7c9f7fe92274bd8e6f6951e
https://git.kernel.org/stable/c/ec69daabe45256f98ac86c651b8ad1b2574489a7
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ublk: fix use-after-free in ublk_partition_scan_work A race condition exists between the async partition scan work and device teardown that can lead to a use-after-free of ub->ub_disk: 1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk() 2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does: - del_gendisk(ub->ub_disk) - ublk_detach_disk() sets ub->ub_disk = NULL - put_disk() which may free the disk 3. The worker ublk_partition_scan_work() then dereferences ub->ub_disk leading to UAF Fix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold a reference to the disk during the partition scan. The spinlock in ublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker either gets a valid reference or sees NULL and exits early. Also change flush_work() to cancel_work_sync() to avoid running the partition scan work unnecessarily when the disk is already detached. 2026-01-23 not yet calculated CVE-2026-22995 https://git.kernel.org/stable/c/72e28774e9644c2bdbb4920842fbf77103a15a85
https://git.kernel.org/stable/c/f0d385f6689f37a2828c686fb279121df006b4cb
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails, mlx5e_priv in mlx5e_dev devlink private is used to reference the netdev and mdev associated with that struct. Instead, store netdev directly into mlx5e_dev and get mdev from the containing mlx5_adev aux device structure. This fixes a kernel oops in mlx5e_remove when switchdev mode fails due to change profile failure. $ devlink dev eswitch set pci/0000:00:03.0 mode switchdev Error: mlx5_core: Failed setting eswitch to offloads. dmesg: workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 $ devlink dev reload pci/0000:00:03.0 ==> oops BUG: kernel NULL pointer dereference, address: 0000000000000520 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 3 UID: 0 PID: 521 Comm: devlink Not tainted 6.18.0-rc5+ #117 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:mlx5e_remove+0x68/0x130 RSP: 0018:ffffc900034838f0 EFLAGS: 00010246 RAX: ffff88810283c380 RBX: ffff888101874400 RCX: ffffffff826ffc45 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff888102d789c0 R08: ffff8881007137f0 R09: ffff888100264e10 R10: ffffc90003483898 R11: ffffc900034838a0 R12: ffff888100d261a0 R13: ffff888100d261a0 R14: ffff8881018749a0 R15: ffff888101874400 FS: 00007f8565fea740(0000) GS:ffff88856a759000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000520 CR3: 000000010b11a004 CR4: 0000000000370ef0 Call Trace: <TASK> device_release_driver_internal+0x19c/0x200 bus_remove_device+0xc6/0x130 device_del+0x160/0x3d0 ? devl_param_driverinit_value_get+0x2d/0x90 mlx5_detach_device+0x89/0xe0 mlx5_unload_one_devl_locked+0x3a/0x70 mlx5_devlink_reload_down+0xc8/0x220 devlink_reload+0x7d/0x260 devlink_nl_reload_doit+0x45b/0x5a0 genl_family_rcv_msg_doit+0xe8/0x140 2026-01-25 not yet calculated CVE-2026-22996 https://git.kernel.org/stable/c/dcb2ad755a16cb0ecd2dc98234d71a6e216ae7fe
https://git.kernel.org/stable/c/a3d4f87d41f5140f1cf5c02fce5cdad2637f6244
https://git.kernel.org/stable/c/123eda2e5b1638e298e3a66bb1e64a8da92de5e1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is called only when the timer is enabled, we need to call j1939_session_deactivate_activate_next() if we cancelled the timer. Otherwise, refcount for j1939_session leaks, which will later appear as | unregister_netdevice: waiting for vcan0 to become free. Usage count = 2. problem. 2026-01-25 not yet calculated CVE-2026-22997 https://git.kernel.org/stable/c/cb2a610867bc379988bae0bb4b8bbc59c0decf1a
https://git.kernel.org/stable/c/6121b7564c725b632ffe4764abe85aa239d37703
https://git.kernel.org/stable/c/1809c82aa073a11b7d335ae932d81ce51a588a4a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command's data structures (cmd->req.sg and cmd->iov) have been properly initialized before processing H2C_DATA PDUs. The nvmet_tcp_build_pdu_iovec() function dereferences these pointers without NULL checks. This can be triggered by sending H2C_DATA PDU immediately after the ICREQ/ICRESP handshake, before sending a CONNECT command or NVMe write command. Attack vectors that trigger NULL pointer dereferences: 1. H2C_DATA PDU sent before CONNECT → both pointers NULL 2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL 3. H2C_DATA PDU for uninitialized command slot → both pointers NULL The fix validates both cmd->req.sg and cmd->iov before calling nvmet_tcp_build_pdu_iovec(). Both checks are required because: - Uninitialized commands: both NULL - READ commands: cmd->req.sg allocated, cmd->iov NULL - WRITE commands: both allocated 2026-01-25 not yet calculated CVE-2026-22998 https://git.kernel.org/stable/c/3def5243150716be86599c2a1767c29c68838b6d
https://git.kernel.org/stable/c/374b095e265fa27465f34780e0eb162ff1bef913
https://git.kernel.org/stable/c/32b63acd78f577b332d976aa06b56e70d054cbba
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: do not free existing class in qfq_change_class() Fixes qfq_change_class() error case. cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we risk various UAF. 2026-01-25 not yet calculated CVE-2026-22999 https://git.kernel.org/stable/c/362e269bb03f7076ba9990e518aeddb898232e50
https://git.kernel.org/stable/c/e9d8f11652fa08c647bf7bba7dd8163241a332cd
https://git.kernel.org/stable/c/3879cffd9d07aa0377c4b8835c4f64b4fb24ac78
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix crash on profile change rollback failure mlx5e_netdev_change_profile can fail to attach a new profile and can fail to rollback to old profile, in such case, we could end up with a dangling netdev with a fully reset netdev_priv. A retry to change profile, e.g. another attempt to call mlx5e_netdev_change_profile via switchdev mode change, will crash trying to access the now NULL priv->mdev. This fix allows mlx5e_netdev_change_profile() to handle previous failures and an empty priv, by not assuming priv is valid. Pass netdev and mdev to all flows requiring mlx5e_netdev_change_profile() and avoid passing priv. In mlx5e_netdev_change_profile() check if current priv is valid, and if not, just attach the new profile without trying to access the old one. This fixes the following oops, when enabling switchdev mode for the 2nd time after first time failure: ## Enabling switchdev mode first time: mlx5_core 0012:03:00.1: E-Switch: Supported tc chains and prios offload workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 ^^^^^^^^ mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0) ## retry: Enabling switchdev mode 2nd time: mlx5_core 0000:00:03.0: E-Switch: Supported tc chains and prios offload BUG: kernel NULL pointer dereference, address: 0000000000000038 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 13 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc4+ #91 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:mlx5e_detach_netdev+0x3c/0x90 Code: 50 00 00 f0 80 4f 78 02 48 8b bf e8 07 00 00 48 85 ff 74 16 48 8b 73 78 48 d1 ee 83 e6 01 83 f6 01 40 0f b6 f6 e8 c4 42 00 00 <48> 8b 45 38 48 85 c0 74 08 48 89 df e8 cc 47 40 1e 48 8b bb f0 07 RSP: 0018:ffffc90000673890 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff8881036a89c0 RCX: 0000000000000000 RDX: ffff888113f63800 RSI: ffffffff822fe720 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000002dcd R09: 0000000000000000 R10: ffffc900006738e8 R11: 00000000ffffffff R12: 0000000000000000 R13: 0000000000000000 R14: ffff8881036a89c0 R15: 0000000000000000 FS: 00007fdfb8384740(0000) GS:ffff88856a9d6000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000038 CR3: 0000000112ae0005 CR4: 0000000000370ef0 Call Trace: <TASK> mlx5e_netdev_change_profile+0x45/0xb0 mlx5e_vport_rep_load+0x27b/0x2d0 mlx5_esw_offloads_rep_load+0x72/0xf0 esw_offloads_enable+0x5d0/0x970 mlx5_eswitch_enable_locked+0x349/0x430 ? is_mp_supported+0x57/0xb0 mlx5_devlink_eswitch_mode_set+0x26b/0x430 devlink_nl_eswitch_set_doit+0x6f/0xf0 genl_family_rcv_msg_doit+0xe8/0x140 genl_rcv_msg+0x18b/0x290 ? __pfx_devlink_nl_pre_doit+0x10/0x10 ? __pfx_devlink_nl_eswitch_set_doit+0x10/0x10 ? __pfx_devlink_nl_post_doit+0x10/0x10 ? __pfx_genl_rcv_msg+0x10/0x10 netlink_rcv_skb+0x52/0x100 genl_rcv+0x28/0x40 netlink_unicast+0x282/0x3e0 ? __alloc_skb+0xd6/0x190 netlink_sendmsg+0x1f7/0x430 __sys_sendto+0x213/0x220 ? __sys_recvmsg+0x6a/0xd0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x50/0x1f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fdfb8495047 2026-01-25 not yet calculated CVE-2026-23000 https://git.kernel.org/stable/c/dad52950b409d6923880d65a4cddb383286e17d2
https://git.kernel.org/stable/c/e05b8084a20f6bd5827d338c928e5e0fcbafa496
https://git.kernel.org/stable/c/4dadc4077e3f77d6d31e199a925fc7a705e7adeb
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: macvlan: fix possible UAF in macvlan_forward_source() Add RCU protection on (struct macvlan_source_entry)->vlan. Whenever macvlan_hash_del_source() is called, we must clear entry->vlan pointer before RCU grace period starts. This allows macvlan_forward_source() to skip over entries queued for freeing. Note that macvlan_dev are already RCU protected, as they are embedded in a standard netdev (netdev_priv(ndev)). https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u 2026-01-25 not yet calculated CVE-2026-23001 https://git.kernel.org/stable/c/8518712a2ca952d6da2238c6f0a16b4ae5ea3f13
https://git.kernel.org/stable/c/6dbead9c7677186f22b7981dd085a0feec1f038e
https://git.kernel.org/stable/c/7470a7a63dc162f07c26dbf960e41ee1e248d80e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: lib/buildid: use __kernel_read() for sleepable context Prevent a "BUG: unable to handle kernel NULL pointer dereference in filemap_read_folio". For the sleepable context, convert freader to use __kernel_read() instead of direct page cache access via read_cache_folio(). This simplifies the faultable code path by using the standard kernel file reading interface which handles all the complexity of reading file data. At the moment we are not changing the code for non-sleepable context which uses filemap_get_folio() and only succeeds if the target folios are already in memory and up-to-date. The reason is to keep the patch simple and easier to backport to stable kernels. Syzbot repro does not crash the kernel anymore and the selftests run successfully. In the follow up we will make __kernel_read() with IOCB_NOWAIT work for non-sleepable contexts. In addition, I would like to replace the secretmem check with a more generic approach and will add fstest for the buildid code. 2026-01-25 not yet calculated CVE-2026-23002 https://git.kernel.org/stable/c/b11dfb7708f212b96c7973a474014c071aa02e05
https://git.kernel.org/stable/c/568aeb3476c770a3863c755dd2a199c212434286
https://git.kernel.org/stable/c/777a8560fd29738350c5094d4166fe5499452409
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() Blamed commit did not take care of VLAN encapsulations as spotted by syzbot [1]. Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull(). [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729 __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860 ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903 gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1 ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438 ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500 ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:474 [inline] ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:318 [inline] ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311 __netif_receive_skb_one_core net/core/dev.c:6139 [inline] __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252 netif_receive_skb_internal net/core/dev.c:6338 [inline] netif_receive_skb+0x57/0x630 net/core/dev.c:6397 tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485 tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xbe2/0x15d0 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline] __se_sys_write fs/read_write.c:746 [inline] __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746 x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4960 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315 kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586 __alloc_skb+0x805/0x1040 net/core/skbuff.c:690 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712 sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995 tun_alloc_skb drivers/net/tun.c:1461 [inline] tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xbe2/0x15d0 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline] __se_sys_write fs/read_write.c:746 [inline] __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746 x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 2026-01-25 not yet calculated CVE-2026-23003 https://git.kernel.org/stable/c/df5ffde9669314500809bc498ae73d6d3d9519ac
https://git.kernel.org/stable/c/b9f915340f25cae1562f18e1eb52deafca328414
https://git.kernel.org/stable/c/81c734dae203757fb3c9eee6f9896386940776bd
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() syzbot was able to crash the kernel in rt6_uncached_list_flush_dev() in an interesting way [1] Crash happens in list_del_init()/INIT_LIST_HEAD() while writing list->prev, while the prior write on list->next went well. static inline void INIT_LIST_HEAD(struct list_head *list) { WRITE_ONCE(list->next, list); // This went well WRITE_ONCE(list->prev, list); // Crash, @list has been freed. } Issue here is that rt6_uncached_list_del() did not attempt to lock ul->lock, as list_empty(&rt->dst.rt_uncached) returned true because the WRITE_ONCE(list->next, list) happened on the other CPU. We might use list_del_init_careful() and list_empty_careful(), or make sure rt6_uncached_list_del() always grabs the spinlock whenever rt->dst.rt_uncached_list has been set. A similar fix is neeed for IPv4. [1] BUG: KASAN: slab-use-after-free in INIT_LIST_HEAD include/linux/list.h:46 [inline] BUG: KASAN: slab-use-after-free in list_del_init include/linux/list.h:296 [inline] BUG: KASAN: slab-use-after-free in rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline] BUG: KASAN: slab-use-after-free in rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020 Write of size 8 at addr ffff8880294cfa78 by task kworker/u8:14/3450 CPU: 0 UID: 0 PID: 3450 Comm: kworker/u8:14 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)} Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: netns cleanup_net Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 INIT_LIST_HEAD include/linux/list.h:46 [inline] list_del_init include/linux/list.h:296 [inline] rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline] rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020 addrconf_ifdown+0x143/0x18a0 net/ipv6/addrconf.c:3853 addrconf_notify+0x1bc/0x1050 net/ipv6/addrconf.c:-1 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2268 [inline] call_netdevice_notifiers net/core/dev.c:2282 [inline] netif_close_many+0x29c/0x410 net/core/dev.c:1785 unregister_netdevice_many_notify+0xb50/0x2330 net/core/dev.c:12353 ops_exit_rtnl_list net/core/net_namespace.c:187 [inline] ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:248 cleanup_net+0x4de/0x7b0 net/core/net_namespace.c:696 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 </TASK> Allocated by task 803: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 unpoison_slab_object mm/kasan/common.c:340 [inline] __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4953 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270 dst_alloc+0x105/0x170 net/core/dst.c:89 ip6_dst_alloc net/ipv6/route.c:342 [inline] icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333 mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr ---truncated--- 2026-01-25 not yet calculated CVE-2026-23004 https://git.kernel.org/stable/c/722de945216144af7cd4d39bdeb936108d2595a7
https://git.kernel.org/stable/c/9a6f0c4d5796ab89b5a28a890ce542344d58bd69
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1 When loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in response to a guest WRMSR, clear XFD-disabled features in the saved (or to be restored) XSTATE_BV to ensure KVM doesn't attempt to load state for features that are disabled via the guest's XFD. Because the kernel executes XRSTOR with the guest's XFD, saving XSTATE_BV[i]=1 with XFD[i]=1 will cause XRSTOR to #NM and panic the kernel. E.g. if fpu_update_guest_xfd() sets XFD without clearing XSTATE_BV: ------------[ cut here ]------------ WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#29: amx_test/848 Modules linked in: kvm_intel kvm irqbypass CPU: 29 UID: 1000 PID: 848 Comm: amx_test Not tainted 6.19.0-rc2-ffa07f7fd437-x86_amx_nm_xfd_non_init-vm #171 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:exc_device_not_available+0x101/0x110 Call Trace: <TASK> asm_exc_device_not_available+0x1a/0x20 RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90 switch_fpu_return+0x4a/0xb0 kvm_arch_vcpu_ioctl_run+0x1245/0x1e40 [kvm] kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm] __x64_sys_ioctl+0x8f/0xd0 do_syscall_64+0x62/0x940 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> ---[ end trace 0000000000000000 ]--- This can happen if the guest executes WRMSR(MSR_IA32_XFD) to set XFD[18] = 1, and a host IRQ triggers kernel_fpu_begin() prior to the vmexit handler's call to fpu_update_guest_xfd(). and if userspace stuffs XSTATE_BV[i]=1 via KVM_SET_XSAVE: ------------[ cut here ]------------ WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#14: amx_test/867 Modules linked in: kvm_intel kvm irqbypass CPU: 14 UID: 1000 PID: 867 Comm: amx_test Not tainted 6.19.0-rc2-2dace9faccd6-x86_amx_nm_xfd_non_init-vm #168 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:exc_device_not_available+0x101/0x110 Call Trace: <TASK> asm_exc_device_not_available+0x1a/0x20 RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90 fpu_swap_kvm_fpstate+0x6b/0x120 kvm_load_guest_fpu+0x30/0x80 [kvm] kvm_arch_vcpu_ioctl_run+0x85/0x1e40 [kvm] kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm] __x64_sys_ioctl+0x8f/0xd0 do_syscall_64+0x62/0x940 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> ---[ end trace 0000000000000000 ]--- The new behavior is consistent with the AMX architecture. Per Intel's SDM, XSAVE saves XSTATE_BV as '0' for components that are disabled via XFD (and non-compacted XSAVE saves the initial configuration of the state component): If XSAVE, XSAVEC, XSAVEOPT, or XSAVES is saving the state component i, the instruction does not generate #NM when XCR0[i] = IA32_XFD[i] = 1; instead, it operates as if XINUSE[i] = 0 (and the state component was in its initial state): it saves bit i of XSTATE_BV field of the XSAVE header as 0; in addition, XSAVE saves the initial configuration of the state component (the other instructions do not save state component i). Alternatively, KVM could always do XRSTOR with XFD=0, e.g. by using a constant XFD based on the set of enabled features when XSAVEing for a struct fpu_guest. However, having XSTATE_BV[i]=1 for XFD-disabled features can only happen in the above interrupt case, or in similar scenarios involving preemption on preemptible kernels, because fpu_swap_kvm_fpstate()'s call to save_fpregs_to_fpstate() saves the outgoing FPU state with the current XFD; and that is (on all but the first WRMSR to XFD) the guest XFD. Therefore, XFD can only go out of sync with XSTATE_BV in the above interrupt case, or in similar scenarios involving preemption on preemptible kernels, and it we can consider it (de facto) part of KVM ABI that KVM_GET_XSAVE returns XSTATE_BV[i]=0 for XFD-disabled features. [Move clea ---truncated--- 2026-01-25 not yet calculated CVE-2026-23005 https://git.kernel.org/stable/c/f577508cc8a0adb8b4ebe9480bba7683b6149930
https://git.kernel.org/stable/c/eea6f395ca502c4528314c8112da9b5d65f685eb
https://git.kernel.org/stable/c/b45f721775947a84996deb5c661602254ce25ce6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ASoC: tlv320adcx140: fix null pointer The "snd_soc_component" in "adcx140_priv" was only used once but never set. It was only used for reaching "dev" which is already present in "adcx140_priv". 2026-01-25 not yet calculated CVE-2026-23006 https://git.kernel.org/stable/c/61757f5191daab863d25f03680e912b5449a1eed
https://git.kernel.org/stable/c/53bd838ed5950cb18927e4b2e8ee841b7cb10929
https://git.kernel.org/stable/c/be7664c81d3129fc313ef62ff275fd3d33cfecd4
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: block: zero non-PI portion of auto integrity buffer The auto-generated integrity buffer for writes needs to be fully initialized before being passed to the underlying block device, otherwise the uninitialized memory can be read back by userspace or anyone with physical access to the storage device. If protection information is generated, that portion of the integrity buffer is already initialized. The integrity data is also zeroed if PI generation is disabled via sysfs or the PI tuple size is 0. However, this misses the case where PI is generated and the PI tuple size is nonzero, but the metadata size is larger than the PI tuple. In this case, the remainder ("opaque") of the metadata is left uninitialized. Generalize the BLK_INTEGRITY_CSUM_NONE check to cover any case when the metadata is larger than just the PI tuple. 2026-01-25 not yet calculated CVE-2026-23007 https://git.kernel.org/stable/c/d6072557b90e0c557df319a56f4a9dc482706d2c
https://git.kernel.org/stable/c/ca22c566b89164f6e670af56ecc45f47ef3df819
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix KMS with 3D on HW version 10 HW version 10 does not have GB Surfaces so there is no backing buffer for surface backed FBs. This would result in a nullptr dereference and crash the driver causing a black screen. 2026-01-25 not yet calculated CVE-2026-23008 https://git.kernel.org/stable/c/a91bdd21d5efb3072beefbec13762b7722200c49
https://git.kernel.org/stable/c/d9186faeae6efb7d0841a5e8eb213ff4c7966614
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: xhci: sideband: don't dereference freed ring when removing sideband endpoint xhci_sideband_remove_endpoint() incorrecly assumes that the endpoint is running and has a valid transfer ring. Lianqin reported a crash during suspend/wake-up stress testing, and found the cause to be dereferencing a non-existing transfer ring 'ep->ring' during xhci_sideband_remove_endpoint(). The endpoint and its ring may be in unknown state if this function is called after xHCI was reinitialized in resume (lost power), or if device is being re-enumerated, disconnected or endpoint already dropped. Fix this by both removing unnecessary ring access, and by checking ep->ring exists before dereferencing it. Also make sure endpoint is running before attempting to stop it. Remove the xhci_initialize_ring_info() call during sideband endpoint removal as is it only initializes ring structure enqueue, dequeue and cycle state values to their starting values without changing actual hardware enqueue, dequeue and cycle state. Leaving them out of sync is worse than leaving it as it is. The endpoint will get freed in after this in most usecases. If the (audio) class driver want's to reuse the endpoint after offload then it is up to the class driver to ensure endpoint is properly set up. 2026-01-25 not yet calculated CVE-2026-23009 https://git.kernel.org/stable/c/34f6634dba87ef72b3c3a3a524be663adef7ab42
https://git.kernel.org/stable/c/dd83dc1249737b837ac5d57c81f2b0977c613d9f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix use-after-free in inet6_addr_del(). syzbot reported use-after-free of inet6_ifaddr in inet6_addr_del(). [0] The cited commit accidentally moved ipv6_del_addr() for mngtmpaddr before reading its ifp->flags for temporary addresses in inet6_addr_del(). Let's move ipv6_del_addr() down to fix the UAF. [0]: BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117 Read of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593 CPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcd/0x630 mm/kasan/report.c:482 kasan_report+0xe0/0x110 mm/kasan/report.c:595 inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117 addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181 inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582 sock_do_ioctl+0x118/0x280 net/socket.c:1254 sock_ioctl+0x227/0x6b0 net/socket.c:1375 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f164cf8f749 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749 RDX: 0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003 RBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288 </TASK> Allocated by task 9593: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:397 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414 kmalloc_noprof include/linux/slab.h:957 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120 inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050 addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160 inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580 sock_do_ioctl+0x118/0x280 net/socket.c:1254 sock_ioctl+0x227/0x6b0 net/socket.c:1375 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6099: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2540 [inline] slab_free_freelist_hook mm/slub.c:2569 [inline] slab_free_bulk mm/slub.c:6696 [inline] kmem_cache_free_bulk mm/slub.c:7383 [inline] kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362 kfree_bulk include/linux/slab.h:830 [inline] kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523 kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline] kfree_rcu_monitor+0x1d0/0x2f0 mm/slab_common.c:1801 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 process_scheduled_works kernel/workqu ---truncated--- 2026-01-25 not yet calculated CVE-2026-23010 https://git.kernel.org/stable/c/2684610a9c9c53f262fd864fa5c407e79f304804
https://git.kernel.org/stable/c/8b6dcb565e419846bd521e31d5e1f98e4d0e1179
https://git.kernel.org/stable/c/ddf96c393a33aef4887e2e406c76c2f8cda1419c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ipv4: ip_gre: make ipgre_header() robust Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust") Over the years, syzbot found many ways to crash the kernel in ipgre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ipgre device. [1] skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0 kernel BUG at net/core/skbuff.c:213 ! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: mld mld_ifc_work RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213 Call Trace: <TASK> skb_under_panic net/core/skbuff.c:223 [inline] skb_push+0xc3/0xe0 net/core/skbuff.c:2641 ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897 dev_hard_header include/linux/netdevice.h:3436 [inline] neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 2026-01-25 not yet calculated CVE-2026-23011 https://git.kernel.org/stable/c/aa57bfea4674e6da8104fa3a37760a6f5f255dad
https://git.kernel.org/stable/c/554201ed0a8f4d32e719f42caeaeb2735a9ed6ca
https://git.kernel.org/stable/c/e67c577d89894811ce4dcd1a9ed29d8b63476667
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: remove call_control in inactive contexts If damon_call() is executed against a DAMON context that is not running, the function returns error while keeping the damon_call_control object linked to the context's call_controls list. Let's suppose the object is deallocated after the damon_call(), and yet another damon_call() is executed against the same context. The function tries to add the new damon_call_control object to the call_controls list, which still has the pointer to the previous damon_call_control object, which is deallocated. As a result, use-after-free happens. This can actually be triggered using the DAMON sysfs interface. It is not easily exploitable since it requires the sysfs write permission and making a definitely weird file writes, though. Please refer to the report for more details about the issue reproduction steps. Fix the issue by making two changes. Firstly, move the final kdamond_call() for cancelling all existing damon_call() requests from terminating DAMON context to be done before the ctx->kdamond reset. This makes any code that sees NULL ctx->kdamond can safely assume the context may not access damon_call() requests anymore. Secondly, let damon_call() to cleanup the damon_call_control objects that were added to the already-terminated DAMON context, before returning the error. 2026-01-25 not yet calculated CVE-2026-23012 https://git.kernel.org/stable/c/23b061f421eef03647b512f3df48861706c87db3
https://git.kernel.org/stable/c/f9132fbc2e83baf2c45a77043672a63a675c9394
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to ioq_vector. If request_irq() fails part-way, the rollback loop calls free_irq() with dev_id set to 'oct', which does not match the original dev_id and may leave the irqaction registered. This can keep IRQ handlers alive while ioq_vector is later freed during unwind/teardown, leading to a use-after-free or crash when an interrupt fires. Fix the error path to free IRQs with the same ioq_vector dev_id used during request_irq(). 2026-01-25 not yet calculated CVE-2026-23013 https://git.kernel.org/stable/c/aa05a8371ae4a452df623f7202c72409d3c50e40
https://git.kernel.org/stable/c/aa4c066229b05fc3d3c5f42693d25b1828533b6e
https://git.kernel.org/stable/c/f93fc5d12d69012788f82151bee55fce937e1432
 
linux4me2--Menu In Post Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in linux4me2 Menu In Post menu-in-post allows DOM-Based XSS. This issue affects Menu In Post: from n/a through <= 1.4.1. 2026-01-22 not yet calculated CVE-2026-22349 https://patchstack.com/database/Wordpress/Plugin/menu-in-post/vulnerability/wordpress-menu-in-post-plugin-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
livemesh--Livemesh Addons for WPBakery Page Builder Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in livemesh Livemesh Addons for WPBakery Page Builder addons-for-visual-composer allows Stored XSS. This issue affects Livemesh Addons for WPBakery Page Builder: from n/a through <= 3.9.4. 2026-01-23 not yet calculated CVE-2026-24594 https://patchstack.com/database/Wordpress/Plugin/addons-for-visual-composer/vulnerability/wordpress-livemesh-addons-for-wpbakery-page-builder-plugin-3-9-4-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Lodash--Lodash Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23 2026-01-21 not yet calculated CVE-2025-13465 https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
 
LogicHunt--Logo Slider Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LogicHunt Logo Slider logo-slider-wp allows Stored XSS. This issue affects Logo Slider: from n/a through <= 4.9.0. 2026-01-23 not yet calculated CVE-2026-24626 https://patchstack.com/database/Wordpress/Plugin/logo-slider-wp/vulnerability/wordpress-logo-slider-plugin-4-9-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Ludwig You--WPMasterToolKit Missing Authorization vulnerability in Ludwig You WPMasterToolKit wpmastertoolkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPMasterToolKit: from n/a through <= 2.14.0. 2026-01-22 not yet calculated CVE-2026-24388 https://patchstack.com/database/Wordpress/Plugin/wpmastertoolkit/vulnerability/wordpress-wpmastertoolkit-plugin-2-14-0-broken-access-control-vulnerability?_s_id=cve
 
M-Files Corporation--M-Files Server Denial-of-service vulnerability in M-Files Server versions before 26.1.15632.3 allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint. 2026-01-21 not yet calculated CVE-2026-0663 https://product.m-files.com/security-advisories/cve-2026-0663/
 
mackron--dr_flac dr_flac, an audio decoder within the dr_libs toolset, contains an integer overflow vulnerability flaw due to trusting the totalPCMFrameCount field from FLAC metadata before calculating buffer size, allowing an attacker with a specially crafted file to perform DoS against programs using the tool. 2026-01-20 not yet calculated CVE-2025-14369 https://github.com/mackron/dr_libs/commit/b2197b2eb7bb609df76315bebf44db4ec2a1aed0
 
magentech--MaxShop Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech MaxShop sw_maxshop allows PHP Local File Inclusion. This issue affects MaxShop: from n/a through <= 3.6.20. 2026-01-22 not yet calculated CVE-2025-69047 https://patchstack.com/database/Wordpress/Theme/sw_maxshop/vulnerability/wordpress-maxshop-theme-3-6-20-local-file-inclusion-vulnerability?_s_id=cve
 
Mahmudul Hasan Arif--FluentBoards Missing Authorization vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FluentBoards: from n/a through <= 1.91.1. 2026-01-23 not yet calculated CVE-2026-24561 https://patchstack.com/database/Wordpress/Plugin/fluent-boards/vulnerability/wordpress-fluentboards-plugin-1-91-1-broken-access-control-vulnerability?_s_id=cve
 
MailerLite--MailerLite WooCommerce integration Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MailerLite MailerLite - WooCommerce integration woo-mailerlite allows SQL Injection. This issue affects MailerLite - WooCommerce integration: from n/a through <= 3.1.2. 2026-01-22 not yet calculated CVE-2025-67945 https://patchstack.com/database/Wordpress/Plugin/woo-mailerlite/vulnerability/wordpress-mailerlite-woocommerce-integration-plugin-3-1-2-sql-injection-vulnerability?_s_id=cve
 
ManageIQ--manageiq ManageIQ is an open-source management platform. A flaw was found in the ManageIQ API prior to version radjabov-2 where a malformed TimeProfile could be created causing later UI and API requests to timeout leading to a Denial of Service. Version radjabov-2 contains a patch. One may also apply the patch manually. 2026-01-21 not yet calculated CVE-2026-22598 https://github.com/ManageIQ/manageiq/security/advisories/GHSA-m832-x3g8-63j3
https://github.com/ManageIQ/manageiq/commit/79cef10c7d0278d8a37c3f547c426948180df4df.patch
https://github.com/ManageIQ/manageiq/commit/86132851257d73ed9e31a88315e47a8a2b838113
 
Marco Milesi--ANAC XML Viewer Server-Side Request Forgery (SSRF) vulnerability in Marco Milesi ANAC XML Viewer anac-xml-viewer allows Server Side Request Forgery. This issue affects ANAC XML Viewer: from n/a through <= 1.8.2. 2026-01-22 not yet calculated CVE-2025-64252 https://patchstack.com/database/Wordpress/Plugin/anac-xml-viewer/vulnerability/wordpress-anac-xml-viewer-plugin-1-8-2-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
 
Marco van Wieren--WPO365 Server-Side Request Forgery (SSRF) vulnerability in Marco van Wieren WPO365 wpo365-login allows Server Side Request Forgery. This issue affects WPO365: from n/a through <= 40.0. 2026-01-22 not yet calculated CVE-2025-67961 https://patchstack.com/database/Wordpress/Plugin/wpo365-login/vulnerability/wordpress-wpo365-plugin-40-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
 
Marcus (aka @msykes)--WP FullCalendar Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Retrieve Embedded Sensitive Data. This issue affects WP FullCalendar: from n/a through <= 1.6. 2026-01-23 not yet calculated CVE-2026-24523 https://patchstack.com/database/Wordpress/Plugin/wp-fullcalendar/vulnerability/wordpress-wp-fullcalendar-plugin-1-6-sensitive-data-exposure-vulnerability?_s_id=cve
 
Mario Peshev--WP-CRM System Missing Authorization vulnerability in Mario Peshev WP-CRM System wp-crm-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP-CRM System: from n/a through <= 3.4.5. 2026-01-22 not yet calculated CVE-2025-62106 https://patchstack.com/database/Wordpress/Plugin/wp-crm-system/vulnerability/wordpress-wp-crm-system-plugin-3-4-5-broken-access-control-vulnerability-2?_s_id=cve
 
marynixie--Related Posts Thumbnails Plugin for WordPress Cross-Site Request Forgery (CSRF) vulnerability in marynixie Related Posts Thumbnails Plugin for WordPress related-posts-thumbnails allows Cross Site Request Forgery. This issue affects Related Posts Thumbnails Plugin for WordPress: from n/a through <= 4.3.1. 2026-01-23 not yet calculated CVE-2026-24596 https://patchstack.com/database/Wordpress/Plugin/related-posts-thumbnails/vulnerability/wordpress-related-posts-thumbnails-plugin-for-wordpress-plugin-4-3-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
matiskiba--Ravpage Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in matiskiba Ravpage ravpage allows Reflected XSS. This issue affects Ravpage: from n/a through <= 2.33. 2026-01-22 not yet calculated CVE-2025-68835 https://patchstack.com/database/Wordpress/Plugin/ravpage/vulnerability/wordpress-ravpage-plugin-2-33-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
MCP Manager for Claude Desktop--MCP Manager for Claude Desktop MCP Manager for Claude Desktop execute-command Command Injection Sandbox Escape Vulnerability. This vulnerability allows remote attackers to bypass the sandbox on affected installations of MCP Manager for Claude Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of MCP config objects. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escape the sandbox and execute arbitrary code in the context of the current process at medium integrity. Was ZDI-CAN-27810. 2026-01-23 not yet calculated CVE-2026-0757 ZDI-26-023
 
mcp-server-siri-shortcuts--mcp-server-siri-shortcuts mcp-server-siri-shortcuts shortcutName Command Injection Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of mcp-server-siri-shortcuts. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the shortcutName parameter. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-27910. 2026-01-23 not yet calculated CVE-2026-0758 ZDI-26-024
 
merkulove--Audier For Elementor Missing Authorization vulnerability in merkulove Audier For Elementor audier-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Audier For Elementor: from n/a through <= 1.0.9. 2026-01-22 not yet calculated CVE-2025-66139 https://patchstack.com/database/Wordpress/Plugin/audier-elementor/vulnerability/wordpress-audier-for-elementor-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve
 
merkulove--Carter for Elementor Missing Authorization vulnerability in merkulove Carter for Elementor carter-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Carter for Elementor: from n/a through <= 1.0.2. 2026-01-22 not yet calculated CVE-2025-66136 https://patchstack.com/database/Wordpress/Plugin/carter-elementor/vulnerability/wordpress-carter-for-elementor-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve
 
merkulove--Comparimager for Elementor Missing Authorization vulnerability in merkulove Comparimager for Elementor comparimager-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Comparimager for Elementor: from n/a through <= 1.0.1. 2026-01-22 not yet calculated CVE-2025-66142 https://patchstack.com/database/Wordpress/Plugin/comparimager-elementor/vulnerability/wordpress-comparimager-for-elementor-plugin-1-0-1-broken-access-control-vulnerability?_s_id=cve
 
merkulove--Crumber Missing Authorization vulnerability in merkulove Crumber crumber-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Crumber: from n/a through <= 1.0.10. 2026-01-22 not yet calculated CVE-2025-66143 https://patchstack.com/database/Wordpress/Plugin/crumber-elementor/vulnerability/wordpress-crumber-plugin-1-0-10-broken-access-control-vulnerability?_s_id=cve
 
merkulove--Imager for Elementor Missing Authorization vulnerability in merkulove Imager for Elementor imager-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Imager for Elementor: from n/a through <= 2.0.4. 2026-01-22 not yet calculated CVE-2025-66135 https://patchstack.com/database/Wordpress/Plugin/imager-elementor/vulnerability/wordpress-imager-for-elementor-plugin-2-0-4-broken-access-control-vulnerability?_s_id=cve
 
merkulove--Motionger for Elementor Missing Authorization vulnerability in merkulove Motionger for Elementor motionger-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Motionger for Elementor: from n/a through <= 2.0.4. 2026-01-22 not yet calculated CVE-2025-66138 https://patchstack.com/database/Wordpress/Plugin/motionger-elementor/vulnerability/wordpress-motionger-for-elementor-plugin-2-0-4-broken-access-control-vulnerability?_s_id=cve
 
merkulove--Scroller Missing Authorization vulnerability in merkulove Scroller scroller allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Scroller: from n/a through <= 2.0.2. 2026-01-22 not yet calculated CVE-2025-66141 https://patchstack.com/database/Wordpress/Plugin/scroller/vulnerability/wordpress-scroller-plugin-2-0-2-broken-access-control-vulnerability?_s_id=cve
 
merkulove--Searcher for Elementor Missing Authorization vulnerability in merkulove Searcher for Elementor searcher-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Searcher for Elementor: from n/a through <= 1.0.3. 2026-01-22 not yet calculated CVE-2025-66137 https://patchstack.com/database/Wordpress/Plugin/searcher-elementor/vulnerability/wordpress-searcher-for-elementor-plugin-1-0-3-broken-access-control-vulnerability?_s_id=cve
 
merkulove--Uper for Elementor Missing Authorization vulnerability in merkulove Uper for Elementor uper-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Uper for Elementor: from n/a through <= 1.0.5. 2026-01-22 not yet calculated CVE-2025-66140 https://patchstack.com/database/Wordpress/Plugin/uper-elementor/vulnerability/wordpress-uper-for-elementor-plugin-1-0-5-broken-access-control-vulnerability?_s_id=cve
 
Merv Barrett--Easy Property Listings Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Property Listings: from n/a through <= 3.5.17. 2026-01-22 not yet calculated CVE-2025-68072 https://patchstack.com/database/Wordpress/Plugin/easy-property-listings/vulnerability/wordpress-easy-property-listings-plugin-3-5-16-broken-access-control-vulnerability?_s_id=cve
 
Metagauss--EventPrime Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through <= 4.2.8.0. 2026-01-22 not yet calculated CVE-2026-24380 https://patchstack.com/database/Wordpress/Plugin/eventprime-event-calendar-management/vulnerability/wordpress-eventprime-plugin-4-2-8-0-broken-access-control-vulnerability?_s_id=cve
 
Metagauss--RegistrationMagic Cross-Site Request Forgery (CSRF) vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Cross Site Request Forgery. This issue affects RegistrationMagic: from n/a through <= 6.0.6.9. 2026-01-22 not yet calculated CVE-2026-24374 https://patchstack.com/database/Wordpress/Plugin/custom-registration-form-builder-with-submission-manager/vulnerability/wordpress-registrationmagic-plugin-6-0-6-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Micro.company--Form to Chat App Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Micro.company Form to Chat App form-to-chat allows Stored XSS. This issue affects Form to Chat App: from n/a through <= 1.2.5. 2026-01-22 not yet calculated CVE-2026-22463 https://patchstack.com/database/Wordpress/Plugin/form-to-chat/vulnerability/wordpress-form-to-chat-app-plugin-1-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Mikado-Themes--Biagiotti Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Biagiotti biagiotti allows PHP Local File Inclusion. This issue affects Biagiotti: from n/a through < 3.5.2. 2026-01-22 not yet calculated CVE-2025-67938 https://patchstack.com/database/Wordpress/Theme/biagiotti/vulnerability/wordpress-biagiotti-theme-3-5-2-local-file-inclusion-vulnerability?_s_id=cve
 
Mikado-Themes--Cocco Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Cocco cocco allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cocco: from n/a through <= 1.5.1. 2026-01-22 not yet calculated CVE-2026-22391 https://patchstack.com/database/Wordpress/Theme/cocco/vulnerability/wordpress-cocco-theme-1-5-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Mikado-Themes--Curly Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Curly curly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Curly: from n/a through <= 3.3. 2026-01-22 not yet calculated CVE-2026-22393 https://patchstack.com/database/Wordpress/Theme/curly/vulnerability/wordpress-curly-theme-3-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Mikado-Themes--Depot Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Depot depot allows PHP Local File Inclusion. This issue affects Depot: from n/a through <= 1.16. 2026-01-22 not yet calculated CVE-2025-54003 https://patchstack.com/database/Wordpress/Theme/depot/vulnerability/wordpress-depot-theme-1-16-local-file-inclusion-vulnerability?_s_id=cve
 
Mikado-Themes--Dolcino Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Dolcino dolcino allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Dolcino: from n/a through <= 1.6. 2026-01-22 not yet calculated CVE-2026-22411 https://patchstack.com/database/Wordpress/Theme/dolcino/vulnerability/wordpress-dolcino-theme-1-6-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Mikado-Themes--Fiorello Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Fiorello fiorello allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fiorello: from n/a through <= 1.0. 2026-01-22 not yet calculated CVE-2026-22396 https://patchstack.com/database/Wordpress/Theme/fiorello/vulnerability/wordpress-fiorello-theme-1-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Mikado-Themes--Fleur Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Fleur fleur allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fleur: from n/a through <= 2.0. 2026-01-22 not yet calculated CVE-2026-22398 https://patchstack.com/database/Wordpress/Theme/fleur/vulnerability/wordpress-fleur-theme-2-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Mikado-Themes--Holmes Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Holmes holmes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Holmes: from n/a through <= 1.7. 2026-01-22 not yet calculated CVE-2026-22400 https://patchstack.com/database/Wordpress/Theme/holmes/vulnerability/wordpress-holmes-theme-1-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Mikado-Themes--Innovio Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Innovio innovio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Innovio: from n/a through <= 1.7. 2026-01-22 not yet calculated CVE-2026-22404 https://patchstack.com/database/Wordpress/Theme/innovio/vulnerability/wordpress-innovio-theme-1-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Mikado-Themes--Justicia Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Justicia justicia allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Justicia: from n/a through <= 1.2. 2026-01-22 not yet calculated CVE-2026-22409 https://patchstack.com/database/Wordpress/Theme/justicia/vulnerability/wordpress-justicia-theme-1-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Mikado-Themes--Overton Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Overton overton allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Overton: from n/a through <= 1.3. 2026-01-22 not yet calculated CVE-2026-22406 https://patchstack.com/database/Wordpress/Theme/overton/vulnerability/wordpress-overton-theme-1-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Mikado-Themes--PawFriends - Pet Shop and Veterinary WordPress Theme Cross-Site Request Forgery (CSRF) vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Cross Site Request Forgery. This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through <= 1.3. 2026-01-22 not yet calculated CVE-2026-22382 https://patchstack.com/database/Wordpress/Theme/pawfriends/vulnerability/wordpress-pawfriends-pet-shop-and-veterinary-wordpress-theme-theme-1-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Mikado-Themes--Powerlift Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Powerlift powerlift allows PHP Local File Inclusion. This issue affects Powerlift: from n/a through < 3.2.1. 2026-01-22 not yet calculated CVE-2025-67940 https://patchstack.com/database/Wordpress/Theme/powerlift/vulnerability/wordpress-powerlift-theme-3-2-1-local-file-inclusion-vulnerability?_s_id=cve
 
Mikado-Themes--Roam Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Roam roam allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Roam: from n/a through <= 2.1.1. 2026-01-22 not yet calculated CVE-2026-22407 https://patchstack.com/database/Wordpress/Theme/roam/vulnerability/wordpress-roam-theme-2-1-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Mikado-Themes--Rosebud Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Rosebud rosebud allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Rosebud: from n/a through <= 1.4. 2026-01-23 not yet calculated CVE-2026-24631 https://patchstack.com/database/Wordpress/Theme/rosebud/vulnerability/wordpress-rosebud-theme-1-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Mikado-Themes--Verdure Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Verdure verdure allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Verdure: from n/a through <= 1.6. 2026-01-22 not yet calculated CVE-2026-22430 https://patchstack.com/database/Wordpress/Theme/verdure/vulnerability/wordpress-verdure-theme-1-6-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Mikado-Themes--Wanderland Missing Authorization vulnerability in Mikado-Themes Wanderland wanderland allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wanderland: from n/a through <= 1.5. 2026-01-22 not yet calculated CVE-2026-22458 https://patchstack.com/database/Wordpress/Theme/wanderland/vulnerability/wordpress-wanderland-theme-1-5-broken-access-control-vulnerability?_s_id=cve
 
Milner--ImageDirector Capture The use of a hard-coded encryption key in calls to the Password function in C2SGlobalSettings.dll in Milner ImageDirector Capture on Windows allows a local attacker to decrypt database credentials by reading the cryptographic key from the executable. This issue affects ImageDirector Capture: from 7.0.9 before 7.6.3.25808. 2026-01-20 not yet calculated CVE-2025-58740 https://sra.io/advisories
 
Milner--ImageDirector Capture Insufficiently Protected Credentials vulnerability in the Credential Field of Milner ImageDirector Capture allows retrieval of credential material and enables database access. This issue affects ImageDirector Capture: from 7.0.9 through 7.6.3.25808. 2026-01-20 not yet calculated CVE-2025-58741 https://sra.io/advisories
 
Milner--ImageDirector Capture Insufficiently Protected Credentials, Improper Restriction of Communication Channel to Intended Endpoints vulnerability in the Connection Settings dialog in Milner ImageDirector Capture on Windows allows Adversary in the Middle (AiTM) by modifying the 'Server' field to redirect client authentication. This issue affects ImageDirector Capture: from 7.0.9 before 7.6.3.25808. 2026-01-20 not yet calculated CVE-2025-58742 https://sra.io/advisories
 
Milner--ImageDirector Capture Use of a Broken or Risky Cryptographic Algorithm (DES) vulnerability in the Password class in C2SConnections.dll in Milner ImageDirector Capture on Windows allows Encryption Brute Forcing to obtain database credentials. This issue affects ImageDirector Capture: from 7.0.9.0 before 7.6.3.25808. 2026-01-20 not yet calculated CVE-2025-58743 https://sra.io/advisories
 
Milner--ImageDirector Capture Use of Default Credentials, Hard-coded Credentials vulnerability in C2SGlobalSettings.dll in Milner ImageDirector Capture on Windows allows decryption of document archive files using credentials decrypted with hard-coded application encryption key. This issue affects ImageDirector Capture: from 7.0.9.0 before 7.6.3.25808. 2026-01-20 not yet calculated CVE-2025-58744 https://sra.io/advisories
 
miniserve--miniserve A TOCTOU and symlink race in svenstaro/miniserve 0.32.0 upload finalization (when uploads are enabled) can allow an attacker to overwrite arbitrary files outside the intended upload/document root in deployments where the attacker can create/replace filesystem entries in the upload destination directory (e.g., shared writable directory/volume). 2026-01-23 not yet calculated CVE-2025-67124 https://github.com/svenstaro/miniserve
https://gist.github.com/thesmartshadow/55688f87f8b985eb530e07d00ef8c63f
 
mkscripts--Download After Email Missing Authorization vulnerability in mkscripts Download After Email download-after-email allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download After Email: from n/a through <= 2.1.9. 2026-01-23 not yet calculated CVE-2026-24541 https://patchstack.com/database/Wordpress/Plugin/download-after-email/vulnerability/wordpress-download-after-email-plugin-2-1-9-broken-access-control-vulnerability?_s_id=cve
 
mndpsingh287--WP Mail Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail wp-mail allows Reflected XSS. This issue affects WP Mail: from n/a through <= 1.3. 2026-01-22 not yet calculated CVE-2025-68008 https://patchstack.com/database/Wordpress/Plugin/wp-mail/vulnerability/wordpress-wp-mail-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
monetagwp--Monetag Official Plugin Missing Authorization vulnerability in monetagwp Monetag Official Plugin monetag-official allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Monetag Official Plugin: from n/a through <= 1.1.3. 2026-01-23 not yet calculated CVE-2026-24551 https://patchstack.com/database/Wordpress/Plugin/monetag-official/vulnerability/wordpress-monetag-official-plugin-plugin-1-1-3-broken-access-control-vulnerability-2?_s_id=cve
 
mwtemplates--DeepDigital Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in mwtemplates DeepDigital deepdigital allows Code Injection. This issue affects DeepDigital: from n/a through <= 1.0.2. 2026-01-22 not yet calculated CVE-2026-22469 https://patchstack.com/database/Wordpress/Theme/deepdigital/vulnerability/wordpress-deepdigital-theme-1-0-2-arbitrary-shortcode-execution-vulnerability?_s_id=cve
 
MyThemeShop--WP Subscribe Missing Authorization vulnerability in MyThemeShop WP Subscribe wp-subscribe allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Subscribe: from n/a through <= 1.2.16. 2026-01-23 not yet calculated CVE-2026-24522 https://patchstack.com/database/Wordpress/Plugin/wp-subscribe/vulnerability/wordpress-wp-subscribe-plugin-1-2-16-broken-access-control-vulnerability?_s_id=cve
 
Nelio Software--Nelio AB Testing Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection. This issue affects Nelio AB Testing: from n/a through <= 8.1.8. 2026-01-22 not yet calculated CVE-2025-67944 https://patchstack.com/database/Wordpress/Plugin/nelio-ab-testing/vulnerability/wordpress-nelio-ab-testing-plugin-8-1-8-arbitrary-code-execution-vulnerability?_s_id=cve
 
Nelio Software--Nelio Content Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nelio Software Nelio Content nelio-content allows Blind SQL Injection. This issue affects Nelio Content: from n/a through <= 4.1.0. 2026-01-23 not yet calculated CVE-2026-24572 https://patchstack.com/database/Wordpress/Plugin/nelio-content/vulnerability/wordpress-nelio-content-plugin-4-1-0-sql-injection-vulnerability?_s_id=cve
 
neo4j--Enterprise Edition Neo4j Enterprise edition versions prior to 2025.11.2 and 5.26.17 are vulnerable to a potential information disclosure by an attacker who has some legitimate access to the database. The vulnerability allows attacker without read access to a property to infer information about its value by trying to enumerate all possible values through observing error messages of SET property. We recommend upgrading to 2025.11.2 or 5.26.17 and above, where the issues is fixed. 2026-01-22 not yet calculated CVE-2025-12738 https://neo4j.com/security/CVE-2025-12738
 
nerves-hub--nerves_hub_web NervesHub is a web service that allows users to manage over-the-air (OTA) firmware updates of devices in the field. A vulnerability present starting in version 1.0.0 and prior to version 2.3.0 allowed attackers to brute-force user API tokens due to the predictable format of previously issued tokens. Tokens included user-identifiable components and were not cryptographically secure, making them susceptible to guessing or enumeration. The vulnerability could have allowed unauthorized access to user accounts or API actions protected by these tokens. A fix is available in version 2.3.0 of NervesHub. This version introduces strong, cryptographically-random tokens using `:crypto.strong_rand_bytes/1`, hashing of tokens before database storage to prevent misuse even if the database is compromised, and context-aware token storage to distinguish between session and API tokens. There are no practical workarounds for this issue other than upgrading. In sensitive environments, as a temporary mitigation, firewalling access to the NervesHub server can help limit exposure until an upgrade is possible. 2026-01-22 not yet calculated CVE-2025-64097 https://github.com/nerves-hub/nerves_hub_web/security/advisories/GHSA-m9vj-776q-vc8m
https://github.com/nerves-hub/nerves_hub_web/pull/2024
https://github.com/nerves-hub/nerves_hub_web/releases/tag/v2.3.0
 
netgsm--Netgsm Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in netgsm Netgsm netgsm allows Reflected XSS. This issue affects Netgsm: from n/a through <= 2.9.63. 2026-01-22 not yet calculated CVE-2025-68010 https://patchstack.com/database/Wordpress/Plugin/netgsm/vulnerability/wordpress-netgsm-plugin-2-9-62-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
NewPlane--open5GS Open 5GS WebUI uses a hard-coded JWT signing key (change-me) whenever the environment variable JWT_SECRET_KEY is unset 2026-01-20 not yet calculated CVE-2026-0622 https://github.com/open5gs/open5gs/issues/2264
https://github.com/open5gs/open5gs/issues/856
https://github.com/open5gs/open5gs/pull/857
 
Ninetheme--Anarkali Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ninetheme Anarkali anarkali allows PHP Local File Inclusion. This issue affects Anarkali: from n/a through <= 1.0.9. 2026-01-22 not yet calculated CVE-2025-47474 https://patchstack.com/database/Wordpress/Theme/anarkali/vulnerability/wordpress-anarkali-theme-1-0-9-local-file-inclusion-vulnerability?_s_id=cve
 
Ninetheme--Electron Missing Authorization vulnerability in Ninetheme Electron electron allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Electron: from n/a through <= 1.8.2. 2026-01-22 not yet calculated CVE-2025-5805 https://patchstack.com/database/Wordpress/Theme/electron/vulnerability/wordpress-electron-theme-1-8-2-broken-access-control-vulnerability?_s_id=cve
 
Ninja Team--GDPR CCPA Compliance Support Missing Authorization vulnerability in Ninja Team GDPR CCPA Compliance Support ninja-gdpr-compliance allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GDPR CCPA Compliance Support: from n/a through <= 2.7.4. 2026-01-22 not yet calculated CVE-2025-68073 https://patchstack.com/database/Wordpress/Plugin/ninja-gdpr-compliance/vulnerability/wordpress-gdpr-ccpa-compliance-support-plugin-2-7-4-broken-access-control-vulnerability?_s_id=cve
 
NixOS--nixpkgs Tandoor Recipes is a recipe manager than can be installed with the Nix package manager. Starting in version 23.05 and prior to version 26.05, when using the default configuration of Tandoor Recipes, specifically using SQLite and default `MEDIA_ROOT`, the full database file may be externally accessible, potentially on the Internet. The root cause is that the NixOS module configures the working directory of Tandoor Recipes, as well as the value of `MEDIA_ROOT`, to be `/var/lib/tandoor-recipes`. This causes Tandoor Recipes to create its `db.sqlite3` database file in the same directory as `MEDIA_ROOT` causing it to be accessible without authentication through HTTP like any other media file. This is the case when using `GUNICORN_MEDIA=1` or when using a web server like nginx to serve media files. NixOS 26.05 changes the default value of `MEDIA_ROOT` to a sub folder of the data directory. This only applies to configurations with `system.stateVersion` >= 26.05. For older configurations, one of the workarounds should be applied instead. NixOS 25.11 has received a backport of this patch, though it doesn't fix this vulnerability without user intervention. A recommended workaround is to move `MEDIA_ROOT` into a subdirectory. Non-recommended workarounds include switching to PostgreSQL or disallowing access to `db.sqlite3`. 2026-01-19 not yet calculated CVE-2026-23838 https://github.com/NixOS/nixpkgs/security/advisories/GHSA-g8w3-p77x-mmxh
https://github.com/NixOS/nixpkgs/issues/338339
https://github.com/NixOS/nixpkgs/pull/427845
https://github.com/NixOS/nixpkgs/pull/481140
 
noCreativity--Dooodl Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in noCreativity Dooodl dooodl allows Reflected XSS. This issue affects Dooodl: from n/a through <= 2.3.0. 2026-01-22 not yet calculated CVE-2025-68871 https://patchstack.com/database/Wordpress/Plugin/dooodl/vulnerability/wordpress-dooodl-plugin-2-3-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
nodejs--node A flaw in Node.js's Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. 2026-01-20 not yet calculated CVE-2025-55130 https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
 
nodejs--node A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact. 2026-01-20 not yet calculated CVE-2025-55131 https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
 
nodejs--node A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. 2026-01-20 not yet calculated CVE-2025-55132 https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
 
nodejs--node A memory leak in Node.js's OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service. 2026-01-20 not yet calculated CVE-2025-59464 https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
 
nodejs--node A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ``` 2026-01-20 not yet calculated CVE-2025-59465 https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
 
nodejs--node We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions. 2026-01-20 not yet calculated CVE-2025-59466 https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
 
nodejs--node A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution. * The issue affects users of the Node.js permission model on version v25. In the moment of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase. 2026-01-20 not yet calculated CVE-2026-21636 https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
 
nodejs--node A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped. 2026-01-20 not yet calculated CVE-2026-21637 https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
 
npm--cli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25430. 2026-01-23 not yet calculated CVE-2026-0775 ZDI-26-043
 
NSquared--Simply Schedule Appointments Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simply Schedule Appointments: from n/a through <= 1.6.9.15. 2026-01-22 not yet calculated CVE-2025-69315 https://patchstack.com/database/Wordpress/Plugin/simply-schedule-appointments/vulnerability/wordpress-simply-schedule-appointments-plugin-1-6-9-15-broken-access-control-vulnerability?_s_id=cve
 
Ollama MCP Server--Ollama MCP Server Ollama MCP Server execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ollama MCP Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the execAsync method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27683. 2026-01-23 not yet calculated CVE-2025-15063 ZDI-26-020
 
ollama--ollama An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the GGUF decoder 2026-01-21 not yet calculated CVE-2025-66959 https://github.com/ollama/ollama/issues/9820
https://zero.shotlearni.ng/blog/cve-2025-66959panic-dos-via-unchecked-length-in-gguf-decoder-copy/
 
ollama-ollama An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the fs/ggml/gguf.go, function readGGUFV1String reads a string length from untrusted GGUF metadata 2026-01-21 not yet calculated CVE-2025-66960 https://github.com/ollama/ollama/issues/9820
https://zero.shotlearni.ng/blog/cve-2025-66960guf-v1-string-length-cause-panic-in-readggufv1string/
 
OmniApp--OmniApp An unauthenticated information disclosure vulnerability in Newgen OmniApp allows attackers to enumerate valid privileged usernames via a publicly accessible client-side JavaScript resource. 2026-01-23 not yet calculated CVE-2025-69908 https://newgensoft.com/
https://github.com/CBx216/CVE-Newgen-Software-Advisories/blob/main/CVE-2025-69908.md
 
OmniDocs--OmniDocs An unauthenticated information disclosure vulnerability exists in Newgen OmniDocs due to missing authentication and access control on the /omnidocs/GetListofCabinet API endpoint. A remote attacker can access this endpoint without valid credentials to retrieve sensitive internal configuration information, including cabinet names and database-related metadata. This allows unauthorized enumeration of backend deployment details and may facilitate further targeted attacks. 2026-01-23 not yet calculated CVE-2025-69907 https://newgensoft.com/
https://github.com/CBx216/CVE-Newgen-Software-Advisories/blob/main/CVE-2025-69907.md
 
omnipressteam--Omnipress Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in omnipressteam Omnipress omnipress allows PHP Local File Inclusion. This issue affects Omnipress: from n/a through <= 1.6.6. 2026-01-23 not yet calculated CVE-2026-24538 https://patchstack.com/database/Wordpress/Plugin/omnipress/vulnerability/wordpress-omnipress-plugin-1-6-6-local-file-inclusion-vulnerability?_s_id=cve
 
Onepay Sri Lanka--onepay Payment Gateway For WooCommerce Missing Authorization vulnerability in Onepay Sri Lanka onepay Payment Gateway For WooCommerce onepay-payment-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects onepay Payment Gateway For WooCommerce: from n/a through <= 1.1.2. 2026-01-22 not yet calculated CVE-2025-68016 https://patchstack.com/database/Wordpress/Plugin/onepay-payment-gateway-for-woocommerce/vulnerability/wordpress-onepay-payment-gateway-for-woocommerce-plugin-1-1-2-other-vulnerability-type-vulnerability?_s_id=cve
 
Open WebUI--Open WebUI Open WebUI PIP install_frontmatter_requirements Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability. The specific flaw exists within the install_frontmatter_requirements function.The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28258. 2026-01-23 not yet calculated CVE-2026-0765 ZDI-26-031
 
Open WebUI--Open WebUI Open WebUI load_tool_module_by_id Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability. The specific flaw exists within the load_tool_module_by_id function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28257. 2026-01-23 not yet calculated CVE-2026-0766 ZDI-26-032
 
Open WebUI--Open WebUI Open WebUI Cleartext Transmission of Credentials Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Open WebUI. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of credentials provided to the endpoint. The issue results from transmitting sensitive information in plaintext. An attacker can leverage this vulnerability to disclose transmitted credentials, leading to further compromise. Was ZDI-CAN-28259. 2026-01-23 not yet calculated CVE-2026-0767 ZDI-26-033
 
OpenSolution--Quick.Cart Quick.Cart is vulnerable to reflected XSS via the sSort parameter. An attacker can craft a malicious URL which, when opened, results in arbitrary JavaScript execution in the victim's browser. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. 2026-01-22 not yet calculated CVE-2025-67683 https://cert.pl/posts/2026/01/CVE-2025-67683
https://opensolution.org/sklep-internetowy-quick-cart.html
 
OpenSolution--Quick.Cart Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. This allows an attacker to include and execute uploaded PHP code, resulting in Remote Code Execution on the server. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. 2026-01-22 not yet calculated CVE-2025-67684 https://cert.pl/posts/2026/01/CVE-2025-67683
https://opensolution.org/sklep-internetowy-quick-cart.html
 
orjson--orjson The orjson.dumps function in orjson thru 3.11.4 does not limit recursion for deeply nested JSON documents. 2026-01-22 not yet calculated CVE-2025-67221 https://github.com/kpatsakis/orjson_vulnerability
https://github.com/ijl/orjson
 
orval-labs--orval Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions prior to 7.19.0 until 8.0.2 are vulnerable to arbitrary code execution in environments consuming generated clients. This issue is similar in nature to CVE-2026-22785, but affects a different code path in @orval/core that was not addressed by CVE-2026-22785's fix. The vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript code into generated clients via the x-enumDescriptions field, which is embedded without proper escaping in getEnumImplementation(). I have confirmed that the injection occurs during const enum generation and results in executable code within the generated schema files. Orval 7.19.0 and 8.0.2 contain a fix for the issue. 2026-01-20 not yet calculated CVE-2026-23947 https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv
https://github.com/orval-labs/orval/releases/tag/v8.0.2
 
orval-labs--orval Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties. These const values are interpolated into the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts) without proper escaping or type-safe serialization, which results in attacker-controlled code being emitted into both interface definitions and faker/MSW handlers. The vulnerability is similar in impact to the previously reported enum x-enumDescriptions (GHSA-h526-wf6g-67jv), but it affects a different code path in the faker-based mock generator rather than @orval/core. The issue has been fixed in versions 7.20.0 and 8.0.3. 2026-01-22 not yet calculated CVE-2026-24132 https://github.com/orval-labs/orval/security/advisories/GHSA-f456-rf33-4626
https://github.com/orval-labs/orval/pull/2828
https://github.com/orval-labs/orval/pull/2829
https://github.com/orval-labs/orval/pull/2830
https://github.com/orval-labs/orval/commit/44ca8c1f5f930a3e4cefb6b79b38bcde7f8532a5
https://github.com/orval-labs/orval/commit/6d8ece07ccb80693ad43edabccb3957aceadcd06
https://github.com/orval-labs/orval/commit/9b211cddc9f009f8a671e4ac5c6cb72cd8646b62
https://github.com/orval-labs/orval/releases/tag/v7.20.0
https://github.com/orval-labs/orval/releases/tag/v8.0.3
 
ovatheme--Athens Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Athens athens allows PHP Local File Inclusion. This issue affects Athens: from n/a through <= 1.1.6. 2026-01-22 not yet calculated CVE-2025-49994 https://patchstack.com/database/Wordpress/Theme/athens/vulnerability/wordpress-athens-theme-1-1-6-local-file-inclusion-vulnerability?_s_id=cve
 
ovatheme--Movie Booking Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ovatheme Movie Booking movie-booking allows Path Traversal. This issue affects Movie Booking: from n/a through <= 1.1.5. 2026-01-22 not yet calculated CVE-2025-67963 https://patchstack.com/database/Wordpress/Plugin/movie-booking/vulnerability/wordpress-movie-booking-plugin-1-1-5-arbitrary-file-deletion-vulnerability?_s_id=cve
 
owntone--owntone A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server. 2026-01-20 not yet calculated CVE-2025-63647 https://github.com/archersec/poc/tree/master/owntone-server
https://github.com/owntone/owntone-server/commit/53ee9a3c3921e5448f502800c4dfa787865f6cb7
https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md
 
Paolo--GeoDirectory Cross-Site Request Forgery (CSRF) vulnerability in Paolo GeoDirectory geodirectory allows Cross Site Request Forgery. This issue affects GeoDirectory: from n/a through <= 2.8.147. 2026-01-23 not yet calculated CVE-2026-24549 https://patchstack.com/database/Wordpress/Plugin/geodirectory/vulnerability/wordpress-geodirectory-plugin-2-8-147-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Passionate Brains--Add Expires Headers & Optimized Minify Missing Authorization vulnerability in Passionate Brains Add Expires Headers & Optimized Minify add-expires-headers allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Add Expires Headers & Optimized Minify: from n/a through <= 3.1.0. 2026-01-23 not yet calculated CVE-2026-24633 https://patchstack.com/database/Wordpress/Plugin/add-expires-headers/vulnerability/wordpress-add-expires-headers-optimized-minify-plugin-3-1-0-broken-access-control-vulnerability?_s_id=cve
 
pavothemes--Freshio Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in pavothemes Freshio freshio allows PHP Local File Inclusion. This issue affects Freshio: from n/a through <= 2.4.2. 2026-01-22 not yet calculated CVE-2026-22401 https://patchstack.com/database/Wordpress/Theme/freshio/vulnerability/wordpress-freshio-theme-2-4-2-local-file-inclusion-vulnerability?_s_id=cve
 
pavothemes--Triply Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in pavothemes Triply triply allows PHP Local File Inclusion. This issue affects Triply: from n/a through <= 2.4.7. 2026-01-22 not yet calculated CVE-2026-22402 https://patchstack.com/database/Wordpress/Theme/triply/vulnerability/wordpress-triply-theme-2-4-7-local-file-inclusion-vulnerability?_s_id=cve
 
peachpayments--Peach Payments Gateway Missing Authorization vulnerability in peachpayments Peach Payments Gateway wc-peach-payments-gateway allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Peach Payments Gateway: from n/a through <= 3.3.6. 2026-01-22 not yet calculated CVE-2025-67942 https://patchstack.com/database/Wordpress/Plugin/wc-peach-payments-gateway/vulnerability/wordpress-peach-payments-gateway-plugin-3-3-6-broken-access-control-vulnerability?_s_id=cve
 
PenciDesign--Penci Pay Writer Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Pay Writer penci-pay-writer allows Stored XSS. This issue affects Penci Pay Writer: from n/a through <= 1.5. 2026-01-23 not yet calculated CVE-2026-24601 https://patchstack.com/database/Wordpress/Plugin/penci-pay-writer/vulnerability/wordpress-penci-pay-writer-plugin-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve
 
PenciDesign--Penci Review Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Review penci-review allows Stored XSS. This issue affects Penci Review: from n/a through <= 3.5. 2026-01-23 not yet calculated CVE-2026-24600 https://patchstack.com/database/Wordpress/Plugin/penci-review/vulnerability/wordpress-penci-review-plugin-3-5-cross-site-scripting-xss-vulnerability?_s_id=cve
 
PenciDesign--Penci Shortcodes & Performance Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Shortcodes & Performance penci-shortcodes allows DOM-Based XSS. This issue affects Penci Shortcodes & Performance: from n/a through <= 6.1. 2026-01-22 not yet calculated CVE-2026-24354 https://patchstack.com/database/Wordpress/Plugin/penci-shortcodes/vulnerability/wordpress-penci-shortcodes-performance-plugin-6-1-cross-site-scripting-xss-vulnerability-2?_s_id=cve
 
pencilwp--X Addons for Elementor Missing Authorization vulnerability in pencilwp X Addons for Elementor x-addons-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects X Addons for Elementor: from n/a through <= 1.0.23. 2026-01-23 not yet calculated CVE-2026-24605 https://patchstack.com/database/Wordpress/Plugin/x-addons-elementor/vulnerability/wordpress-x-addons-for-elementor-plugin-1-0-23-broken-access-control-vulnerability?_s_id=cve
 
PHPgurukul--PHPgurukul PHPgurukul Online Course Registration v3.1 lacks Cross-Site Request Forgery (CSRF) protection on all administrative forms. An attacker can perform unauthorized actions on behalf of authenticated administrators by tricking them into visiting a malicious webpage. 2026-01-22 not yet calculated CVE-2025-70899 https://phpgurukul.com/online-course-registration-free-download/
https://github.com/mathavamoorthi/CVE-2025-70899/blob/main/Missing_CSRF_protection_poc.md
 
Pithikos--Pithikos An input validation issue in in Pithikos websocket-server v.0.6.4 allows a remote attacker to obtain sensitive information or cause unexpected server behavior via the websocket_server/websocket_server.py, WebSocketServer._message_received components. 2026-01-20 not yet calculated CVE-2025-66902 https://github.com/cyberinvest211/websocket-server-vuln-poc/tree/main
 
pixelgrade--Nova Blocks Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pixelgrade Nova Blocks nova-blocks allows DOM-Based XSS. This issue affects Nova Blocks: from n/a through <= 2.1.9. 2026-01-23 not yet calculated CVE-2026-24528 https://patchstack.com/database/Wordpress/Plugin/nova-blocks/vulnerability/wordpress-nova-blocks-plugin-2-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve
 
PluginOps--Landing Page Builder Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PluginOps Landing Page Builder page-builder-add allows Stored XSS. This issue affects Landing Page Builder: from n/a through <= 1.5.3.3. 2026-01-23 not yet calculated CVE-2026-24620 https://patchstack.com/database/Wordpress/Plugin/page-builder-add/vulnerability/wordpress-landing-page-builder-plugin-1-5-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
pondol--Pondol BBS Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pondol Pondol BBS pondol-bbs allows Stored XSS. This issue affects Pondol BBS: from n/a through <= 1.1.8.4. 2026-01-22 not yet calculated CVE-2025-49336 https://patchstack.com/database/Wordpress/Plugin/pondol-bbs/vulnerability/wordpress-pondol-bbs-plugin-1-1-8-4-cross-site-scripting-xss-vulnerability?_s_id=cve
 
PopCash--PopCash.Net Code Integration Tool Missing Authorization vulnerability in PopCash PopCash.Net Code Integration Tool popcashnet-code-integration-tool allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PopCash.Net Code Integration Tool: from n/a through <= 1.8. 2026-01-23 not yet calculated CVE-2026-24619 https://patchstack.com/database/Wordpress/Plugin/popcashnet-code-integration-tool/vulnerability/wordpress-popcash-net-code-integration-tool-plugin-1-8-broken-access-control-vulnerability?_s_id=cve
 
POSIMYTH--Nexter Blocks Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in POSIMYTH Nexter Blocks the-plus-addons-for-block-editor allows Retrieve Embedded Sensitive Data. This issue affects Nexter Blocks: from n/a through <= 4.6.3. 2026-01-22 not yet calculated CVE-2026-24377 https://patchstack.com/database/Wordpress/Plugin/the-plus-addons-for-block-editor/vulnerability/wordpress-nexter-blocks-plugin-4-6-3-sensitive-data-exposure-vulnerability?_s_id=cve
 
Poultry Farm Management System--Poultry Farm Management System Stored Cross-Site Scripting (XSS) in Poultry Farm Management System v1.0 due to the lack of proper validation of user input by sending a POST request. The relationship between parameters and assigned identifiers is as follows:  'companyaddress', 'companyemail', 'companyname', 'country', 'mobilenumber' y 'regno' parameters in '/farm/farmprofile.php'. 2026-01-20 not yet calculated CVE-2025-41024 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-poultry-farm-management-system
 
Poultry Farm Management System--Poultry Farm Management System Stored Cross-Site Scripting (XSS) in Poultry Farm Management System v1.0 due to the lack of proper validation of user input by sending a POST request. The relationship between parameters and assigned identifiers is as follows:   'category' y 'product' parameters in '/farm/sell_product.php'. 2026-01-20 not yet calculated CVE-2025-41025 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-poultry-farm-management-system
 
Prince--Integrate Google Drive Missing Authorization vulnerability in Prince Integrate Google Drive integrate-google-drive allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integrate Google Drive: from n/a through <= 1.5.5. 2026-01-23 not yet calculated CVE-2026-24540 https://patchstack.com/database/Wordpress/Plugin/integrate-google-drive/vulnerability/wordpress-integrate-google-drive-plugin-1-5-5-broken-access-control-vulnerability?_s_id=cve
 
Prince--Radio Player Server-Side Request Forgery (SSRF) vulnerability in Prince Radio Player radio-player allows Server Side Request Forgery. This issue affects Radio Player: from n/a through <= 2.0.91. 2026-01-23 not yet calculated CVE-2026-24548 https://patchstack.com/database/Wordpress/Plugin/radio-player/vulnerability/wordpress-radio-player-plugin-2-0-91-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
 
Proptech Plugin--Apimo Connector Missing Authorization vulnerability in Proptech Plugin Apimo Connector apimo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Apimo Connector: from n/a through <= 2.6.4. 2026-01-22 not yet calculated CVE-2026-22445 https://patchstack.com/database/Wordpress/Plugin/apimo/vulnerability/wordpress-apimo-connector-plugin-2-6-4-broken-access-control-vulnerability?_s_id=cve
 
pterodactyl--panel Pterodactyl is a free, open-source game server management panel. Pterodactyl implements rate limits that are applied to the total number of resources (e.g. databases, port allocations, or backups) that can exist for an individual server. These resource limits are applied on a per-server basis, and validated during the request cycle. However, in versions prior to 1.12.0, it is possible for a malicious user to send a massive volume of requests at the same time that would create more resources than the server is allotted. This is because the validation occurs early in the request cycle and does not lock the target resource while it is processing. As a result sending a large volume of requests at the same time would lead all of those requests to validate as not using any of the target resources, and then all creating the resources at the same time. As a result a server would be able to create more databases, allocations, or backups than configured. A malicious user is able to deny resources to other users on the system, and may be able to excessively consume the limited allocations for a node, or fill up backup space faster than is allowed by the system. Version 1.12.0 fixes the issue. 2026-01-19 not yet calculated CVE-2025-69198 https://github.com/pterodactyl/panel/security/advisories/GHSA-jw2v-cq5x-q68g
https://github.com/pterodactyl/panel/commit/09caa0d4995bd924b53b9a9e9b4883ac27bd5607
 
pterodactyl--panel Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within wings lack proper rate limiting and throttling. As a result a malicious user can open a large number of connections and then request data through these sockets, causing an excessive volume of data over the network and overloading the host system memory and cpu. Additionally, there is not a limit applied to the total size of messages being sent or received, allowing a malicious user to open thousands of websocket connections and then send massive volumes of information over the socket, overloading the host network, and causing increased CPU and memory load within Wings. Version 1.12.0 patches the issue. 2026-01-19 not yet calculated CVE-2025-69199 https://github.com/pterodactyl/panel/security/advisories/GHSA-8w7m-w749-rx98
 
pterodactyl--wings Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a condition that floods the panel with activity records. After Wings sends activity logs to the panel it deletes the processed activity entries from the wings SQLite database. However, it does not consider the max parameter limit of SQLite, 32766 as of SQLite 3.32.0. If wings attempts to delete more than 32766 entries from the SQLite database in one query, it triggers an error (SQL logic error: too many SQL variables (1)) and does not remove any entries from the database. These entries are then indefinitely re-processed and resent to the panel each time the cron runs. By successfully exploiting this vulnerability, an attacker can trigger a situation where wings will keep uploading the same activity data to the panel repeatedly (growing each time to include new activity) until the panels' database server runs out of disk space. Version 1.12.0 fixes the issue. 2026-01-19 not yet calculated CVE-2026-21696 https://github.com/pterodactyl/wings/security/advisories/GHSA-2497-gp99-2m74
https://github.com/pterodactyl/wings/blob/9ffbcdcdb1163da823cf9959b9602df9f7dcb54a/internal/cron/activity_cron.go#L81
https://github.com/pterodactyl/wings/blob/9ffbcdcdb1163da823cf9959b9602df9f7dcb54a/internal/cron/sftp_cron.go#L86
 
purethemes--WorkScout Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout workscout allows Reflected XSS. This issue affects WorkScout: from n/a through <= 4.1.07. 2026-01-22 not yet calculated CVE-2025-67959 https://patchstack.com/database/Wordpress/Theme/workscout/vulnerability/wordpress-workscout-theme-4-1-07-cross-site-scripting-xss-vulnerability?_s_id=cve
 
purethemes--WorkScout-Core Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout-Core workscout-core allows Reflected XSS. This issue affects WorkScout-Core: from n/a through <= 1.7.06. 2026-01-22 not yet calculated CVE-2025-67960 https://patchstack.com/database/Wordpress/Plugin/workscout-core/vulnerability/wordpress-workscout-core-plugin-1-7-06-cross-site-scripting-xss-vulnerability-2?_s_id=cve
 
PyPI--PiPI An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. 2026-01-20 not yet calculated CVE-2025-56005 https://github.com/bohmiiidd/Undocumented-RCE-in-PLY
 
Python Software Foundation--CPython When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized. 2026-01-20 not yet calculated CVE-2025-11468 https://github.com/python/cpython/pull/143936
https://github.com/python/cpython/issues/143935
https://mail.python.org/archives/list/security-announce@python.org/thread/FELSEOLBI2QR6YLG6Q7VYF7FWSGQTKLI/
https://github.com/python/cpython/commit/17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2
 
Python Software Foundation--CPython When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars. 2026-01-21 not yet calculated CVE-2025-12781 https://github.com/python/cpython/pull/141128
https://github.com/python/cpython/issues/125346
https://mail.python.org/archives/list/security-announce@python.org/thread/KRI7GC6S27YV5NJ4FPDALS2WI5ENAFJ6/
https://github.com/python/cpython/commit/13360efd385d1a7d0659beba03787ea3d063ef9b
https://github.com/python/cpython/commit/1be80bec7960f5ccd059e75f3dfbd45fca302947
https://github.com/python/cpython/commit/9060b4abbe475591b6230b23c2afefeff26fcca5
https://github.com/python/cpython/commit/e95e783dff443b68e8179fdb57737025bf02ba76
https://github.com/python/cpython/commit/fd17ee026fa9b67f6288cbafe374a3e479fe03a5
 
Python Software Foundation--CPython User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype. 2026-01-20 not yet calculated CVE-2025-15282 https://github.com/python/cpython/pull/143926
https://github.com/python/cpython/issues/143925
https://mail.python.org/archives/list/security-announce@python.org/thread/X66HL7SISGJT33J53OHXMZT4DFLMHVKF/
https://github.com/python/cpython/commit/f25509e78e8be6ea73c811ac2b8c928c28841b9f
https://github.com/python/cpython/commit/05356b1cc153108aaf27f3b72ce438af4aa218c0
 
Python Software Foundation--CPython The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. 2026-01-20 not yet calculated CVE-2025-15366 https://github.com/python/cpython/issues/143921
https://github.com/python/cpython/pull/143922
https://mail.python.org/archives/list/security-announce@python.org/thread/DD7C7JZJYTBXMDOWKCEIEBJLBRU64OMR/
https://github.com/python/cpython/commit/6262704b134db2a4ba12e85ecfbd968534f28b45
 
Python Software Foundation--CPython The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. 2026-01-20 not yet calculated CVE-2025-15367 https://github.com/python/cpython/pull/143924
https://github.com/python/cpython/issues/143923
https://mail.python.org/archives/list/security-announce@python.org/thread/CBFBOWVGGUJFSGITQCCBZS4GEYYZ7ZNE/
https://github.com/python/cpython/commit/b234a2b67539f787e191d2ef19a7cbdce32874e7
 
Python Software Foundation--CPython When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters. 2026-01-20 not yet calculated CVE-2026-0672 https://github.com/python/cpython/pull/143920
https://github.com/python/cpython/issues/143919
https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/
https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70
https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440
 
Python Software Foundation--CPython User-controlled header names and values containing newlines can allow injecting HTTP headers. 2026-01-20 not yet calculated CVE-2026-0865 https://github.com/python/cpython/pull/143917
https://github.com/python/cpython/issues/143916
https://mail.python.org/archives/list/security-announce@python.org/thread/BJ6QPHNSHJTS3A7CFV6IBMCAP2DWRVNT/
https://github.com/python/cpython/commit/22e4d55285cee52bc4dbe061324e5f30bd4dee58
https://github.com/python/cpython/commit/23e3c0ae867cca0130e441e776c9955b9027c510
https://github.com/python/cpython/commit/4802b96a2cde58570c24c13ef3289490980961c5
https://github.com/python/cpython/commit/f7fceed79ca1bceae8dbe5ba5bc8928564da7211
https://github.com/python/cpython/commit/2f840249550e082dc351743f474ba56da10478d2
https://github.com/python/cpython/commit/e4846a93ac07a8ae9aa18203af0dd13d6e7a6995
 
Python Software Foundation--CPython The email module, specifically the "BytesGenerator" class, didn't properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator". 2026-01-23 not yet calculated CVE-2026-1299 https://github.com/python/cpython/pull/144126
https://github.com/python/cpython/issues/144125
https://cve.org/CVERecord?id=CVE-2024-6923
https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/
https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413
 
Python--Protobuf A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python's recursion stack and causing a RecursionError. 2026-01-23 not yet calculated CVE-2026-0994 https://github.com/protocolbuffers/protobuf/pull/25239
 
QantumThemes--Kentha Elementor Widgets Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QantumThemes Kentha Elementor Widgets kentha-elementor allows PHP Local File Inclusion. This issue affects Kentha Elementor Widgets: from n/a through < 3.1. 2026-01-22 not yet calculated CVE-2026-24390 https://patchstack.com/database/Wordpress/Plugin/kentha-elementor/vulnerability/wordpress-kentha-elementor-widgets-plugin-3-1-local-file-inclusion-vulnerability?_s_id=cve
 
QantumThemes--KenthaRadio Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes KenthaRadio qt-kentharadio allows Reflected XSS. This issue affects KenthaRadio: from n/a through <= 2.2.0. 2026-01-22 not yet calculated CVE-2025-69003 https://patchstack.com/database/Wordpress/Theme/qt-kentharadio/vulnerability/wordpress-kentharadio-theme-2-2-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
QOS.CH Sarl--Logback-core ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado. 2026-01-22 not yet calculated CVE-2026-1225 https://logback.qos.ch/news.html#1.5.25
 
Raptive--Raptive Ads Missing Authorization vulnerability in Raptive Raptive Ads adthrive-ads allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Raptive Ads: from n/a through <= 3.10.0. 2026-01-23 not yet calculated CVE-2026-24602 https://patchstack.com/database/Wordpress/Plugin/adthrive-ads/vulnerability/wordpress-raptive-ads-plugin-3-10-0-broken-access-control-vulnerability?_s_id=cve
 
Rasedul Haque Rumi--BD Courier Order Ratio Checker Missing Authorization vulnerability in Rasedul Haque Rumi BD Courier Order Ratio Checker bd-courier-order-ratio-checker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BD Courier Order Ratio Checker: from n/a through <= 2.0.1. 2026-01-22 not yet calculated CVE-2026-22481 https://patchstack.com/database/Wordpress/Plugin/bd-courier-order-ratio-checker/vulnerability/wordpress-bd-courier-order-ratio-checker-plugin-2-0-1-broken-access-control-vulnerability?_s_id=cve
 
RealMag777--TableOn Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 TableOn posts-table-filterable allows Reflected XSS. This issue affects TableOn: from n/a through <= 1.0.4.2. 2026-01-22 not yet calculated CVE-2025-69316 https://patchstack.com/database/Wordpress/Plugin/posts-table-filterable/vulnerability/wordpress-tableon-plugin-1-0-4-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Remi Corson--Easy Theme Options Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Remi Corson Easy Theme Options easy-theme-options allows Reflected XSS. This issue affects Easy Theme Options: from n/a through <= 1.0. 2026-01-22 not yet calculated CVE-2025-68839 https://patchstack.com/database/Wordpress/Plugin/easy-theme-options/vulnerability/wordpress-easy-theme-options-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
renatoatshown--Shown Connector Missing Authorization vulnerability in renatoatshown Shown Connector shown-connector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Shown Connector: from n/a through <= 1.2.10. 2026-01-22 not yet calculated CVE-2025-68003 https://patchstack.com/database/Wordpress/Plugin/shown-connector/vulnerability/wordpress-shown-connector-plugin-1-2-10-settings-change-vulnerability?_s_id=cve
 
Revive--Revive Adserver HackerOne community member Faraz Ahmed (PakCyberbot) has reported a format string injection in the Revive Adserver settings. When specific character combinations are used in a setting, the admin user console could be disabled due to a fatal PHP error. 2026-01-20 not yet calculated CVE-2026-21640 https://hackerone.com/reports/3445332
 
Revive--Revive Adserver HackerOne community member Jad Ghamloush (0xjad) has reported an authorization bypass vulnerability in the `tracker-delete.php` script of Revive Adserver. Users with permissions to delete trackers are mistakenly allowed to delete trackers owned by other accounts. 2026-01-20 not yet calculated CVE-2026-21641 https://hackerone.com/reports/3445710
 
Revive--Revive Adserver HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the `banner-acl.php` and `channel-acl.php` scripts of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. 2026-01-20 not yet calculated CVE-2026-21642 https://hackerone.com/reports/3470970
 
Revive--Revive Adserver HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the banner-acl.php script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. 2026-01-20 not yet calculated CVE-2026-21663 https://hackerone.com/reports/3473696
 
Revive--Revive Adserver HackerOne community member Huynh Pham Thanh Luc (nigh7c0r3) has reported a reflected XSS vulnerability in the afr.php delivery script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. 2026-01-20 not yet calculated CVE-2026-21664 https://hackerone.com/reports/3468169
 
richardevcom--Add Polylang support for Customizer Cross-Site Request Forgery (CSRF) vulnerability in richardevcom Add Polylang support for Customizer add-polylang-support-for-customizer allows Cross Site Request Forgery. This issue affects Add Polylang support for Customizer: from n/a through <= 1.4.5. 2026-01-22 not yet calculated CVE-2026-22462 https://patchstack.com/database/Wordpress/Plugin/add-polylang-support-for-customizer/vulnerability/wordpress-add-polylang-support-for-customizer-plugin-1-4-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Riftzilla--QRGen Reflected Cross-Site Scripting (XSS) vulnerability in Riftzilla's QRGen. This vulnerability allows an attavker to execute JavaScript code in the victim's browser by sending them a malicious URL using the 'id' parameter in '/article.php'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. 2026-01-20 not yet calculated CVE-2025-40644 https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-qrgens-riftzilla
 
Rockwell Automation--ArmorStart LT A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. After running a Burp Suite active scan, the device loses ICMP connectivity, causing the web application to become inaccessible. 2026-01-20 not yet calculated CVE-2025-9278 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html
 
Rockwell Automation--ArmorStart LT A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limit Storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. 2026-01-20 not yet calculated CVE-2025-9279 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html
 
Rockwell Automation--ArmorStart LT A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. Fuzzing performed using Defensics causes the device to become unresponsive, requiring a reboot. 2026-01-20 not yet calculated CVE-2025-9280 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html
 
Rockwell Automation--ArmorStart LT A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive step limit storm tests, the device reboots 2026-01-20 not yet calculated CVE-2025-9281 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html
 
Rockwell Automation--ArmorStart LT A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive limited storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. 2026-01-20 not yet calculated CVE-2025-9282 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html
 
Rockwell Automation--ArmorStart LT A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limits Storms tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. 2026-01-20 not yet calculated CVE-2025-9283 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html
 
Rockwell Automation--ArmorStart LT A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. This vulnerability is triggered during fuzzing of multiple CIP classes, which causes the CIP port to become unresponsive. 2026-01-20 not yet calculated CVE-2025-9464 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html
 
Rockwell Automation--ArmorStart LT A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. 2026-01-20 not yet calculated CVE-2025-9465 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html
 
Rockwell Automation--ArmorStart LT A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP and CIP grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. 2026-01-20 not yet calculated CVE-2025-9466 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html
 
Rockwell Automation--CompactLogix 5370 A denial-of-service security issue in the affected product. The security issue occurs when a malformed CIP forward open message is sent. This could result in a major nonrecoverable fault a restart is required to recover. 2026-01-20 not yet calculated CVE-2025-11743 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1770.html
 
Rockwell Automation--ControlLogix Redundancy Enhanced Module Multiple denial-of-service vulnerabilities exist in the affected product. These issues can be triggered through various crafted inputs, including malformed Class 3 messages, memory leak conditions, and other resource exhaustion scenarios. Exploitation may cause the device to become unresponsive and, in some cases, result in a major nonrecoverable fault. Recovery may require a restart. 2026-01-20 not yet calculated CVE-2025-14027 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1769.html
 
Rockwell Automation--Verve Asset Manager A security issue was discovered within the legacy ADI server component of Verve Asset Manager, caused by plaintext secrets stored in environment variables on the ADI server. This component has been retired and has been optional since the 1.36 release in 2024. 2026-01-20 not yet calculated CVE-2025-14376 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1767.html
 
Rockwell Automation--Verve Asset Manager A security issue was discovered within the legacy Ansible playbook component of Verve Asset Manager, caused by plaintext secrets incorrectly stored when a playbook is running. This component has been retired and has been optional since the 1.36 release in 2024. 2026-01-20 not yet calculated CVE-2025-14377 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1767.html
 
Roxnor--GetGenie Missing Authorization vulnerability in Roxnor GetGenie getgenie allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GetGenie: from n/a through <= 4.3.0. 2026-01-22 not yet calculated CVE-2026-24356 https://patchstack.com/database/Wordpress/Plugin/getgenie/vulnerability/wordpress-getgenie-plugin-4-3-0-broken-access-control-vulnerability?_s_id=cve
 
Ruijie Networks Co., Ltd.--AP180(JA) V1.xx AP180 series with firmware versions prior to AP_RGOS 11.9(4)B1P8 contains an OS command injection vulnerability. If this vulnerability is exploited, arbitrary commands may be executed on the devices. 2026-01-22 not yet calculated CVE-2026-23699 https://www.ruijie.co.jp/products/rg-ap180-pe_p432111650928590848.html#productDocument
https://jvn.jp/en/jp/JVN86850670/
 
RuoYi--RuoYi Incorrect access control in the update function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily modify data outside of their scope. 2026-01-23 not yet calculated CVE-2025-70985 https://github.com/yangzongzhuan/RuoYi
https://gitee.com/y_project/RuoYi
https://gitee.com/y_project/RuoYi/issues/IDIDK2
https://gist.github.com/old6ma/1a2dada02656ba9a4730c85f6c765f4f
 
RuoYi--RuoYi Incorrect access control in the selectDept function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily access sensitive department data. 2026-01-23 not yet calculated CVE-2025-70986 https://github.com/yangzongzhuan/RuoYi
https://gitee.com/y_project/RuoYi
https://gitee.com/y_project/RuoYi/issues/IDIDME
https://gist.github.com/old6ma/779320a98f361c299ca024521cb72db6
 
Rustaurius--Ultimate Reviews Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Ultimate Reviews ultimate-reviews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Reviews: from n/a through <= 3.2.16. 2026-01-23 not yet calculated CVE-2026-24634 https://patchstack.com/database/Wordpress/Plugin/ultimate-reviews/vulnerability/wordpress-ultimate-reviews-plugin-3-2-16-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Ryviu--Ryviu – Product Reviews for WooCommerce Missing Authorization vulnerability in Ryviu Ryviu &#8211; Product Reviews for WooCommerce ryviu allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ryviu &#8211; Product Reviews for WooCommerce: from n/a through <= 3.1.26. 2026-01-23 not yet calculated CVE-2026-24562 https://patchstack.com/database/Wordpress/Plugin/ryviu/vulnerability/wordpress-ryviu-product-reviews-for-woocommerce-plugin-3-1-26-broken-access-control-vulnerability?_s_id=cve
 
Saad Iqbal--AppExperts Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal AppExperts appexperts allows SQL Injection. This issue affects AppExperts: from n/a through <= 1.4.5. 2026-01-22 not yet calculated CVE-2025-68881 https://patchstack.com/database/Wordpress/Plugin/appexperts/vulnerability/wordpress-appexperts-plugin-1-4-5-sql-injection-vulnerability?_s_id=cve
 
saeros1984--Neoforum Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in saeros1984 Neoforum neoforum allows Reflected XSS. This issue affects Neoforum: from n/a through <= 1.0. 2026-01-23 not yet calculated CVE-2026-24623 https://patchstack.com/database/Wordpress/Plugin/neoforum/vulnerability/wordpress-neoforum-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
saeros1984--Neoforum Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in saeros1984 Neoforum neoforum allows Blind SQL Injection. This issue affects Neoforum: from n/a through <= 1.0. 2026-01-23 not yet calculated CVE-2026-24624 https://patchstack.com/database/Wordpress/Plugin/neoforum/vulnerability/wordpress-neoforum-plugin-1-0-sql-injection-vulnerability?_s_id=cve
 
saleor--saleor Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor was allowing users to modify rich text fields with HTML without running any backend HTML cleaners thus allowing malicious actors to perform stored XSS attacks on dashboards and storefronts. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. This issue has been patched in versions 3.22.27, 3.21.43, and 3.20.108. In case of inability to upgrade straight away, a possible workaround is to use client-side cleaner. 2026-01-21 not yet calculated CVE-2026-22849 https://github.com/saleor/saleor/security/advisories/GHSA-8jcj-r5g2-qrpv
https://github.com/saleor/saleor/commit/1085c7813224a0a65f1dac7275cbc3244e23c386
https://github.com/saleor/saleor/commit/676d95dbc7d811610e68f2ea8f9b6652cbd58e9b
https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335
https://github.com/saleor/saleor/commit/b67a0b9d9f243e5d6c2f9c7643d42a54c24c90ee
https://github.com/saleor/saleor/commit/bb5f883aeb0f085899a9d4f35d429cf7eb07a11d
https://docs.saleor.io/security/#editorjs--html-cleaning
 
saleor--saleor Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing Javascript. Depending on the deployment strategy, these files may be served from the same domain as the dashboard without any restrictions leading to the execution of malicious scripts in the context of the user's browser. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. Users are vulnerable if they host the media files inside the same domain as the dashboard, e.g., dashboard is at `example.com/dashboard/` and media are under `example.com/media/`. They are not impact if media files are hosted in a different domain, e.g., `media.example.com`. Users are impacted if they do not return a `Content-Disposition: attachment` header for the media files. Saleor Cloud users are not impacted. This issue has been patched in versions: 3.22.27, 3.21.43, and 3.20.108. Some workarounds are available for those unable to upgrade. Configure the servers hosting the media files (e.g., CDN or reverse proxy) to return the Content-Disposition: attachment header. This instructs browsers to download the file instead of rendering them in the browser. Prevent the servers from returning HTML and SVG files. Set-up a `Content-Security-Policy` for media files, such as `Content-Security-Policy: default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none';`. 2026-01-21 not yet calculated CVE-2026-23499 https://github.com/saleor/saleor/security/advisories/GHSA-666h-2p49-pg95
https://github.com/saleor/saleor/commit/77f7927a0db9a216440df92c51012136f13e1d99
https://github.com/saleor/saleor/commit/7d33efc7a06252320cd51cbb20c2e308aed2fd10
https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335
https://github.com/saleor/saleor/commit/ac6936a336289c77398ef600cad3498ad4ba261c
https://github.com/saleor/saleor/commit/b3cb27b3fe96dae3c879063e56d32a9398eabd24
https://docs.saleor.io/security/#restricted-file-uploads
 
saleor--saleor Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have a n Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor 3.2.0 could have PIIs exfiltrated. The issue has been patched in Saleor versions: 3.22.29, 3.21.45, and 3.20.110. To workaround, temporarily block non-staff users from fetching order information (the order() GraphQL query) using a WAF. 2026-01-23 not yet calculated CVE-2026-24136 https://github.com/saleor/saleor/security/advisories/GHSA-r6fj-f4r9-36gr
https://github.com/saleor/saleor/commit/5dab1857fbb2801f74e2bfe86f307e4590d9d2fa
https://github.com/saleor/saleor/commit/718ce1b4fc3aef68eeac1aea0cf1d70a614ba6af
https://github.com/saleor/saleor/commit/9bcd4f9000b189297eeb3ac88cc28c6c30229153
https://github.com/saleor/saleor/commit/aeaced8acb5e01055eddec584263f77e517d5944
 
Salesforce--Marketing Cloud Engagement Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026. 2026-01-24 not yet calculated CVE-2026-22582 https://help.salesforce.com/s/articleView?id=005299346&type=1
 
Salesforce--Marketing Cloud Engagement Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (CloudPagesUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026. 2026-01-24 not yet calculated CVE-2026-22583 https://help.salesforce.com/s/articleView?id=005299346&type=1
 
Salesforce--Marketing Cloud Engagement Use of a Broken or Risky Cryptographic Algorithm vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026. 2026-01-24 not yet calculated CVE-2026-22585 https://help.salesforce.com/s/articleView?id=005299346&type=1
 
Salesforce--Marketing Cloud Engagement Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026. 2026-01-24 not yet calculated CVE-2026-22586 https://help.salesforce.com/s/articleView?id=005299346&type=1
 
Scalenut--Scalenut Missing Authorization vulnerability in Scalenut Scalenut scalenut allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Scalenut: from n/a through <= 1.1.3. 2026-01-22 not yet calculated CVE-2025-68882 https://patchstack.com/database/Wordpress/Plugin/scalenut/vulnerability/wordpress-scalenut-plugin-1-1-3-broken-access-control-vulnerability?_s_id=cve
 
scriptsbundle--AdForest Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in scriptsbundle AdForest adforest allows PHP Local File Inclusion. This issue affects AdForest: from n/a through <= 6.0.11. 2026-01-22 not yet calculated CVE-2025-67946 https://patchstack.com/database/Wordpress/Theme/adforest/vulnerability/wordpress-adforest-theme-6-0-11-local-file-inclusion-vulnerability?_s_id=cve
 
scriptsbundle--AdForest Elementor Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scriptsbundle AdForest Elementor adforest-elementor allows Reflected XSS. This issue affects AdForest Elementor: from n/a through <= 3.0.11. 2026-01-22 not yet calculated CVE-2025-67947 https://patchstack.com/database/Wordpress/Plugin/adforest-elementor/vulnerability/wordpress-adforest-elementor-plugin-3-0-11-cross-site-scripting-xss-vulnerability?_s_id=cve
 
scriptsbundle--CarSpot Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scriptsbundle CarSpot carspot allows Reflected XSS. This issue affects CarSpot: from n/a through < 2.4.6. 2026-01-22 not yet calculated CVE-2025-69317 https://patchstack.com/database/Wordpress/Theme/carspot/vulnerability/wordpress-carspot-theme-2-4-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
SeaTheme--BM Content Builder Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in SeaTheme BM Content Builder bm-builder allows Path Traversal. This issue affects BM Content Builder: from n/a through <= 3.16.3. 2026-01-22 not yet calculated CVE-2025-69055 https://patchstack.com/database/Wordpress/Plugin/bm-builder/vulnerability/wordpress-bm-content-builder-plugin-3-16-3-arbitrary-file-download-vulnerability?_s_id=cve
 
Select-Themes--Don Peppe Missing Authorization vulnerability in Select-Themes Don Peppe donpeppe allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Don Peppe: from n/a through <= 1.3. 2026-01-22 not yet calculated CVE-2026-22450 https://patchstack.com/database/Wordpress/Theme/donpeppe/vulnerability/wordpress-don-peppe-theme-1-3-broken-access-control-vulnerability?_s_id=cve
 
Select-Themes--Prowess Missing Authorization vulnerability in Select-Themes Prowess prowess allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Prowess: from n/a through <= 1.8.1. 2026-01-22 not yet calculated CVE-2026-22447 https://patchstack.com/database/Wordpress/Theme/prowess/vulnerability/wordpress-prowess-theme-1-8-1-broken-access-control-vulnerability?_s_id=cve
 
Select-Themes--Prowess Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Prowess prowess allows PHP Local File Inclusion. This issue affects Prowess: from n/a through <= 2.3. 2026-01-23 not yet calculated CVE-2026-24531 https://patchstack.com/database/Wordpress/Theme/prowess/vulnerability/wordpress-prowess-theme-2-3-local-file-inclusion-vulnerability?_s_id=cve
 
SEOSEON EUROPE S.L--Affiliate Link Tracker Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SEOSEON EUROPE S.L Affiliate Link Tracker affiliate-link-tracker allows Stored XSS. This issue affects Affiliate Link Tracker: from n/a through <= 0.2. 2026-01-22 not yet calculated CVE-2025-62077 https://patchstack.com/database/Wordpress/Plugin/affiliate-link-tracker/vulnerability/wordpress-affiliate-link-tracker-plugin-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Sergiy Dzysyak--Suggestion Toolkit Missing Authorization vulnerability in Sergiy Dzysyak Suggestion Toolkit suggestion-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Suggestion Toolkit: from n/a through <= 5.0. 2026-01-23 not yet calculated CVE-2026-24622 https://patchstack.com/database/Wordpress/Plugin/suggestion-toolkit/vulnerability/wordpress-suggestion-toolkit-plugin-5-0-broken-access-control-vulnerability?_s_id=cve
 
SESAME LABS, S.L--Sesame Stored Cross-Site Scripting (XSS) vulnerability in Sesame web application, due to the fact that uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request using the 'logo' parameter in '/api/v3/companies/<ID>/logo', which are then stored on the server and executed in the context of any user who accesses the compromised resource. 2026-01-20 not yet calculated CVE-2025-41084 https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-sesame-web-application
 
Shahjahan Jewel--FluentForm Improper Control of Generation of Code ('Code Injection') vulnerability in Shahjahan Jewel FluentForm fluentform allows Code Injection. This issue affects FluentForm: from n/a through <= 6.1.11. 2026-01-22 not yet calculated CVE-2025-69001 https://patchstack.com/database/Wordpress/Plugin/fluentform/vulnerability/wordpress-fluentform-plugin-6-1-11-arbitrary-shortcode-execution-vulnerability?_s_id=cve
 
sheepfish--WebP Conversion Missing Authorization vulnerability in sheepfish WebP Conversion webp-conversion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WebP Conversion: from n/a through <= 2.1. 2026-01-23 not yet calculated CVE-2026-24530 https://patchstack.com/database/Wordpress/Plugin/webp-conversion/vulnerability/wordpress-webp-conversion-plugin-2-1-broken-access-control-vulnerability?_s_id=cve
 
shinetheme--Traveler Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler traveler allows Blind SQL Injection. This issue affects Traveler: from n/a through < 3.2.8. 2026-01-22 not yet calculated CVE-2026-24367 https://patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-2-8-sql-injection-vulnerability?_s_id=cve
 
shoutoutglobal--ShoutOut Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shoutoutglobal ShoutOut shoutout allows Reflected XSS. This issue affects ShoutOut: from n/a through <= 4.0.2. 2026-01-22 not yet calculated CVE-2025-68894 https://patchstack.com/database/Wordpress/Plugin/shoutout/vulnerability/wordpress-shoutout-plugin-4-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
SiteLock--SiteLock Security Missing Authorization vulnerability in SiteLock SiteLock Security sitelock allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SiteLock Security: from n/a through <= 5.0.2. 2026-01-23 not yet calculated CVE-2026-24532 https://patchstack.com/database/Wordpress/Plugin/sitelock/vulnerability/wordpress-sitelock-security-plugin-5-0-2-broken-access-control-vulnerability?_s_id=cve
 
siyuan-note--siyuan SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG <text> tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting unescaped tags allows breaking the XML structure and executing JavaScript. Version 3.5.4 patches the issue.] 2026-01-19 not yet calculated CVE-2026-23847 https://github.com/siyuan-note/siyuan/security/advisories/GHSA-w836-5gpm-7r93
https://github.com/siyuan-note/siyuan/issues/16844
https://github.com/siyuan-note/siyuan/commit/5c0cc375b47567e15edd2119066b09bb0aa18777
 
siyuan-note--siyuan SiYuan is a personal knowledge management system. In versions prior to 3.5.4, the markdown feature allows unrestricted server side html-rendering which allows arbitrary file read (LFD). Version 3.5.4 fixes the issue. 2026-01-19 not yet calculated CVE-2026-23850 https://github.com/siyuan-note/siyuan/security/advisories/GHSA-cv54-7wv7-qxcw
https://github.com/siyuan-note/siyuan/issues/16860
https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd
https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad
https://github.com/siyuan-note/siyuan/blob/master/kernel/model/file.go#L1035
https://github.com/siyuan-note/siyuan/blob/v3.4.2/kernel/api/filetree.go#L799-L886
 
siyuan-note--siyuan SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace without proper path validation. The vulnerability exists in the api/file.go source code. The function globalCopyFiles accepts a list of source paths (srcs) from the JSON request body. While the code checks if the source file exists using filelock.IsExist(src), it fails to validate whether the source path resides within the authorized workspace directory. Version 3.5.4 patches the issue. 2026-01-19 not yet calculated CVE-2026-23851 https://github.com/siyuan-note/siyuan/security/advisories/GHSA-94c7-g2fj-7682
https://github.com/siyuan-note/siyuan/issues/16860
https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd
https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad
 
siyuan-note--siyuan SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML attributes into the `icon` attribute of a block via the `/api/attr/setBlockAttrs` API. The payload is later rendered in the dynamic icon feature in an unsanitized context, leading to stored XSS and, in the desktop environment, potential remote code execution (RCE). This issue bypasses the previous fix for issue `#15970` (XSS → RCE via dynamic icons). Version 3.5.4 contains an updated fix. 2026-01-19 not yet calculated CVE-2026-23852 https://github.com/siyuan-note/siyuan/security/advisories/GHSA-7c6g-g2hx-23vv
https://github.com/siyuan-note/siyuan/commit/0be7e1d4e0da9aac0da850b7aeb9b50ede7e5bdb
 
sizam--REHub Framework Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in sizam REHub Framework rehub-framework allows Retrieve Embedded Sensitive Data. This issue affects REHub Framework: from n/a through < 19.9.9.4. 2026-01-22 not yet calculated CVE-2025-63051 https://patchstack.com/database/Wordpress/Plugin/rehub-framework/vulnerability/wordpress-rehub-framework-plugin-19-9-9-sensitive-data-exposure-vulnerability?_s_id=cve
 
SmartDataSoft--Electrician - Electrical Service WordPress Server-Side Request Forgery (SSRF) vulnerability in SmartDataSoft Electrician - Electrical Service WordPress electrician allows Server Side Request Forgery. This issue affects Electrician - Electrical Service WordPress: from n/a through <= 5.6. 2026-01-22 not yet calculated CVE-2026-22358 https://patchstack.com/database/Wordpress/Theme/electrician/vulnerability/wordpress-electrician-electrical-service-wordpress-theme-5-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
 
SmartDataSoft--Pool Services Server-Side Request Forgery (SSRF) vulnerability in SmartDataSoft Pool Services pool-services allows Server Side Request Forgery. This issue affects Pool Services: from n/a through <= 3.3. 2026-01-22 not yet calculated CVE-2025-62741 https://patchstack.com/database/Wordpress/Theme/pool-services/vulnerability/wordpress-pool-services-theme-3-3-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
 
SmarterTools--SmarterMail SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host. 2026-01-22 not yet calculated CVE-2026-23760 https://www.smartertools.com/smartermail/release-notes/current
https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/
https://code-white.com/public-vulnerability-list/#authenticationserviceforceresetpassword-missing-authentication-in-smartermail
https://www.vulncheck.com/advisories/smartertools-smartermail-authentication-bypass-via-password-reset-api
 
SmarterTools--SmarterMail SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application. 2026-01-23 not yet calculated CVE-2026-24423 https://www.smartertools.com/smartermail/release-notes/current
https://code-white.com/public-vulnerability-list/#systemadminsettingscontrollerconnecttohub-missing-authentication-in-smartermail
https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-rce-via-connecttohub-api
 
Softwebmedia--Gyan Elements Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Softwebmedia Gyan Elements gyan-elements allows PHP Local File Inclusion. This issue affects Gyan Elements: from n/a through <= 2.2.1. 2026-01-22 not yet calculated CVE-2026-23978 https://patchstack.com/database/Wordpress/Plugin/gyan-elements/vulnerability/wordpress-gyan-elements-plugin-2-2-1-local-file-inclusion-vulnerability?_s_id=cve
 
solacewp--Solace Missing Authorization vulnerability in solacewp Solace solace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Solace: from n/a through <= 2.1.16. 2026-01-22 not yet calculated CVE-2025-68911 https://patchstack.com/database/Wordpress/Theme/solace/vulnerability/wordpress-solace-theme-2-1-16-broken-access-control-vulnerability?_s_id=cve
 
Sourcecodester--Sourcecodester A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Modern Image Gallery App v1.0 within the gallery/upload.php component. The application fails to properly validate uploaded file contents. Additionally, the application preserves the user-supplied file extension during the save process. This allows an unauthenticated attacker to upload arbitrary PHP code by spoofing the MIME type as an image, leading to full system compromise. 2026-01-23 not yet calculated CVE-2025-70457 https://www.sourcecodester.com/php/18572/modern-image-gallery-app-using-php-and-mysql-source-code.html
https://github.com/ismaildawoodjee/vulnerability-research/security/advisories/GHSA-8xq6-hjhw-4983
 
Sourcecodester--Sourcecodester A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the DomainCheckerApp class within domain/script.js of Sourcecodester Domain Availability Checker v1.0. The vulnerability occurs because the application improperly handles user-supplied data in the createResultElement method by using the unsafe innerHTML property to render domain search results. 2026-01-23 not yet calculated CVE-2025-70458 https://www.sourcecodester.com/php/18500/domain-availability-checker-using-php-and-javascript-source-code.html
https://github.com/ismaildawoodjee/vulnerability-research/security/advisories/GHSA-chm7-vgf7-6f9p
 
SpringBlade--SpringBlade Incorrect access control in the authRoutes function of SpringBlade v4.5.0 allows attackers with low-level privileges to escalate privileges. 2026-01-23 not yet calculated CVE-2025-70983 https://github.com/chillzhuang/SpringBlade
https://github.com/chillzhuang/SpringBlade/issues/35
https://gist.github.com/old6ma/9c4d2ba32cd8f562cb80796538157912
 
Steve Truman--Email Inquiry & Cart Options for WooCommerce Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve Truman Email Inquiry &amp; Cart Options for WooCommerce woocommerce-email-inquiry-cart-options allows DOM-Based XSS. This issue affects Email Inquiry &amp; Cart Options for WooCommerce: from n/a through <= 3.4.3. 2026-01-23 not yet calculated CVE-2026-24526 https://patchstack.com/database/Wordpress/Plugin/woocommerce-email-inquiry-cart-options/vulnerability/wordpress-email-inquiry-cart-options-for-woocommerce-plugin-3-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
storeapps--Stock Manager for WooCommerce Cross-Site Request Forgery (CSRF) vulnerability in storeapps Stock Manager for WooCommerce woocommerce-stock-manager allows Cross Site Request Forgery. This issue affects Stock Manager for WooCommerce: from n/a through < 3.6.0. 2026-01-22 not yet calculated CVE-2026-24365 https://patchstack.com/database/Wordpress/Plugin/woocommerce-stock-manager/vulnerability/wordpress-stock-manager-for-woocommerce-plugin-3-6-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Strategy11 Team--AWP Classifieds Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin allows Retrieve Embedded Sensitive Data. This issue affects AWP Classifieds: from n/a through <= 4.4.3. 2026-01-23 not yet calculated CVE-2026-24593 https://patchstack.com/database/Wordpress/Plugin/another-wordpress-classifieds-plugin/vulnerability/wordpress-awp-classifieds-plugin-4-4-3-sensitive-data-exposure-vulnerability?_s_id=cve
 
strongholdthemes--Dental Care CPT Deserialization of Untrusted Data vulnerability in strongholdthemes Dental Care CPT dentalcare-cpt allows Object Injection. This issue affects Dental Care CPT: from n/a through <= 20.2. 2026-01-22 not yet calculated CVE-2025-69035 https://patchstack.com/database/Wordpress/Plugin/dentalcare-cpt/vulnerability/wordpress-dental-care-cpt-plugin-20-2-php-object-injection-vulnerability?_s_id=cve
 
strongholdthemes--Tech Life CPT Deserialization of Untrusted Data vulnerability in strongholdthemes Tech Life CPT techlife-cpt allows Object Injection. This issue affects Tech Life CPT: from n/a through <= 16.4. 2026-01-22 not yet calculated CVE-2025-69036 https://patchstack.com/database/Wordpress/Plugin/techlife-cpt/vulnerability/wordpress-tech-life-cpt-plugin-16-4-php-object-injection-vulnerability?_s_id=cve
 
subhansanjaya--Carousel Horizontal Posts Content Slider Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in subhansanjaya Carousel Horizontal Posts Content Slider carousel-horizontal-posts-content-slider allows DOM-Based XSS. This issue affects Carousel Horizontal Posts Content Slider: from n/a through <= 3.3.2. 2026-01-22 not yet calculated CVE-2026-22347 https://patchstack.com/database/Wordpress/Plugin/carousel-horizontal-posts-content-slider/vulnerability/wordpress-carousel-horizontal-posts-content-slider-plugin-3-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Sully--Media Library File Size Missing Authorization vulnerability in Sully Media Library File Size media-library-file-size allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Media Library File Size: from n/a through <= 1.6.7. 2026-01-23 not yet calculated CVE-2026-24569 https://patchstack.com/database/Wordpress/Plugin/media-library-file-size/vulnerability/wordpress-media-library-file-size-plugin-1-6-7-broken-access-control-vulnerability?_s_id=cve
 
sumup--SumUp Payment Gateway For WooCommerce Missing Authorization vulnerability in sumup SumUp Payment Gateway For WooCommerce sumup-payment-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SumUp Payment Gateway For WooCommerce: from n/a through <= 2.7.9. 2026-01-23 not yet calculated CVE-2026-24583 https://patchstack.com/database/Wordpress/Plugin/sumup-payment-gateway-for-woocommerce/vulnerability/wordpress-sumup-payment-gateway-for-woocommerce-plugin-2-7-9-broken-access-control-vulnerability?_s_id=cve
 
swingmx--swingmusic Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's `list_folders()` function in the `/folder/dir-browser` endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem. Version 2.1.4 fixes the issue. 2026-01-19 not yet calculated CVE-2026-23877 https://github.com/swingmx/swingmusic/security/advisories/GHSA-pj88-9xww-gxmh
https://github.com/swingmx/swingmusic/commit/9a915ca62af1502b9550722df82f5d432cb73de3
 
Syed Balkhi--Sugar Calendar (Lite) Missing Authorization vulnerability in Syed Balkhi Sugar Calendar (Lite) sugar-calendar-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sugar Calendar (Lite): from n/a through <= 3.10.1. 2026-01-23 not yet calculated CVE-2026-24636 https://patchstack.com/database/Wordpress/Plugin/sugar-calendar-lite/vulnerability/wordpress-sugar-calendar-lite-plugin-3-10-1-broken-access-control-vulnerability?_s_id=cve
 
tabbyai--Tabby Checkout Insertion of Sensitive Information Into Sent Data vulnerability in tabbyai Tabby Checkout tabby-checkout allows Retrieve Embedded Sensitive Data. This issue affects Tabby Checkout: from n/a through <= 5.8.4. 2026-01-22 not yet calculated CVE-2025-68035 https://patchstack.com/database/Wordpress/Plugin/tabby-checkout/vulnerability/wordpress-tabby-checkout-plugin-5-8-4-sensitive-data-exposure-vulnerability?_s_id=cve
 
tagDiv--tagDiv Composer Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows DOM-Based XSS. This issue affects tagDiv Composer: from n/a through <= 5.4.2. 2026-01-22 not yet calculated CVE-2025-50005 https://patchstack.com/database/Wordpress/Plugin/td-composer/vulnerability/wordpress-tagdiv-composer-plugin-5-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
TangibleWP--Listivo Core Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP Listivo Core listivo-core allows PHP Local File Inclusion. This issue affects Listivo Core: from n/a through <= 2.3.77. 2026-01-22 not yet calculated CVE-2025-67957 https://patchstack.com/database/Wordpress/Plugin/listivo-core/vulnerability/wordpress-listivo-core-plugin-2-3-77-local-file-inclusion-vulnerability?_s_id=cve
 
TangibleWP--MyHome Core Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP MyHome Core myhome-core allows PHP Local File Inclusion. This issue affects MyHome Core: from n/a through <= 4.1.0. 2026-01-22 not yet calculated CVE-2025-67955 https://patchstack.com/database/Wordpress/Plugin/myhome-core/vulnerability/wordpress-myhome-core-plugin-4-1-0-local-file-inclusion-vulnerability?_s_id=cve
 
Tasos Fel--Civic Cookie Control Missing Authorization vulnerability in Tasos Fel Civic Cookie Control civic-cookie-control-8 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Civic Cookie Control: from n/a through <= 1.53. 2026-01-22 not yet calculated CVE-2026-22348 https://patchstack.com/database/Wordpress/Plugin/civic-cookie-control-8/vulnerability/wordpress-civic-cookie-control-plugin-1-53-broken-access-control-vulnerability?_s_id=cve
 
Taxcloud--TaxCloud for WooCommerce Missing Authorization vulnerability in Taxcloud TaxCloud for WooCommerce simple-sales-tax allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TaxCloud for WooCommerce: from n/a through <= 8.3.8. 2026-01-22 not yet calculated CVE-2025-67958 https://patchstack.com/database/Wordpress/Plugin/simple-sales-tax/vulnerability/wordpress-taxcloud-for-woocommerce-plugin-8-3-8-broken-access-control-vulnerability?_s_id=cve
 
temash--Barberry Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in temash Barberry barberry allows PHP Local File Inclusion. This issue affects Barberry: from n/a through <= 2.9.9.87. 2026-01-22 not yet calculated CVE-2025-68908 https://patchstack.com/database/Wordpress/Theme/barberry/vulnerability/wordpress-barberry-theme-2-9-9-87-local-file-inclusion-vulnerability?_s_id=cve
 
Tenda--Tenda Tenda AX3 firmware v16.03.12.11 contains a stack overflow in formSetIptv via the list parameter, which can cause memory corruption and enable remote code execution. 2026-01-21 not yet calculated CVE-2025-69762 https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2c9a595a7aef80718ff2c3869d32392d?pvs=74
https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2c9a595a7aef80718ff2c3869d32392d
 
Tenda--Tenda Tenda AX3 firmware v16.03.12.11 contains a stack overflow in formSetIptv via the vlanId parameter, which can cause memory corruption and enable remote code execution. 2026-01-21 not yet calculated CVE-2025-69763 https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2c9a595a7aef8025a3c6c4b102d95dd4?source=copy_link
https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2c9a595a7aef8025a3c6c4b102d95dd4
 
Tenda--Tenda Tenda AX3 firmware v16.03.12.11 contains a stack-based buffer overflow in the formGetIptv function due to improper handling of the stbpvid stack buffer, which may result in memory corruption and remote code execution. 2026-01-22 not yet calculated CVE-2025-69764 https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formGetIptv-2c9a595a7aef80e9b90fdaa56f51374b?source=copy_link
https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formGetIptv-2c9a595a7aef80e9b90fdaa56f51374b
 
Tenda--Tenda Tenda AX3 firmware v16.03.12.11 contains a stack-based buffer overflow in the formGetIptv function due to improper handling of the citytag stack buffer, which may result in memory corruption and remote code execution. 2026-01-21 not yet calculated CVE-2025-69766 https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formGetIptv-2c9a595a7aef8043a091e6722b8e255a?source=copy_link
https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formGetIptv-2c9a595a7aef8043a091e6722b8e255a
 
Tenda--Tenda Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the time parameter of the sub_60CFC function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. 2026-01-21 not yet calculated CVE-2025-70644 https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/3/1.md
 
Tenda--Tenda Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the deviceList parameter of the formSetWifiMacFilterCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. 2026-01-21 not yet calculated CVE-2025-70645 https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/2/1.md
 
Tenda--Tenda Tenda AX1803 v1.0.0.1 was discovered to contain a stack overflow in the security parameter of the sub_72290 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. 2026-01-21 not yet calculated CVE-2025-70646 https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1803/5/1.md
 
Tenda--Tenda Tenda AX1803 v1.0.0.1 was discovered to contain a stack overflow in the security_5g parameter of the sub_727F4 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. 2026-01-21 not yet calculated CVE-2025-70648 https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1803/6/1.md
 
Tenda--Tenda Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the deviceList parameter of the formSetMacFilterCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. 2026-01-21 not yet calculated CVE-2025-70650 https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/1/1.md
 
Tenda--Tenda Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow in the ssid parameter of the form_fast_setting_wifi_set function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. 2026-01-21 not yet calculated CVE-2025-70651 https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1803/4/1.md
 
The GNU C Library--glibc Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process. 2026-01-20 not yet calculated CVE-2025-15281 https://sourceware.org/bugzilla/show_bug.cgi?id=33814
 
Theme-one--The Grid Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Grid: from n/a through < 2.8.0. 2026-01-22 not yet calculated CVE-2026-24368 https://patchstack.com/database/Wordpress/Plugin/the-grid/vulnerability/wordpress-the-grid-plugin-2-8-0-broken-access-control-vulnerability?_s_id=cve
 
themebeez--Cream Magazine Missing Authorization vulnerability in themebeez Cream Magazine cream-magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cream Magazine: from n/a through <= 2.1.10. 2026-01-23 not yet calculated CVE-2026-24615 https://patchstack.com/database/Wordpress/Theme/cream-magazine/vulnerability/wordpress-cream-magazine-theme-2-1-10-broken-access-control-vulnerability?_s_id=cve
 
themebeez--Orchid Store Missing Authorization vulnerability in themebeez Orchid Store orchid-store allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Orchid Store: from n/a through <= 1.5.15. 2026-01-23 not yet calculated CVE-2026-24612 https://patchstack.com/database/Wordpress/Theme/orchid-store/vulnerability/wordpress-orchid-store-theme-1-5-15-broken-access-control-vulnerability?_s_id=cve
 
themebeez--Simple GDPR Cookie Compliance Missing Authorization vulnerability in themebeez Simple GDPR Cookie Compliance simple-gdpr-cookie-compliance allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple GDPR Cookie Compliance: from n/a through <= 2.0.0. 2026-01-23 not yet calculated CVE-2026-24604 https://patchstack.com/database/Wordpress/Plugin/simple-gdpr-cookie-compliance/vulnerability/wordpress-simple-gdpr-cookie-compliance-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve
 
themebeez--Universal Google Adsense and Ads manager Missing Authorization vulnerability in themebeez Universal Google Adsense and Ads manager universal-google-adsense-and-ads-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Universal Google Adsense and Ads manager: from n/a through <= 1.1.8. 2026-01-23 not yet calculated CVE-2026-24603 https://patchstack.com/database/Wordpress/Plugin/universal-google-adsense-and-ads-manager/vulnerability/wordpress-universal-google-adsense-and-ads-manager-plugin-1-1-8-broken-access-control-vulnerability?_s_id=cve
 
Themefic--Hydra Booking Incorrect Privilege Assignment vulnerability in Themefic Hydra Booking hydra-booking allows Privilege Escalation. This issue affects Hydra Booking: from n/a through <= 1.1.32. 2026-01-22 not yet calculated CVE-2025-68027 https://patchstack.com/database/Wordpress/Plugin/hydra-booking/vulnerability/wordpress-hydra-booking-plugin-1-1-32-privilege-escalation-vulnerability?_s_id=cve
 
ThemeGoods--Craft Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Craft craftcoffee allows DOM-Based XSS. This issue affects Craft: from n/a through <= 2.3.6. 2026-01-22 not yet calculated CVE-2025-68538 https://patchstack.com/database/Wordpress/Theme/craftcoffee/vulnerability/wordpress-craft-coffee-shop-cafe-restaurant-wordpress-theme-2-3-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
ThemeGoods--DotLife Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods DotLife dotlife allows Reflected XSS. This issue affects DotLife: from n/a through < 4.9.5. 2026-01-22 not yet calculated CVE-2025-68520 https://patchstack.com/database/Wordpress/Theme/dotlife/vulnerability/wordpress-dotlife-theme-4-9-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
ThemeGoods--Grand Magazine Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Magazine grandmagazine allows Reflected XSS. This issue affects Grand Magazine: from n/a through <= 3.5.7. 2026-01-22 not yet calculated CVE-2025-69320 https://patchstack.com/database/Wordpress/Theme/grandmagazine/vulnerability/wordpress-grand-magazine-theme-3-5-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
ThemeGoods--Grand Restaurant Theme Elements for Elementor Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Restaurant Theme Elements for Elementor grandrestaurant-elementor allows Stored XSS. This issue affects Grand Restaurant Theme Elements for Elementor: from n/a through <= 2.1.1. 2026-01-22 not yet calculated CVE-2025-63026 https://patchstack.com/database/Wordpress/Plugin/grandrestaurant-elementor/vulnerability/wordpress-grand-restaurant-theme-elements-for-elementor-plugin-2-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
ThemeGoods--Grand Spa Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Spa grandspa allows Reflected XSS. This issue affects Grand Spa: from n/a through <= 3.5.5. 2026-01-22 not yet calculated CVE-2025-69321 https://patchstack.com/database/Wordpress/Theme/grandspa/vulnerability/wordpress-grand-spa-theme-3-5-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
ThemeGoods--Grand Tour Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Tour grandtour allows Reflected XSS. This issue affects Grand Tour: from n/a through < 5.6.2. 2026-01-22 not yet calculated CVE-2025-67952 https://patchstack.com/database/Wordpress/Theme/grandtour/vulnerability/wordpress-grand-tour-theme-5-6-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
ThemeGoods--Hoteller Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Hoteller hoteller allows Reflected XSS. This issue affects Hoteller: from n/a through < 6.8.9. 2026-01-22 not yet calculated CVE-2025-68518 https://patchstack.com/database/Wordpress/Theme/hoteller/vulnerability/wordpress-hoteller-theme-6-8-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
ThemeGoods--Photography Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeGoods Photography photography allows PHP Local File Inclusion. This issue affects Photography: from n/a through < 7.7.5. 2026-01-22 not yet calculated CVE-2025-68510 https://patchstack.com/database/Wordpress/Theme/photography/vulnerability/wordpress-photography-theme-7-7-5-local-file-inclusion-vulnerability?_s_id=cve
 
ThemeGoods--PhotoMe Server-Side Request Forgery (SSRF) vulnerability in ThemeGoods PhotoMe photome allows Server Side Request Forgery. This issue affects PhotoMe: from n/a through < 5.7.2. 2026-01-22 not yet calculated CVE-2026-24381 https://patchstack.com/database/Wordpress/Theme/photome/vulnerability/wordpress-photome-theme-5-7-2-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
 
ThemeHunk--Contact Form & Lead Form Elementor Builder Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder lead-form-builder allows Retrieve Embedded Sensitive Data. This issue affects Contact Form & Lead Form Elementor Builder: from n/a through <= 2.0.1. 2026-01-22 not yet calculated CVE-2025-68046 https://patchstack.com/database/Wordpress/Plugin/lead-form-builder/vulnerability/wordpress-contact-form-lead-form-elementor-builder-plugin-2-0-1-sensitive-data-exposure-vulnerability?_s_id=cve
 
themepassion--Ultra Portfolio Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in themepassion Ultra Portfolio ultra-portfolio allows Blind SQL Injection. This issue affects Ultra Portfolio: from n/a through <= 6.7. 2026-01-22 not yet calculated CVE-2025-69180 https://patchstack.com/database/Wordpress/Plugin/ultra-portfolio/vulnerability/wordpress-ultra-portfolio-plugin-6-7-sql-injection-vulnerability?_s_id=cve
 
ThemeREX--Sound | Musical Instruments Online Store Deserialization of Untrusted Data vulnerability in ThemeREX Sound | Musical Instruments Online Store musicplace allows Object Injection. This issue affects Sound | Musical Instruments Online Store: from n/a through <= 1.6.9. 2026-01-22 not yet calculated CVE-2025-69079 https://patchstack.com/database/Wordpress/Theme/musicplace/vulnerability/wordpress-sound-musical-instruments-online-store-theme-1-6-9-deserialization-of-untrusted-data-vulnerability?_s_id=cve
 
themeton--Consult Aid Deserialization of Untrusted Data vulnerability in themeton Consult Aid consultaid allows Object Injection. This issue affects Consult Aid: from n/a through <= 1.4.3. 2026-01-22 not yet calculated CVE-2025-67617 https://patchstack.com/database/Wordpress/Theme/consultaid/vulnerability/wordpress-consult-aid-theme-1-4-3-php-object-injection-vulnerability?_s_id=cve
 
Themeum--Tutor LMS Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.4. 2026-01-22 not yet calculated CVE-2025-47555 https://patchstack.com/database/Wordpress/Plugin/tutor/vulnerability/wordpress-tutor-lms-plugin-3-9-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Themeum--Tutor LMS BunnyNet Integration Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS BunnyNet Integration tutor-lms-bunnynet-integration allows DOM-Based XSS. This issue affects Tutor LMS BunnyNet Integration: from n/a through <= 1.0.0. 2026-01-23 not yet calculated CVE-2026-24584 https://patchstack.com/database/Wordpress/Plugin/tutor-lms-bunnynet-integration/vulnerability/wordpress-tutor-lms-bunnynet-integration-plugin-1-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
ThimPress--LearnPress – Course Review Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress &#8211; Course Review learnpress-course-review allows Stored XSS. This issue affects LearnPress &#8211; Course Review: from n/a through <= 4.1.9. 2026-01-22 not yet calculated CVE-2026-24361 https://patchstack.com/database/Wordpress/Plugin/learnpress-course-review/vulnerability/wordpress-learnpress-course-review-plugin-4-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Tickera--Tickera Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tickera: from n/a through <= 3.5.6.2. 2026-01-22 not yet calculated CVE-2025-67939 https://patchstack.com/database/Wordpress/Plugin/tickera-event-ticketing-system/vulnerability/wordpress-tickera-plugin-3-5-6-2-broken-access-control-vulnerability?_s_id=cve
 
Timur Kamaev--Kama Thumbnail Cross-Site Request Forgery (CSRF) vulnerability in Timur Kamaev Kama Thumbnail kama-thumbnail allows Cross Site Request Forgery. This issue affects Kama Thumbnail: from n/a through <= 3.5.1. 2026-01-23 not yet calculated CVE-2026-24521 https://patchstack.com/database/Wordpress/Plugin/kama-thumbnail/vulnerability/wordpress-kama-thumbnail-plugin-3-5-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
tinyMOTT--tinyMOTT In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), a memory leak occurs due to the broker's failure to validate or reject malformed UTF-8 strings in topic filters. An attacker can exploit this by sending repeated subscription requests with arbitrarily large or invalid filter payloads. Each request causes memory to be allocated for the malformed topic filter, but the broker does not free the associated memory, leading to unbounded heap growth and potential denial of service under sustained attack. 2026-01-20 not yet calculated CVE-2025-56353 https://github.com/JustDoIt0910/tinyMQTT/issues/19
 
TMS Global--TMS Global A path traversal vulnerability exists in TMS Management Console (version 6.3.7.27386.20250818) from TMS Global Software. The "Download Template" function in the profile dashboard does not neutralize directory traversal sequences (../) in the filePath parameter, allowing authenticated users to read arbitrary files, such as the server's Web.config. 2026-01-22 not yet calculated CVE-2025-69612 http://tms.com
https://tmsglobalsoft.com/
https://github.com/Cr0wld3r/CVE-2025-69612/blob/main/PoC.md
 
TMS Global--TMS Global File Upload vulnerability in TMS Global Software TMS Management Console v.6.3.7.27386.20250818 allows a remote attacker to execute arbitrary code via the Logo upload in /Customer/AddEdit 2026-01-22 not yet calculated CVE-2025-69828 https://tmsglobalsoft.com
https://github.com/ZuoqTr/CVE/blob/main/CVE-2025-69828.md
 
TopDesk--TopDesk An improper certificate validation vulnerability exists in ToDesktop Builder v0.32.1 This vulnerability allows an unauthenticated, on-path attacker to spoof backend responses by exploiting insufficient certificate validation. 2026-01-23 not yet calculated CVE-2025-67229 https://www.todesktop.com/changelog
https://www.todesktop.com/security/advisories/TDSA-2025-001
 
TopDesktop--TopDesktop Improper permissions in the handler for the Custom URL Scheme in ToDesktop Builder v0.33.0 allows attackers with renderer-context access to invoke external protocol handlers without sufficient validation. 2026-01-23 not yet calculated CVE-2025-67230 https://www.todesktop.com/changelog
https://www.todesktop.com/security/advisories/TDSA-2025-002
 
TopDesktop--TopDesktop A reflected cross-site scripting (XSS) vulnerability in ToDesktop Builder v0.33.1 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload. 2026-01-23 not yet calculated CVE-2025-67231 https://www.todesktop.com/changelog
https://www.todesktop.com/security/advisories/TDSA-2025-003
 
topdevs--Smart Product Viewer Missing Authorization vulnerability in topdevs Smart Product Viewer smart-product-viewer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smart Product Viewer: from n/a through <= 1.5.4. 2026-01-23 not yet calculated CVE-2026-24588 https://patchstack.com/database/Wordpress/Plugin/smart-product-viewer/vulnerability/wordpress-smart-product-viewer-plugin-1-5-4-broken-access-control-vulnerability?_s_id=cve
 
TP-Link Systems Inc.--Archer C20 v6.0, Archer AX53 v1.0 Logic vulnerability in TP-Link Archer C20 v6.0 and Archer AX53 v1.0 (TDDP module) allows unauthenticated adjacent attackers to execute administrative commands including factory reset and device reboot without credentials. Attackers on the adjacent network can remotely trigger factory resets and reboots without credentials, causing configuration loss and interruption of device availability. This issue affects Archer C20 v6.0 < V6_251031. Archer AX53 v1.0 < V1_251215 2026-01-21 not yet calculated CVE-2026-0834 https://www.tp-link.com/en/support/download/archer-c20/v6/#Firmware
https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware
https://mattg.systems/posts/cve-2026-0834/
 
TP-Link Systems Inc.--Omada Software Controller A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator. If successful, an attacker could execute arbitrary JavaScript in the administrator's browser, potentially exposing sensitive information and compromising confidentiality. 2026-01-22 not yet calculated CVE-2025-9289 https://support.omadanetworks.com/us/download/
https://support.omadanetworks.com/us/document/114950/
 
TP-Link Systems Inc.--Omada Software Controller An authentication weakness was identified in Omada Controllers, Gateways and Access Points, controller-device adoption due to improper handling of random values. Exploitation requires advanced network positioning and allows an attacker to intercept adoption traffic and forge valid authentication through offline precomputation, potentially exposing sensitive information and compromising confidentiality. 2026-01-22 not yet calculated CVE-2025-9290 https://support.omadanetworks.com/us/download/
https://support.omadanetworks.com/en/download/
https://support.omadanetworks.com/us/document/114950/
 
Trimble--SketchUp Trimble SketchUp SKP File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trimble SketchUp. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SKP files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27769. 2026-01-23 not yet calculated CVE-2025-15062 ZDI-25-1198
 
Trusona--Trusona for WordPress Missing Authorization vulnerability in Trusona Trusona for WordPress trusona allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Trusona for WordPress: from n/a through <= 2.0.0. 2026-01-23 not yet calculated CVE-2026-24627 https://patchstack.com/database/Wordpress/Plugin/trusona/vulnerability/wordpress-trusona-for-wordpress-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve
 
TYPO3--Extension "Mailqueue" The extension extends TYPO3' FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004 https://typo3.org/security/advisory/typo3-core-sa-2026-004 . Since the related fix is overwritten by the extension, using the extension with a patched TYPO3 core version still allows for Insecure Deserialization, because the affected vulnerable code was extracted from TYPO3 core to the extension. More information about this vulnerability can be found in the related TYPO3 Core Security Advisory TYPO3-CORE-SA-2026-004 https://typo3.org/security/advisory/typo3-core-sa-2026-004 . 2026-01-20 not yet calculated CVE-2026-0895 https://typo3.org/security/advisory/typo3-ext-sa-2026-001
https://github.com/CPS-IT/mailqueue/commit/fd09aa4e1a751551bae4b228bee814e22f2048db
https://github.com/CPS-IT/mailqueue/commit/12a0a35027bb5609917790a94e43bbf117abf733
 
Unknown--Bookingor The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor WordPress plugin through 1.0.12 data. 2026-01-20 not yet calculated CVE-2025-12573 https://wpscan.com/vulnerability/b6198d76-813c-4f13-8b3d-b4609095ae34/
 
upnp--upnp A command injection vulnerability exists in the upnp_relay() function in multiple ipTIME router models because the controlURL value used to pass port-forwarding information to an upper router is passed to system() without proper validation or sanitization, allowing OS command injection. 2026-01-20 not yet calculated CVE-2025-55423 https://iptime.com/iptime/?pageid=4&page_id=126&dfsid=3&dftid=583&uid=25203&mod=document
https://docs.google.com/spreadsheets/d/1kryOFltCmnPJvDTpIrudgryt79uI4PWchuQ8-Gak24c/edit?usp=sharing
https://github.com/0x0xxxx/CVE/blob/main/CVE-2025-55423/README.md
https://github.com/0x0xxxx/CVE/blob/main/CVE-2025-55423/assets/affected_products_cve_format.json
 
uPress--Booter Missing Authorization vulnerability in uPress Booter booter-bots-crawlers-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booter: from n/a through <= 1.5.7. 2026-01-23 not yet calculated CVE-2026-24534 https://patchstack.com/database/Wordpress/Plugin/booter-bots-crawlers-manager/vulnerability/wordpress-booter-plugin-1-5-7-broken-access-control-vulnerability?_s_id=cve
 
Upsonic--Upsonic Upsonic Cloudpickle Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Upsonic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the add_tool endpoint, which listens on TCP port 7541 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26845. 2026-01-23 not yet calculated CVE-2026-0773 ZDI-26-042
 
uxper--Golo Missing Authorization vulnerability in uxper Golo golo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Golo: from n/a through < 1.7.5. 2026-01-22 not yet calculated CVE-2026-23974 https://patchstack.com/database/Wordpress/Theme/golo/vulnerability/wordpress-golo-theme-1-7-5-broken-access-control-vulnerability?_s_id=cve
 
uxper--Golo Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Golo golo allows PHP Local File Inclusion. This issue affects Golo: from n/a through < 1.7.5. 2026-01-22 not yet calculated CVE-2026-23975 https://patchstack.com/database/Wordpress/Theme/golo/vulnerability/wordpress-golo-theme-1-7-5-local-file-inclusion-vulnerability?_s_id=cve
 
VB-Audio Software--Matrix VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a local privilege escalation vulnerability in the VBMatrix VAIO virtual audio driver (vbmatrixvaio64*_win10.sys). The driver allocates a 128-byte non-paged pool buffer and, upon receiving IOCTL 0x222060, maps it into user space using an MDL and MmMapLockedPagesSpecifyCache. Because the allocation size is not page-aligned, the mapping exposes the entire 0x1000-byte kernel page containing the buffer plus adjacent non-paged pool allocations with read/write permissions. An unprivileged local attacker can open a device handle (using the required 0x800 attribute flag), invoke the IOCTL to obtain the mapping, and then read or modify live kernel objects and pointers present on that page. This enables bypass of KASLR, arbitrary kernel memory read/write within the exposed page, corruption of kernel objects, and escalation to SYSTEM. 2026-01-22 not yet calculated CVE-2026-23763 https://github.com/emkaix/security-research/tree/main/CVE-2026-23763
https://forum.vb-audio.com/viewtopic.php?p=7574#p7574
https://forum.vb-audio.com/viewtopic.php?p=7527#p7527
https://vb-audio.com/
https://www.vulncheck.com/advisories/vb-audio-matrix-drivers-local-privilege-escalation-via-kernel-memory-exposure
 
VB-Audio Software--Voicemeeter (Standard) VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). When a handle is opened with a special file attribute value, the drivers improperly initialize FILE_OBJECT->FsContext to a non-pointer magic value. If subsequent operations are not handled by the VB-Audio driver and are forwarded down the audio driver stack (e.g., via PortCls to ks.sys), the invalid FsContext value can be dereferenced, causing a kernel crash (BSoD), typically SYSTEM_SERVICE_EXCEPTION with STATUS_ACCESS_VIOLATION. This flaw allows a local unprivileged user to trigger a denial-of-service on affected Windows systems. 2026-01-22 not yet calculated CVE-2026-23761 https://github.com/emkaix/security-research/tree/main/CVE-2026-23761
https://forum.vb-audio.com/viewtopic.php?p=7574#p7574
https://forum.vb-audio.com/viewtopic.php?p=7527#p7527
https://vb-audio.com/
https://www.vulncheck.com/advisories/vb-audio-voicemeeter-and-matrix-drivers-dos-via-improper-file-object-fscontext-initialization
 
VB-Audio Software--Voicemeeter (Standard) VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). The drivers map non-paged pool memory into user space via MmMapLockedPagesSpecifyCache using UserMode access without proper exception handling. If the mapping fails, such as when a process has exhausted available virtual address space, MmMapLockedPagesSpecifyCache raises an exception that is not caught, causing a kernel crash (BSoD), typically SYSTEM_SERVICE_EXCEPTION with STATUS_NO_MEMORY. This flaw allows a local unprivileged user to trigger a denial-of-service on affected Windows systems. 2026-01-22 not yet calculated CVE-2026-23762 https://github.com/emkaix/security-research/tree/main/CVE-2026-23762
https://forum.vb-audio.com/viewtopic.php?p=7574#p7574
https://forum.vb-audio.com/viewtopic.php?p=7527#p7527
https://vb-audio.com/
https://www.vulncheck.com/advisories/vb-audio-voicemeeter-and-matrix-drivers-dos-via-mmmaplockedpagesspecifycache
 
VB-Audio Software--Voicemeeter (Standard) VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). The drivers allocate non-paged pool and map it into user space, where a length value associated with the allocation is exposed and can be modified by an unprivileged local attacker. On subsequent IOCTL handling, the corrupted length is used directly as the IoAllocateMdl length argument without adequate integrity checks before building and mapping the MDL, which can cause a kernel crash (BSoD), typically PAGE_FAULT_IN_NONPAGED_AREA. This flaw allows a local user to trigger a denial-of-service on affected Windows systems. 2026-01-22 not yet calculated CVE-2026-23764 https://github.com/emkaix/security-research/tree/main/CVE-2026-23764
https://forum.vb-audio.com/viewtopic.php?p=7574#p7574
https://forum.vb-audio.com/viewtopic.php?p=7527#p7527
https://vb-audio.com/
https://www.vulncheck.com/advisories/vb-audio-voicemeeter-and-matrix-drivers-dos-via-corrupted-ioallocatemdl-length
 
VEGA--VEGA An issue in Beat XP VEGA Smartwatch (Firmware Version - RB303ATV006229) allows an attacker to cause a denial of service via the BLE connection 2026-01-22 not yet calculated CVE-2025-69821 https://github.com/CipherX1802/CVE-2025-69821-Beat-XP-Vega-Smartwatch-Security-Assessment/blob/main/BeatXP_Vega_Smartwatch_Security_Assessment_Report.pdf
https://github.com/CipherX1802/CVE-2025-69821-Beat-XP-Vega-Smartwatch-Security-Assessment.git
 
VibeThemes--WPLMS Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in VibeThemes WPLMS wplms_plugin allows Path Traversal. This issue affects WPLMS: from n/a through <= 1.9.9.5.4. 2026-01-22 not yet calculated CVE-2025-69097 https://patchstack.com/database/Wordpress/Plugin/wplms_plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-4-arbitrary-file-deletion-vulnerability?_s_id=cve
 
Vladimir Statsenko--Terms descriptions Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vladimir Statsenko Terms descriptions terms-descriptions allows DOM-Based XSS. This issue affects Terms descriptions: from n/a through <= 3.4.9. 2026-01-23 not yet calculated CVE-2026-24621 https://patchstack.com/database/Wordpress/Plugin/terms-descriptions/vulnerability/wordpress-terms-descriptions-plugin-3-4-9-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Vollstart--Event Tickets with Ticket Scanner Improper Control of Generation of Code ('Code Injection') vulnerability in Vollstart Event Tickets with Ticket Scanner event-tickets-with-ticket-scanner allows Code Injection. This issue affects Event Tickets with Ticket Scanner: from n/a through <= 2.8.3. 2026-01-22 not yet calculated CVE-2025-68015 https://patchstack.com/database/Wordpress/Plugin/event-tickets-with-ticket-scanner/vulnerability/wordpress-event-tickets-with-ticket-scanner-plugin-2-7-10-remote-code-execution-rce-vulnerability?_s_id=cve
 
vrpr--WDV One Page Docs Missing Authorization vulnerability in vrpr WDV One Page Docs wdv-one-page-docs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WDV One Page Docs: from n/a through <= 1.2.4. 2026-01-22 not yet calculated CVE-2025-68896 https://patchstack.com/database/Wordpress/Plugin/wdv-one-page-docs/vulnerability/wordpress-wdv-one-page-docs-plugin-1-2-4-broken-access-control-vulnerability?_s_id=cve
 
WANotifier--WANotifier Missing Authorization vulnerability in WANotifier WANotifier notifier allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WANotifier: from n/a through <= 2.7.12. 2026-01-22 not yet calculated CVE-2025-68020 https://patchstack.com/database/Wordpress/Plugin/notifier/vulnerability/wordpress-wanotifier-plugin-2-7-12-broken-access-control-vulnerability?_s_id=cve
 
WatchYourLAN--WatchYourLAN WatchYourLAN Configuration Page Argument Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of WatchYourLAN. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the arpstrs parameter. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26708. 2026-01-23 not yet calculated CVE-2026-0774 ZDI-26-039
 
wbolt.com--IMGspider Server-Side Request Forgery (SSRF) vulnerability in wbolt.com IMGspider imgspider allows Server Side Request Forgery. This issue affects IMGspider: from n/a through <= 2.3.12. 2026-01-22 not yet calculated CVE-2026-22482 https://patchstack.com/database/Wordpress/Plugin/imgspider/vulnerability/wordpress-imgspider-plugin-2-3-12-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
 
Web Impian--Bayarcash WooCommerce Missing Authorization vulnerability in Web Impian Bayarcash WooCommerce bayarcash-wc allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bayarcash WooCommerce: from n/a through <= 4.3.11. 2026-01-23 not yet calculated CVE-2026-24606 https://patchstack.com/database/Wordpress/Plugin/bayarcash-wc/vulnerability/wordpress-bayarcash-woocommerce-plugin-4-3-11-broken-access-control-vulnerability?_s_id=cve
 
WebAppick--CTX Feed Missing Authorization vulnerability in WebAppick CTX Feed webappick-product-feed-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CTX Feed: from n/a through <= 6.6.18. 2026-01-22 not yet calculated CVE-2026-22461 https://patchstack.com/database/Wordpress/Plugin/webappick-product-feed-for-woocommerce/vulnerability/wordpress-ctx-feed-plugin-6-6-15-broken-access-control-vulnerability?_s_id=cve
 
webdevstudios--Automatic Featured Images from Videos Missing Authorization vulnerability in webdevstudios Automatic Featured Images from Videos automatic-featured-images-from-videos allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Automatic Featured Images from Videos: from n/a through <= 1.2.7. 2026-01-23 not yet calculated CVE-2026-24535 https://patchstack.com/database/Wordpress/Plugin/automatic-featured-images-from-videos/vulnerability/wordpress-automatic-featured-images-from-videos-plugin-1-2-7-broken-access-control-vulnerability?_s_id=cve
 
WebGeniusLab--iRecco Core Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebGeniusLab iRecco Core irecco-core allows PHP Local File Inclusion. This issue affects iRecco Core: from n/a through <= 1.3.6. 2026-01-22 not yet calculated CVE-2025-69046 https://patchstack.com/database/Wordpress/Plugin/irecco-core/vulnerability/wordpress-irecco-core-plugin-1-3-6-local-file-inclusion-vulnerability?_s_id=cve
 
WebPros--WebPros An issue with WordPress directory names in WebPros WordPress Toolkit before 6.9.1 allows privilege escalation. 2026-01-22 not yet calculated CVE-2025-66428 https://docs.plesk.com/release-notes/obsidian/change-log/#wordpress-toolkit-6.9.1
 
webpushr--Webpushr Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in webpushr Webpushr webpushr-web-push-notifications allows Retrieve Embedded Sensitive Data. This issue affects Webpushr: from n/a through <= 4.38.0. 2026-01-23 not yet calculated CVE-2026-24536 https://patchstack.com/database/Wordpress/Plugin/webpushr-web-push-notifications/vulnerability/wordpress-webpushr-plugin-4-38-0-sensitive-data-exposure-vulnerability?_s_id=cve
 
Weintek--cMT3072XH The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. A low-privileged user can modify the parameters and potentially manipulate account-level privileges. 2026-01-22 not yet calculated CVE-2025-14750 https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-05
 
Weintek--cMT3072XH A low-privileged user can bypass account credentials without confirming the user's current authentication state, which may lead to unauthorized privilege escalation. 2026-01-22 not yet calculated CVE-2025-14751 https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-05
 
WEN Solutions--Contact Form 7 GetResponse Extension Insertion of Sensitive Information Into Sent Data vulnerability in WEN Solutions Contact Form 7 GetResponse Extension contact-form-7-getresponse-extension allows Retrieve Embedded Sensitive Data. This issue affects Contact Form 7 GetResponse Extension: from n/a through <= 1.0.8. 2026-01-23 not yet calculated CVE-2026-24557 https://patchstack.com/database/Wordpress/Plugin/contact-form-7-getresponse-extension/vulnerability/wordpress-contact-form-7-getresponse-extension-plugin-1-0-8-sensitive-data-exposure-vulnerability?_s_id=cve
 
whisper-money--whisper-money Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue. 2026-01-19 not yet calculated CVE-2026-23844 https://github.com/whisper-money/whisper-money/security/advisories/GHSA-c4g3-wpxr-2m74
https://github.com/whisper-money/whisper-money/pull/60
https://github.com/whisper-money/whisper-money/commit/80117c3edeaf5c5a5166f3815fc555a15b5ce686
 
winkm89--teachPress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in winkm89 teachPress teachpress allows Stored XSS. This issue affects teachPress: from n/a through <= 9.0.12. 2026-01-22 not yet calculated CVE-2026-22353 https://patchstack.com/database/Wordpress/Plugin/teachpress/vulnerability/wordpress-teachpress-plugin-9-0-12-cross-site-scripting-xss-vulnerability?_s_id=cve
 
winkm89--teachPress Cross-Site Request Forgery (CSRF) vulnerability in winkm89 teachPress teachpress allows Cross Site Request Forgery. This issue affects teachPress: from n/a through <= 9.0.12. 2026-01-22 not yet calculated CVE-2026-22483 https://patchstack.com/database/Wordpress/Plugin/teachpress/vulnerability/wordpress-teachpress-plugin-9-0-12-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
WisdmLabs--Edwiser Bridge Missing Authorization vulnerability in WisdmLabs Edwiser Bridge edwiser-bridge allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Edwiser Bridge: from n/a through <= 4.3.2. 2026-01-23 not yet calculated CVE-2026-24570 https://patchstack.com/database/Wordpress/Plugin/edwiser-bridge/vulnerability/wordpress-edwiser-bridge-plugin-4-3-2-broken-access-control-vulnerability?_s_id=cve
 
woofer696--Dinatur Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in woofer696 Dinatur dinatur allows Stored XSS. This issue affects Dinatur: from n/a through <= 1.18. 2026-01-22 not yet calculated CVE-2025-68866 https://patchstack.com/database/Wordpress/Plugin/dinatur/vulnerability/wordpress-dinatur-plugin-1-18-cross-site-scripting-xss-vulnerability?_s_id=cve
 
WorklogPRO--WorklogPRO The WorklogPRO - Timesheets for Jira plugin in Jira Data Center before version 4.23.6-jira10 and before version 4.23.5-jira9 allows users and attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability. The vulnerability is exploited via a specially crafted payload placed in an issue's summary field 2026-01-21 not yet calculated CVE-2025-57681 https://marketplace.atlassian.com/apps/1212626/worklogpro-timesheets-for-jira/version-history
https://thestarware.atlassian.net/wiki/spaces/WLP/pages/3326574597/Security+Advisory+CVE-2025-57681+-+Stored+XSS+in+WorklogPRO+DC
 
WorklogPRO--WorklogPRO The WorklogPRO - Jira Timesheets plugin in the Jira Data Center before 4.24.2-jira9, 4.24.2-jira10 and 4.24.2-jira11 allows attackers to inject arbitrary HTML or JavaScript via XSS. This is exploited via a crafted payload placed in the name of a filter. This code is executed in the browser when the user attempts to create a timesheet with the filter timesheet type on the custom timesheet dialog because the filter name is not properly sanitized during the action. 2026-01-20 not yet calculated CVE-2025-67824 https://marketplace.atlassian.com/apps/1212626/worklogpro-timesheets-for-jira/version-history
https://thestarware.atlassian.net/wiki/x/CAAdyg
 
WP Chill--Gallery PhotoBlocks Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Chill Gallery PhotoBlocks photoblocks-grid-gallery allows DOM-Based XSS. This issue affects Gallery PhotoBlocks: from n/a through <= 1.3.2. 2026-01-22 not yet calculated CVE-2026-24389 https://patchstack.com/database/Wordpress/Plugin/photoblocks-grid-gallery/vulnerability/wordpress-gallery-photoblocks-plugin-1-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
WP Chill--Modula Image Gallery Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Chill Modula Image Gallery modula-best-grid-gallery allows Stored XSS. This issue affects Modula Image Gallery: from n/a through <= 2.13.4. 2026-01-22 not yet calculated CVE-2026-23976 https://patchstack.com/database/Wordpress/Plugin/modula-best-grid-gallery/vulnerability/wordpress-modula-image-gallery-plugin-2-13-4-cross-site-scripting-xss-vulnerability?_s_id=cve
 
WP Messiah--Ai Image Alt Text Generator for WP Missing Authorization vulnerability in WP Messiah Ai Image Alt Text Generator for WP ai-image-alt-text-generator-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ai Image Alt Text Generator for WP: from n/a through <= 1.1.9. 2026-01-23 not yet calculated CVE-2026-24579 https://patchstack.com/database/Wordpress/Plugin/ai-image-alt-text-generator-for-wp/vulnerability/wordpress-ai-image-alt-text-generator-for-wp-plugin-1-1-9-broken-access-control-vulnerability?_s_id=cve
 
WP Messiah--Frontis Blocks Server-Side Request Forgery (SSRF) vulnerability in WP Messiah Frontis Blocks frontis-blocks allows Server Side Request Forgery. This issue affects Frontis Blocks: from n/a through <= 1.1.5. 2026-01-22 not yet calculated CVE-2025-68030 https://patchstack.com/database/Wordpress/Plugin/frontis-blocks/vulnerability/wordpress-frontis-blocks-plugin-1-1-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
 
WP Swings--Points and Rewards for WooCommerce Missing Authorization vulnerability in WP Swings Points and Rewards for WooCommerce points-and-rewards-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Points and Rewards for WooCommerce: from n/a through <= 2.9.5. 2026-01-23 not yet calculated CVE-2026-24581 https://patchstack.com/database/Wordpress/Plugin/points-and-rewards-for-woocommerce/vulnerability/wordpress-points-and-rewards-for-woocommerce-plugin-2-9-5-broken-access-control-vulnerability?_s_id=cve
 
WP Travel--WP Travel Missing Authorization vulnerability in WP Travel WP Travel wp-travel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Travel: from n/a through <= 11.0.0. 2026-01-23 not yet calculated CVE-2026-24568 https://patchstack.com/database/Wordpress/Plugin/wp-travel/vulnerability/wordpress-wp-travel-plugin-11-0-0-broken-access-control-vulnerability?_s_id=cve
 
wpdive--ElementCamp Missing Authorization vulnerability in wpdive ElementCamp element-camp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementCamp: from n/a through <= 2.3.2. 2026-01-23 not yet calculated CVE-2026-24556 https://patchstack.com/database/Wordpress/Plugin/element-camp/vulnerability/wordpress-elementcamp-plugin-2-3-2-broken-access-control-vulnerability?_s_id=cve
 
wpeverest--User Registration Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects User Registration: from n/a through <= 4.4.6. 2026-01-22 not yet calculated CVE-2025-67956 https://patchstack.com/database/Wordpress/Plugin/user-registration/vulnerability/wordpress-user-registration-plugin-4-4-6-broken-access-control-vulnerability?_s_id=cve
 
wpeverest--User Registration Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects User Registration: from n/a through <= 4.4.9. 2026-01-22 not yet calculated CVE-2026-24353 https://patchstack.com/database/Wordpress/Plugin/user-registration/vulnerability/wordpress-user-registration-plugin-4-4-9-arbitrary-shortcode-execution-vulnerability?_s_id=cve
 
wphocus--My auctions allegro Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Reflected XSS. This issue affects My auctions allegro: from n/a through <= 3.6.32. 2026-01-22 not yet calculated CVE-2025-67943 https://patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-32-cross-site-scripting-xss-vulnerability-2?_s_id=cve
 
wphocus--My auctions allegro Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows PHP Local File Inclusion. This issue affects My auctions allegro: from n/a through <= 3.6.33. 2026-01-22 not yet calculated CVE-2026-22464 https://patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-33-local-file-inclusion-vulnerability?_s_id=cve
 
wpjobportal--WP Job Portal Authorization Bypass Through User-Controlled Key vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Job Portal: from n/a through <= 2.4.3. 2026-01-22 not yet calculated CVE-2026-24379 https://patchstack.com/database/Wordpress/Plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-plugin-2-4-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
wproyal--Bard Missing Authorization vulnerability in wproyal Bard bard allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bard: from n/a through <= 2.229. 2026-01-22 not yet calculated CVE-2025-63018 https://patchstack.com/database/Wordpress/Theme/bard/vulnerability/wordpress-bard-theme-2-229-broken-access-control-vulnerability?_s_id=cve
 
wptravelengine--Travel Monster Missing Authorization vulnerability in wptravelengine Travel Monster travel-monster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travel Monster: from n/a through <= 1.3.3. 2026-01-23 not yet calculated CVE-2026-24607 https://patchstack.com/database/Wordpress/Theme/travel-monster/vulnerability/wordpress-travel-monster-theme-1-3-3-broken-access-control-vulnerability?_s_id=cve
 
wpWave--Hide My WP Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpWave Hide My WP hide_my_wp allows Reflected XSS. This issue affects Hide My WP: from n/a through <= 6.2.12. 2026-01-22 not yet calculated CVE-2025-69098 https://patchstack.com/database/Wordpress/Plugin/hide_my_wp/vulnerability/wordpress-hide-my-wp-plugin-6-2-12-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
WPXPO--PostX Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PostX: from n/a through <= 5.0.3. 2026-01-22 not yet calculated CVE-2025-69313 https://patchstack.com/database/Wordpress/Plugin/ultimate-post/vulnerability/wordpress-postx-plugin-5-0-3-broken-access-control-vulnerability?_s_id=cve
 
XDocReport A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions. 2026-01-20 not yet calculated CVE-2025-64087 https://github.com/opensagres/xdocreport
https://github.com/opensagres/xdocreport/pull/705
https://hackmd.io/@cuongnh/BJEnw7SAlg
https://hackmd.io/@cuongnh/SkQvhEf0lx
https://github.com/AT190510-Cuong/CVE-2025-64087-SSTI-
 
XDocReport--XDocReport An XML External Entity (XXE) vulnerability in opensagres XDocReport v0.9.2 to v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .docx file. 2026-01-20 not yet calculated CVE-2025-65482 https://github.com/opensagres/xdocreport
https://drive.google.com/drive/folders/1hUyCznpBN7ivo5krmyJ4OQc_q626Hy5q?usp=sharing
https://hackmd.io/@cuongnh/r1B7B8fJ-g
https://hackmd.io/@cuongnh/rkJPCgSy-l
https://github.com/AT190510-Cuong/CVE-2025-65482-XXE-
 
XLPlugins--NextMove Lite Authorization Bypass Through User-Controlled Key vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects NextMove Lite: from n/a through <= 2.23.0. 2026-01-23 not yet calculated CVE-2026-24599 https://patchstack.com/database/Wordpress/Plugin/woo-thank-you-page-nextmove-lite/vulnerability/wordpress-nextmove-lite-plugin-2-23-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
XpeedStudio--Bajaar - Highly Customizable WooCommerce WordPress Theme Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in XpeedStudio Bajaar - Highly Customizable WooCommerce WordPress Theme bajaar allows PHP Local File Inclusion. This issue affects Bajaar - Highly Customizable WooCommerce WordPress Theme: from n/a through <= 2.1.0. 2026-01-22 not yet calculated CVE-2025-69004 https://patchstack.com/database/Wordpress/Theme/bajaar/vulnerability/wordpress-bajaar-highly-customizable-woocommerce-wordpress-theme-theme-2-1-0-local-file-inclusion-vulnerability?_s_id=cve
 
Xpro--Xpro Elementor Addons Unrestricted Upload of File with Dangerous Type vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Upload a Web Shell to a Web Server. This issue affects Xpro Elementor Addons: from n/a through <= 1.4.19.1. 2026-01-22 not yet calculated CVE-2025-69312 https://patchstack.com/database/Wordpress/Plugin/xpro-elementor-addons/vulnerability/wordpress-xpro-elementor-addons-plugin-1-4-19-1-arbitrary-file-upload-vulnerability?_s_id=cve
 
xtemos--WoodMart Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in xtemos WoodMart woodmart allows Code Injection. This issue affects WoodMart: from n/a through <= 8.3.7. 2026-01-22 not yet calculated CVE-2025-47600 https://patchstack.com/database/Wordpress/Theme/woodmart/vulnerability/wordpress-woodmart-theme-8-3-7-arbitrary-shortcode-execution-vulnerability?_s_id=cve
 
xwiki--xwiki-platform XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which allows an attacker to craft a malicious URL and execute arbitrary actions with the same privileges as the victim. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation. This issue has been patched in versions 17.8.0-rc-1, 17.4.5 and 16.10.12. To workaround, the patch can be applied manually, only a single line in templates/logging_macros.vm needs to be changed, no restart is required. 2026-01-23 not yet calculated CVE-2026-24128 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wvqx-m5px-6cmp
https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf
https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-16.10.12
https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.5
https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.8.0-rc-1
https://jira.xwiki.org/browse/XWIKI-23462
 
yasir129--Turn Yoast SEO FAQ Block to Accordion Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in yasir129 Turn Yoast SEO FAQ Block to Accordion faq-schema-block-to-accordion allows Stored XSS. This issue affects Turn Yoast SEO FAQ Block to Accordion: from n/a through <= 1.0.6. 2026-01-23 not yet calculated CVE-2026-24591 https://patchstack.com/database/Wordpress/Plugin/faq-schema-block-to-accordion/vulnerability/wordpress-turn-yoast-seo-faq-block-to-accordion-plugin-1-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve
 
YITHEMES--YITH WooCommerce Request A Quote Missing Authorization vulnerability in YITHEMES YITH WooCommerce Request A Quote yith-woocommerce-request-a-quote allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YITH WooCommerce Request A Quote: from n/a through <= 2.46.0. 2026-01-22 not yet calculated CVE-2026-24366 https://patchstack.com/database/Wordpress/Plugin/yith-woocommerce-request-a-quote/vulnerability/wordpress-yith-woocommerce-request-a-quote-plugin-2-46-0-broken-access-control-vulnerability?_s_id=cve
 
zhblue--hustoj hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admin/ranklist_export.php). The application fails to sanitize user-supplied input (specifically the "Nickname" field) before exporting it to an .xls file (which renders as an HTML table but is opened by Excel). If a malicious user sets their nickname to an Excel formula when an administrator exports and opens the rank list in Microsoft Excel, the formula will be executed. This can lead to arbitrary command execution (RCE) on the administrator's machine or data exfiltration. A fix was not available at the time of publication. 2026-01-21 not yet calculated CVE-2026-23873 https://github.com/zhblue/hustoj/security/advisories/GHSA-gqwv-v7vx-2qjw
 
zohocrm--Zoho CRM Lead Magnet Missing Authorization vulnerability in zohocrm Zoho CRM Lead Magnet zoho-crm-forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zoho CRM Lead Magnet: from n/a through <= 1.8.1.5. 2026-01-23 not yet calculated CVE-2026-24595 https://patchstack.com/database/Wordpress/Plugin/zoho-crm-forms/vulnerability/wordpress-zoho-crm-lead-magnet-plugin-1-8-1-5-broken-access-control-vulnerability?_s_id=cve
 
ZoomIt--DZS Video Gallery Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ZoomIt DZS Video Gallery dzs-videogallery allows SQL Injection. This issue affects DZS Video Gallery: from n/a through <= 12.37. 2026-01-22 not yet calculated CVE-2025-49049 https://patchstack.com/database/Wordpress/Plugin/dzs-videogallery/vulnerability/wordpress-dzs-video-gallery-plugin-12-37-sql-injection-vulnerability?_s_id=cve
 
zozothemes--Miion Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zozothemes Miion miion allows PHP Local File Inclusion. This issue affects Miion: from n/a through <= 1.2.7. 2026-01-22 not yet calculated CVE-2025-68913 https://patchstack.com/database/Wordpress/Theme/miion/vulnerability/wordpress-miion-theme-1-2-7-local-file-inclusion-vulnerability?_s_id=cve
 
zozothemes--Miion Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Miion miion allows Upload a Web Shell to a Web Server. This issue affects Miion: from n/a through <= 1.2.7. 2026-01-22 not yet calculated CVE-2025-68986 https://patchstack.com/database/Wordpress/Theme/miion/vulnerability/wordpress-miion-theme-1-2-7-arbitrary-file-upload-vulnerability?_s_id=cve
 
Zuinq Studio--IsMyGym Reflected Cross-Site Scripting (XSS) vulnerability in IsMyGym by Zuinq Studio. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL with '/<PATH>.php/<XSS>'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. 2026-01-20 not yet calculated CVE-2025-41081 https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-ismygym
 

Back to top

Vulnerability Summary for the Week of January 12, 2026
Posted on Tuesday January 20, 2026

High Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
10-Strike--Strike Network Inventory Explorer Pro 10-Strike Network Inventory Explorer Pro 9.31 contains a buffer overflow vulnerability in the text file import functionality that allows remote code execution. Attackers can craft a malicious text file with carefully constructed payload to trigger a reverse shell and execute arbitrary code on the target system. 2026-01-15 9.8 CVE-2021-47772 ExploitDB-50472
Vendor Homepage
 
10-Strike--Strike Network Inventory Explorer Pro 10-Strike Network Inventory Explorer Pro 9.31 contains an unquoted service path vulnerability in the srvInventoryWebServer service running with LocalSystem privileges. Attackers can exploit the unquoted path by placing malicious executables in potential path segments to achieve privilege escalation and execute code with system-level permissions. 2026-01-15 7.8 CVE-2021-47767 ExploitDB-50494
Vendor Homepage
 
4Homepages--4images 4images 1.9 contains a remote command execution vulnerability that allows authenticated administrators to inject reverse shell code through template editing functionality. Attackers can save malicious code in the template and execute arbitrary commands by accessing a specific categories.php endpoint with a crafted cat_id parameter. 2026-01-13 8.8 CVE-2022-50806 ExploitDB-51147
Official 4images Software Download Page
VulnCheck Advisory: 4images 1.9 - Remote Command Execution (RCE)
 
ABB--ABB Ability OPTIMAX Incorrect Implementation of Authentication Algorithm vulnerability in ABB ABB Ability OPTIMAX.This issue affects ABB Ability OPTIMAX: 6.1, 6.2, from 6.3.0 before 6.3.1-251120, from 6.4.0 before 6.4.1-251120. 2026-01-16 8.1 CVE-2025-14510 https://search.abb.com/library/Download.aspx?DocumentID=9AKK108472A1331&LanguageCode=en&DocumentPartId=&Action=Launch
 
Acer--Acer Backup Manager Module Acer Backup Manager 3.0.0.99 contains an unquoted service path vulnerability in the NTI IScheduleSvc service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\NTI\Acer Backup Manager\ to inject malicious executables that would run with elevated LocalSystem privileges. 2026-01-16 7.8 CVE-2021-47826 ExploitDB-49889
Acer Official Homepage
VulnCheck Advisory: Acer Backup Manager Module 3.0.0.99 - 'IScheduleSvc.exe' Unquoted Service Path
 
Acer--Acer Updater Service Acer Updater Service 1.2.3500.0 contains an unquoted service path vulnerability that allows local users to execute code with elevated system privileges. Attackers can exploit the unquoted path in C:\Program Files\Acer\Acer Updater\ to inject malicious executables that will run with LocalSystem permissions during service startup. 2026-01-16 7.8 CVE-2021-47825 ExploitDB-49890
Acer Official Homepage
VulnCheck Advisory: Acer Updater Service 1.2.3500.0 - 'UpdaterService.exe' Unquoted Service Path
 
Acer--ePowerSvc Acer ePowerSvc 6.0.3008.0 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup. 2026-01-16 7.8 CVE-2021-47823 ExploitDB-49900
Acer Official Homepage
VulnCheck Advisory: ePowerSvc 6.0.3008.0 - 'ePowerSvc.exe' Unquoted Service Path
 
Adobe--Bridge Bridge versions 15.1.2, 16.0 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2026-01-13 7.8 CVE-2026-21283 https://helpx.adobe.com/security/products/bridge/apsb26-07.html
 
Adobe--Dreamweaver Desktop Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an attacker. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. 2026-01-13 8.6 CVE-2026-21267 https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html
 
Adobe--Dreamweaver Desktop Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. 2026-01-13 8.6 CVE-2026-21268 https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html
 
Adobe--Dreamweaver Desktop Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. 2026-01-13 8.6 CVE-2026-21271 https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html
 
Adobe--Dreamweaver Desktop Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system write. An attacker could leverage this vulnerability to manipulate or inject malicious data into files on the system. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. 2026-01-13 8.6 CVE-2026-21272 https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html
 
Adobe--Dreamweaver Desktop Dreamweaver Desktop versions 21.6 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could leverage this vulnerability to bypass security measures and execute unauthorized code. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2026-01-13 7.8 CVE-2026-21274 https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html
 
Adobe--Illustrator Illustrator versions 29.8.3, 30.0 and earlier are affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user. If the application uses a search path to locate critical resources such as programs, an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. 2026-01-13 8.6 CVE-2026-21280 https://helpx.adobe.com/security/products/illustrator/apsb26-03.html
 
Adobe--InCopy InCopy versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2026-01-13 7.8 CVE-2026-21281 https://helpx.adobe.com/security/products/incopy/apsb26-04.html
 
Adobe--InDesign Desktop InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2026-01-13 7.8 CVE-2026-21275 https://helpx.adobe.com/security/products/indesign/apsb26-02.html
 
Adobe--InDesign Desktop InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2026-01-13 7.8 CVE-2026-21276 https://helpx.adobe.com/security/products/indesign/apsb26-02.html
 
Adobe--InDesign Desktop InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2026-01-13 7.8 CVE-2026-21277 https://helpx.adobe.com/security/products/indesign/apsb26-02.html
 
Adobe--InDesign Desktop InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2026-01-13 7.8 CVE-2026-21304 https://helpx.adobe.com/security/products/indesign/apsb26-02.html
 
Adobe--Substance3D - Designer Substance3D - Designer versions 15.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2026-01-13 7.8 CVE-2026-21307 https://helpx.adobe.com/security/products/substance3d_designer/apsb26-13.html
 
Adobe--Substance3D - Modeler Substance3D - Modeler versions 1.22.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2026-01-13 7.8 CVE-2026-21298 https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html
 
Adobe--Substance3D - Modeler Substance3D - Modeler versions 1.22.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2026-01-13 7.8 CVE-2026-21299 https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html
 
Adobe--Substance3D - Painter Substance3D - Painter versions 11.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2026-01-13 7.8 CVE-2026-21305 https://helpx.adobe.com/security/products/substance3d_painter/apsb26-10.html
 
Adobe--Substance3D - Sampler Substance3D - Sampler versions 5.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2026-01-13 7.8 CVE-2026-21306 https://helpx.adobe.com/security/products/substance3d-sampler/apsb26-11.html
 
Adobe--Substance3D - Stager Substance3D - Stager versions 3.1.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2026-01-13 7.8 CVE-2026-21287 https://helpx.adobe.com/security/products/substance3d_stager/apsb26-09.html
 
Advantech--IoTSuite and IoT Edge Products Successful exploitation of the SQL injection vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the vulnerable service when it is exposed to the Internet. 2026-01-12 10 CVE-2025-52694 https://www.csa.gov.sg/alerts-and-advisories/alerts/alerts-al-2026-001/
 
agentfront--enclave Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the host Node.js runtime. When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, which can be traversed to reach the host Function constructor. An attacker can intentionally trigger a host error, then climb the prototype chain. Using the host Function constructor, arbitrary JavaScript can be compiled and executed in the host context, fully bypassing the sandbox and granting access to sensitive resources such as process.env, filesystem, and network. This breaks enclave-vm's core security guarantee of isolating untrusted code. This vulnerability is fixed in 2.7.0. 2026-01-13 10 CVE-2026-22686 https://github.com/agentfront/enclave/security/advisories/GHSA-7qm7-455j-5p63
https://github.com/agentfront/enclave/commit/ed8bc438b2cd6e6f0b5f2de321e5be6f0169b5a1
 
ahmadgb--GeekyBot Generate AI Content Without Prompt, Chatbot and Lead Generation The GeekyBot - Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the chat message field in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the Chat History page. 2026-01-14 7.2 CVE-2025-15266 https://www.wordfence.com/threat-intel/vulnerabilities/id/b30e84db-c73f-4df2-9c88-c37a7e14c95b?source=cve
https://wordpress.org/plugins/geeky-bot/
 
Aimeos--Aimeos Laravel ecommerce platform Aimeos 2021.10 LTS contains a SQL injection vulnerability in the json api 'sort' parameter that allows attackers to inject malicious database queries. Attackers can manipulate the sort parameter to reveal table and column names by sending crafted GET requests to the jsonapi/review endpoint. 2026-01-15 8.2 CVE-2021-47763 ExploitDB-50538
Vendor Homepage
Aimeos Laravel E-Commerce Package
 
Aimone-Video-Converter--AimOne Video Converter AimOne Video Converter 2.04 Build 103 contains a buffer overflow vulnerability in its registration form that causes application crashes. Attackers can generate a 7000-byte payload to trigger the denial of service and potentially exploit the software's registration mechanism. 2026-01-13 9.8 CVE-2023-54328 ExploitDB-51196
AimOne Video Converter Software Informer Page
Archived AimOne Software Website
Vulnerability Reproduction Repository
VulnCheck Advisory: AimOne Video Converter 2.04 Build 103 Buffer Overflow in Registration Form
 
Aiven-Open--bigquery-connector-for-apache-kafka Kafka Connect BigQuery Connector is an implementation of a sink connector from Apache Kafka to Google BigQuery. Prior to 2.11.0, there is an arbitrary file read in Google BigQuery Sink connector. Aiven's Google BigQuery Kafka Connect Sink connector requires Google Cloud credential configurations for authentication to BigQuery services. During connector configuration, users can supply credential JSON files that are processed by Google authentication libraries. The service fails to validate externally-sourced credential configurations before passing them to the authentication libraries. An attacker can exploit this by providing a malicious credential configuration containing crafted credential_source.file paths or credential_source.url endpoints, resulting in arbitrary file reads or SSRF attacks. 2026-01-16 7.7 CVE-2026-23529 https://github.com/Aiven-Open/bigquery-connector-for-apache-kafka/security/advisories/GHSA-3mg8-2g53-5gj4
https://github.com/Aiven-Open/bigquery-connector-for-apache-kafka/commit/20ea3921c6fe72d605a033c1943b20f49eaba981
https://docs.cloud.google.com/support/bulletins#gcp-2025-005
https://github.com/Aiven-Open/bigquery-connector-for-apache-kafka/releases/tag/v2.11.0
 
ajseidl--AJS Footnotes The AJS Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'note_list_class' and 'popup_display_effect_in' parameters in all versions up to, and including, 1.0 due to missing authorization and nonce verification on settings save, as well as insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to update plugin settings and inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-14 7.2 CVE-2025-15378 https://www.wordfence.com/threat-intel/vulnerabilities/id/4da167e0-c1cf-496f-9b14-35fc70386be1?source=cve
https://plugins.trac.wordpress.org/browser/ajs-footnotes/tags/1.0/ajs_footnotes.php?marks=138,271,303#L138
 
Algo Solutions--Algo 8028 Algo 8028 Control Panel version 3.3.3 contains a command injection vulnerability in the fm-data.lua endpoint that allows authenticated attackers to execute arbitrary commands. Attackers can exploit the insecure 'source' parameter by injecting commands that are executed with root privileges, enabling remote code execution through a crafted POST request. 2026-01-13 8.8 CVE-2022-50909 ExploitDB-50960
Algo Solutions Official Homepage
Algo 8028 Firmware Downloads
VulnCheck Advisory: Algo 8028 Control Panel - Remote Code Execution (RCE) (Authenticated)
 
Altium--Altium 365 A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts, which is stored and executed when other users view the affected post. Successful exploitation allows the attacker's payload to execute in the context of the victim's authenticated Altium 365 session, enabling unauthorized access to workspace data, including design files and workspace settings. Exploitation requires user interaction to view a malicious forum post. 2026-01-15 9 CVE-2026-1009 https://www.altium.com/platform/security-compliance/security-advisories
 
Altium--Altium Enterprise Server A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data. When an administrator views the affected workflow, the injected payload executes in the administrator's browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions. 2026-01-15 8 CVE-2026-1010 https://www.altium.com/platform/security-compliance/security-advisories
 
Altium--Altium Live A stored cross-site scripting (XSS) vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques. The injected payload is persisted and executed when other users view the affected profile page, potentially allowing session token theft, phishing attacks, or malicious redirects. Exploitation requires an authenticated account and user interaction to view the crafted profile. 2026-01-15 7.6 CVE-2026-1008 https://www.altium.com/platform/security-compliance/security-advisories
 
Ametys--Ametys CMS Ametys CMS v4.4.1 contains a persistent cross-site scripting vulnerability in the link directory's input fields for external links. Attackers can inject malicious script code in link text and descriptions to execute persistent attacks that compromise user sessions and manipulate application modules. 2026-01-13 7.2 CVE-2022-50937 ExploitDB-50692
Vulnerability Lab Advisory
Official Ametys CMS Homepage
VulnCheck Advisory: Ametys CMS v4.4.1 - Cross Site Scripting (XSS)
 
amitmerchant1990--Markdownify Markdownify 1.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload crafted markdown files with embedded scripts that execute when the file is opened, potentially enabling remote code execution. 2026-01-16 7.2 CVE-2021-47837 ExploitDB-49835
Markdownify GitHub Repository
Proof of Concept Video
VulnCheck Advisory: Markdownify 1.2.0 - Persistent Cross-Site Scripting
 
anomalyco--opencode OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216. 2026-01-12 8.8 CVE-2026-22812 https://github.com/anomalyco/opencode/security/advisories/GHSA-vxw4-wv6m-9hhh
 
appsmithorg--appsmith Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be generated pointing to the attacker's domain, causing authentication tokens to be exposed and potentially leading to account takeover. This vulnerability is fixed in 1.93. 2026-01-12 9.7 CVE-2026-22794 https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv
https://github.com/appsmithorg/appsmith/commit/6f9ee6226bac13fb4b836940b557913fff78b633
 
AVEVA--Process Optimization The vulnerability, if exploited, could allow an unauthenticated miscreant to achieve remote code execution under OS system privileges of "taoimr" service, potentially resulting in complete compromise of the  model application server. 2026-01-16 10 CVE-2025-61937 https://www.aveva.com/en/support-and-success/cyber-security-updates/
https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea
https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json
 
AVEVA--Process Optimization The vulnerability, if exploited, could allow an authenticated miscreant (Process Optimization Standard User) to tamper with queries in Captive Historian and achieve code execution under SQL Server administrative privileges, potentially resulting in complete compromise of the SQL Server. 2026-01-16 8.4 CVE-2025-61943 https://www.aveva.com/en/support-and-success/cyber-security-updates/
https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea
https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json
 
AVEVA--Process Optimization The vulnerability, if exploited, could allow an authenticated miscreant (OS standard user) to tamper with TCL Macro scripts and escalate privileges to OS system, potentially resulting in complete compromise of the model application server. 2026-01-16 8.8 CVE-2025-64691 https://www.aveva.com/en/support-and-success/cyber-security-updates/
https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea
https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json
 
AVEVA--Process Optimization The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to tamper with Process Optimization project files, embed code, and escalate their privileges to the identity of a victim user who subsequently interacts with the project files. 2026-01-16 8.1 CVE-2025-64729 https://www.aveva.com/en/support-and-success/cyber-security-updates/
https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea
https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json
 
AVEVA--Process Optimization The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to trick Process Optimization services into loading arbitrary code and escalate privileges to OS System, potentially resulting in complete compromise of the Model Application Server. 2026-01-16 8.8 CVE-2025-65118 https://www.aveva.com/en/support-and-success/cyber-security-updates/
https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea
https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json
 
AVEVA--Process Optimization The Process Optimization application suite leverages connection channels/protocols that by-default are not encrypted and could become subject to hijacking or data leakage in certain man-in-the-middle or passive inspection scenarios. 2026-01-16 7.1 CVE-2025-64769 https://www.aveva.com/en/support-and-success/cyber-security-updates/
https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea
https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json
 
AVEVA--Process Optimization The vulnerability, if exploited, could allow an authenticated miscreant (Process Optimization Designer User) to embed OLE objects into graphics, and escalate their privileges to the identity of a victim user who subsequently interacts with the graphical elements. 2026-01-16 7.4 CVE-2025-65117 https://www.aveva.com/en/support-and-success/cyber-security-updates/
https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea
https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json
 
Bdtask--Isshue Shopping Cart Isshue Shopping Cart 3.5 contains a persistent cross-site scripting vulnerability in title input fields across stock, customer, and invoice modules. Attackers with privileged user accounts can inject malicious scripts that execute on preview, potentially enabling session hijacking and persistent phishing attacks. 2026-01-15 7.2 CVE-2021-47769 ExploitDB-50490
Vulnerability-Lab Disclosure
Official Product Homepage
 
Beehive Forum--Beehive Forum Beehive Forum 1.5.2 contains a host header injection vulnerability in the forgot password functionality that allows attackers to manipulate password reset requests. Attackers can inject a malicious host header to intercept password reset tokens and change victim account passwords without direct authentication. 2026-01-13 7.5 CVE-2022-50910 ExploitDB-50923
Beehive Forum Official Website
Beehive Forum SourceForge Project
Proof of Concept Imgur
VulnCheck Advisory: Beehive Forum - Account Takeover
 
Brother--Brother BRAgent Brother BRAgent 1.38 contains an unquoted service path vulnerability in the WBA_Agent_Client service running with LocalSystem privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Brother\BRAgent\ to inject and execute malicious code with elevated system permissions. 2026-01-15 7.8 CVE-2020-36928 ExploitDB-50010
BRAgent Webpage
VulnCheck Advisory: Brother BRAgent 1.38 - 'WBA_Agent_Client' Unquoted Service Path
 
Canon Inc.--Satera LBP670C Series Buffer overflow in print job processing by WSD on Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan.Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US.i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. 2026-01-15 9.8 CVE-2025-14231 https://psirt.canon/advisory-information/cp2026-001/
https://canon.jp/support/support-info/260115vulnerability-response
https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers
https://www.canon-europe.com/support/product-security/
 
Canon Inc.--Satera LBP670C Series Buffer overflow in XML processing of XPS file in Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan.Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US.i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. 2026-01-15 9.8 CVE-2025-14232 https://psirt.canon/advisory-information/cp2026-001/
https://canon.jp/support/support-info/260115vulnerability-response
https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers
https://www.canon-europe.com/support/product-security/
 
Canon Inc.--Satera LBP670C Series Invalid free in CPCA file deletion processing on Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan.Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US.i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. 2026-01-15 9.8 CVE-2025-14233 https://psirt.canon/advisory-information/cp2026-001/
https://canon.jp/support/support-info/260115vulnerability-response
https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers
https://www.canon-europe.com/support/product-security/
 
Canon Inc.--Satera LBP670C Series Buffer overflow in CPCA list processing on Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan.Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US.i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. 2026-01-15 9.8 CVE-2025-14234 https://psirt.canon/advisory-information/cp2026-001/
https://canon.jp/support/support-info/260115vulnerability-response
https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers
https://www.canon-europe.com/support/product-security/
 
Canon Inc.--Satera LBP670C Series Buffer overflow in XPS font fpgm data processing on Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan.Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US.i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. 2026-01-15 9.8 CVE-2025-14235 https://psirt.canon/advisory-information/cp2026-001/
https://canon.jp/support/support-info/260115vulnerability-response
https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers
https://www.canon-europe.com/support/product-security/
 
Canon Inc.--Satera LBP670C Series Buffer overflow in Address Book attribute tag processing on Small Office Multifunction Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan.Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US.i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. 2026-01-15 9.8 CVE-2025-14236 https://psirt.canon/advisory-information/cp2026-001/
https://canon.jp/support/support-info/260115vulnerability-response
https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers
https://www.canon-europe.com/support/product-security/
 
Canon Inc.--Satera LBP670C Series Buffer overflow in XPS font parse processing on Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan.Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US.i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. 2026-01-15 9.8 CVE-2025-14237 https://psirt.canon/advisory-information/cp2026-001/
https://canon.jp/support/support-info/260115vulnerability-response
https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers
https://www.canon-europe.com/support/product-security/
 
checkpoint--Hramony SASE A local user can trigger Harmony SASE Windows client to write or delete files outside the intended certificate working directory. 2026-01-14 7.5 CVE-2025-9142 https://support.checkpoint.com/results/sk/sk184557
 
clevo--HotKey Clipboard Clevo HotKey Clipboard 2.1.0.6 contains an unquoted service path vulnerability in the HKClipSvc service that allows local non-privileged users to potentially execute code with system privileges. Attackers can exploit the misconfigured service path to inject and execute arbitrary code by placing malicious executables in specific file system locations. 2026-01-13 8.4 CVE-2023-53984 ExploitDB-51206
Archived Vendor Homepage
VulnCheck Advisory: HotKey Clipboard 2.1.0.6 - Privilege Escalation Unquoted Service Path
 
Cmder--Cmder Console Emulator Cmder Console Emulator 1.3.18 contains a buffer overflow vulnerability that allows attackers to trigger a denial of service condition through a maliciously crafted .cmd file. Attackers can create a specially constructed .cmd file with repeated characters to overwhelm the console emulator's buffer and crash the application. 2026-01-15 9.8 CVE-2021-47781 ExploitDB-50401
Cmder GitHub Repository
 
Cobbr--Covenant Covenant 0.1.3 - 0.5 contains a remote code execution vulnerability that allows attackers to craft malicious JWT tokens with administrative privileges. Attackers can generate forged tokens with admin roles and upload custom DLL payloads to execute arbitrary commands on the target system. 2026-01-13 9.8 CVE-2020-36911 ExploitDB-51141
Vendor Homepage
Covenant GitHub Repository
Archived Researcher Blog
Exploit Repository
Archived Maintainer Patch Announcement
VulnCheck Advisory: Covenant 0.5 - Remote Code Execution (RCE)
 
Cobiansoft--Cobian Backup Cobian Backup 0.9 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the CobianReflectorService to inject malicious code that will execute with LocalSystem permissions during service startup. 2026-01-13 8.4 CVE-2022-50923 ExploitDB-50810
Vendor Homepage
Software Download Page
VulnCheck Advisory: Cobian Backup 0.9 - Unquoted Service Path
 
code-projects--Online Music Site A security flaw has been discovered in code-projects Online Music Site 1.0. The impacted element is an unknown function of the file /Administrator/PHP/AdminUpdateUser.php. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. 2026-01-12 7.3 CVE-2026-0852 VDB-340447 | code-projects Online Music Site AdminUpdateUser.php sql injection
VDB-340447 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #734136 | code-projects ONLINE MUSIC SITE V1.0 SQL injection
https://github.com/Learner636/CVE-smbmit/issues/2
https://code-projects.org/
 
Connectify Inc--Connectify Hotspot Connectify Hotspot 2018 contains an unquoted service path vulnerability in its ConnectifyService executable that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Connectify\ConnectifyService.exe' to inject malicious executables and escalate privileges. 2026-01-13 8.4 CVE-2022-50929 ExploitDB-50764
Official Vendor Homepage
VulnCheck Advisory: Connectify Hotspot 2018 'ConnectifyService' - Unquoted Service Path
 
ConnectWise--PSA In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user's browser when the affected content is displayed. 2026-01-16 8.7 CVE-2026-0695 https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix
 
Contpaqi--CONTPAQ AdminPAQ CONTPAQi AdminPAQ 14.0.0 contains an unquoted service path vulnerability in the AppKeyLicenseServer service running with LocalSystem privileges. Attackers can exploit the unquoted path to inject malicious code in the service binary path, potentially executing arbitrary code with elevated system privileges during service startup. 2026-01-13 8.4 CVE-2022-50938 ExploitDB-50690
CONTPAQi Official Software Download Page
VulnCheck Advisory: CONTPAQi® AdminPAQ 14.0.0 - Unquoted Service Path
 
Cooler Master Technology Inc.--Cooler Master MasterPlus CoolerMaster MasterPlus 1.8.5 contains an unquoted service path vulnerability in the MPService that allows local attackers to execute code with elevated system privileges. Attackers can drop a malicious executable in the service path and trigger code execution during service startup or system reboot. 2026-01-13 8.4 CVE-2022-50808 ExploitDB-51159
CoolerMaster MasterPlus Official Homepage
VulnCheck Advisory: CoolerMaster MasterPlus 1.8.5 - 'MPService' Unquoted Service Path
 
cotonti.com--Cotonti Siena Cotonti Siena 0.9.19 contains a stored cross-site scripting vulnerability in the admin configuration panel's site title parameter. Attackers can inject malicious JavaScript code through the 'maintitle' parameter to execute scripts when administrators view the page. 2026-01-15 7.2 CVE-2021-47808 ExploitDB-50016
Vendor Homepage
Software Download
VulnCheck Advisory: Cotonti Siena 0.9.19 - 'maintitle' Stored Cross-Site Scripting
 
croixhaug--Appointment Booking Calendar Simply Schedule Appointments Booking Plugin The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the `order` and `append_where_sql` parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-01-14 7.5 CVE-2025-12166 https://www.wordfence.com/threat-intel/vulnerabilities/id/5214a399-21a4-4573-9840-1d5043781bc0?source=cve
https://plugins.trac.wordpress.org/changeset/3408539/
 
Cyberfox--Cyberfox Web Browser Cyberfox Web Browser 52.9.1 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the search bar with excessive data. Attackers can generate a 9,000,000 byte payload and paste it into the search bar to trigger an application crash. 2026-01-15 7.5 CVE-2021-47784 ExploitDB-50336
Archived Cyberfox Web Browser Homepage
 
D-Link--DIR-823X A weakness has been identified in D-Link DIR-823X 250416. Affected by this issue is the function sub_412E7C of the file /goform/set_wifidog_settings. Executing a manipulation of the argument wd_enable can lead to command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. 2026-01-18 7.3 CVE-2026-1125 VDB-341717 | D-Link DIR-823X set_wifidog_settings sub_412E7C command injection
VDB-341717 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #734966 | D-Link DIR-823X Router V250416 Command Execution
https://github.com/DavCloudz/cve/blob/main/D-link/DIR_823X/DIR-823X%20V250416%20Command%20Execution%20Vulnerability.md
https://www.dlink.com/
 
danny-avila--LibreChat LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbitrary commands without validation, allowing any authenticated user to execute shell commands as root inside the container through a single API request. This vulnerability is fixed in v0.8.2-rc2. 2026-01-12 9.1 CVE-2026-22252 https://github.com/danny-avila/LibreChat/security/advisories/GHSA-cxhj-j78r-p88f
https://github.com/danny-avila/LibreChat/commit/211b39f3113d4e6ecab84be0a83f4e9c9dea127f
 
daschmi--GetContentFromURL The GetContentFromURL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0. This is due to the plugin using wp_remote_get() instead of wp_safe_remote_get() to fetch content from a user-supplied URL in the 'url' parameter of the [gcfu] shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. 2026-01-14 7.2 CVE-2025-14613 https://www.wordfence.com/threat-intel/vulnerabilities/id/b83db6c7-09af-4707-a96b-ee551f27e3b7?source=cve
https://plugins.trac.wordpress.org/browser/getcontentfromurl/trunk/classes/shortcode.class.php#L20
https://plugins.trac.wordpress.org/browser/getcontentfromurl/tags/1.0/classes/shortcode.class.php#L20
 
dashboardbuilder--DASHBOARD BUILDER WordPress plugin for Charts and Graphs The DASHBOARD BUILDER - WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for unauthenticated attackers to modify the stored SQL query and database credentials used by the [show-dashboardbuilder] shortcode via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The modified SQL query is subsequently executed on the front-end when the shortcode is rendered, enabling arbitrary SQL injection and data exfiltration through the publicly visible chart output. 2026-01-14 7.1 CVE-2025-14615 https://www.wordfence.com/threat-intel/vulnerabilities/id/106b31ed-d509-4551-a134-02193ab22fe1?source=cve
https://plugins.trac.wordpress.org/browser/dashboard-builder/trunk/dashboardbuilder-admin.php#L158
https://plugins.trac.wordpress.org/browser/dashboard-builder/tags/1.5.7/dashboardbuilder-admin.php#L158
https://plugins.trac.wordpress.org/browser/dashboard-builder/trunk/dashboardbuilder.php#L51
https://plugins.trac.wordpress.org/browser/dashboard-builder/tags/1.5.7/dashboardbuilder.php#L51
 
Dell--SupportAssist OS Recovery Dell SupportAssist OS Recovery, versions prior to 5.5.15.1, contain a Creation of Temporary File With Insecure Permissions vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. 2026-01-13 7.5 CVE-2025-46685 https://www.dell.com/support/kbdoc/en-us/000401506/dsa-2025-456
 
Delta Electronics--DIAView Delta Electronics DIAView has multiple vulnerabilities. 2026-01-16 9.8 CVE-2025-62581 https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00001_DIAView%20Multiple%20Vulnerabilities%20(CVE-2025-62581,%20CVE-2025-62582).pdf
 
Delta Electronics--DIAView Delta Electronics DIAView has multiple vulnerabilities. 2026-01-16 9.8 CVE-2025-62582 https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00001_DIAView%20Multiple%20Vulnerabilities%20(CVE-2025-62581,%20CVE-2025-62582).pdf
 
Delta Electronics--DIAView Delta Electronics DIAView has Command Injection vulnerability. 2026-01-16 7.8 CVE-2026-0975 https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00002_DIAView%20-Exposed%20Dangerous%20Method%20Remote%20Code%20Execution%20(CVE-2026-0975).pdf
 
denoland--deno Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path's extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6. 2026-01-15 8.1 CVE-2026-22864 https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6
https://github.com/denoland/deno/releases/tag/v2.5.6
 
Denver--Smart Wifi Camera Denver SHC-150 Smart Wifi Camera contains a hardcoded telnet credential vulnerability that allows unauthenticated attackers to access a Linux shell. Attackers can connect to port 23 using the default credential to execute arbitrary commands on the camera's operating system. 2026-01-15 9.8 CVE-2021-47796 ExploitDB-50160
Official Product Homepage
VulnCheck Advisory: Denver Smart Wifi Camera SHC-150 - 'Telnet' Remote Code Execution (RCE)
 
dfir-iris--iris-web Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to 2.4.24, the DFIR-IRIS datastore file management system has a vulnerability where mass assignment of the file_local_name field combined with path trust in the delete operation enables authenticated users to delete arbitrary filesystem paths. The vulnerability manifests through a three-step attack chain: authenticated users upload a file to the datastore, update the file's file_local_name field to point to an arbitrary filesystem path through mass assignment, then trigger the delete operation which removes the target file without path validation. This vulnerability is fixed in 2.4.24. 2026-01-12 9.6 CVE-2026-22783 https://github.com/dfir-iris/iris-web/security/advisories/GHSA-qhqj-8qw6-wp8v
https://github.com/dfir-iris/iris-web/commit/57c1b80494bac187893aebc6d9df1ce6e56485b7
 
dharashah--Chikitsa Patient Management System Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability in the backup restoration functionality. Authenticated attackers can upload a modified backup zip file with a malicious PHP shell to execute arbitrary system commands on the server. 2026-01-15 8.8 CVE-2021-47757 ExploitDB-50572
Product Webpage
Product GitHub Repository
Product Sourceforge Page
 
dharashah--Chikitsa Patient Management System Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious PHP plugins through the module upload functionality. Authenticated attackers can generate and upload a ZIP plugin with a PHP backdoor that enables arbitrary command execution on the server through a weaponized PHP script. 2026-01-15 8.8 CVE-2021-47758 ExploitDB-50571
Product Webpage
Product GitHub Repository
Product Sourceforge Page
 
Diskboss--DiskBoss Service DiskBoss Service 12.2.18 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path by placing malicious executables in potential path locations to gain system-level access during service startup. 2026-01-16 7.8 CVE-2021-47822 ExploitDB-49899
Official Vendor Homepage
VulnCheck Advisory: DiskBoss Service 12.2.18 - 'diskbsa.exe' Unquoted Service Path
 
Diskpulse--DiskPulse DiskPulse Enterprise 13.6.14 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Pulse Enterprise\bin\diskpls.exe' to inject malicious executables and escalate privileges. 2026-01-15 7.8 CVE-2020-36927 ExploitDB-50012
Vendor Homepage
VulnCheck Advisory: DiskPulse 13.6.14 - Unquoted Service Path
 
Disksavvy--Disk Savvy Disk Savvy 13.6.14 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in service binaries to inject malicious executables that will be run with elevated LocalSystem privileges. 2026-01-15 7.8 CVE-2021-47805 ExploitDB-50024
Vendor Homepage
VulnCheck Advisory: Disk Savvy 13.6.14 - 'Multiple' Unquoted Service Path
 
Disksorter--Disk Sorter Enterprise Disk Sorter Enterprise 13.6.12 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe' to inject malicious executables and escalate privileges. 2026-01-15 7.8 CVE-2021-47809 ExploitDB-50014
Vendor Homepage
VulnCheck Advisory: Disk Sorter Enterprise 13.6.12 - 'Disk Sorter Enterprise' Unquoted Service Path
 
Disksorter--Disk Sorter Server Disk Sorter Server 13.6.12 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Sorter Server\bin\disksrs.exe' to inject malicious executables and escalate privileges. 2026-01-16 7.8 CVE-2021-47847 ExploitDB-50013
Vendor Homepage
VulnCheck Advisory: Disk Sorter Server 13.6.12 - 'Disk Sorter Server' Unquoted Service Path
 
divisupreme--Supreme Modules Lite Divi Theme, Extra Theme and Divi Builder The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. This is due to insufficient file type validation detecting JSON files, allowing double extension files to bypass sanitization while being accepted as a valid JSON file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. 2026-01-15 8.8 CVE-2025-13062 https://www.wordfence.com/threat-intel/vulnerabilities/id/1819f2eb-51ef-4ba4-9137-ab64710fa6c8?source=cve
https://plugins.trac.wordpress.org/changeset/3423427/supreme-modules-for-divi
 
docmost--docmost Docmost is an open-source collaborative wiki and documentation software. From 0.21.0 to before 0.24.0, Docmost is vulnerable to Arbitrary File Write via Zip Import Feature (ZipSlip). In apps/server/src/integrations/import/utils/file.utils.ts, there are no validation on filename. This vulnerability is fixed in 0.24.0. 2026-01-15 7.1 CVE-2026-22249 https://github.com/docmost/docmost/security/advisories/GHSA-54pm-hqxm-54wg
https://github.com/docmost/docmost/pull/1753
https://github.com/docmost/docmost/commit/c3b350d943108552e20654580005cd6f6c78ab05
https://github.com/docmost/docmost/releases/tag/v0.24.0
 
Dolibarr--CRM Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an administrator copies the text, potentially enabling privilege escalation. 2026-01-15 7.2 CVE-2021-47779 ExploitDB-50432
Official Dolibarr Vendor Homepage
Dolibarr GitHub Repository
VulnCheck Advisory: Dolibarr ERP-CRM 14.0.2 - Stored Cross-Site Scripting (XSS) / Privilege Escalation
 
donknap--dpanel DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. When a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the Delete function within the app/common/http/controller/attach.go file. The path parameter submitted by the user is directly passed to storage.Local{}.GetSaveRealPath and subsequently to os.Remove without proper sanitization or checking for path traversal characters (../). And the helper function in common/service/storage/local.go uses filepath.Join, which resolves ../ but does not enforce a chroot/jail. This vulnerability is fixed in 1.9.2. 2026-01-15 8.1 CVE-2025-66292 https://github.com/donknap/dpanel/security/advisories/GHSA-vh2x-fw87-4fxq
https://github.com/donknap/dpanel/commit/cbda0d90204e8212f2010774345c952e42069119
https://github.com/donknap/dpanel/releases/tag/v1.9.2
 
Dupscout--Dup Scout Dup Scout 13.5.28 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Dup Scout Server\bin\dupscts.exe' to inject malicious executables and escalate privileges. 2026-01-15 7.8 CVE-2021-47806 ExploitDB-50025
Vendor Homepage
VulnCheck Advisory: Dup Scout 13.5.28 - 'Multiple' Unquoted Service Path
 
dupterminator--DupTerminator DupTerminator 1.4.5639.37199 contains a denial of service vulnerability that allows attackers to crash the application by inputting a long character string in the Excluded text box. Attackers can generate a payload of 8000 repeated characters to trigger the application to stop working on Windows 10. 2026-01-16 7.5 CVE-2021-47818 ExploitDB-49917
DupTerminator Project Homepage
VulnCheck Advisory: DupTerminator 1.4.5639.37199 - Denial of Service
 
dvcrn--Markright Markright 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to embed malicious payloads in markdown files. Attackers can upload specially crafted markdown files that execute arbitrary JavaScript when opened, potentially enabling remote code execution on the victim's system. 2026-01-16 7.2 CVE-2021-47838 ExploitDB-49834
Markright GitHub Repository
Proof of Concept Video
VulnCheck Advisory: Markright 1.0 - Persistent Cross-Site Scripting
 
Dynojet--Dynojet Power Core Dynojet Power Core 2.3.0 contains an unquoted service path vulnerability in the DJ.UpdateService that allows local authenticated users to potentially execute code with elevated privileges. Attackers can exploit the unquoted binary path by placing malicious executables in the service's file path to gain Local System access. 2026-01-15 7.8 CVE-2021-47773 ExploitDB-50466
Official Vendor Homepage
 
E107--e107 CMS e107 CMS version 3.2.1 contains a critical file upload vulnerability that allows authenticated administrators to override arbitrary server files through path traversal. The vulnerability exists in the Media Manager's remote URL upload functionality (image.php) where the upload_caption parameter is not properly sanitized. An attacker with administrative privileges can use directory traversal sequences (../../../) in the upload_caption field to overwrite critical system files outside the intended upload directory. This can lead to complete compromise of the web application by overwriting configuration files, executable scripts, or other critical system components. The vulnerability was discovered by Hubert Wojciechowski and affects the image.php component in the admin interface. 2026-01-13 7.2 CVE-2022-50939 ExploitDB-50910
Official Vendor Homepage
Software Download Page
VulnCheck Advisory: e107 CMS v3.2.1 - Upload Restriction Bypass with Path Traversal File Override
 
e107--e107 CMS e107 CMS version 3.2.1 contains multiple vulnerabilities that allow cross-site scripting (XSS) attacks. The first vulnerability is a reflected XSS that occurs in the news comment functionality when authenticated users interact with the comment form. An attacker can inject malicious JavaScript code through the URL parameter that gets executed when users click outside the comment field after typing content. The second vulnerability involves an upload restriction bypass for authenticated administrators, allowing them to upload SVG files containing malicious code through the media manager's remote URL upload feature. This results in stored XSS when the uploaded SVG files are accessed. These vulnerabilities were discovered by Hubert Wojciechowski and affect the news.php and image.php components of the CMS. 2026-01-13 9.8 CVE-2022-50905 ExploitDB-50910
Official Vendor Homepage
Software Download Page
VulnCheck Advisory: e107 CMS v3.2.1 - Reflected XSS via Comment Flow
 
e107--e107 CMS e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upload restrictions and execute PHP files. Attackers can upload malicious PHP files to parent directories by manipulating the upload URL parameter, enabling remote code execution through the Media Manager import feature. 2026-01-13 7.2 CVE-2022-50907 ExploitDB-50910
Official e107 CMS Vendor Homepage
e107 CMS Download Page
VulnCheck Advisory: e107 CMS v3.2.1 - Admin Upload Restriction Bypass + RCE
 
e107--e107 CMS e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrators to override server files through the Media Manager import functionality. Attackers can exploit the upload mechanism by manipulating the upload URL parameter to overwrite existing files like top.php in the web application directory. 2026-01-13 7.2 CVE-2022-50916 ExploitDB-50910
Official Vendor Homepage
Software Download Page
VulnCheck Advisory: e107 CMS v3.2.1 - Upload restriction bypass (Authenticated [Admin])+ Server file override
 
EaseUS--EaseUS Data Recovery EaseUS Data Recovery 15.1.0.0 contains an unquoted service path vulnerability in the EaseUS UPDATE SERVICE executable. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges. 2026-01-13 8.4 CVE-2022-50914 ExploitDB-50886
EaseUS Official Homepage
VulnCheck Advisory: EaseUS Data Recovery - 'ensserver.exe' Unquoted Service Path
 
Elastic--Kibana External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads. 2026-01-14 8.6 CVE-2026-0532 https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-05/384524
 
Emerson--Emerson PAC Machine Edition Emerson PAC Machine Edition 9.80 contains an unquoted service path vulnerability in the TrapiServer service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup. 2026-01-13 8.4 CVE-2022-50930 ExploitDB-50745
Emerson Official Homepage
Software Download Link
VulnCheck Advisory: Emerson PAC Machine Edition 9.80 Build 8695 - 'TrapiServer' Unquoted Service Path
 
En--Kingdia CD Extractor Kingdia CD Extractor 3.0.2 contains a buffer overflow vulnerability in the registration name field that allows attackers to execute arbitrary code. Attackers can craft a malicious payload exceeding 256 bytes to overwrite Structured Exception Handler and gain remote code execution through a bind shell. 2026-01-15 9.8 CVE-2021-47774 ExploitDB-50470
Software Download Page
 
envoyproxy--gateway Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communicate with the control plane and gain access to all secrets that are used by Envoy proxy, e.g. TLS private keys and credentials used for downstream and upstream communication. This vulnerability is fixed in 1.5.7 and 1.6.2. 2026-01-12 8.8 CVE-2026-22771 https://github.com/envoyproxy/gateway/security/advisories/GHSA-xrwg-mqj6-6m22
 
Epic Games--Epic Games Store A local privilege escalation vulnerability exists during the installation of Epic Games Store via the Microsoft Store. A low-privilege user can replace a DLL file during the installation process, which may result in unintended elevation of privileges. 2026-01-15 8.8 CVE-2025-61973 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2279
 
Explorerplusplus--Explorer32++ Explorer32++ 1.3.5.531 contains a buffer overflow vulnerability in Structured Exception Handler (SEH) records that allows attackers to execute arbitrary code. Attackers can exploit the vulnerability by providing a long file name argument over 396 characters to corrupt the SEH chain and potentially execute malicious code. 2026-01-13 9.8 CVE-2023-54334 ExploitDB-51077
Archived Explorer++ Website
VulnCheck Advisory: Explorer32++ 1.3.5.531 - Buffer overflow
 
Extplorer--eXtplorer eXtplorer 2.1.14 contains an authentication bypass vulnerability that allows attackers to login without a password by manipulating the login request. Attackers can exploit this flaw to upload malicious PHP files and execute remote commands on the vulnerable file management system. 2026-01-13 9.8 CVE-2023-54335 ExploitDB-51067
Official eXtplorer Product Homepage
VulnCheck Advisory: eXtplorer<= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE)
 
FeMiner--wms A security vulnerability has been detected in FeMiner wms up to 9cad1f1b179a98b9547fd003c23b07c7594775fa. Affected by this vulnerability is an unknown functionality of the file /src/chkuser.php. The manipulation of the argument Username leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-17 7.3 CVE-2026-1059 VDB-341628 | FeMiner wms chkuser.php sql injection
VDB-341628 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731236 | GitHub WMS (Warehouse Management System) V1.0 SQL Injection
https://github.com/wangchaoxing/CVE/issues/1
 
FmeAddons--Registration & Login with Mobile Phone Number for WooCommerce The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. This is due to the plugin not properly verifying a users identity prior to authenticating them via the fma_lwp_set_session_php_fun() function. This makes it possible for unauthenticated attackers to authenticate as any user on the site, including administrators, without a valid password. 2026-01-17 9.8 CVE-2025-10484 https://www.wordfence.com/threat-intel/vulnerabilities/id/6aef6fbb-be8c-49e1-ada5-7b4aa8b2ff72?source=cve
https://woocommerce.com/products/registration-login-with-mobile-phone-number/
 
Fortinet--FortiFone An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in Fortinet FortiFone 7.0.0 through 7.0.1, FortiFone 3.0.13 through 3.0.23 allows an unauthenticated attacker to obtain the device configuration via crafted HTTP or HTTPS requests. 2026-01-13 9.3 CVE-2025-47855 https://fortiguard.fortinet.com/psirt/FG-IR-25-260
 
Fortinet--FortiSIEM An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSIEM 7.4.0, FortiSIEM 7.3.0 through 7.3.4, FortiSIEM 7.1.0 through 7.1.8, FortiSIEM 7.0.0 through 7.0.4, FortiSIEM 6.7.0 through 6.7.10 may allow an attacker to execute unauthorized code or commands via crafted TCP requests. 2026-01-13 9.4 CVE-2025-64155 https://fortiguard.fortinet.com/psirt/FG-IR-25-772
 
Fortinet--FortiSwitchManager A heap-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6.4.0 through 6.4.16, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows attacker to execute unauthorized code or commands via specially crafted packets 2026-01-13 7.4 CVE-2025-25249 https://fortiguard.fortinet.com/psirt/FG-IR-25-084
 
Freeter--Freeter Freeter 1.2.1 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads in custom widget titles and files. Attackers can craft malicious files with embedded scripts that execute when victims interact with the application, potentially enabling remote code execution. 2026-01-16 7.2 CVE-2021-47835 ExploitDB-49833
Official Freeter Product Homepage
Proof of Concept Video
VulnCheck Advisory: Freeter 1.2.1 - Persistent Cross-Site Scripting
 
Gearboxcomputers--WifiHotSpot WifiHotSpot 1.0.0.0 contains an unquoted service path vulnerability in its WifiHotSpotService.exe that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. 2026-01-16 7.8 CVE-2021-47833 ExploitDB-49845
WiFi Hotspot Product Page
VulnCheck Advisory: WifiHotSpot 1.0.0.0 - 'WifiHotSpotService.exe' Unquoted Service Path
 
getarcaneapp--arcane Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane's updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitization or validation. Because any authenticated user (not limited to administrators) can create projects through the API, an attacker can create a project that specifies one of these lifecycle labels with a malicious command. When an administrator later triggers a container update (either manually or via scheduled update checks), Arcane reads the lifecycle label and executes its value as a shell command inside the container. This vulnerability is fixed in 1.13.0. 2026-01-15 9.1 CVE-2026-23520 https://github.com/getarcaneapp/arcane/security/advisories/GHSA-gjqq-6r35-w3r8
https://github.com/getarcaneapp/arcane/pull/1468
https://github.com/getarcaneapp/arcane/commit/5a9c2f92e11f86f8997da8c672844468f930b7e4
https://github.com/getarcaneapp/arcane/releases/tag/v1.13.0
 
Getgrav--GravCMS GravCMS 1.10.7 contains an unauthenticated vulnerability that allows remote attackers to write arbitrary YAML configuration and execute PHP code through the scheduler endpoint. Attackers can exploit the admin-nonce parameter to inject base64-encoded payloads and create malicious custom jobs with system command execution. 2026-01-15 7.5 CVE-2021-47812 ExploitDB-49973
Official Grav CMS Homepage
VulnCheck Advisory: GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2)
 
Getoutline--Outline Outline 1.6.0 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the OutlineService executable to inject malicious code that will be executed with LocalSystem permissions. 2026-01-13 8.4 CVE-2023-54331 ExploitDB-51128
Official Outline Product Homepage
VulnCheck Advisory: Outline 1.6.0 - Unquoted Service Path
 
Github--Sandboxie Plus Sandboxie Plus 0.7.4 contains an unquoted service path vulnerability in the SbieSvc service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. 2026-01-16 7.8 CVE-2021-47832 ExploitDB-49842
Sandboxie Plus GitHub Repository
VulnCheck Advisory: Sandboxie Plus 0.7.4 - 'SbieSvc' Unquoted Service Path
 
GitLab--GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes proxy functionality. 2026-01-14 7.7 CVE-2025-11224 https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/
GitLab Issue #573223
HackerOne Bug Bounty Report #3277291
 
glpi-project--glpi GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3. 2026-01-15 7.5 CVE-2025-64516 https://github.com/glpi-project/glpi/security/advisories/GHSA-487h-7mxm-7r46
https://github.com/glpi-project/glpi/commit/51412a89d3174cfe22967b051d527febdbceab3c
https://github.com/glpi-project/glpi/commit/ee7ee28e0645198311c0a9e0c4e4b712b8788e27
https://github.com/glpi-project/glpi/releases/tag/10.0.21
https://github.com/glpi-project/glpi/releases/tag/11.0.3
 
glpi-project--glpi GLPI is a free asset and IT management software package. From 11.0.0, < 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3. 2026-01-15 7.5 CVE-2025-66417 https://github.com/glpi-project/glpi/security/advisories/GHSA-p467-682w-9cc9
 
Gotac--Police Statistics Database System Police Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents by using a specific functionality. 2026-01-16 9.8 CVE-2026-1019 https://www.twcert.org.tw/tw/cp-132-10637-3e4b3-1.html
https://www.twcert.org.tw/en/cp-139-10638-0e44b-2.html
 
Gotac--Police Statistics Database System Police Statistics Database System developed by Gotac has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attacker to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. 2026-01-16 9.8 CVE-2026-1021 https://www.twcert.org.tw/tw/cp-132-10637-3e4b3-1.html
https://www.twcert.org.tw/en/cp-139-10638-0e44b-2.html
 
Gotac--Police Statistics Database System Police Statistics Database System developed by Gotac has an Arbitrary File Read vulnerability, allowing Unauthenticated remote attacker to exploit Absolute Path Traversal to download arbitrary system files. 2026-01-16 7.5 CVE-2026-1018 https://www.twcert.org.tw/tw/cp-132-10637-3e4b3-1.html
https://www.twcert.org.tw/en/cp-139-10638-0e44b-2.html
 
Gotac--Statistics Database System Statistics Database System developed by Gotac has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. 2026-01-16 7.5 CVE-2026-1022 https://www.twcert.org.tw/tw/cp-132-10639-813ad-1.html
https://www.twcert.org.tw/en/cp-139-10640-0fd0b-2.html
 
Gotac--Statistics Database System Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly exploit a specific functionality to query database contents. 2026-01-16 7.5 CVE-2026-1023 https://www.twcert.org.tw/tw/cp-132-10639-813ad-1.html
https://www.twcert.org.tw/en/cp-139-10640-0fd0b-2.html
 
Grocerycrud--Grocery crud Grocery Crud 1.6.4 contains a SQL injection vulnerability in the order_by parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the order_by[] parameter in POST requests to the ajax_list endpoint to potentially extract or modify database information. 2026-01-15 8.2 CVE-2021-47811 ExploitDB-49985
Vendor Homepage
Software Download Page
VulnCheck Advisory: Grocery crud 1.6.4 - 'order_by' SQL Injection
 
h3js--h3 H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5. 2026-01-15 8.9 CVE-2026-23527 https://github.com/h3js/h3/security/advisories/GHSA-mp2g-9vg9-f4cg
https://github.com/h3js/h3/commit/618ccf4f37b8b6148bea7f36040471af45bfb097
 
HCL Software--MyXalytics HCL MyXalytics v6.7 is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation , introducing a security risk 2026-01-16 7.4 CVE-2025-59870 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128115
 
Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) Arbitrary file deletion vulnerability have been identified in a system function of mobility conductors running AOS-8 operating system. Successful exploitation of this vulnerability could allow an unauthenticated remote malicious actor to delete arbitrary files within the affected system and potentially result in denial-of-service conditions on affected devices. 2026-01-13 8.2 CVE-2025-37168 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US
 
Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) A stack overflow vulnerability exists in the AOS-10 web-based management interface of a Mobility Gateway. Successful exploitation could allow an authenticated malicious actor to execute arbitrary code as a privileged user on the underlying operating system. 2026-01-13 7.2 CVE-2025-37169 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US
 
Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system. 2026-01-13 7.2 CVE-2025-37170 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US
 
Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system. 2026-01-13 7.2 CVE-2025-37171 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US
 
Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system. 2026-01-13 7.2 CVE-2025-37172 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US
 
Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) An improper input handling vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor with valid credentials to trigger unintended behavior on the affected system. 2026-01-13 7.2 CVE-2025-37173 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US
 
Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) Authenticated arbitrary file write vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor to create or modify arbitrary files and execute arbitrary commands as a privileged user on the underlying operating system. 2026-01-13 7.2 CVE-2025-37174 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US
 
Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) Arbitrary file upload vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files as a privilege user and execute arbitrary commands on the underlying operating system. 2026-01-13 7.2 CVE-2025-37175 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US
 
Hewlett Packard Enterprise (HPE)--EdgeConnect SD-WAN Orchestrator Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. 2026-01-14 7.2 CVE-2025-37181 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US
 
Hewlett Packard Enterprise (HPE)--EdgeConnect SD-WAN Orchestrator Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. 2026-01-14 7.2 CVE-2025-37182 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US
 
Hewlett Packard Enterprise (HPE)--EdgeConnect SD-WAN Orchestrator Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. 2026-01-14 7.2 CVE-2025-37183 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US
 
Hewlett Packard Enterprise (HPE)--Instant On A vulnerability in the router mode configuration of HPE Instant On Access Points exposed certain network configuration details to unintended interfaces. A malicious actor could gain knowledge of internal network configuration details through inspecting impacted packets. 2026-01-13 7.5 CVE-2025-37165 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04988en_us&docLocale=en_US
 
Hewlett Packard Enterprise (HPE)--Instant On A vulnerability affecting HPE Networking Instant On Access Points has been identified where a device processing a specially crafted packet could enter a non-responsive state, in some cases requiring a hard reset to re-establish services. A malicious actor could leverage this vulnerability to conduct a Denial-of-Service attack on a target network. 2026-01-13 7.5 CVE-2025-37166 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04988en_us&docLocale=en_US
 
Hewlett Packard Enterprise (HPE)--Virtual Intranet Access (VIA) A local privilege-escalation vulnerability has been discovered in the HPE Aruba Networking Virtual Intranet Access (VIA) client. Successful exploitation of this vulnerability could allow a local attacker to achieve arbitrary code execution with root privileges. 2026-01-13 7.8 CVE-2025-37186 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04994en_us&docLocale=en_US
 
Hikvision--DS-96xxxNI-Hx There is a Stack overflow Vulnerability in the device Search and Discovery feature of Hikvision NVR/DVR/CVR/IPC models. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device. 2026-01-13 8.8 CVE-2025-66177 https://www.hikvision.com/en/support/cybersecurity/security-advisory/buffer-overflow-vulnerabilities-in-some-hikvision-products/
 
Hikvision--DS-K1T331 There is a Stack overflow Vulnerability in the device Search and Discovery feature of Hikvision Access Control Products. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device. 2026-01-13 8.8 CVE-2025-66176 https://www.hikvision.com/en/support/cybersecurity/security-advisory/buffer-overflow-vulnerabilities-in-some-hikvision-products/
 
honojs--hono Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono's JWK/JWKS JWT verification middleware allowed the JWT header's alg value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. As part of this fix, the JWT middleware now requires the alg option to be explicitly specified. This prevents algorithm confusion by ensuring that the verification algorithm is not derived from untrusted JWT header values. This vulnerability is fixed in 4.11.4. 2026-01-13 8.2 CVE-2026-22817 https://github.com/honojs/hono/security/advisories/GHSA-f67f-6cw9-8mq4
https://github.com/honojs/hono/commit/cc0aa7ae327ed84cc391d29086dec2a3e44e7a1f
 
honojs--hono Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono's JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly define an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. The JWK/JWKS JWT verification middleware has been updated to require an explicit allowlist of asymmetric algorithms when verifying tokens. The middleware no longer derives the verification algorithm from untrusted JWT header values. This vulnerability is fixed in 4.11.4. 2026-01-13 8.2 CVE-2026-22818 https://github.com/honojs/hono/security/advisories/GHSA-3vhc-576x-3qv4
https://github.com/honojs/hono/commit/190f6e28e2ca85ce3d1f2f54db1310f5f3eab134
 
Httpdebugger--HTTPDebuggerPro HTTPDebuggerPro 9.11 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables and gain elevated access to the system. 2026-01-15 7.8 CVE-2021-47762 ExploitDB-50545
Official Product Homepage
 
Huawei--HarmonyOS Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. 2026-01-14 8 CVE-2025-68955 https://consumer.huawei.com/en/support/bulletin/2026/1//
https://consumer.huawei.com/en/support/bulletinlaptops/2026/1//
https://consumer.huawei.com/en/support/bulletinwearables/2026/1/
 
Huawei--HarmonyOS Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. 2026-01-14 8 CVE-2025-68956 https://consumer.huawei.com/en/support/bulletin/2026/1//
https://consumer.huawei.com/en/support/bulletinlaptops/2026/1//
https://consumer.huawei.com/en/support/bulletinwearables/2026/1/
 
Huawei--HarmonyOS Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. 2026-01-14 8.4 CVE-2025-68957 https://consumer.huawei.com/en/support/bulletin/2026/1//
https://consumer.huawei.com/en/support/bulletinlaptops/2026/1//
https://consumer.huawei.com/en/support/bulletinwearables/2026/1/
 
Huawei--HarmonyOS Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. 2026-01-14 8 CVE-2025-68958 https://consumer.huawei.com/en/support/bulletin/2026/1//
https://consumer.huawei.com/en/support/bulletinlaptops/2026/1//
https://consumer.huawei.com/en/support/bulletinwearables/2026/1/
 
Huawei--HarmonyOS Multi-thread race condition vulnerability in the video framework module. Impact: Successful exploitation of this vulnerability may affect availability. 2026-01-14 8.4 CVE-2025-68960 https://consumer.huawei.com/en/support/bulletin/2026/1//
https://consumer.huawei.com/en/support/bulletinlaptops/2026/1//
 
Huawei--HarmonyOS Double free vulnerability in the multi-mode input module. Impact: Successful exploitation of this vulnerability may affect the input function. 2026-01-14 7.8 CVE-2025-68968 https://consumer.huawei.com/en/support/bulletin/2026/1//
https://consumer.huawei.com/en/support/bulletinlaptops/2026/1//
 
I-Funbox--iFunbox iFunbox 4.2 contains an unquoted service path vulnerability in the Apple Mobile Device Service that allows local attackers to execute code with elevated privileges. Attackers can insert a malicious executable into the unquoted service path to run with LocalSystem privileges when the service restarts. 2026-01-15 7.8 CVE-2021-47803 ExploitDB-50040
iFunbox Official Homepage
VulnCheck Advisory: iFunbox 4.2 - 'Apple Mobile Device Service' Unquoted Service Path
 
ilwebmaster21--WOW21 WOW21 5.0.1.9 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem permissions during service startup. 2026-01-13 8.4 CVE-2022-50921 ExploitDB-50818
Archived Product Homepage
VulnCheck Advisory: WOW21 5.0.1.9 - 'Service WOW21_Service' Unquoted Service Path
 
ImpressCMS--ImpressCMS ImpressCMS 1.4.4 contains a file upload vulnerability with weak extension sanitization that allows attackers to upload potentially malicious files. Attackers can bypass file upload restrictions by using alternative file extensions .php2.php6.php7.phps.pht to execute arbitrary PHP code on the server. 2026-01-13 9.8 CVE-2022-50912 ExploitDB-50890
Official ImpressCMS Homepage
ImpressCMS GitHub Repository
VulnCheck Advisory: ImpressCMS 1.4.4 - Unrestricted File Upload
 
Inbit--Inbit Messenger Inbit Messenger 4.6.0 - 4.9.0 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by exploiting a stack overflow in the messenger's protocol. Attackers can send specially crafted XML packets to port 10883 with a malicious payload to trigger the vulnerability and execute commands with system privileges. 2026-01-13 9.8 CVE-2023-54329 ExploitDB-51127
Archived Software Download Page
Exploit Write-Up
VulnCheck Advisory: Inbit Messenger 4.9.0 - Unauthenticated Remote Command Execution (RCE)
 
Inbit--Inbit Messenger Inbit Messenger versions 4.6.0 to 4.9.0 contain a remote stack-based buffer overflow vulnerability that allows unauthenticated attackers to execute arbitrary code by sending malformed network packets. Attackers can craft a specially designed payload targeting the messenger's network handler to overwrite the Structured Exception Handler (SEH) and execute shellcode on vulnerable Windows systems. 2026-01-13 9.8 CVE-2023-54330 ExploitDB-51126
Archived Software Download Page
Exploit Write-Up
VulnCheck Advisory: Inbit Messenger 4.9.0 - Unauthenticated Remote SEH Overflow
 
Infonetsoftware--Mediconta Mediconta 3.7.27 contains an unquoted service path vulnerability in the servermedicontservice that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\medicont3\ to inject malicious code that would execute with LocalSystem permissions during service startup. 2026-01-13 8.4 CVE-2023-54336 ExploitDB-51064
Vendor Homepage
VulnCheck Advisory: Mediconta 3.7.27 - 'servermedicontservice' Unquoted Service Path
 
Insyde Software--InsydeH2O tools The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. 2026-01-14 7.8 CVE-2025-12050 https://www.insyde.com/security-pledge/sa-2025010/
 
Insyde Software--InsydeH2O tools The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. 2026-01-14 7.8 CVE-2025-12051 https://www.insyde.com/security-pledge/sa-2025010/
 
Insyde Software--InsydeH2O tools The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. 2026-01-14 7.8 CVE-2025-12052 https://www.insyde.com/security-pledge/sa-2025010/
 
Insyde Software--InsydeH2O tools The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. 2026-01-14 7.8 CVE-2025-12053 https://www.insyde.com/security-pledge/sa-2025010/
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Prior to 2.3.1.2, There is a heap-based buffer overflow in SIccCalcOp::Describe() at IccProfLib/IccMpeCalc.cpp. This vulnerability affects users of the iccDEV library who process ICC color profiles. The vulnerability is fixed in 2.3.1.2. 2026-01-13 8.8 CVE-2026-22861 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-vr49-3vf8-7j5h
https://github.com/InternationalColorConsortium/iccDEV/pull/475
https://github.com/InternationalColorConsortium/iccDEV/pull/476
https://github.com/InternationalColorConsortium/iccDEV/commit/fa9a364c01fc2e59eb2291e1f9b1c1359b7d5329
 
ITEC--TCQ ITeC ITeCProteccioAppServer contains an unquoted service path vulnerability that allows local attackers to execute code with elevated system privileges. Attackers can insert a malicious executable in the service path to gain elevated access during service restart or system reboot. 2026-01-13 8.4 CVE-2022-50913 ExploitDB-50902
Vendor Homepage
VulnCheck Advisory: TCQ - 'ITeCProteccioAppServer.exe' Unquoted Service Path
 
itsourcecode--Society Management System A flaw has been found in itsourcecode Society Management System 1.0. The affected element is an unknown function of the file /admin/delete_activity.php. Executing a manipulation of the argument activity_id can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. 2026-01-18 7.3 CVE-2026-1119 VDB-341711 | itsourcecode Society Management System delete_activity.php sql injection
VDB-341711 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #734290 | itsourcecode Society Management System V1.0 SQL injection
https://github.com/AriazzzZ/CVE/issues/1
https://itsourcecode.com/
 
IVT Corp--Bluetooth Application BlueSoleilCS BlueSoleilCS 5.4.277 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path in 'C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe' to inject malicious executables and escalate privileges. 2026-01-13 8.4 CVE-2022-50928 ExploitDB-50761
Archived IVT Corporation Website
VulnCheck Advisory: Bluetooth Application 5.4.277 - 'BlueSoleilCS' Unquoted Service Path
 
jeroenpeters1986--Name Directory The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' and 'name_directory_description' parameters in all versions up to, and including, 1.30.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-14 7.2 CVE-2025-15283 https://www.wordfence.com/threat-intel/vulnerabilities/id/3c9de67e-24f7-4c4a-b187-405597b838c3?source=cve
https://plugins.trac.wordpress.org/browser/name-directory/tags/1.30.3/shortcode.php?marks=38,41,69#L38
https://plugins.trac.wordpress.org/browser/name-directory/tags/1.30.3/admin.php?marks=927-928#L927
 
jokkedk--Webgrind Webgrind 1.1 contains a remote command execution vulnerability that allows unauthenticated attackers to inject OS commands via the dataFile parameter in index.php. Attackers can execute arbitrary system commands by manipulating the dataFile parameter, such as using payload '0%27%26calc.exe%26%27' to execute commands on the target system. 2026-01-13 9.8 CVE-2023-54339 ExploitDB-51074
Webgrind GitHub Repository
VulnCheck Advisory: Webgrind 1.1 - Remote Command Execution (RCE) via dataFile Parameter
 
jotron--StudyMD StudyMD 0.3.2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code execution. 2026-01-16 7.2 CVE-2021-47842 ExploitDB-49832
StudyMD GitHub Repository
Proof of Concept Video
VulnCheck Advisory: StudyMD 0.3.2 - Persistent Cross-Site Scripting
 
Juniper Networks--Junos OS An Improper Check for Unusual or Exceptional Conditions vulnerability in the Juniper DHCP service (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved allows a DHCP client in one subnet to exhaust the address pools of other subnets, leading to a Denial of Service (DoS) on the downstream DHCP server. By default, the DHCP relay agent inserts its own Option 82 information when forwarding client requests, optionally replacing any Option 82 information provided by the client. When a specific DHCP DISCOVER is received in 'forward-only' mode with Option 82, the device should drop the message unless 'trust-option82' is configured. Instead, the DHCP relay forwards these packets to the DHCP server unmodified, which uses up addresses in the DHCP server's address pool, ultimately leading to address pool exhaustion. This issue affects Junos OS:  * all versions before 21.2R3-S10, * from 21.4 before 21.4R3-S12, * all versions of 22.2, * from 22.4 before 22.4R3-S8,  * from 23.2 before 23.2R2-S5,  * from 23.4 before 23.4R2-S6,  * from 24.2 before 24.2R2-S2,  * from 24.4 before 24.4R2,  * from 25.2 before 25.2R1-S1, 25.2R2. Junos OS Evolved: * all versions before 21.4R3-S12-EVO,  * all versions of 22.2-EVO, * from 22.4 before 22.4R3-S8-EVO,  * from 23.2 before 23.2R2-S5-EVO,  * from 23.4 before 23.4R2-S6-EVO,  * from 24.2 before 24.2R2-S2-EVO,  * from 24.4 before 24.4R2-EVO,  * from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO. 2026-01-15 7.4 CVE-2025-59960 https://supportportal.juniper.net/
https://kb.juniper.net/JSA103149
 
Juniper Networks--Junos OS A Buffer Over-read vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). When an affected device receives a BGP update with a set of specific optional transitive attributes over an established peering session, rpd will crash and restart when attempting to advertise the received information to another peer. This issue can only happen if one or both of the BGP peers of the receiving session are non-4-byte-AS capable as determined from the advertised capabilities during BGP session establishment. Junos OS and Junos OS Evolved default behavior is 4-byte-AS capable unless this has been specifically disabled by configuring: [ protocols bgp ... disable-4byte-as ] Established BGP sessions can be checked by executing: show bgp neighbor <IP address> | match "4 byte AS" This issue affects: Junos OS:  * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2; Junos OS Evolved:  * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-S6-EVO, * 24.2 versions before 24.2R2-S2-EVO, * 24.4 versions before 24.4R2-EVO. 2026-01-15 7.5 CVE-2025-60003 https://supportportal.juniper.net/
https://kb.juniper.net/JSA103166
 
Juniper Networks--Junos OS A Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the SIP application layer gateway (ALG) of Juniper Networks Junos OS on SRX Series and MX Series with MX-SPC3 or MS-MPC allows an unauthenticated network-based attacker sending specific SIP messages over TCP to crash the flow management process, leading to a Denial of Service (DoS). On SRX Series, and MX Series with MX-SPC3 or MS-MPC service cards, receipt of multiple SIP messages causes the SIP headers to be parsed incorrectly, eventually causing a continuous loop and leading to a watchdog timer expiration, crashing the flowd process on SRX Series and MX Series with MX-SPC3, or mspmand process on MX Series with MS-MPC. This issue only occurs over TCP. SIP messages sent over UDP cannot trigger this issue. This issue affects Junos OS on SRX Series and MX Series with MX-SPC3 and MS-MPC: * all versions before 21.2R3-S10,  * from 21.4 before 21.4R3-S12,  * from 22.4 before 22.4R3-S8,  * from 23.2 before 23.2R2-S5,  * from 23.4 before 23.4R2-S6,  * from 24.2 before 24.2R2-S3,  * from 24.4 before 24.4R2-S1,  * from 25.2 before 25.2R1-S1, 25.2R2. 2026-01-15 7.5 CVE-2026-21905 https://supportportal.juniper.net/JSA106004
https://kb.juniper.net/JSA106004
 
Juniper Networks--Junos OS An Improper Handling of Exceptional Conditions vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated network-based attacker sending a specific ICMP packet through a GRE tunnel to cause the PFE to crash and restart. When PowerMode IPsec (PMI) and GRE performance acceleration are enabled and the device receives a specific ICMP packet, a crash occurs in the SRX PFE, resulting in traffic loss. PMI is enabled by default, and GRE performance acceleration can be enabled by running the configuration command shown below. PMI is a mode of operation that provides IPsec performance improvements using Vector Packet Processing. Note that PMI with GRE performance acceleration is only supported on specific SRX platforms. This issue affects Junos OS on the SRX Series: * all versions before 21.4R3-S12,  * from 22.4 before 22.4R3-S8,  * from 23.2 before 23.2R2-S5,  * from 23.4 before 23.4R2-S5,  * from 24.2 before 24.2R2-S3,  * from 24.4 before 24.4R2-S1,  * from 25.2 before 25.2R1-S1, 25.2R2. 2026-01-15 7.5 CVE-2026-21906 https://supportportal.juniper.net/JSA106005
https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-powermode-ipsec-vpn.html
https://kb.juniper.net/JSA106005
 
Juniper Networks--Junos OS A Use After Free vulnerability was identified in the 802.1X authentication daemon (dot1xd) of Juniper Networks Junos OS and Junos OS Evolved that could allow an authenticated, network-adjacent attacker flapping a port to crash the dot1xd process, leading to a Denial of Service (DoS), or potentially execute arbitrary code within the context of the process running as root. The issue is specific to the processing of a change in authorization (CoA) when a port bounce occurs. A pointer is freed but was then referenced later in the same code path. Successful exploitation is outside the attacker's direct control due to the specific timing of the two events required to execute the vulnerable code path. This issue affects systems with 802.1X authentication port-based network access control (PNAC) enabled. This issue affects: Junos OS:  * from 23.2R2-S1 before 23.2R2-S5,  * from 23.4R2 before 23.4R2-S6,  * from 24.2 before 24.2R2-S3,  * from 24.4 before 24.4R2-S1,  * from 25.2 before 25.2R1-S2, 25.2R2;  Junos OS Evolved:  * from 23.2R2-S1 before 23.2R2-S5-EVO,  * from 23.4R2 before 23.4R2-S6-EVO,  * from 24.2 before 24.2R2-S3-EVO,  * from 24.4 before 24.4R2-S1-EVO,  * from 25.2 before 25.2R1-S2-EVO, 25.2R2-EVO. 2026-01-15 7.1 CVE-2026-21908 https://supportportal.juniper.net/JSA106007
https://kb.juniper.net/JSA106007
 
Juniper Networks--Junos OS An Incorrect Initialization of Resource vulnerability in the Internal Device Manager (IDM) of Juniper Networks Junos OS on EX4000 models allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). On EX4000 models with 48 ports (EX4000-48T, EX4000-48P, EX4000-48MP) a high volume of traffic destined to the device will cause an FXPC crash and restart, which leads to a complete service outage until the device has automatically restarted. The following reboot reason can be seen in the output of 'show chassis routing-engine' and as a log message:   reason=0x4000002 reason_string=0x4000002:watchdog + panic with core dump This issue affects Junos OS on EX4000-48T, EX4000-48P and EX4000-48MP: * 24.4 versions before 24.4R2, * 25.2 versions before 25.2R1-S2, 25.2R2. This issue does not affect versions before 24.4R1 as the first Junos OS version for the EX4000 models was 24.4R1. 2026-01-15 7.5 CVE-2026-21913 https://supportportal.juniper.net/JSA106014
https://kb.juniper.net/JSA106014
 
Juniper Networks--Junos OS An Improper Locking vulnerability in the GTP plugin of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (Dos). If an SRX Series device receives a specifically malformed GPRS Tunnelling Protocol (GTP) Modify Bearer Request message, a lock is acquired and never released. This results in other threads not being able to acquire a lock themselves, causing a watchdog timeout leading to FPC crash and restart. This issue leads to a complete traffic outage until the device has automatically recovered. This issue affects Junos OS on SRX Series: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S3, * 24.4 versions before 24.4R2-S2, * 25.2 versions before 25.2R1-S1, 25.2R2. 2026-01-15 7.5 CVE-2026-21914 https://supportportal.juniper.net/JSA106015
https://kb.juniper.net/JSA106015
 
Juniper Networks--Junos OS An Improper Validation of Syntactic Correctness of Input vulnerability in the Web-Filtering module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an SRX device configured for UTM Web-Filtering receives a specifically malformed SSL packet, this will cause an FPC crash and restart. This issue affects Junos OS on SRX Series: * 23.2 versions from 23.2R2-S2 before 23.2R2-S5,  * 23.4 versions from 23.4R2-S1 before 23.4R2-S5, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R1-S3, 24.4R2. Earlier versions of Junos are also affected, but no fix is available. 2026-01-15 7.5 CVE-2026-21917 https://supportportal.juniper.net/JSA105996
https://kb.juniper.net/JSA105996
 
Juniper Networks--Junos OS A Double Free vulnerability in the flow processing daemon (flowd) of Juniper Networks Junos OS on SRX and MX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). On all SRX and MX Series platforms, when during TCP session establishment a specific sequence of packets is encountered a double free happens. This causes flowd to crash and the respective FPC to restart. This issue affects Junos OS on SRX and MX Series: * all versions before 22.4R3-S7, * 23.2 versions before 23.2R2-S3, * 23.4 versions before 23.4R2-S4, * 24.2 versions before 24.2R2. 2026-01-15 7.5 CVE-2026-21918 https://supportportal.juniper.net/JSA106018
https://kb.juniper.net/JSA106018
 
Juniper Networks--Junos OS An Unchecked Return Value vulnerability in the DNS module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an SRX Series device configured for DNS processing, receives a specifically formatted DNS request flowd will crash and restart, which causes a service interruption until the process has recovered. This issue affects Junos OS on SRX Series: * 23.4 versions before 23.4R2-S5, * 24.2 versions before 24.2R2-S1, * 24.4 versions before 24.4R2. This issue does not affect Junos OS versions before 23.4R1. 2026-01-15 7.5 CVE-2026-21920 https://supportportal.juniper.net/JSA106020
https://kb.juniper.net/JSA106020
 
kalyan02--NanoCMS NanoCMS 0.4 contains an authenticated file upload vulnerability that allows remote code execution through unvalidated page content creation. Authenticated attackers can upload PHP files with arbitrary code to the server's pages directory by exploiting the page creation mechanism without proper input sanitization. 2026-01-13 8.8 CVE-2022-50898 ExploitDB-50997
NanoCMS GitHub Repository
NanoCMS Exploit Archive
VulnCheck Advisory: NanoCMS 0.4 - Remote Code Execution (RCE) (Authenticated)
 
kraftplugins--Demo Importer Plus The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in vulnerable configurations. This only impacts sites on versions of PHP older than 8.0. 2026-01-17 7.5 CVE-2025-14478 https://www.wordfence.com/threat-intel/vulnerabilities/id/b2971aa0-8287-4142-bd04-7aec1ed92e7b?source=cve
https://plugins.trac.wordpress.org/browser/demo-importer-plus/trunk/inc/importers/class-demo-importer-plus-sites-helper.php#L88
https://plugins.trac.wordpress.org/browser/demo-importer-plus/tags/2.0.6/inc/importers/class-demo-importer-plus-sites-helper.php#L88
https://plugins.trac.wordpress.org/changeset/3439643/demo-importer-plus/trunk/inc/importers/class-demo-importer-plus-sites-helper.php
 
KYOCERA Document Solutions--Kyocera Command Center RX Kyocera Command Center RX ECOSYS M2035dn contains a directory traversal vulnerability that allows unauthenticated attackers to read sensitive system files by manipulating file paths under the /js/ path. Attackers can exploit the issue by sending requests like /js/../../../../.../etc/passwd%00.jpg (null-byte appended traversal) to access critical files such as /etc/passwd and /etc/shadow. 2026-01-13 7.5 CVE-2022-50932 ExploitDB-50738
Kyocera Command Center RX Official Product Page
VulnCheck Advisory: Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated)
 
LabRedesCefetRJ--WeGIA WeGIA is a Web Manager for Charitable Institutions. Prior to 3.6.2, a Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WeGIA system, specifically within the html/memorando/insere_despacho.php file. The application fails to properly sanitize or encode user-supplied input via the id_memorando GET parameter before reflecting it into the HTML source (likely inside a <script> block or an attribute). This allows unauthenticated attackers to inject arbitrary JavaScript or HTML into the context of the user's browser session. This vulnerability is fixed in 3.6.2. 2026-01-16 9.1 CVE-2026-23722 https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g7hh-6qj7-mcqf
 
LabRedesCefetRJ--WeGIA WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an authenticated SQL Injection vulnerability was identified in the Atendido_ocorrenciaControle endpoint via the id_memorando parameter. This flaw allows for full database exfiltration, exposure of sensitive PII, and potential arbitrary file reads in misconfigured environments. This vulnerability is fixed in 3.6.2. 2026-01-16 7.2 CVE-2026-23723 https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xfmp-2hf9-gfjp
https://github.com/LabRedesCefetRJ/WeGIA/pull/1333
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2
 
Laravel--Laravel Valet Laravel Valet versions 1.1.4 to 2.0.3 contain a local privilege escalation vulnerability that allows users to modify the valet command with root privileges. Attackers can edit the symlinked valet command to execute arbitrary code with root permissions without additional authentication. 2026-01-15 8.4 CVE-2021-47756 ExploitDB-50591
Laravel Valet Official Documentation
VulnCheck Advisory: Laravel Valet 2.0.3 - Local Privilege Escalation (macOS)
 
Leawo--Leawo Prof. Media Leawo Prof. Media 11.0.0.1 contains a denial of service vulnerability that allows attackers to crash the application by supplying an oversized payload in the activation keycode field. Attackers can generate a 6000-byte buffer of repeated characters to trigger an application crash when pasted into the registration interface. 2026-01-15 7.5 CVE-2021-47797 ExploitDB-50153
Vendor Homepage
VulnCheck Advisory: Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC)
 
lemonldap-ng--LemonLDAP::NG In the portal in LemonLDAP::NG before 2.21.0, cross-site scripting (XSS) allows remote attackers to inject arbitrary web script or HTML (into the login page) via the tab parameter, for Choice authentication. 2026-01-16 7.2 CVE-2025-31510 https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3341
 
Lenovo--ThinkPlus FU100 A vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to bypass ThinkPlus device authentication and enroll an untrusted fingerprint. 2026-01-14 7.8 CVE-2025-13455 https://iknow.lenovo.com.cn/detail/436983
 
Levelprograms--Kmaleon Kmaleon 1.1.0.205 contains an authenticated SQL injection vulnerability in the 'tipocomb' parameter of kmaleonW.php that allows attackers to manipulate database queries. Attackers can exploit this vulnerability using boolean-based, error-based, and time-based blind SQL injection techniques to potentially extract or manipulate database information. 2026-01-15 7.1 CVE-2021-47766 ExploitDB-50499
Archived Kmaleon Software Product Page
 
Litexmedia--Audio Conversion Wizard Audio Conversion Wizard v2.01 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting memory with a specially crafted registration code. Attackers can generate a payload that overwrites the application's memory stack, potentially enabling remote code execution through a carefully constructed input buffer. 2026-01-13 9.8 CVE-2022-50922 ExploitDB-50811
Audio Wizard Product Webpage
VulnCheck Advisory: Audio Conversion Wizard v2.01 - Buffer Overflow
 
Litexmedia--YouTube Video Grabber YouTube Video Grabber, now referred to as YouTube Downloader, 1.9.9.1 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting the Structured Exception Handler. Attackers can craft a malicious payload of 712 bytes with SEH manipulation to trigger a bind shell connection on a specified local port. 2026-01-15 8.4 CVE-2021-47775 ExploitDB-50471
Product Webpage
 
Macro-Expert--Macro Expert Macro Expert 4.7 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the improperly configured service path to inject malicious executables that will be run with LocalSystem permissions during service startup. 2026-01-15 7.8 CVE-2021-47780 ExploitDB-50431
Macro Expert Official Website
VulnCheck Advisory: Macro Expert 4.7 - Unquoted Service Path
 
Mailhog--Mailhog Mailhog 1.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through email attachments. Attackers can send crafted emails with XSS payloads to execute arbitrary API calls, including message deletion and browser manipulation. 2026-01-13 7.2 CVE-2022-50908 ExploitDB-50971
MailHog GitHub Repository
Shodan Search Results for MailHog
VulnCheck Advisory: Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS)
 
Malavida--Cain & Abel Cain & Abel 4.9.56 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem permissions. 2026-01-13 8.4 CVE-2022-50933 ExploitDB-50728
Official Software Download Page
VulnCheck Advisory: Cain & Abel 4.9.56 - Unquoted Service Path
 
MCPJam--inspector MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch. 2026-01-16 9.8 CVE-2026-23744 https://github.com/MCPJam/inspector/security/advisories/GHSA-232v-j27c-5pp6
https://github.com/MCPJam/inspector/commit/e6b9cf9d9e6c9cbec31493b1bdca3a1255fe3e7a
 
MegaTKC--Aero CMS Aero CMS 0.0.1 contains a SQL injection vulnerability in the author parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, time-based, and UNION query techniques to extract sensitive database information and potentially compromise the system. 2026-01-13 8.2 CVE-2022-50895 ExploitDB-51022
Archived AeroCMS GitHub Repository
Vulnerability Research Repository
VulnCheck Advisory: Aero CMS 0.0.1 - SQL Injection
 
Merit LILIN--DH032 Certain DVR/NVR models developed by Merit LILIN has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device. 2026-01-12 8.8 CVE-2026-0854 https://www.twcert.org.tw/tw/cp-132-10624-6599c-1.html
https://www.twcert.org.tw/en/cp-139-10623-4f523-2.html
 
Merit LILIN--P2 Certain IP Camera models developed by Merit LILIN has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device. 2026-01-12 8.8 CVE-2026-0855 https://www.twcert.org.tw/tw/cp-132-10625-fac5c-1.html
https://www.twcert.org.tw/en/cp-139-10626-afbe2-2.html
 
metagauss--RegistrationMagic Custom Registration Forms, User Registration, Payment, and User Login The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is due to the 'add_menu' function is accessible via the 'rm_user_exists' AJAX action and allows arbitrary updates to the 'admin_order' setting. This makes it possible for unauthenticated attackers to injecting an empty slug into the order parameter, and manipulate the plugin's menu generation logic, and when the admin menu is subsequently built, the plugin adds 'manage_options' capability for the target role. Note: The vulnerability can only be exploited unauthenticated, but further privilege escalation requires at least a subscriber user. 2026-01-17 9.8 CVE-2025-15403 https://www.wordfence.com/threat-intel/vulnerabilities/id/68dd9f6f-ccee-4a27-bd21-2fb32b92cc62?source=cve
https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/admin/controllers/class_rm_options_controller.php#L562
https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/admin/class_rm_admin.php#L487
https://plugins.trac.wordpress.org/changeset/3440797/custom-registration-form-builder-with-submission-manager#file2
 
Microsoft--Azure Connected Machine Agent Stack-based buffer overflow in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-21224 Azure Connected Machine Agent Elevation of Privilege Vulnerability
 
Microsoft--Azure Core shared client library for Python Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network. 2026-01-13 7.5 CVE-2026-21226 Azure Core shared client library for Python Remote Code Execution Vulnerability
 
Microsoft--Microsoft 365 Apps for Enterprise Out-of-bounds read in Microsoft Office Word allows an unauthorized attacker to execute code locally. 2026-01-13 8.4 CVE-2026-20944 Microsoft Word Remote Code Execution Vulnerability
 
Microsoft--Microsoft 365 Apps for Enterprise Improper access control in Microsoft Office Excel allows an unauthorized attacker to bypass a security feature locally. 2026-01-13 7.8 CVE-2026-20949 Microsoft Excel Security Feature Bypass Vulnerability
 
Microsoft--Microsoft 365 Apps for Enterprise Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. 2026-01-13 7.8 CVE-2026-20956 Microsoft Excel Remote Code Execution Vulnerability
 
Microsoft--Microsoft Office 2019 Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. 2026-01-13 8.4 CVE-2026-20952 Microsoft Office Remote Code Execution Vulnerability
 
Microsoft--Microsoft Office 2019 Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. 2026-01-13 8.4 CVE-2026-20953 Microsoft Office Remote Code Execution Vulnerability
 
Microsoft--Microsoft Office 2019 Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. 2026-01-13 7.8 CVE-2026-20946 Microsoft Excel Remote Code Execution Vulnerability
 
Microsoft--Microsoft Power Apps Improper authorization in Microsoft Power Apps allows an authorized attacker to execute code over a network. 2026-01-16 8 CVE-2026-20960 Microsoft Power Apps Remote Code Execution Vulnerability
 
Microsoft--Microsoft SharePoint Enterprise Server 2016 Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. 2026-01-13 8.8 CVE-2026-20947 Microsoft SharePoint Server Remote Code Execution Vulnerability
 
Microsoft--Microsoft SharePoint Enterprise Server 2016 Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. 2026-01-13 8.8 CVE-2026-20963 Microsoft SharePoint Remote Code Execution Vulnerability
 
Microsoft--Microsoft SharePoint Enterprise Server 2016 Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally. 2026-01-13 7.8 CVE-2026-20948 Microsoft Word Remote Code Execution Vulnerability
 
Microsoft--Microsoft SharePoint Enterprise Server 2016 Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. 2026-01-13 7.8 CVE-2026-20951 Microsoft SharePoint Server Remote Code Execution Vulnerability
 
Microsoft--Microsoft SharePoint Server 2019 Untrusted search path in Microsoft Office allows an unauthorized attacker to execute code locally. 2026-01-13 7 CVE-2026-20943 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
 
Microsoft--Microsoft SQL Server 2022 (GDR) Missing authentication for critical function in SQL Server allows an authorized attacker to elevate privileges over a network. 2026-01-13 7.2 CVE-2026-20803 Microsoft SQL Server Elevation of Privilege Vulnerability
 
Microsoft--Office Online Server Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. 2026-01-13 7.8 CVE-2026-20950 Microsoft Excel Remote Code Execution Vulnerability
 
Microsoft--Office Online Server Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. 2026-01-13 7.8 CVE-2026-20955 Microsoft Excel Remote Code Execution Vulnerability
 
Microsoft--Office Online Server Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally. 2026-01-13 7.8 CVE-2026-20957 Microsoft Excel Remote Code Execution Vulnerability
 
Microsoft--Windows 10 Version 1809 Improper input validation in Windows Server Update Service allows an unauthorized attacker to execute code over a network. 2026-01-13 8.1 CVE-2026-20856 Windows Server Update Service (WSUS) Remote Code Execution Vulnerability
 
Microsoft--Windows 10 Version 1809 Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. 2026-01-13 8.8 CVE-2026-20868 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
 
Microsoft--Windows 10 Version 1809 External control of file name or path in Windows Telephony Service allows an authorized attacker to elevate privileges over an adjacent network. 2026-01-13 8 CVE-2026-20931 Windows Telephony Service Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Incorrect privilege assignment in Windows Hello allows an unauthorized attacker to perform tampering locally. 2026-01-13 7.7 CVE-2026-20804 Windows Hello Tampering Vulnerability
 
Microsoft--Windows 10 Version 1809 Time-of-check time-of-use (toctou) race condition in Windows Kernel Memory allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20809 Windows Kernel Memory Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Free of memory not on the heap in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20810 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Concurrent execution using shared resource with improper synchronization ('race condition') in Graphics Kernel allows an authorized attacker to elevate privileges locally. 2026-01-13 7 CVE-2026-20814 DirectX Graphics Kernel Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Time-of-check time-of-use (toctou) race condition in Windows Installer allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20816 Windows Installer Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20822 Windows Graphics Component Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Concurrent execution using shared resource with improper synchronization ('race condition') in Tablet Windows User Interface (TWINUI) Subsystem allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20826 Tablet Windows User Interface (TWINUI) Subsystem Information Disclosure Vulnerability
 
Microsoft--Windows 10 Version 1809 Time-of-check time-of-use (toctou) race condition in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20831 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Windows Remote Procedure Call Interface Definition Language (IDL) Elevation of Privilege Vulnerability 2026-01-13 7.8 CVE-2026-20832 Windows Remote Procedure Call Interface Definition Language (IDL) Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Concurrent execution using shared resource with improper synchronization ('race condition') in Graphics Kernel allows an authorized attacker to elevate privileges locally. 2026-01-13 7 CVE-2026-20836 DirectX Graphics Kernel Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code locally. 2026-01-13 7.8 CVE-2026-20837 Windows Media Remote Code Execution Vulnerability
 
Microsoft--Windows 10 Version 1809 Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. 2026-01-13 7.8 CVE-2026-20840 Windows NTFS Remote Code Execution Vulnerability
 
Microsoft--Windows 10 Version 1809 Improper access control in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20843 Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Use after free in Windows Clipboard Server allows an unauthorized attacker to elevate privileges locally. 2026-01-13 7.4 CVE-2026-20844 Windows Clipboard Server Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network. 2026-01-13 7.5 CVE-2026-20848 Windows SMB Server Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Reliance on untrusted inputs in a security decision in Windows Kerberos allows an authorized attacker to elevate privileges over a network. 2026-01-13 7.5 CVE-2026-20849 Windows Kerberos Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Incorrect privilege assignment in Windows Hello allows an unauthorized attacker to perform tampering locally. 2026-01-13 7.7 CVE-2026-20852 Windows Hello Tampering Vulnerability
 
Microsoft--Windows 10 Version 1809 Concurrent execution using shared resource with improper synchronization ('race condition') in Windows WalletService allows an unauthorized attacker to elevate privileges locally. 2026-01-13 7.4 CVE-2026-20853 Windows WalletService Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20858 Windows Management Services Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Access of resource using incompatible type ('type confusion') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20860 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20861 Windows Management Services Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Heap-based buffer overflow in Connected Devices Platform Service (Cdpsvc) allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20864 Windows Connected Devices Platform Service Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20865 Windows Management Services Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20866 Windows Management Services Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20867 Windows Management Services Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Local Session Manager (LSM) allows an authorized attacker to elevate privileges locally. 2026-01-13 7 CVE-2026-20869 Windows Local Session Manager (LSM) Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20873 Windows Management Services Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20874 Windows Management Services Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Null pointer dereference in Windows Local Security Authority Subsystem Service (LSASS) allows an unauthorized attacker to deny service over a network. 2026-01-13 7.5 CVE-2026-20875 Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability
 
Microsoft--Windows 10 Version 1809 Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20877 Windows Management Services Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20918 Windows Management Services Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network. 2026-01-13 7.5 CVE-2026-20919 Windows SMB Server Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network. 2026-01-13 7.5 CVE-2026-20921 Windows SMB Server Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20923 Windows Management Services Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20924 Windows Management Services Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network. 2026-01-13 7.5 CVE-2026-20926 Windows SMB Server Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Improper access control in Windows HTTP.sys allows an authorized attacker to elevate privileges over a network. 2026-01-13 7.5 CVE-2026-20929 Windows HTTP.sys Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 1809 Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network. 2026-01-13 7.5 CVE-2026-20934 Windows SMB Server Elevation of Privilege Vulnerability
 
Microsoft--Windows 10 Version 22H2 Heap-based buffer overflow in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20940 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
 
Microsoft--Windows 11 Version 25H2 Untrusted pointer dereference in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20857 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
 
Microsoft--Windows 11 Version 25H2 Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20938 Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability
 
Microsoft--Windows Admin Center in Azure Portal Improper verification of cryptographic signature in Windows Admin Center allows an authorized attacker to elevate privileges locally. 2026-01-13 7.5 CVE-2026-20965 Windows Admin Center Elevation of Privilege Vulnerability
 
Microsoft--Windows SDK Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally. 2026-01-13 7 CVE-2026-21219 Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability
 
Microsoft--Windows Server 2019 Improper access control in Windows Deployment Services allows an unauthorized attacker to execute code over an adjacent network. 2026-01-13 7.5 CVE-2026-0386 Windows Deployment Services Remote Code Execution Vulnerability
 
Microsoft--Windows Server 2022 Access of resource using incompatible type ('type confusion') in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20811 Win32k Elevation of Privilege Vulnerability
 
Microsoft--Windows Server 2022 Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20817 Windows Error Reporting Service Elevation of Privilege Vulnerability
 
Microsoft--Windows Server 2022 Heap-based buffer overflow in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20820 Windows Common Log File System Driver Elevation of Privilege Vulnerability
 
Microsoft--Windows Server 2022 Use after free in Windows DWM allows an authorized attacker to elevate privileges locally. 2026-01-13 7 CVE-2026-20842 Microsoft DWM Core Library Elevation of Privilege Vulnerability
 
Microsoft--Windows Server 2022 Double free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. 2026-01-13 7 CVE-2026-20863 Win32k Elevation of Privilege Vulnerability
 
Microsoft--Windows Server 2022 Use after free in Desktop Windows Manager allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20871 Desktop Windows Manager Elevation of Privilege Vulnerability
 
Microsoft--Windows Server 2022 Use after free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20920 Win32k Elevation of Privilege Vulnerability
 
Microsoft--Windows Server 2022 Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. 2026-01-13 7.8 CVE-2026-20922 Windows NTFS Remote Code Execution Vulnerability
 
Microsoft--Windows Server 2025 (Server Core installation) Concurrent execution using shared resource with improper synchronization ('race condition') in Printer Association Object allows an authorized attacker to elevate privileges locally. 2026-01-13 7 CVE-2026-20808 Windows File Explorer Elevation of Privilege Vulnerability
 
Microsoft--Windows Server 2025 (Server Core installation) Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally. 2026-01-13 7 CVE-2026-20815 Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability
 
Microsoft--Windows Server 2025 (Server Core installation) Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally. 2026-01-13 7 CVE-2026-20830 Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability
 
Microsoft--Windows Server 2025 (Server Core installation) Use after free in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to execute code over a network. 2026-01-13 7.5 CVE-2026-20854 Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability
 
Microsoft--Windows Server 2025 (Server Core installation) Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20859 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
 
Microsoft--Windows Server 2025 (Server Core installation) Use after free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20870 Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability
 
Microsoft--Windows Server 2025 (Server Core installation) Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally. 2026-01-13 7.8 CVE-2026-20941 Host Process for Windows Tasks Elevation of Privilege Vulnerability
 
Microsoft--Windows Server 2025 (Server Core installation) Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally. 2026-01-13 7 CVE-2026-21221 Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability
 
Millegpg--MilleGPG5 MilleGPG5 5.7.2 contains a local privilege escalation vulnerability that allows authenticated users to modify service executable files in the MariaDB bin directory. Attackers can replace the mysqld.exe with a malicious executable, which will execute with system privileges when the computer restarts. 2026-01-15 7.8 CVE-2021-47761 ExploitDB-50558
Vendor Homepage
 
mindsdb--mindsdb MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB's storage, exposing sensitive data. The PUT handler in file.py directly joins user-controlled data into a filesystem path when the request body is JSON and source_type is not "url". Only multipart uploads and URL-sourced uploads receive sanitization; JSON uploads lack any call to clear_filename or equivalent checks. This vulnerability is fixed in 25.11.1. 2026-01-12 8.1 CVE-2025-68472 https://github.com/mindsdb/mindsdb/security/advisories/GHSA-qqhf-pm3j-96g7
 
MIT--Kerberos 5 In MIT Kerberos 5 (aka krb5) before 1.22 (with incremental propagation), there is an integer overflow for a large update size to resize() in kdb_log.c. An authenticated attacker can cause an out-of-bounds write and kadmind daemon crash. 2026-01-16 7.1 CVE-2025-24528 https://github.com/krb5/krb5/commit/78ceba024b64d49612375be4a12d1c066b0bfbd0
https://github.com/krb5/krb5/compare/krb5-1.21.3-final...krb5-1.22-final
 
Modular DS--Modular DS Incorrect Privilege Assignment vulnerability in Modular DS allows Privilege Escalation.This issue affects Modular DS: from n/a through 2.5.1. 2026-01-14 10 CVE-2026-23550 https://patchstack.com/database/wordpress/plugin/modular-connector/vulnerability/wordpress-modular-ds-monitor-update-and-backup-multiple-websites-plugin-2-5-1-privilege-escalation-vulnerability?_s_id=cve
https://patchstack.com/articles/critical-privilege-escalation-vulnerability-in-modular-ds-plugin-affecting-40k-sites-exploited-in-the-wild/
https://help.modulards.com/en/article/modular-ds-security-release-modular-connector-252-dm3mv0/
 
Moeditor--Moeditor Moeditor 0.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload specially crafted markdown files with embedded JavaScript that execute when opened, potentially enabling remote code execution on the victim's system. 2026-01-16 7.2 CVE-2021-47840 ExploitDB-49830
Moeditor Official Homepage
Proof of Concept Video
VulnCheck Advisory: Moeditor 0.2.0 - Persistent Cross-Site Scripting
 
Mp3-Avi-Mpeg-Wmv-Rm-To-Audio-Cd-Burner--Ether_MP3_CD_Burner Ether MP3 CD Burner 1.3.8 contains a buffer overflow vulnerability in the registration name field that allows remote code execution. Attackers can craft a malicious payload to overwrite SEH handlers and execute a bind shell on port 3110 by exploiting improper input validation. 2026-01-15 9.8 CVE-2021-47785 ExploitDB-50332
Software Download Link
VulnCheck Advisory: Ether_MP3_CD_Burner 1.3.8 - Buffer Overflow (SEH)
 
mrvladus--Errands Errands before 46.2.10 does not verify TLS certificates for CalDAV servers. 2026-01-12 8.2 CVE-2025-71063 https://github.com/mrvladus/Errands/issues/401
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123738
https://github.com/mrvladus/Errands/releases/tag/46.2.10
https://github.com/mrvladus/Errands/commit/04e567b432083fc798ea2249363ea6c83ff01099
https://github.com/mrvladus/Errands/compare/46.2.9...46.2.10
 
n/a--EasyCMS A vulnerability was identified in EasyCMS up to 1.6. This vulnerability affects unknown code of the file /UserAction.class.php. Such manipulation of the argument _order leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-17 7.3 CVE-2026-1105 VDB-341697 | EasyCMS UserAction.class.php sql injection
VDB-341697 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731465 | https://github.com/TeamEasy/EasyCMS EasyCMS v1.6 SQL injection vulnerability
https://github.com/ueh1013/VULN/issues/15
 
N/A--Modular DS Incorrect Privilege Assignment vulnerability in Modular DS modular-connector allows Privilege Escalation.This issue affects Modular DS: from 2.5.2 before 2.6.0. 2026-01-16 10 CVE-2026-23800 https://patchstack.com/database/wordpress/plugin/modular-connector/vulnerability/wordpress-modular-ds-plugin-2-5-2-privilege-escalation-vulnerability?_s_id=cve
 
n8n--n8n Using string formatting and exception handling, an attacker may bypass n8n's python-task-executor sandbox restrictions and run arbitrary unrestricted Python code in the underlying operating system. The vulnerability can be exploited via the Code block by an authenticated user with basic permissions and can lead to a full n8n instance takeover on instances operating under "Internal" execution mode. If the instance is operating under the "External" execution mode (ex. n8n's official Docker image) - arbitrary code execution occurs inside a Sidecar container and not the main node, which significantly reduces the vulnerability impact. 2026-01-18 8.5 CVE-2026-0863 https://research.jfrog.com/vulnerabilities/n8n-python-runner-sandbox-escape-jfsa-2026-001651077/
https://github.com/n8n-io/n8n/commit/b73a4283cb14e0f27ce19692326f362c7bf3da02
 
National Oceanic and Atmospheric Administration (NOAA)--Live Access Server (LAS) Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code execution via specially crafted requests that include PyFerret expressions. By leveraging a SPAWN command, a remote, unauthenticated attacker can execute arbitrary OS commands. Fixed in a version of 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' from 2025-09-24. 2026-01-15 9.8 CVE-2025-62193 url
url
url
url
url
url
url
 
Noteburner--NoteBurner NoteBurner 2.35 contains a buffer overflow vulnerability in the license code input field that allows attackers to crash the application. Attackers can generate a 6000-byte payload and paste it into the 'Name' and 'Code' fields to trigger an application crash. 2026-01-15 9.8 CVE-2021-47798 ExploitDB-50154
Official Product Homepage
VulnCheck Advisory: NoteBurner 2.35 - Denial Of Service (DoS) (PoC)
 
Nsauditor--Backup Key Recovery Backup Key Recovery 2.2.7 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the registration code input field. Attackers can paste a large buffer of 256 repeated characters into the registration key field to trigger application instability and potential crash. 2026-01-15 7.5 CVE-2021-47813 ExploitDB-49966
Vendor Homepage
VulnCheck Advisory: Backup Key Recovery 2.2.7 - Denial of Service (PoC)
 
Nsauditor--NBMonitor NBMonitor 1.6.8 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the registration code input field. Attackers can paste a 256-character buffer into the registration key field to trigger an application crash and potential system instability. 2026-01-15 7.5 CVE-2021-47814 ExploitDB-49964
Vendor Homepage
VulnCheck Advisory: NBMonitor 1.6.8 - Denial of Service (PoC)
 
Nsauditor--Nsauditor Nsauditor 3.2.3 contains a denial of service vulnerability in the registration code input field that allows attackers to crash the application. Attackers can paste a large buffer of 256 repeated characters into the 'Key' field to trigger an application crash. 2026-01-15 7.5 CVE-2021-47815 ExploitDB-49965
Vendor Homepage
VulnCheck Advisory: Nsauditor 3.2.3 - Denial of Service (PoC)
 
NVIDIA--NSIGHT Graphics NVIDIA NSIGHT Graphics for Linux contains a vulnerability where an attacker could cause command injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and denial of service. 2026-01-14 7.8 CVE-2025-33206 https://nvd.nist.gov/vuln/detail/CVE-2025-33206
https://www.cve.org/CVERecord?id=CVE-2025-33206
https://nvidia.custhelp.com/app/answers/detail/a_id/5738
 
Odinesolutions--Odine Solutions GateKeeper Odine Solutions GateKeeper 1.0 contains a SQL injection vulnerability in the trafficCycle API endpoint that allows remote attackers to inject malicious database queries. Attackers can exploit the vulnerability by sending crafted payloads to the /rass/api/v1/trafficCycle/ endpoint to manipulate PostgreSQL database queries and potentially extract sensitive information. 2026-01-15 8.2 CVE-2021-47782 ExploitDB-50381
Odine Solutions GateKeeper Product Homepage
VulnCheck Advisory: Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection
 
OpenAgentPlatform--Dive Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the victim's machine. This vulnerability is fixed in 0.13.0. 2026-01-16 9.7 CVE-2026-23523 https://github.com/OpenAgentPlatform/Dive/security/advisories/GHSA-pjj5-f3wm-f9m8
https://github.com/OpenAgentPlatform/Dive/commit/a5162ac9eff366d8ea1215b8a47139a81a55a779
 
OpenC3--cosmos OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From 5.0.0 to 6.10.1, OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_value executes eval(). Because the cmd code path parses the command string before calling authorize(), an unauthenticated attacker can trigger Ruby code execution even though the request ultimately fails authorization (401). This vulnerability is fixed in 6.10.2. 2026-01-13 10 CVE-2025-68271 https://github.com/OpenC3/cosmos/security/advisories/GHSA-w757-4qv9-mghp
 
Phoenix Contact--TC ROUTER 3002T-3G An unauthenticated remote attacker can trick a high privileged user into uploading a malicious payload via the config-upload endpoint, leading to code injection as root. This results in a total loss of confidentiality, availability and integrity due to improper control of code generation ('Code Injection'). 2026-01-13 8.8 CVE-2025-41717 https://certvde.com/de/advisories/VDE-2025-073
 
Phphtmledit--CuteEditor CuteEditor for PHP (now referred to as Rich Text Editor) 6.6 contains a directory traversal vulnerability in the browse template feature that allows attackers to write files to arbitrary web root directories. Attackers can exploit the ServerMapPath() function by renaming uploaded HTML files using directory traversal sequences to write files outside the intended template directory. 2026-01-13 7.5 CVE-2021-47751 ExploitDB-50994
Vendor Homepage
VulnCheck Advisory: CuteEditor for PHP 6.6 - Directory Traversal
 
Phpkf--phpKF CMS phpKF CMS 3.00 Beta y6 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary code by bypassing file extension checks. Attackers can upload a PHP file disguised as a PNG, rename it, and execute system commands through a crafted web shell parameter. 2026-01-15 9.8 CVE-2021-47753 ExploitDB-50610
Official Vendor Homepage
Software Download Page
 
pimcore--pimcore Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in the Admin Search Find API allows an authenticated attacker to perform blind SQL injection. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to database information disclosure. This vulnerability is fixed in 12.3.1 and 11.5.14. 2026-01-14 8.8 CVE-2026-23492 https://github.com/pimcore/pimcore/security/advisories/GHSA-qvr7-7g55-69xj
https://github.com/pimcore/pimcore/commit/25ad8674886f2b938243cbe13e33e204a2e35cc3
 
pimcore--pimcore Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14. 2026-01-15 8.6 CVE-2026-23493 https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h
https://github.com/pimcore/pimcore/pull/18918
https://github.com/pimcore/pimcore/commit/002ec7d5f84973819236796e5b314703b58e8601
https://github.com/pimcore/pimcore/releases/tag/v11.5.14
https://github.com/pimcore/pimcore/releases/tag/v12.3.1
 
Pjo2--Tftpd32_SE Tftpd32 SE 4.60 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be run with system-level permissions. 2026-01-13 8.4 CVE-2023-54338 ExploitDB-51076
Vendor Homepage
VulnCheck Advisory: Tftpd32_SE 4.60 - 'Tftpd32_svc' Unquoted Service Path
 
plugins360--All-in-One Video Gallery The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. 2026-01-16 8.8 CVE-2025-12957 https://www.wordfence.com/threat-intel/vulnerabilities/id/ad2e1d91-03bd-4e47-b679-81c42414238b?source=cve
https://plugins.trac.wordpress.org/changeset/3405593/all-in-one-video-gallery
 
Primera--PTPublisher PTPublisher 2.3.4 contains an unquoted service path vulnerability in the PTProtect service that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Primera Technology\PTPublisher\UsbFlashDongleService.exe' to inject malicious executables and gain system-level access. 2026-01-13 8.4 CVE-2022-50915 ExploitDB-50885
Primera Technology Official Homepage
VulnCheck Advisory: PTPublisher 2.3.4 - Unquoted Service Path
 
Private Internet Access--Private Internet Access Private Internet Access 3.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup. 2026-01-13 8.4 CVE-2022-50924 ExploitDB-50804
Vendor Homepage
Software Download Page
VulnCheck Advisory: Private Internet Access 3.3 - 'pia-service' Unquoted Service Path
 
Progress Software--Flowmon ADS A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.4 and 13.0.1 where an SQL injection vulnerability allows authenticated users to execute unintended SQL queries and commands. 2026-01-13 8.8 CVE-2025-13774 https://community.progress.com/s/article/Flowmon-ADS-CVE-2025-13774
 
Progress Software--LoadMaster OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with "User Administration" permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters 2026-01-13 8.4 CVE-2025-13444 https://community.progress.com/s/article/LoadMaster-Vulnerabilities-CVE-2025-13444-CVE-2025-13447
https://community.progress.com/s/article/ECS-Connection-Manager-Vulnerabilities-CVE-2025-13444-CVE-2025-13447
https://community.progress.com/s/article/Connection-Manager-for-ObjectScale-Vulnerabilities-CVE-2025-13444-CVE-2025-13447
https://community.progress.com/s/article/MOVEit-WAF-Vulnerabilities-CVE-2025-13444-CVE-2025-13447
 
Progress Software--LoadMaster OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with "User Administration" permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters 2026-01-13 8.4 CVE-2025-13447 https://community.progress.com/s/article/LoadMaster-Vulnerabilities-CVE-2025-13444-CVE-2025-13447
https://community.progress.com/s/article/ECS-Connection-Manager-Vulnerabilities-CVE-2025-13444-CVE-2025-13447
https://community.progress.com/s/article/Connection-Manager-for-ObjectScale-Vulnerabilities-CVE-2025-13444-CVE-2025-13447
https://community.progress.com/s/article/MOVEit-WAF-Vulnerabilities-CVE-2025-13444-CVE-2025-13447
 
Projeqtor--ProjeQtOr Project Management ProjeQtOr Project Management 9.1.4 contains a file upload vulnerability that allows guest users to upload malicious PHP files with arbitrary code execution capabilities. Attackers can upload a PHP script through the profile attachment section and execute system commands by accessing the uploaded file with a specially crafted request parameter. 2026-01-15 9.8 CVE-2021-47819 ExploitDB-49919
ProjeQtOr Official Website
 
ProtonVPN--ProtonVPN ProtonVPN 1.26.0 contains an unquoted service path vulnerability in its WireGuard service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path by placing malicious executables in specific file system locations to gain elevated privileges during service startup. 2026-01-13 8.4 CVE-2022-50917 ExploitDB-50837
ProtonVPN Official Website
VulnCheck Advisory: ProtonVPN 1.26.0 - Unquoted Service Path
 
Prowise--Prowise Reflect Prowise Reflect version 1.0.9 contains a remote keystroke injection vulnerability that allows attackers to send keyboard events through an exposed WebSocket on port 8082. Attackers can craft malicious web pages to inject keystrokes, opening applications and typing arbitrary text by sending specific WebSocket messages. 2026-01-13 9.8 CVE-2022-50925 ExploitDB-50796
Prowise Official Homepage
VulnCheck Advisory: Prowise Reflect v1.0.9 - Remote Keystroke Injection
 
pyasn1--pyasn1 pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2. 2026-01-16 7.5 CVE-2026-23490 https://github.com/pyasn1/pyasn1/security/advisories/GHSA-63vm-454h-vhhq
https://github.com/pyasn1/pyasn1/commit/3908f144229eed4df24bd569d16e5991ace44970
https://github.com/pyasn1/pyasn1/releases/tag/v0.6.2
 
Pysoft--Active WebCam Active WebCam 11.5 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the misconfigured service path by placing malicious executables in specific directory locations to gain administrative access. 2026-01-15 7.8 CVE-2021-47790 ExploitDB-50273
Software Download Page
Vendor Homepage
VulnCheck Advisory: Active WebCam 11.5 - Unquoted Service Path
 
Raimersoft--RarmaRadio RarmaRadio 2.72.8 contains a denial of service vulnerability that allows attackers to crash the application by overflowing network configuration fields with large character buffers. Attackers can generate a 100,000 character buffer and paste it into multiple network settings fields to trigger application instability and potential crash. 2026-01-16 7.5 CVE-2021-47821 ExploitDB-49906
Vendor Homepage
VulnCheck Advisory: RarmaRadio 2.72.8 - Denial of Service
 
Red Hat--Red Hat OpenShift Dev Spaces (RHOSDS) 3.22 A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration (SSH keys, tokens, etc.) from other users' Developer Workspace containers, via an unauthenticated JSON-RPC / websocket API exposed on TCP port 3333. 2026-01-13 9 CVE-2025-12548 RHSA-2025:22620
RHSA-2025:22623
RHSA-2025:22652
https://access.redhat.com/security/cve/CVE-2025-12548
RHBZ#2408850
 
Redragon--Redragon Gaming Mouse Redragon Gaming Mouse driver contains a kernel-level vulnerability that allows attackers to trigger a denial of service by sending malformed IOCTL requests. Attackers can send a crafted 2000-byte buffer with specific byte patterns to the REDRAGON_MOUSE device to crash the kernel driver. 2026-01-15 7.5 CVE-2021-47786 ExploitDB-50322
Vendor Download Page
Vulnerability Research Repository
VulnCheck Advisory: Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial of Service (PoC)
 
Remotemouse--Remote Mouse Remote Mouse 4.002 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the RemoteMouseService to inject malicious executables and gain administrative access. 2026-01-15 7.8 CVE-2021-47792 ExploitDB-50258
Official Vendor Homepage
VulnCheck Advisory: Remote Mouse 4.002 - Unquoted Service Path
 
Ribccs--Build Smart ERP Build Smart ERP 21.0817 contains an unauthenticated SQL injection vulnerability in the 'eidValue' parameter of the login validation endpoint. Attackers can inject stacked SQL queries using payloads like ';WAITFOR DELAY '0:0:3'-- to manipulate database queries and potentially extract or modify database information. 2026-01-15 8.2 CVE-2021-47777 ExploitDB-50445
Build Smart ERP Vendor Homepage
 
risesoft-y9--Digital-Infrastructure A flaw has been found in risesoft-y9 Digital-Infrastructure up to 9.6.7. This affects an unknown function of the file source-code/src/main/java/net/risesoft/util/Y9PlatformUtil.java of the component REST Authenticate Endpoint. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-01-17 7.3 CVE-2026-1050 VDB-341603 | risesoft-y9 Digital-Infrastructure REST Authenticate Endpoint Y9PlatformUtil.java sql injection
VDB-341603 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731010 | risesoft-y9 Digital-Infrastructure <=9.6.7 SQL Injection
https://github.com/risesoft-y9/Digital-Infrastructure/issues/2
https://github.com/risesoft-y9/Digital-Infrastructure/issues/2#issue-3777863959
 
RocketChat--Rocket.Chat Rocket.Chat is an open-source, secure, fully customizable communications platform. In Rocket.Chat versions up to 6.12.0, the API endpoint GET /api/v1/oauth-apps.get is exposed to any authenticated user, regardless of their role or permissions. This endpoint returns an OAuth application, as long as the user knows its ID, including potentially sensitive fields such as client_id and client_secret. This vulnerability is fixed in 6.12.0. 2026-01-14 7.7 CVE-2026-23477 https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-g4wm-fg3c-g4p2
 
roxy-wi--roxy-wi Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, command injection vulnerability exists in the log viewing functionality that allows authenticated users to execute arbitrary system commands. The vulnerability is in app/modules/roxywi/logs.py line 87, where the grep parameter is used twice - once sanitized and once raw. This vulnerability is fixed in 8.2.8.2. 2026-01-15 7.5 CVE-2026-22265 https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-mmmf-vh7m-rm47
https://github.com/roxy-wi/roxy-wi/commit/f040d3338c4ba6f66127487361592e32e0188eee
https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.8.2
 
Sandboxie--Sandboxie Plus Sandboxie-Plus 5.50.2 contains an unquoted service path vulnerability in the SbieSvc Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges during service startup. 2026-01-13 8.4 CVE-2022-50920 ExploitDB-50819
Official Sandboxie-Plus Product Homepage
VulnCheck Advisory: Sandboxie-Plus 5.50.2 - 'Service SbieSvc' Unquoted Service Path
 
Sandboxie-Plus--Sandboxie Sandboxie 5.49.7 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the container folder input field. Attackers can paste a large buffer of repeated characters into the Sandbox container folder setting to trigger an application crash. 2026-01-16 7.5 CVE-2021-47831 ExploitDB-49844
Sandboxie Official Homepage
VulnCheck Advisory: Sandboxie 5.49.7 - Denial of Service
 
SAP_SE--SAP Application Server for ABAP and SAP NetWeaver RFCSDK Due to an OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables execution of arbitrary operating system commands. Successful exploitation could lead to full compromise of the system�s confidentiality, integrity, and availability. 2026-01-13 8.4 CVE-2026-0507 https://me.sap.com/notes/3675151
https://url.sap/sapsecuritypatchday
 
SAP_SE--SAP Fiori App (Intercompany Balance Reconciliation) SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has high impact on confidentiality and integrity of the application ,availability is not impacted. 2026-01-13 8.1 CVE-2026-0511 https://me.sap.com/notes/3565506
https://url.sap/sapsecuritypatchday
 
SAP_SE--SAP HANA database SAP HANA database is vulnerable to privilege escalation allowing an attacker with valid credentials of any user to switch to another user potentially gaining administrative access. This exploit could result in a total compromise of the system�s confidentiality, integrity, and availability. 2026-01-13 8.8 CVE-2026-0492 https://me.sap.com/notes/3691059
https://url.sap/sapsecuritypatchday
 
SAP_SE--SAP Landscape Transformation SAP Landscape Transformation allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. 2026-01-13 9.1 CVE-2026-0491 https://me.sap.com/notes/3697979
https://url.sap/sapsecuritypatchday
 
SAP_SE--SAP NetWeaver Application Server ABAP and ABAP Platform Due to a Missing Authorization Check vulnerability in Application Server ABAP and ABAP Platform, an authenticated attacker could misuse an RFC function to execute form routines (FORMs) in the ABAP system. Successful exploitation could allow the attacker to write or modify data accessible via FORMs and invoke system functionality exposed via FORMs, resulting in a high impact on integrity and availability, while confidentiality remains unaffected. 2026-01-13 8.1 CVE-2026-0506 https://me.sap.com/notes/3688703
https://url.sap/sapsecuritypatchday
 
SAP_SE--SAP S/4HANA (Private Cloud and On-Premise) SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. 2026-01-13 9.1 CVE-2026-0498 https://me.sap.com/notes/3694242
https://url.sap/sapsecuritypatchday
 
SAP_SE--SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) Due to insufficient input validation in SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger), an authenticated user could execute crafted SQL queries to read, modify, and delete backend database data. This leads to a high impact on the confidentiality, integrity, and availability of the application. 2026-01-13 9.9 CVE-2026-0501 https://me.sap.com/notes/3687749
https://url.sap/sapsecuritypatchday
 
SAP_SE--SAP Wily Introscope Enterprise Manager (WorkStation) Due to the usage of vulnerable third party component in SAP Wily Introscope Enterprise Manager (WorkStation), an unauthenticated attacker could create a malicious JNLP (Java Network Launch Protocol) file accessible by a public facing URL. When a victim clicks on the URL the accessed Wily Introscope Server could execute OS commands on the victim's machine. This could completely compromising confidentiality, integrity and availability of the system. 2026-01-13 9.6 CVE-2026-0500 https://me.sap.com/notes/3668679
https://url.sap/sapsecuritypatchday
 
shopware--shopware Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and array crafted PHP Closure not checked being against allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1. 2026-01-14 7.2 CVE-2026-23498 https://github.com/shopware/shopware/security/advisories/GHSA-7cw6-7h3h-v8pf
https://github.com/shopware/shopware/commit/3966b05590e29432b8485ba47b4fcd14dd0b8475
 
SICK AG--Incoming Goods Suite A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless of permissions - Editors can view/edit/delete all dashboards/folders regardless of permissions - Editors can create dashboards in any folder regardless of permissions - Anonymous users with viewer/editor roles are similarly affected Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources. 2026-01-15 8.3 CVE-2026-0713 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf
 
SICK AG--Incoming Goods Suite A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive. 2026-01-15 8.3 CVE-2026-22638 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf
 
SICK AG--Incoming Goods Suite In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana. This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher. 2026-01-15 8.3 CVE-2026-22643 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf
 
SICK AG--Incoming Goods Suite An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01 2026-01-15 7.6 CVE-2026-0712 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf
 
SICK AG--TDC-X401GL An attacker may gain unauthorized access to the host filesystem, potentially allowing them to read and modify system data. 2026-01-15 9.9 CVE-2026-22907 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf
 
SICK AG--TDC-X401GL Uploading unvalidated container images may allow remote attackers to gain full access to the system, potentially compromising its integrity and confidentiality. 2026-01-15 9.1 CVE-2026-22908 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf
 
SICK AG--TDC-X401GL Certain system functions may be accessed without proper authorization, allowing attackers to start, stop, or delete installed applications, potentially disrupting system operations. 2026-01-15 7.5 CVE-2026-22909 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf
 
SICK AG--TDC-X401GL The device is deployed with weak and publicly known default passwords for certain hidden user levels, increasing the risk of unauthorized access. This represents a high risk to the integrity of the system. 2026-01-15 7.5 CVE-2026-22910 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf
 
Siemens--Industrial Edge Cloud Device (IECD) Affected devices do not properly enforce user authentication on specific API endpoints. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that the attacker has learned the identity of a legitimate user. 2026-01-13 10 CVE-2025-40805 https://cert-portal.siemens.com/productcert/html/ssa-014678.html
https://cert-portal.siemens.com/productcert/html/ssa-001536.html
 
Siemens--SIMATIC ET 200AL IM 157-1 PN A vulnerability has been identified in SIMATIC ET 200AL IM 157-1 PN (6ES7157-1AB00-0AB0) (All versions), SIMATIC ET 200MP IM 155-5 PN HF (6ES7155-5AA00-0AC0) (All versions >= V4.2.0), SIMATIC ET 200SP IM 155-6 MF HF (6ES7155-6MU00-0CN0) (All versions), SIMATIC ET 200SP IM 155-6 PN HA (incl. SIPLUS variants) (All versions < V1.3), SIMATIC ET 200SP IM 155-6 PN R1 (6ES7155-6AU00-0HM0) (All versions < V6.0.1), SIMATIC ET 200SP IM 155-6 PN/2 HF (6ES7155-6AU01-0CN0) (All versions >= V4.2.0), SIMATIC ET 200SP IM 155-6 PN/3 HF (6ES7155-6AU30-0CN0) (All versions < V4.2.2), SIMATIC PN/MF Coupler (6ES7158-3MU10-0XA0) (All versions), SIMATIC PN/PN Coupler (6ES7158-3AD10-0XA0) (All versions < V6.0.0), SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-2AC0) (All versions >= V4.2.0), SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-7AC0) (All versions >= V4.2.0), SIPLUS ET 200MP IM 155-5 PN HF T1 RAIL (6AG2155-5AA00-1AC0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-2CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-7CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF T1 RAIL (6AG2155-6AU01-1CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF TX RAIL (6AG2155-6AU01-4CN0) (All versions >= V4.2.0), SIPLUS NET PN/PN Coupler (6AG2158-3AD10-4XA0) (All versions < V6.0.0). Affected devices do not properly handle S7 protocol session disconnect requests. When receiving a valid S7 protocol Disconnect Request (COTP DR TPDU) on TCP port 102, the devices enter an improper session state. This could allow an attacker to cause the device to become unresponsive, leading to a denial-of-service condition that requires a power cycle to restore normal operation. 2026-01-13 7.5 CVE-2025-40944 https://cert-portal.siemens.com/productcert/html/ssa-674753.html
 
Siemens--TeleControl Server Basic A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.4). Affected application contains a local privilege escalation vulnerability that could allow an attacker to run arbitrary code with elevated privileges. 2026-01-13 8.8 CVE-2025-40942 https://cert-portal.siemens.com/productcert/html/ssa-192617.html
 
Skyjos--Owlfiles File Manager Owlfiles File Manager 12.0.1 contains a path traversal vulnerability in its built-in HTTP server that allows attackers to access system directories. Attackers can exploit the vulnerability by crafting GET requests with directory traversal sequences to access restricted system directories on the device. 2026-01-13 7.5 CVE-2022-50890 ExploitDB-51036
Vendor Homepage
Official App Store Listing
VulnCheck Advisory: Owlfiles File Manager 12.0.1 - Path Traversal
 
SLIMS--Senayan Library Management System Senayan Library Management System 9.0.0 contains a SQL injection vulnerability in the 'class' parameter that allows attackers to inject malicious SQL queries. Attackers can exploit the vulnerability by submitting crafted payloads to manipulate database queries and potentially extract sensitive information. 2026-01-13 8.2 CVE-2022-50805 ExploitDB-51161
Senayan Library Management System Official Website
Vulnerability Research Repository
VulnCheck Advisory: Senayan Library Management System 9.0.0 - SQL Injection
 
Smartertools--SmarterTools SmarterTrack SmarterTrack 7922 contains an information disclosure vulnerability in the Chat Management search form that reveals agent identification details. Attackers can access the vulnerable /Management/Chat/frmChatSearch.aspx endpoint to retrieve agents' first and last names along with their unique identifiers. 2026-01-15 7.5 CVE-2020-36926 ExploitDB-50328
SmarterTools Official Homepage
SmarterTrack Product Page
VulnCheck Advisory: SmarterTools SmarterTrack 7922 -Information Disclosure
 
Smartftp--SmartFTP Client SmartFTP Client 10.0.2909.0 contains multiple denial of service vulnerabilities that allow attackers to crash the application through specific input manipulation. Attackers can trigger crashes by entering malformed paths, using invalid IP addresses, or clearing connection history in the client's interface. 2026-01-15 7.5 CVE-2021-47791 ExploitDB-50266
SmartFTP Official Homepage
SmartFTP Download Page
VulnCheck Advisory: SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service
 
SMCI--X12STW-F There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X12STW-F . An attacker can update the system firmware with a specially crafted image. 2026-01-16 7.2 CVE-2025-12006 https://www.supermicro.com/en/support/security_BMC_IPMI_Jan_2026
 
SMCI--X13SEM-F There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X13SEM-F . An attacker can update the system firmware with a specially crafted image. 2026-01-16 7.2 CVE-2025-12007 https://www.supermicro.com/en/support/security_BMC_IPMI_Jan_2026
 
SMEWebify--WebErpMesv2 WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, the WebErpMesV2 application exposes multiple sensitive API endpoints without authentication middleware. An unauthenticated remote attacker can read business-critical data including companies, quotes, orders, tasks, and whiteboards. Limited write access allows creation of company records and full manipulation of collaboration whiteboards. This vulnerability is fixed in 1.19. 2026-01-12 8.2 CVE-2026-22788 https://github.com/SMEWebify/WebErpMesv2/security/advisories/GHSA-pp68-5pc2-hv7w
https://github.com/SMEWebify/WebErpMesv2/commit/3a7ab1c95d1d1c8f7c62c84bc87b3666ecd2fa23
 
Softlink Education--Oliver Library Server Oliver Library Server v5 contains a file download vulnerability that allows unauthenticated attackers to access arbitrary system files through unsanitized input in the FileServlet endpoint. Attackers can exploit the vulnerability by manipulating the 'fileName' parameter to download sensitive files from the server's filesystem. 2026-01-15 9.8 CVE-2021-47755 ExploitDB-50599
Oliver Library Server Official Product Homepage
 
Splashtop--Splashtop Splashtop 8.71.12001.0 contains an unquoted service path vulnerability in the Splashtop Software Updater Service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\Splashtop\Splashtop Software Updater\ to inject malicious executables and escalate privileges. 2026-01-13 8.4 CVE-2022-50693 ExploitDB-51182
Splashtop Official Homepage
VulnCheck Advisory: Splashtop 8.71.12001.0 - Unquoted Service Path
 
Splinterware--iDailyDiary iDailyDiary 4.30 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the preferences tab name field. Attackers can paste a 2,000,000 character buffer into the default diary tab name to trigger an application crash. 2026-01-16 7.5 CVE-2021-47824 ExploitDB-49898
Vendor Homepage
VulnCheck Advisory: iDailyDiary 4.30 - Denial of Service (PoC)
 
Spy-Emergency--Spy Emergency Spy Emergency 25.0.650 contains an unquoted service path vulnerability in its Windows service configurations that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted file paths in SpyEmergencyHealth.exe and SpyEmergencySrv.exe to inject malicious code during system startup or service restart. 2026-01-16 7.8 CVE-2021-47845 ExploitDB-49997
Vendor Homepage
VulnCheck Advisory: Spy Emergency 25.0.650 - Unquoted Service Path
 
stellarwp--Membership Plugin Restrict Content The Membership Plugin - Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership. 2026-01-16 8.2 CVE-2025-14844 https://www.wordfence.com/threat-intel/vulnerabilities/id/0c28545d-c7cd-469f-bccf-90e8b52fd4e7?source=cve
https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/gateways/stripe/functions.php#L848
https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/gateways/stripe/functions.php#L987
https://docs.stripe.com/api/setup_intents/object
https://cwe.mitre.org/data/definitions/639.html
https://plugins.trac.wordpress.org/changeset/3438168/restrict-content/tags/3.2.17/core/includes/gateways/stripe/functions.php
 
strongSwan--strongSwan In the eap-mschapv2 plugin (client-side) in strongSwan before 6.0.3, a malicious EAP-MSCHAPv2 server can send a crafted message of size 6 through 8, and cause an integer underflow that potentially results in a heap-based buffer overflow. 2026-01-16 8.1 CVE-2025-62291 https://github.com/strongswan/strongswan/releases
https://github.com/strongswan/strongswan/commits/master/src/libcharon/plugins/eap_mschapv2
https://www.strongswan.org/blog/2025/10/27/strongswan-vulnerability-%28cve-2025-62291%29.html
 
suitenumerique--docs LaSuite Doc is a collaborative note taking, wiki and documentation platform. From 3.8.0 to 4.3.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Interlinking feature. When a user creates a link to another document within the editor, the URL of that link is not validated. An attacker with document editing privileges can inject a malicious javascript: URL that executes arbitrary code when other users click on the link. This vulnerability is fixed in 4.4.0. 2026-01-15 8.7 CVE-2026-22867 https://github.com/suitenumerique/docs/security/advisories/GHSA-4rwv-ghwh-9rv6
https://github.com/suitenumerique/docs/commit/e807237dbedbc189230296b81c3aeccc1c04fa77
https://github.com/suitenumerique/docs/releases/tag/v4.4.0
 
sumatrapdfreader--sumatrapdf SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, there is a Untrusted Search Path vulnerability when Advanced Options setting is trigger. The application executes notepad.exe without specifying an absolute path when using the Advanced Options setting. On Windows, this allows execution of a malicious notepad.exe placed in the application's installation directory, leading to arbitrary code execution. 2026-01-14 8.6 CVE-2026-23512 https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-rqg5-gj63-x4mv
https://github.com/sumatrapdfreader/sumatrapdf/commit/2762e02a8cd7cb779c934a44257aac56ab7de673
 
Support--Brother BRPrint Auditor Brother BRPrint Auditor 3.0.7 contains an unquoted service path vulnerability in its Windows service configurations that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted file paths in BrAuSvc and BRPA_Agent services to inject malicious executables and escalate privileges on the system. 2026-01-15 7.8 CVE-2020-36929 ExploitDB-50005
Brother BRPrint Auditor Download Page (NL)
Brother BRPrint Auditor Download Page (FR)
VulnCheck Advisory: Brother BRPrint Auditor 3.0.7 - 'Multiple' Unquoted Service Path
 
sveltejs--devalue Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the typed array hydration expecting an ArrayBuffer as input, but not checking the assumption before creating the typed array. This vulnerability is fixed in 5.6.2. 2026-01-15 7.5 CVE-2026-22774 https://github.com/sveltejs/devalue/security/advisories/GHSA-vw5p-8cq8-m7mv
https://github.com/sveltejs/devalue/commit/e46afa64dd2b25aa35fb905ba5d20cea63aabbf7
https://github.com/sveltejs/devalue/releases/tag/v5.6.2
 
sveltejs--devalue Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.1.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the ArrayBuffer hydration expecting base64 encoded strings as input, but not checking the assumption before decoding the input. This vulnerability is fixed in 5.6.2. 2026-01-15 7.5 CVE-2026-22775 https://github.com/sveltejs/devalue/security/advisories/GHSA-g2pg-6438-jwpf
https://github.com/sveltejs/devalue/commit/11755849fa0634ae294a15ec0aef2f43efcad7c4
https://github.com/sveltejs/devalue/releases/tag/v5.6.2
 
Sylkat-Tools--AWebServer GhostBuilding AWebServer GhostBuilding 18 contains a denial of service vulnerability that allows remote attackers to overwhelm the server by sending multiple concurrent HTTP requests. Attackers can generate high-volume requests to multiple endpoints including /mysqladmin to potentially crash or render the service unresponsive. 2026-01-15 7.5 CVE-2021-47752 ExploitDB-50629
Vendor Homepage
Software Download Link
 
Syncbreeze--Sync Breeze Sync Breeze 13.6.18 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in service binaries located in 'Program Files' directories to inject malicious executables and escalate privileges. 2026-01-15 7.8 CVE-2021-47807 ExploitDB-50023
Vendor Homepage
VulnCheck Advisory: Sync Breeze 13.6.18 - 'Multiple' Unquoted Service Path
 
Sysax--Sysax Multi Server Sysax Multi Server 6.95 contains a denial of service vulnerability in the administrative password field that allows attackers to crash the application. Attackers can overwrite the password field with 800 bytes of repeated characters to trigger an application crash and disrupt server functionality. 2026-01-13 7.5 CVE-2023-54337 ExploitDB-51066
Vendor Homepage
VulnCheck Advisory: Sysax Multi Server 6.95 - 'Password' Denial of Service (PoC)
 
Sysgauge--SysGauge SysGauge Server 7.9.18 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\SysGauge Server\bin\sysgaus.exe' to inject malicious executables and escalate privileges. 2026-01-15 7.8 CVE-2020-36930 ExploitDB-50009
Vendor Homepage
VulnCheck Advisory: SysGauge 7.9.18 - ' SysGauge Server' Unquoted Service Path
 
Tagstoo--Tagstoo Tagstoo 2.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious payloads through files or custom tags. Attackers can execute arbitrary JavaScript code to spawn system processes, access files, and perform remote code execution on the victim's computer. 2026-01-15 7.2 CVE-2021-47843 ExploitDB-49828
Tagstoo Official Homepage
Proof of Concept Video
 
Tdarr--Tdarr Tdarr 2.00.15 contains an unauthenticated remote code execution vulnerability in its Help terminal that allows attackers to inject and chain arbitrary commands. Attackers can exploit the lack of input filtering by chaining commands like `--help; curl .py | python` to execute remote code without authentication. 2026-01-13 9.8 CVE-2022-50919 ExploitDB-50822
Official Vendor Homepage
VulnCheck Advisory: Tdarr 2.00.15 - Command Injection
 
TeamSpeak--TeamSpeak TeamSpeak 3.5.6 contains an insecure file permissions vulnerability that allows local attackers to replace executable files with malicious binaries. Attackers can replace system executables like ts3client_win32.exe with custom files to potentially gain SYSTEM or Administrator-level access. 2026-01-13 8.4 CVE-2022-50931 ExploitDB-50743
TeamSpeak Official Vendor Homepage
TeamSpeak Downloads Page
VulnCheck Advisory: TeamSpeak 3.5.6 - Insecure File Permissions
 
Telcel--FLAME II MODEM USB Flame II HSPA USB Modem contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Internet Telcel\ApplicationController.exe' to execute arbitrary code with elevated system privileges. 2026-01-13 9.8 CVE-2022-50935 ExploitDB-50708
Archived Telcel Flame II MODEM USB Product Page
VulnCheck Advisory: FLAME II MODEM USB - Unquoted Service Path
 
Telegram--Telegram Desktop Telegram Desktop 2.9.2 contains a denial of service vulnerability that allows attackers to crash the application by sending an oversized message payload. Attackers can generate a 9 million byte buffer and paste it into the messaging interface to trigger an application crash. 2026-01-15 7.5 CVE-2021-47793 ExploitDB-50247
Official Telegram Homepage
VulnCheck Advisory: Telegram Desktop 2.9.2 - Denial of Service (PoC)
 
Tenable--Nessus Agent A vulnerability has been identified in the installation/uninstallation of the Nessus Agent Tray App on Windows Hosts which could lead to escalation of privileges. 2026-01-13 8.8 CVE-2025-36640 https://www.tenable.com/security/tns-2026-01
 
Termix-SSH--Termix Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, Stored Cross-Site Scripting (XSS) vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. This allows an attacker who has compromised a managed SSH server to plant a malicious file, which, when previewed by the Termix user, executes arbitrary JavaScript in the context of the application. The vulnerability is located in src/ui/desktop/apps/file-manager/components/FileViewer.tsx. This vulnerability is fixed in 1.10.0. 2026-01-12 8 CVE-2026-22804 https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35
 
Testlink--TestLink TestLink versions 1.16 through 1.19 contain an unauthenticated file download vulnerability in the attachmentdownload.php endpoint. Attackers can download arbitrary files by iterating file IDs through the 'id' parameter with 'skipCheck=1' to bypass access controls. 2026-01-15 9.8 CVE-2021-47760 ExploitDB-50578
Official TestLink Product Homepage
Archived Researcher Blog
 
The Browser Company of New York--Dia Missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site. 2026-01-16 7.4 CVE-2025-15032 https://www.diabrowser.com/security/bulletins#CVE-2025-15032
 
Thecus--Thecus N4800Eco Nas Server Control Panel Thecus N4800Eco NAS Server Control Panel contains a command injection vulnerability that allows authenticated attackers to execute arbitrary system commands through user management endpoints. Attackers can inject commands via username and batch user creation parameters to execute shell commands with administrative privileges. 2026-01-16 8.8 CVE-2021-47816 ExploitDB-49926
Thecus Official Vendor Homepage
Thecus N4800Eco Product Page
Researcher Blog
VulnCheck Advisory: Thecus N4800Eco Nas Server Control Panel - Command Injection
 
Totalav--TotalAV TotalAV 5.15.69 contains an unquoted service path vulnerability in multiple system services running with LocalSystem privileges. Attackers can place malicious executables in specific unquoted path segments to potentially gain SYSTEM-level access by exploiting the service path configuration. 2026-01-15 7.8 CVE-2021-47787 ExploitDB-50314
TotalAV Official Homepage
VulnCheck Advisory: TotalAV 5.15.69 - Unquoted Service Path
 
tridenttechnolabs--Shipping Rate By Cities The Shipping Rate By Cities plugin for WordPress is vulnerable to SQL Injection via the 'city' parameter in all versions up to, and including, 2.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-01-14 7.5 CVE-2025-14770 https://www.wordfence.com/threat-intel/vulnerabilities/id/11e7e798-9fb9-4cff-a96f-a0003f203f5f?source=cve
https://plugins.trac.wordpress.org/browser/shipping-rate-by-cities/trunk/shiprate-cities-method-class.php#L372
 
Umbraco--Forms In Umbraco UmbracoForms through 8.13.16, an authenticated attacker can supply a malicious WSDL (aka Webservice) URL as a data source for remote code execution. 2026-01-16 7.5 CVE-2025-68924 https://our.umbraco.com/packages/developer-tools/umbraco-forms/
https://github.com/advisories/GHSA-vrgw-pc9c-qrrc
https://www.nuget.org/packages/UmbracoForms
 
vaghasia3--News and Blog Designer Bundle The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. 2026-01-14 9.8 CVE-2025-14502 https://www.wordfence.com/threat-intel/vulnerabilities/id/e02683dc-0771-4bd5-bba3-2b5423da1c80?source=cve
https://plugins.trac.wordpress.org/browser/news-and-blog-designer-bundle/trunk/includes/class-nbdb-ajax.php#L31
 
vesparny--Marky Marky 0.0.1 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code execution. 2026-01-16 7.2 CVE-2021-47839 ExploitDB-49831
Marky GitHub Repository
Proof of Concept Video
VulnCheck Advisory: Marky 0.0.1 - Persistent Cross-Site Scripting
 
Vianeos--Vianeos OctoPUS Vianeos OctoPUS 5 contains a time-based blind SQL injection vulnerability in the 'login_user' parameter during authentication requests. Attackers can exploit this vulnerability by crafting malicious POST requests with specially constructed SQL payloads that trigger database sleep functions to extract information. 2026-01-15 8.2 CVE-2021-47801 ExploitDB-50078
Vendor Homepage
Software Product Page
VulnCheck Advisory: Vianeos OctoPUS 5 - 'login_user' SQLi
 
VIAVIWEB--VIAVIWEB Wallpaper Admin VIAVIWEB Wallpaper Admin 1.0 contains an unauthenticated remote code execution vulnerability in the image upload functionality. Attackers can upload a malicious PHP file through the add_gallery_image.php endpoint to execute arbitrary code on the server. 2026-01-13 9.8 CVE-2022-50893 ExploitDB-51033
Vendor Homepage
VulnCheck Advisory: VIAVIWEB Wallpaper Admin 1.0 - Code Execution via Image Upload
 
VIAVIWEB--VIAVIWEB Wallpaper Admin VIAVIWEB Wallpaper Admin 1.0 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the img_id parameter. Attackers can send GET requests to edit_gallery_image.php with malicious img_id values to extract database information. 2026-01-13 9.8 CVE-2022-50894 ExploitDB-51033
Vendor Homepage
VulnCheck Advisory: VIAVIWEB Wallpaper Admin 1.0 SQL Injection via edit_gallery_image.php
 
VIAVIWEB--VIAVIWEB Wallpaper Admin VIAVIWEB Wallpaper Admin 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating login credentials. Attackers can exploit the login page by injecting 'admin' or 1=1-- - payload to gain unauthorized access to the administrative interface. 2026-01-13 8.2 CVE-2022-50892 ExploitDB-51033
Vendor Homepage
VulnCheck Advisory: VIAVIWEB Wallpaper Admin 1.0 - SQL Injection via Login Page
 
VIVE--VIVE Runtime Service VIVE Runtime Service 1.0.0.4 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific system directories to gain LocalSystem access during service startup. 2026-01-13 8.4 CVE-2022-50918 ExploitDB-50824
Official VIVE Homepage
VIVE Developer Downloads
VulnCheck Advisory: VIVE Runtime Service - 'ViveAgentService' Unquoted Service Path
 
Wago--WAGO 750-8212 PFC200 WAGO 750-8212 PFC200 G2 2ETH RS firmware contains a privilege escalation vulnerability that allows attackers to manipulate user session cookies. Attackers can modify the cookie's 'name' and 'roles' parameters to elevate from ordinary user to administrative privileges without authentication. 2026-01-13 9.8 CVE-2022-50926 ExploitDB-50793
Official Vendor Homepage
VulnCheck Advisory: WAGO 750-8212 PFC200 G2 2ETH RS Privilege Escalation
 
Wbce--WBCE CMS WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious droplets through the admin panel. Authenticated attackers can exploit the droplet upload functionality in the admin tools to create and execute arbitrary PHP code by crafting a specially designed zip file payload. 2026-01-13 8.8 CVE-2022-50936 ExploitDB-50707
WBCE CMS Official Website
WBCE CMS Downloads Page
WBCE CMS GitHub Repository
VulnCheck Advisory: WBCE CMS 1.5.2 - Remote Code Execution (RCE) (Authenticated)
 
WeblateOrg--wlc wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2. 2026-01-16 8.1 CVE-2026-23535 https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg
https://github.com/WeblateOrg/wlc/pull/1128
https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f
https://github.com/WeblateOrg/wlc/releases/tag/1.17.2
 
Websitebaker--WebsiteBaker WebsiteBaker 2.13.0 contains an authenticated remote code execution vulnerability that allows users with language editing permissions to execute arbitrary code. Attackers can exploit the language installation endpoint by manipulating language installation parameters to achieve remote code execution on the server. 2026-01-15 8.8 CVE-2021-47788 ExploitDB-50310
WebsiteBaker Official Homepage
VulnCheck Advisory: WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)
 
WebSSH--WebSSH for iOS WebSSH for iOS 14.16.10 contains a denial of service vulnerability in the mashREPL tool that allows attackers to crash the application by pasting malformed input. Attackers can trigger the vulnerability by copying a 300-character buffer of repeated 'A' characters into the mashREPL input field, causing the application to crash. 2026-01-16 7.5 CVE-2021-47827 ExploitDB-49883
WebSSH iOS App Store Page
VulnCheck Advisory: WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service
 
Weird-Solutions--BOOTP Turbo BOOTP Turbo 2.0.0.1253 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path to execute arbitrary code with elevated LocalSystem privileges during system startup or reboot. 2026-01-16 7.8 CVE-2021-47828 ExploitDB-49851
Vendor Homepage
VulnCheck Advisory: BOOTP Turbo 2.0.0.1253 - 'bootpt.exe' Unquoted Service Path
 
Weird-Solutions--DHCP Broadband DHCP Broadband 4.1.0.1503 contains an unquoted service path vulnerability in its service configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path in 'C:\Program Files\DHCP Broadband 4\dhcpt.exe' to inject malicious code that will execute during service startup with LocalSystem permissions. 2026-01-16 7.8 CVE-2021-47829 ExploitDB-49850
Vendor Homepage
VulnCheck Advisory: DHCP Broadband 4.1.0.1503 - 'dhcpt.exe' Unquoted Service Path
 
Wibu--WibuKey Runtime WibuKey Runtime 6.51 contains an unquoted service path vulnerability in the WkSvW32.exe service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe' to inject malicious executables and escalate privileges. 2026-01-15 7.8 CVE-2021-47810 ExploitDB-49999
Vendor Homepage
Software Download Page
VulnCheck Advisory: WibuKey Runtime 6.51 - 'WkSvW32.exe' Unquoted Service Path
 
Wisecleaner--Wise Care Wise Care 365 5.6.7.568 contains an unquoted service path vulnerability in the WiseBootAssistant service running with LocalSystem privileges. Attackers can exploit this by inserting a malicious executable in the service path, which will execute with elevated system privileges when the service restarts. 2026-01-15 7.8 CVE-2021-47804 ExploitDB-50038
Official Vendor Homepage
VulnCheck Advisory: Wise Care 365 5.6.7.568 - 'WiseBootAssistant' Unquoted Service Path
 
Wondershare--Wondershare Dr.Fone Wondershare Dr.Fone 12.0.18 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the misconfigured service path to insert malicious code that will be executed with LocalSystem permissions during service startup. 2026-01-13 8.4 CVE-2022-50900 ExploitDB-50813
Vendor Homepage
VulnCheck Advisory: Wondershare Dr.Fone 12.0.18 - 'Wondershare InstallAssist' Unquoted Service Path
 
Wondershare--Wondershare Dr.Fone Wondershare Dr.Fone 11.4.9 contains an unquoted service path vulnerability in the DFWSIDService that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\ to inject malicious executables that would run with LocalSystem privileges. 2026-01-13 8.4 CVE-2022-50901 ExploitDB-50755
Vendor Homepage
VulnCheck Advisory: Wondershare Dr.Fone 11.4.9 - 'DFWSIDService' Unquoted Service Path
 
Wondershare--Wondershare FamiSafe Wondershare FamiSafe 1.0 contains an unquoted service path vulnerability in the FSService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Wondershare\FamiSafe\ to inject malicious code that would run with LocalSystem permissions during service startup. 2026-01-13 8.4 CVE-2022-50902 ExploitDB-50757
Vendor Homepage
VulnCheck Advisory: Wondershare FamiSafe 1.0 - 'FSService' Unquoted Service Path
 
Wondershare--Wondershare MobileTrans Wondershare MobileTrans 3.5.9 contains an unquoted service path vulnerability in the ElevationService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path by placing malicious executables in specific filesystem locations that will be executed with LocalSystem permissions during service startup. 2026-01-13 8.4 CVE-2022-50903 ExploitDB-50756
Vendor Homepage
VulnCheck Advisory: Wondershare MobileTrans 3.5.9 - 'ElevationService' Unquoted Service Path
 
Wondershare--Wondershare UBackit Wondershare UBackit 2.0.5 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the wsbackup service to inject malicious executables that would run with LocalSystem permissions during service startup. 2026-01-13 8.4 CVE-2022-50904 ExploitDB-50758
Vendor Homepage
VulnCheck Advisory: Wondershare UBackit 2.0.5 - 'wsbackup' Unquoted Service Path
 
woosaai--Integration Opvius AI for WooCommerce The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. This is due to the `process_table_bulk_actions()` function processing user-supplied file paths without authentication checks, nonce verification, or path validation. This makes it possible for unauthenticated attackers to delete or download arbitrary files on the server via the `wsaw-log[]` POST parameter, which can be leveraged to delete critical files like `wp-config.php` or read sensitive configuration files. 2026-01-14 9.8 CVE-2025-14301 https://www.wordfence.com/threat-intel/vulnerabilities/id/34612902-1a26-4759-bca6-b5aaffa25af4?source=cve
https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L41
https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L25
https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L79
https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L160
 
Wordpress--Social-Share-Buttons Social-Share-Buttons 2.2.3 contains a critical SQL injection vulnerability in the project_id parameter that allows attackers to manipulate database queries. Attackers can exploit this vulnerability by sending crafted POST requests with malicious SQL payloads to retrieve and potentially steal entire database contents. 2026-01-13 8.2 CVE-2023-54333 ExploitDB-51116
WP Plugin Webpage
Vulnerability Research Repository
VulnCheck Advisory: Social-Share-Buttons 2.2.3 - SQL Injection via project_id Parameter
 
WorkOrder--WorkOrder CMS WorkOrder CMS 0.1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login by manipulating username and password parameters. Attackers can inject malicious SQL queries using techniques like OR '1'='1' and stacked queries to access database information or execute administrative commands. 2026-01-13 8.2 CVE-2023-54340 ExploitDB-51038
WorkOrder CMS GitHub Repository
VulnCheck Advisory: WorkOrder CMS 0.1.0 - SQL Injection
 
Yenkee--Yenkee Hornet Gaming Mouse Yenkee Hornet Gaming Mouse driver GM312Fltr.sys contains a buffer overrun vulnerability that allows attackers to crash the system by sending oversized input. Attackers can exploit the driver by sending a 2000-byte buffer through DeviceIoControl to trigger a kernel-level system crash. 2026-01-15 7.5 CVE-2021-47789 ExploitDB-50311
Yenkee Vendor Webpage
Quadron Research Lab Kernel Driver Bugs Repository
VulnCheck Advisory: Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial of Service (PoC)
 
Yonyou--KSOA A vulnerability has been found in Yonyou KSOA 9.0. The impacted element is an unknown function of the file /worksheet/del_work.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-18 7.3 CVE-2026-1120 VDB-341712 | Yonyou KSOA HTTP GET Parameter del_work.jsp sql injection
VDB-341712 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #734535 | Yonyou KSOA v9.0 SQL Injection
https://github.com/LX-66-LX/cve/issues/6
 
Yonyou--KSOA A vulnerability was found in Yonyou KSOA 9.0. This affects an unknown function of the file /worksheet/del_workplan.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-18 7.3 CVE-2026-1121 VDB-341713 | Yonyou KSOA HTTP GET Parameter del_workplan.jsp sql injection
VDB-341713 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #734548 | Yonyou KSOA v9.0 SQL Injection
https://github.com/LX-66-LX/cve/issues/7
 
Yonyou--KSOA A vulnerability was determined in Yonyou KSOA 9.0. This impacts an unknown function of the file /worksheet/work_info.jsp of the component HTTP GET Parameter Handler. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-18 7.3 CVE-2026-1122 VDB-341714 | Yonyou KSOA HTTP GET Parameter work_info.jsp sql injection
VDB-341714 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #734549 | Yonyou KSOA v9.0 SQL Injection
https://github.com/LX-66-LX/cve/issues/8
 
Yonyou--KSOA A vulnerability was identified in Yonyou KSOA 9.0. Affected is an unknown function of the file /worksheet/work_mod.jsp of the component HTTP GET Parameter Handler. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-18 7.3 CVE-2026-1123 VDB-341715 | Yonyou KSOA HTTP GET Parameter work_mod.jsp sql injection
VDB-341715 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #734550 | Yonyou KSOA v9.0 SQL Injection
https://github.com/LX-66-LX/cve/issues/9
 
Yonyou--KSOA A security flaw has been discovered in Yonyou KSOA 9.0. Affected by this vulnerability is an unknown functionality of the file /worksheet/work_report.jsp of the component HTTP GET Parameter Handler. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-18 7.3 CVE-2026-1124 VDB-341716 | Yonyou KSOA HTTP GET Parameter work_report.jsp sql injection
VDB-341716 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #734551 | Yonyou KSOA v9.0 SQL Injection
https://github.com/LX-66-LX/cve/issues/10
 
zalando--skipper Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs, they an read skipper secrets. This vulnerability is fixed in 0.23.0. 2026-01-16 8.8 CVE-2026-23742 https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g
https://github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714
https://github.com/zalando/skipper/releases/tag/v0.23.0
 
Zeslecp--ZesleCP ZesleCP 3.1.9 contains an authenticated remote code execution vulnerability that allows attackers to create malicious FTP accounts with shell injection payloads. Attackers can exploit the FTP account creation endpoint by injecting a reverse shell command that establishes a network connection to a specified listening host. 2026-01-15 8.8 CVE-2021-47794 ExploitDB-50233
ZesleCP Official Website
Exploit Demonstration Video
VulnCheck Advisory: ZesleCP 3.1.9 - Remote Code Execution (RCE) (Authenticated)
 
Zohocorp--ManageEngine ADSelfService Plus Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations. 2026-01-13 9.1 CVE-2025-11250 https://www.manageengine.com/products/self-service-password/advisory/CVE-2025-11250.html
 
Zohocorp--ManageEngine PAM360 Zohocorp ManageEngine PAM360 versions before 8202; Password Manager Pro versions before 13221; Access Manager Plus versions prior to 4401 are vulnerable to an authorization issue in the initiate remote session functionality. 2026-01-13 8.1 CVE-2025-11669 https://www.manageengine.com/privileged-access-management/advisory/cve-2025-11669.html
 

Back to top

Medium Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
1Panel-dev--1Panel 1Panel is an open-source, web-based control panel for Linux server management. A stored Cross-Site Scripting (XSS) vulnerability exists in the 1Panel App Store when viewing application details. Malicious scripts can execute in the context of the user's browser, potentially compromising session data or sensitive system interfaces. All versions of 1Panel up to and including v1.10.33-lts and v2.0.16 are affected. An attacker could publish a malicious application that, when loaded by users (locally or remotely), can execute arbitrary scripts. This may result in theft of user cookies, unauthorized access to system functions, or other actions that compromise the confidentiality, integrity, and availability of the system. The vulnerability is caused by insufficient sanitization of content rendered by the MdEditor component with the `previewOnly` attribute enabled. Specifically, the App Store renders application README content without proper XSS protection, allowing script execution during content rendering; and similar issues exist in system upgrade-related components, which can be fixed by implementing proper XSS sanitization in the MdEditor component. These vulnerabilities can be mitigated by applying proper XSS protection and sanitization when rendering content in the MdEditor component. Safe versions with a patch incorporated are v1.10.34-lts and v2.0.17. 2026-01-18 6.4 CVE-2026-23525 https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-mg24-6h5c-9q42
 
A-Plus Video Technologies--AP-RM864P Certain NVR models developed by A-Plus Video Technologies has a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access the debug page and obtain device status information. 2026-01-12 5.3 CVE-2026-0853 https://www.twcert.org.tw/tw/cp-132-10620-527f1-1.html
https://www.twcert.org.tw/en/cp-139-10621-55584-2.html
 
aankit--SpiceForms Form Builder The SpiceForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spiceforms' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-14 6.4 CVE-2025-12178 https://www.wordfence.com/threat-intel/vulnerabilities/id/d9a19e96-2ca4-4072-aa2e-ab01f1685911?source=cve
https://plugins.trac.wordpress.org/browser/spiceforms-form-builder/tags/1.0/spiceform.php#L135
 
abage--Sosh Share Buttons The Sosh Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'admin_page_content' function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-14 4.3 CVE-2025-15377 https://www.wordfence.com/threat-intel/vulnerabilities/id/38b8b563-10a4-4343-b95a-7d09cf6fd729?source=cve
https://plugins.trac.wordpress.org/browser/sosh-share-buttons/tags/1.1.0/sosh.class.php#L138
 
Adobe--Illustrator Illustrator versions 29.8.3, 30.0 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2026-01-13 5.5 CVE-2026-21288 https://helpx.adobe.com/security/products/illustrator/apsb26-03.html
 
Adobe--InDesign Desktop InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to access sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2026-01-13 5.5 CVE-2026-21278 https://helpx.adobe.com/security/products/indesign/apsb26-02.html
 
Adobe--Substance3D - Designer Substance3D - Designer versions 15.0.3 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2026-01-13 5.5 CVE-2026-21308 https://helpx.adobe.com/security/products/substance3d_designer/apsb26-13.html
 
Adobe--Substance3D - Modeler Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2026-01-13 5.5 CVE-2026-21300 https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html
 
Adobe--Substance3D - Modeler Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2026-01-13 5.5 CVE-2026-21301 https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html
 
Adobe--Substance3D - Modeler Substance3D - Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2026-01-13 5.5 CVE-2026-21302 https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html
 
Adobe--Substance3D - Modeler Substance3D - Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2026-01-13 5.5 CVE-2026-21303 https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html
 
adoncreatives--Testimonials Creator The Testimonials Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in version 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-01-14 4.4 CVE-2025-14379 https://www.wordfence.com/threat-intel/vulnerabilities/id/3af18a17-81a0-4720-b222-153ab4ddf7d9?source=cve
https://wordpress.org/plugins/testimonials-creator/
 
akinloluwami--outray Outray openSource ngrok alternative. Prior to 0.1.5, this vulnerability allows a user i.e a free plan user to get more than the desired subdomains due to lack of db transaction lock mechanisms in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts. This vulnerability is fixed in 0.1.5. 2026-01-14 5.9 CVE-2026-22819 https://github.com/outray-tunnel/outray/security/advisories/GHSA-45hj-9x76-wp9g
https://github.com/outray-tunnel/outray/commit/73e8a09575754fb4c395438680454b2ec064d1d6
 
aliasvault--aliasvault AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for a site it was not authorized to access. The issue involved incomplete validation of calling app identity, origin, and RP ID in the Android credential provider. This issue was fixed in AliasVault Android 0.25.3. 2026-01-14 6.1 CVE-2026-22694 https://github.com/aliasvault/aliasvault/security/advisories/GHSA-mvg4-wvjv-332q
https://github.com/aliasvault/aliasvault/issues/1440
https://github.com/aliasvault/aliasvault/pull/1441
https://github.com/aliasvault/aliasvault/commit/b3350473103d6138ab2b63ca130c211717eac67d
https://github.com/aliasvault/aliasvault/releases/tag/0.25.3
 
Altium--Altium Live A stored cross-site scripting (XSS) vulnerability exists in the Altium Support Center AddComment endpoint due to missing server-side input sanitization. Although the client interface applies HTML escaping, the backend accepts and stores arbitrary HTML and JavaScript supplied via modified POST requests. The injected content is rendered verbatim when support cases are viewed by other users, including support staff with elevated privileges, allowing execution of arbitrary JavaScript in the victim's browser context. 2026-01-15 6.1 CVE-2026-1011 https://www.altium.com/platform/security-compliance/security-advisories
 
AmauriC--tarteaucitron.js tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.29.0, a Regular Expression Denial of Service (ReDoS) vulnerability was identified in tarteaucitron.js in the handling of the issuu_id parameter. This vulnerability is fixed in 1.29.0. 2026-01-13 4.4 CVE-2026-22809 https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-q5f6-qxm2-mcqm
https://github.com/AmauriC/tarteaucitron.js/commit/f0bbdac2fdf3cd24a325fc0928c0d34abf1b7b52
 
aplazopayment--Aplazo Payment Gateway The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_success_response() function in all versions up to, and including, 1.4.2. This makes it possible for unauthenticated attackers to set any WooCommerce order to `pending payment` status. 2026-01-14 5.3 CVE-2025-15512 https://www.wordfence.com/threat-intel/vulnerabilities/id/97b327cc-7a72-4cc3-a4db-a693469f6917?source=cve
https://plugins.trac.wordpress.org/browser/aplazo-payment-gateway/tags/1.4.2/includes/module/class-aplazo-module.php#L206
 
Arunna--Arunna Arunna 1.0.0 contains a cross-site request forgery vulnerability that allows attackers to manipulate user profile settings without authentication. Attackers can craft a malicious form to change user details, including passwords, email, and administrative privileges by tricking authenticated users into submitting the form. 2026-01-15 5.3 CVE-2021-47754 ExploitDB-50608
Archived Researcher Blog
Arunna GitHub Repository
 
Automattic--Jetpack Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject malicious scripts through the post_id parameter. Attackers can craft malicious URLs with script payloads to execute arbitrary JavaScript in victims' browsers when they interact with the contact form page. 2026-01-13 6.1 CVE-2023-54332 ExploitDB-51104
Jetpack WordPress Plugin Homepage
VulnCheck Advisory: Jetpack 11.4 - Cross Site Scripting (XSS)
 
avahi--avahi Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes. 2026-01-12 6.5 CVE-2025-68468 https://github.com/avahi/avahi/security/advisories/GHSA-cp79-r4x9-vf52
https://github.com/avahi/avahi/issues/683
https://github.com/avahi/avahi/commit/f66be13d7f31a3ef806d226bf8b67240179d309a
 
avahi--avahi Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart. 2026-01-12 6.5 CVE-2025-68471 https://github.com/avahi/avahi/security/advisories/GHSA-56rf-42xr-qmmg
https://github.com/avahi/avahi/issues/678
https://github.com/avahi/avahi/commit/9c6eb53bf2e290aed84b1f207e3ce35c54cc0aa1
 
avahi--avahi Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by either calling the RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves. 2026-01-12 5.5 CVE-2025-68276 https://github.com/avahi/avahi/security/advisories/GHSA-mhf3-865v-g5rc
https://github.com/avahi/avahi/pull/806
https://github.com/avahi/avahi/commit/ede7048475c5d47d53890e3bc1350dda8e0b3688
 
Awesome Motive--YouTube Feed Pro The Feeds for YouTube Pro plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.6.0 via the 'sby_check_wp_submit' AJAX action. This is due to insufficient sanitization of user-supplied data and the use of that data in a file operation. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information, granted the 'Save Featured Images' setting is enabled and 'Disable WP Posts' is disabled. Note: This vulnerability only affects the Pro version of Feeds for YouTube. 2026-01-17 5.9 CVE-2025-12002 https://www.wordfence.com/threat-intel/vulnerabilities/id/e9f31ec5-c376-45b1-9ffe-35c80b89b60d?source=cve
https://smashballoon.com/youtube-feed/
https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/sby-functions.php#L1047
https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/sby-functions.php#L1038
https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L25
https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L339
https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L383
 
awesomesupport--Awesome Support WordPress HelpDesk & Support Plugin The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter, granted they can access the publicly available registration/submit ticket page to extract a valid nonce. 2026-01-16 6.5 CVE-2025-12641 https://www.wordfence.com/threat-intel/vulnerabilities/id/a5a8e4ca-c16b-4e9d-8ad2-5a671fdbc49a?source=cve
https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-actions.php#L36
https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-actions.php#L66
https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-user.php#L1686
https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/themes/default/registration.php#L183
https://plugins.trac.wordpress.org/changeset/3435609/awesome-support/trunk/includes/functions-user.php?contextall=1
 
axllent--mailpit Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue. 2026-01-18 5.3 CVE-2026-23829 https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c
https://github.com/axllent/mailpit/commit/36cc06c125954dec6673219dafa084e13cc14534
https://github.com/axllent/mailpit/releases/tag/v1.28.3
 
B2Evolution--b2evolution b2evolution 7.2.2 contains a cross-site request forgery vulnerability that allows attackers to modify admin account details without authentication. Attackers can craft a malicious HTML form to submit unauthorized changes to user profiles by tricking victims into loading a specially crafted webpage. 2026-01-15 5.3 CVE-2021-47800 ExploitDB-50081
Official Vendor Homepage
Software Download Page
B2Evolution GitHub Repository
VulnCheck Advisory: b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF)
 
bastillion-io--Bastillion A vulnerability has been found in bastillion-io Bastillion up to 4.0.1. This vulnerability affects unknown code of the file src/main/java/io/bastillion/manage/control/AuthKeysKtrl.java of the component Public Key Management System. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-17 4.7 CVE-2026-1063 VDB-341631 | bastillion-io Bastillion Public Key Management System AuthKeysKtrl.java command injection
VDB-341631 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731303 | bastillion-io Bastillion <=4.0.1 Command Injection
https://github.com/AnalogyC0de/public_exp/blob/main/archives/Bastillion/report1.md
 
bastillion-io--Bastillion A vulnerability was found in bastillion-io Bastillion up to 4.0.1. This issue affects some unknown processing of the file src/main/java/io/bastillion/manage/control/SystemKtrl.java of the component System Management Module. Performing a manipulation results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-17 4.7 CVE-2026-1064 VDB-341632 | bastillion-io Bastillion System Management SystemKtrl.java command injection
VDB-341632 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731308 | bastillion-io Bastillion SSH Key Manager <=4.0.1 Command Injection
https://github.com/AnalogyC0de/public_exp/blob/main/archives/Bastillion/report2.md
 
bdthemes--Spin Wheel Interactive spinning wheel that offers coupons The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to manipulate which prize they win by modifying the 'prize_index' parameter sent to the server, allowing them to always select the most valuable prizes. 2026-01-17 5.3 CVE-2026-0808 https://www.wordfence.com/threat-intel/vulnerabilities/id/c023b91e-f633-41a6-b2d7-bcb3f1d026b7?source=cve
https://plugins.trac.wordpress.org/browser/spin-wheel/trunk/includes/class-swp-ajax.php#L73
https://plugins.trac.wordpress.org/browser/spin-wheel/tags/2.0.2/includes/class-swp-ajax.php#L73
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3437726%40spin-wheel&new=3437726%40spin-wheel&sfp_email=&sfph_mail=
 
BlackBerry Ltd--QNX Software Development Platform Null pointer dereference in the MsgRegisterEvent() system call could allow an attacker with local access and code execution abilities to crash the QNX Neutrino kernel. 2026-01-13 6.2 CVE-2025-8090 https://support.blackberry.com/pkb/s/article/141027
 
bplugins--Team Section Block Showcase Team Members with Layout Options The Team Section Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user-supplied social network link URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-17 6.4 CVE-2026-0833 https://www.wordfence.com/threat-intel/vulnerabilities/id/6348b119-a0dc-40ef-ae62-1de86dcefac7?source=cve
https://plugins.trac.wordpress.org/browser/team-section/trunk/build/render.php#L3
https://plugins.trac.wordpress.org/browser/team-section/tags/1.1.0/build/render.php#L3
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3436953%40team-section&new=3436953%40team-section&sfp_email=&sfph_mail=
 
brechtvds--WP Recipe Maker The WP Recipe Maker plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 10.2.2 via the api_get_post_summary function due to insufficient restrictions on which posts can be retrieved. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from posts they may not be able to edit or read otherwise. This also affects password protected, private, or draft posts that they should not have access to. 2026-01-16 4.3 CVE-2025-15527 https://www.wordfence.com/threat-intel/vulnerabilities/id/96f77fdc-4e91-43c0-8bc6-7bb202945c7d?source=cve
https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php#L48
https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php#L86
https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php#L172
https://plugins.trac.wordpress.org/changeset/3415263/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php?contextall=1&old=3402554&old_path=%2Fwp-recipe-maker%2Ftrunk%2Fincludes%2Fpublic%2Fapi%2Fclass-wprm-api-utilities.php
 
BYVoid--OpenCC A weakness has been identified in BYVoid OpenCC up to 1.1.9. This vulnerability affects the function opencc::MaxMatchSegmentation of the file src/MaxMatchSegmentation.cpp. This manipulation causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. Patch name: 345c9a50ab07018f1b4439776bad78a0d40778ec. To fix this issue, it is recommended to deploy a patch. 2026-01-18 5.3 CVE-2025-15536 VDB-341708 | BYVoid OpenCC MaxMatchSegmentation.cpp MaxMatchSegmentation heap-based overflow
VDB-341708 | CTI Indicators (IOB, IOC, IOA)
Submit #733347 | BYVoid OpenCC ver.1.1.9 and master-branch Heap-based Buffer Overflow
https://github.com/BYVoid/OpenCC/issues/997
https://github.com/BYVoid/OpenCC/pull/1005
https://github.com/oneafter/1222/blob/main/repro
https://github.com/BYVoid/OpenCC/commit/345c9a50ab07018f1b4439776bad78a0d40778ec
 
cakephp--cakephp CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1. 2026-01-16 5.4 CVE-2026-23643 https://github.com/cakephp/cakephp/security/advisories/GHSA-qh8m-9qxx-53m5
https://github.com/cakephp/cakephp/issues/19172
https://github.com/cakephp/cakephp/commit/c842e7f45d85696e6527d8991dd72f525ced955f
https://bakery.cakephp.org/2026/01/14/cakephp_5212.html
https://github.com/cakephp/cakephp/releases/tag/5.2.12
https://github.com/cakephp/cakephp/releases/tag/5.3.1
 
cbutlerjr--WP-Members Membership Plugin The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Multiple Checkbox and Multiple Select user profile fields in all versions up to, and including, 3.5.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-15 5.4 CVE-2025-14448 https://www.wordfence.com/threat-intel/vulnerabilities/id/89d1fa00-4757-4f86-bddb-a6a2dbcf9625?source=cve
https://plugins.trac.wordpress.org/changeset/3418471/wp-members
 
Celestialsoftware--AbsoluteTelnet AbsoluteTelnet 11.24 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating DialUp connection and license name fields. Attackers can generate a 1000-character payload and paste it into specific input fields to trigger application crashes and force unexpected termination. 2026-01-15 6.2 CVE-2021-47764 ExploitDB-50511
Vendor Homepage
 
Celestialsoftware--AbsoluteTelnet AbsoluteTelnet 11.24 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating username and error report fields. Attackers can trigger the crash by inserting 1000 characters into the username or email address fields, causing the application to become unresponsive. 2026-01-15 6.2 CVE-2021-47765 ExploitDB-50510
Vendor Homepage
 
Chamilo--LMS A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation of the argument userId results in improper authorization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-18 5.4 CVE-2026-1106 VDB-341698 | Chamilo LMS Legal Consent SocialController.php deleteLegal improper authorization
VDB-341698 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731510 | Chamilo LMS <= v2.0.0 Beta 1 SocialController IDOR - Legal Consent Data Manipulat
https://note-hxlab.wetolink.com/share/w92t1Q0a74Gj
 
cijliu--librtsp A security vulnerability has been detected in cijliu librtsp up to 2ec1a81ad65280568a0c7c16420d7c10fde13b04. The affected element is the function rtsp_rely_dumps. The manipulation leads to buffer overflow. An attack has to be approached locally. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-18 5.3 CVE-2026-1108 VDB-341700 | cijliu librtsp rtsp_rely_dumps buffer overflow
VDB-341700 | CTI Indicators (IOB, IOC, IOA)
Submit #732598 | librtsp demo git-master-2ec1a81ad65280568a0c7c16420d7c10fde13b04 Buffer Overflow
https://github.com/fizz-is-on-the-way/vuls_protocol/blob/main/librtsp_rtsp_rely_dumps/librtsp_rtsp_rely_dumps.md
 
cijliu--librtsp A vulnerability was detected in cijliu librtsp up to 2ec1a81ad65280568a0c7c16420d7c10fde13b04. The impacted element is the function rtsp_parse_request. The manipulation results in buffer overflow. Attacking locally is a requirement. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-18 5.3 CVE-2026-1109 VDB-341701 | cijliu librtsp rtsp_parse_request buffer overflow
VDB-341701 | CTI Indicators (IOB, IOC, IOA)
Submit #732599 | librtsp demo git-master-2ec1a81ad65280568a0c7c16420d7c10fde13b04 Buffer Overflow
https://github.com/fizz-is-on-the-way/vuls_protocol/blob/main/librtsp_rtsp_parse_request/librtsp_rtsp_parse_request.md
 
cijliu--librtsp A flaw has been found in cijliu librtsp up to 2ec1a81ad65280568a0c7c16420d7c10fde13b04. This affects the function rtsp_parse_method. This manipulation causes buffer overflow. It is possible to launch the attack on the local host. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-18 5.3 CVE-2026-1110 VDB-341702 | cijliu librtsp rtsp_parse_method buffer overflow
VDB-341702 | CTI Indicators (IOB, IOC, IOA)
Submit #732603 | librtsp demo git-master-2ec1a81ad65280568a0c7c16420d7c10fde13b04 Buffer Overflow
https://github.com/fizz-is-on-the-way/vuls_protocol/blob/main/librtsp_rtsp_parse_method/librtsp_rtsp_parse_method.md
 
Cinspiration--RDP Manager RDP Manager 4.9.9.3 contains a denial of service vulnerability in connection input fields that allows local attackers to crash the application. Attackers can add oversized entries in Verbindungsname and Server fields to permanently freeze and crash the software, potentially requiring full reinstallation. 2026-01-15 6.2 CVE-2021-47771 ExploitDB-50484
Archived Software Download Page
Vulnerability-Lab Disclosure
 
Cisco--Cisco Evolved Programmable Network Manager (EPNM) A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against users of the interface of an affected system. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious code into specific data fields in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker must have valid administrative credentials. 2026-01-15 4.8 CVE-2026-20075 cisco-sa-epnm-pi-stored-xss-GEkX8yWK
 
Cisco--Cisco Identity Services Engine Software A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials. 2026-01-15 4.8 CVE-2026-20047 cisco-sa-ise-xss-964cdxW5
 
Cisco--Cisco Identity Services Engine Software A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials. 2026-01-15 4.8 CVE-2026-20076 cisco-sa-ise-xss-9TDh2kx
 
codepeople--CP Image Store with Slideshow The CP Image Store with Slideshow plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9 due to a logic error in the 'cpis_admin_init' function's permission check. This makes it possible for authenticated attackers, with Contributor-level access and above, to import arbitrary products via XML, if the XML file has already been uploaded to the server. 2026-01-13 4.3 CVE-2026-0684 https://www.wordfence.com/threat-intel/vulnerabilities/id/28e48604-2aaf-4e02-9b1e-cebf5f0bfcf7?source=cve
https://plugins.trac.wordpress.org/browser/cp-image-store/tags/1.1.9/cp-image-store.php#L826
https://plugins.trac.wordpress.org/changeset/3434716/
 
ConnectWise--PSA In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values. 2026-01-16 6.5 CVE-2026-0696 https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix
 
creativemindssolutions--CM E-Mail Blacklist Simple email filtering for safer registration The CM E-Mail Blacklist - Simple email filtering for safer registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'black_email' parameter in all versions up to, and including, 1.6.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-01-17 4.4 CVE-2026-0691 https://www.wordfence.com/threat-intel/vulnerabilities/id/821f4ea9-bc25-4d65-9058-5b77c4f1b230?source=cve
https://plugins.trac.wordpress.org/browser/cm-email-blacklist/trunk/backend/views/settings/email_blacklist.phtml#L67
https://plugins.trac.wordpress.org/browser/cm-email-blacklist/tags/1.6.2/backend/views/settings/email_blacklist.phtml#L67
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3440158%40cm-email-blacklist&new=3440158%40cm-email-blacklist&sfp_email=&sfph_mail=
 
crushpics--Crush.pics Image Optimizer Image Compression and Optimization The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings including disabling auto-compression and changing image quality settings. 2026-01-14 4.3 CVE-2025-14482 https://www.wordfence.com/threat-intel/vulnerabilities/id/5e71bf15-aee0-4efc-a1c6-faad9f6e4f38?source=cve
https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L66
https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L193
https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L30
 
cubewp1211--CubeWP Framework The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-17 6.4 CVE-2025-8615 https://www.wordfence.com/threat-intel/vulnerabilities/id/efc2baf0-38d9-44be-b439-3585b2f1d4a5?source=cve
https://wordpress.org/plugins/cubewp-framework/#developers
https://plugins.trac.wordpress.org/changeset/3362001#file10
 
cubewp1211--CubeWP Framework The CubeWP - All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. 2026-01-17 5.3 CVE-2025-12129 https://www.wordfence.com/threat-intel/vulnerabilities/id/2006dc4c-ec1a-45ab-94a3-1f86d80e70ca?source=cve
https://plugins.trac.wordpress.org/changeset/3422640/cubewp-framework/trunk/cube/classes/class-cubewp-rest-api.php
 
cyberlord92--Integrate Dynamics 365 CRM The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-17 4.4 CVE-2026-0725 https://www.wordfence.com/threat-intel/vulnerabilities/id/6b16028a-0b69-422b-9471-32ea6edb93a0?source=cve
https://plugins.trac.wordpress.org/browser/integrate-dynamics-365-crm/trunk/Wrappers/class-templatewrapper.php#L491
https://plugins.trac.wordpress.org/browser/integrate-dynamics-365-crm/tags/1.1.1/Wrappers/class-templatewrapper.php#L491
https://plugins.trac.wordpress.org/changeset/3438502/
 
Dell--SupportAssist OS Recovery, Dell SupportAssist OS Recovery, versions prior to 5.5.15.1, contain a Creation of Temporary File With Insecure Permissions vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information Tampering. 2026-01-13 6.6 CVE-2025-46684 https://www.dell.com/support/kbdoc/en-us/000401506/dsa-2025-456
 
dfieldfl--WP Allowed Hosts The WP Allowed Hosts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'allowed-hosts' parameter in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-01-14 4.4 CVE-2026-0734 https://www.wordfence.com/threat-intel/vulnerabilities/id/700e9d1c-a178-4033-8607-652178860211?source=cve
https://plugins.trac.wordpress.org/browser/wp-allow-hosts/trunk/allowed-hosts.php#L170
https://plugins.trac.wordpress.org/browser/wp-allow-hosts/tags/1.0.8/allowed-hosts.php#L170
 
e107--e107 CMS e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload malicious SVG files through the media manager. Attackers with admin privileges can exploit this vulnerability to upload SVG files with embedded cross-site scripting (XSS) payloads that can execute arbitrary scripts when viewed. 2026-01-13 4.8 CVE-2022-50906 ExploitDB-50910
Official Vendor Homepage
Software Download Page
VulnCheck Advisory: e107 CMS v3.2.1 - Admin Upload Restriction Bypass + Stored XSS
 
Elastic--Kibana Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until service degradation or complete unavailability occurs. 2026-01-13 6.5 CVE-2026-0530 https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-03/384521
 
Elastic--Kibana Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users. 2026-01-13 6.5 CVE-2026-0531 https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-04/384522
 
Elastic--Kibana Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to execute connector actions. The application attempts to process specially crafted email format, resulting in complete service unavailability for all users until manual restart is performed. 2026-01-13 6.5 CVE-2026-0543 https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-08/384523
 
Elastic--Metricbeat Improper Validation of Array Index (CWE-129) exists in Metricbeat can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) exists in the Prometheus helper module that can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data. 2026-01-13 6.5 CVE-2026-0528 https://discuss.elastic.co/t/metricbeat-8-19-10-9-1-10-9-2-4-security-update-esa-2026-01/384519
 
Elastic--Packetbeat Improper Validation of Array Index (CWE-129) in Packetbeat's MongoDB protocol parser can allow an attacker to cause Overflow Buffers (CAPEC-100) through specially crafted network traffic. This requires an attacker to send a malformed payload to a monitored network interface where MongoDB protocol parsing is enabled. 2026-01-14 6.5 CVE-2026-0529 https://discuss.elastic.co/t/packetbeat-8-19-10-9-1-10-9-2-4-security-update-esa-2026-02/384520
 
electric-studio--Electric Studio Download Counter The Electric Studio Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-14 4.4 CVE-2026-0741 https://www.wordfence.com/threat-intel/vulnerabilities/id/a22bba3e-423a-4231-833b-c0be57a3bf7b?source=cve
https://plugins.trac.wordpress.org/browser/electric-studio-download-counter/trunk/electric-studio-download-counter.php#L186
https://plugins.trac.wordpress.org/browser/electric-studio-download-counter/tags/2.4/electric-studio-download-counter.php#L186
https://plugins.trac.wordpress.org/browser/electric-studio-download-counter/trunk/electric-studio-download-counter.php#L202
https://plugins.trac.wordpress.org/browser/electric-studio-download-counter/tags/2.4/electric-studio-download-counter.php#L202
 
EnterpriseDB--Postgres Enterprise Manager (PEM) PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. By default only the superuser and users with pem_admin or pem_super_admin privileges are able to access the Manage Charts menu. 2026-01-16 6.5 CVE-2026-0949 https://www.enterprisedb.com/docs/security/advisories/cve20260949/
 
espressif--esp-usb Espressif ESP-IDF USB Host UVC Class Driver allows video streaming from USB cameras. Prior to 2.4.0, a vulnerability in the esp-usb UVC host implementation allows a malicious USB Video Class (UVC) device to trigger a stack buffer overflow during configuration-descriptor parsing. When UVC configuration-descriptor printing is enabled, the host prints detailed descriptor information provided by the connected USB device. A specially crafted UVC descriptor may advertise an excessively large length. Because this value is not validated before being copied into a fixed-size stack buffer, an attacker can overflow the buffer and corrupt memory. This vulnerability is fixed in 2.4.0. 2026-01-12 6.8 CVE-2025-68622 https://github.com/espressif/esp-usb/security/advisories/GHSA-g65h-9ggq-9827
https://github.com/espressif/esp-usb/commit/77a38b15a17f6e3c7aeb620eb4aeaf61d5194cc0
https://components.espressif.com/components/espressif/usb_host_uvc/versions/2.4.0/changelog
 
espressif--esp-usb Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, usb_class_request_get_descriptor() frees and reallocates hid_device->ctrl_xfer when an oversized descriptor is requested but continues to use the stale local pointer, leading to an immediate use-after-free when processing attacker-controlled Report Descriptor lengths. This vulnerability is fixed in 1.1.0. 2026-01-12 6.8 CVE-2025-68656 https://github.com/espressif/esp-usb/security/advisories/GHSA-2pm2-62mr-c9x7
https://github.com/espressif/esp-usb/commit/81b37c96593c0bec92ef14c6ee6bf8cab8d8f660
https://components.espressif.com/components/espressif/usb_host_hid/versions/1.1.0/changelog
 
espressif--esp-usb Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, calls to hid_host_device_close() can free the same usb_transfer_t twice. The USB event callback and user code share the hid_iface_t state without locking, so both can tear down a READY interface simultaneously, corrupting heap metadata inside the ESP USB host stack. This vulnerability is fixed in 1.1.0. 2026-01-12 6.4 CVE-2025-68657 https://github.com/espressif/esp-usb/security/advisories/GHSA-gp8r-qjfr-gqfv
https://github.com/espressif/esp-usb/commit/cd28106e9f72ac2719682c06f94601f9f034390b
https://components.espressif.com/components/espressif/usb_host_hid/versions/1.1.0/changelog
 
floattechnologies--Float Payment Gateway The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse() function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to mark any WooCommerce order as failed. 2026-01-14 5.3 CVE-2025-15513 https://www.wordfence.com/threat-intel/vulnerabilities/id/b2c7fb39-d128-4285-8bc3-1e192e1e1196?source=cve
https://plugins.trac.wordpress.org/browser/float-gateway/tags/1.1.9/index.php#L477
 
Fortinet--FortiClientEMS An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiClientEMS 7.4.3 through 7.4.4, FortiClientEMS 7.4.0 through 7.4.1, FortiClientEMS 7.2.0 through 7.2.10, FortiClientEMS 7.0 all versions may allow an authenticated attacker with at least read-only admin permission to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests. 2026-01-13 6.8 CVE-2025-59922 https://fortiguard.fortinet.com/psirt/FG-IR-25-735
 
Fortinet--FortiVoice An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7 allows a privileged attacker to delete files from the underlying filesystem via crafted HTTP or HTTPs requests. 2026-01-13 5.7 CVE-2025-58693 https://fortiguard.fortinet.com/psirt/FG-IR-25-778
 
GeoNetwork--GeoNetwork Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests. 2026-01-13 6.5 CVE-2022-50899 ExploitDB-50982
GeoNetwork Official Homepage
VulnCheck Advisory: Geonetwork 4.2.0 - XML External Entity (XXE)
 
Geovision--GeoVision Geowebserver GeoVision GeoWebServer 5.3.3 contains multiple vulnerabilities including local file inclusion, cross-site scripting, and remote code execution through improper input sanitization. Attackers can exploit the WebStrings.srf endpoint by manipulating path traversal and injection parameters to access system files and execute malicious scripts. 2026-01-15 6.2 CVE-2021-47795 ExploitDB-50211
GeoVision Cyber Security Page
VulnCheck Advisory: GeoVision Geowebserver 5.3.3 - Local FIle Inclusion
 
Gotac--Police Statistics Database System Police Statistics Database System developed by Gotac has a Absolute Path Traversal vulnerability, allowing unauthenticated remote attackers to enumerate the system file directory. 2026-01-16 5.3 CVE-2026-1020 https://www.twcert.org.tw/tw/cp-132-10637-3e4b3-1.html
https://www.twcert.org.tw/en/cp-139-10638-0e44b-2.html
 
gothamdev--Gotham Block Extra Light The Gotham Block Extra Light plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.5.0 via the 'ghostban' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. 2026-01-14 6.5 CVE-2025-15020 https://www.wordfence.com/threat-intel/vulnerabilities/id/b194b241-d8f4-430c-b00c-d84190026bad?source=cve
https://plugins.trac.wordpress.org/browser/gotham-block-extra-light/trunk/premium/ghostban.php?marks=56#L56
 
gothamdev--Gotham Block Extra Light The Gotham Block Extra Light plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-01-14 4.4 CVE-2025-15021 https://www.wordfence.com/threat-intel/vulnerabilities/id/b4c36899-3c7b-41b6-a38d-86c8834b4c03?source=cve
https://plugins.trac.wordpress.org/browser/gotham-block-extra-light/trunk/gothamblock.php?marks=463,470,495,500,504,519,564,578#L463
 
guillaumev--LinkedIn SC The LinkedIn SC plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'linkedin_sc_date_format', 'linkedin_sc_api_key', and 'linkedin_sc_secret_key' parameters in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. 2026-01-14 4.4 CVE-2026-0812 https://www.wordfence.com/threat-intel/vulnerabilities/id/1c4fd888-aeaf-4451-a151-8f884bc22f0b?source=cve
https://plugins.trac.wordpress.org/browser/linkedin-sc/tags/1.1.9/linkedin-sc.php#L164
https://plugins.trac.wordpress.org/browser/linkedin-sc/trunk/linkedin-sc.php#L164
 
gurayyarar--SnipCommand SnipCommand 0.1.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into command snippets. Attackers can execute arbitrary code by embedding malicious JavaScript that triggers remote command execution through file or title inputs. 2026-01-16 6.1 CVE-2021-47841 ExploitDB-49829
SnipCommand GitHub Repository
Proof of Concept Video
VulnCheck Advisory: SnipCommand 0.1.0 - Persistent Cross-Site Scripting
 
Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) A command injection vulnerability in AOS-8 allows an authenticated privileged user to alter a package header to inject shell commands, potentially affecting the execution of internal operations. Successful exploit could allow an authenticated malicious actor to execute commands with the privileges of the impacted mechanism. 2026-01-13 6.5 CVE-2025-37176 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US
 
Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) An arbitrary file deletion vulnerability has been identified in the command-line interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation of this vulnerability could allow an authenticated remote malicious actor to delete arbitrary files within the affected system. 2026-01-13 6.5 CVE-2025-37177 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US
 
Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) Multiple out-of-bounds read vulnerabilities were identified in a system component responsible for handling certain data buffers. Due to insufficient validation of maximum buffer size values, the process may attempt to read beyond the intended memory region. Under specific conditions, this can result in a crash of the affected process and a potential denial-of-service of the compromised process. 2026-01-13 5.3 CVE-2025-37178 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US
 
Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) Multiple out-of-bounds read vulnerabilities were identified in a system component responsible for handling certain data buffers. Due to insufficient validation of maximum buffer size values, the process may attempt to read beyond the intended memory region. Under specific conditions, this can result in a crash of the affected process and a potential denial-of-service of the compromised process. 2026-01-13 5.3 CVE-2025-37179 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US
 
Hewlett Packard Enterprise (HPE)--EdgeConnect SD-WAN Orchestrator A vulnerability exists in an Orchestrator service that could allow an unauthenticated remote attacker to bypass multi-factor authentication requirements. Successful exploitation could allow an attacker to create an admin user account without the necessary multi-factor authentication, thereby compromising the integrity of secured access to the system. 2026-01-14 6.5 CVE-2025-37184 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US
 
Hewlett Packard Enterprise (HPE)--EdgeConnect SD-WAN Orchestrator Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attacks against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface and thereby make unauthorized arbitrary configuration changes to the host. 2026-01-14 5.5 CVE-2025-37185 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US
 
Huawei--HarmonyOS Permission verification bypass vulnerability in the media library module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. 2026-01-14 6.2 CVE-2025-68959 https://consumer.huawei.com/en/support/bulletin/2026/1//
https://consumer.huawei.com/en/support/bulletinwearables/2026/1/
https://consumer.huawei.com/en/support/bulletinvision/2026/1/
 
Huawei--HarmonyOS Data verification vulnerability in the HiView module. Impact: Successful exploitation of this vulnerability may affect availability. 2026-01-14 6.2 CVE-2025-68964 https://consumer.huawei.com/en/support/bulletin/2026/1//
https://consumer.huawei.com/en/support/bulletinlaptops/2026/1//
https://consumer.huawei.com/en/support/bulletinwearables/2026/1/
https://consumer.huawei.com/en/support/bulletinvision/2026/1/
 
Huawei--HarmonyOS Multi-thread race condition vulnerability in the thermal management module. Impact: Successful exploitation of this vulnerability may affect availability. 2026-01-14 6.8 CVE-2025-68969 https://consumer.huawei.com/en/support/bulletin/2026/1//
https://consumer.huawei.com/en/support/bulletinlaptops/2026/1//
 
Huawei--HarmonyOS Permission verification bypass vulnerability in the media library module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. 2026-01-14 6.1 CVE-2025-68970 https://consumer.huawei.com/en/support/bulletin/2026/1//
https://consumer.huawei.com/en/support/bulletinwearables/2026/1/
https://consumer.huawei.com/en/support/bulletinvision/2026/1/
 
Huawei--HarmonyOS Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability. 2026-01-14 5.1 CVE-2025-68961 https://consumer.huawei.com/en/support/bulletin/2026/1//
https://consumer.huawei.com/en/support/bulletinlaptops/2026/1//
 
Huawei--HarmonyOS Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability. 2026-01-14 5.1 CVE-2025-68962 https://consumer.huawei.com/en/support/bulletin/2026/1//
https://consumer.huawei.com/en/support/bulletinlaptops/2026/1//
 
Huawei--HarmonyOS Man-in-the-middle attack vulnerability in the Clone module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. 2026-01-14 5.7 CVE-2025-68963 https://consumer.huawei.com/en/support/bulletin/2026/1//
 
Huawei--HarmonyOS Permission control vulnerability in the Notepad module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. 2026-01-14 5.1 CVE-2025-68966 https://consumer.huawei.com/en/support/bulletin/2026/1//
https://consumer.huawei.com/en/support/bulletinlaptops/2026/1//
https://consumer.huawei.com/en/support/bulletinvision/2026/1/
 
Huawei--HarmonyOS Vulnerability of improper permission control in the print module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. 2026-01-14 5.7 CVE-2025-68967 https://consumer.huawei.com/en/support/bulletin/2026/1//
https://consumer.huawei.com/en/support/bulletinlaptops/2026/1//
 
Huawei--HarmonyOS Permission control vulnerability in the Notepad module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. 2026-01-14 4.7 CVE-2025-68965 https://consumer.huawei.com/en/support/bulletin/2026/1//
https://consumer.huawei.com/en/support/bulletinlaptops/2026/1//
https://consumer.huawei.com/en/support/bulletinvision/2026/1/
 
Istio--Istio Istio through 1.28.2 allows iptables rule injection for changing firewall behavior via the traffic.sidecar.istio.io/excludeInterfaces annotation. NOTE: the reporter's position is "this doesn't represent a security vulnerability (pod creators can already exclude sidecar injection entirely)." 2026-01-15 4.1 CVE-2026-23766 https://github.com/istio/istio/issues/58781
https://github.com/istio/istio/pull/58785
 
itsourcecode--Society Management System A vulnerability was detected in itsourcecode Society Management System 1.0. Impacted is an unknown function of the file /admin/add_activity.php. Performing a manipulation of the argument Title results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. 2026-01-18 6.3 CVE-2026-1118 VDB-341710 | itsourcecode Society Management System add_activity.php sql injection
VDB-341710 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #734289 | itsourcecode Society Management System V1.0 SQL injection
https://github.com/AriazzzZ/CVE/issues/2
https://itsourcecode.com/
 
jackdewey--Community Events The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events via the 'eventlist' parameter. 2026-01-17 5.3 CVE-2025-14029 https://www.wordfence.com/threat-intel/vulnerabilities/id/098c3f4c-b6bc-462a-98ef-30e6a68d74cf?source=cve
https://plugins.trac.wordpress.org/browser/community-events/trunk/community-events.php#L160
https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.5/community-events.php#L160
https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.5/community-events.php#L64
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3437116%40community-events&new=3437116%40community-events&sfp_email=&sfph_mail=
 
jersou--Markdown Explorer Markdown Explorer 0.1.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through file uploads and editor inputs. Attackers can upload markdown files with embedded JavaScript payloads to execute remote commands and potentially gain system access. 2026-01-16 6.1 CVE-2021-47836 ExploitDB-49826
Markdown Explorer GitHub Repository
Proof of Concept Video
VulnCheck Advisory: Markdown Explorer 0.1.1 - Persistent Cross-Site Scripting
 
jokkedk--Webgrind Webgrind 1.1 and before contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts via the file parameter in index.php. The application does not sufficiently encode user-controlled inputs, allowing attackers to execute arbitrary JavaScript in victim's browsers by crafting malicious URLs. 2026-01-13 6.1 CVE-2023-54341 ExploitDB-51074
Webgrind GitHub Repository
VulnCheck Advisory: Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) via file Parameter
 
Juniper Networks--Junos OS An Improper Handling of Exceptional Conditions vulnerability in packet processing of Juniper Networks Junos OS allows an unauthenticated, network-adjacent attacker sending a specifically malformed ICMP packet to cause an FPC to crash and restart, resulting in a Denial of Service (DoS). When an ICMP packet is received with a specifically malformed IP header value, the FPC receiving the packet crashes and restarts. Due to the specific type of malformed packet, adjacent upstream routers would not forward the packet, limiting the attack surface to adjacent networks. This issue only affects ICMPv4. ICMPv6 is not vulnerable to this issue. This issue affects Junos OS:  * all versions before 21.2R3-S9,  * from 21.4 before 21.4R3-S10,  * from 22.2 before 22.2R3-S7,  * from 22.3 before 22.3R3-S4,  * from 22.4 before 22.4R3-S5,  * from 23.2 before 23.2R2-S3,  * from 23.4 before 23.4R2-S3,  * from 24.2 before 24.2R1-S2, 24.2R2. 2026-01-15 6.5 CVE-2026-0203 https://supportportal.juniper.net/JSA104294
https://kb.juniper.net/JSA104294
 
Juniper Networks--Junos OS A Stack-based Buffer Overflow vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS allows a network-based attacker, authenticated with low privileges to cause a Denial-of-Service (DoS). Subscribing to telemetry sensors at scale causes all FPC connections to drop, resulting in an FPC crash and restart. The issue was not seen when YANG packages for the specific sensors were installed. This issue affects Junos OS:  * all versions before 22.4R3-S7, * 23.2 version before 23.2R2-S4, * 23.4 versions before 23.4R2. 2026-01-15 6.5 CVE-2026-21903 https://supportportal.juniper.net/JSA106022
https://kb.juniper.net/JSA106022
 
Juniper Networks--Junos OS A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated attacker controlling an adjacent IS-IS neighbor to send a specific update packet causing a memory leak. Continued receipt and processing of these packets will exhaust all available memory, crashing rpd and creating a Denial of Service (DoS) condition. Memory usage can be monitored through the use of the 'show task memory detail' command. For example: user@junos> show task memory detail | match ted-infra   TED-INFRA-COOKIE           25   1072     28   1184     229 user@junos> show task memory detail | match ted-infra   TED-INFRA-COOKIE           31   1360     34   1472     307 This issue affects: Junos OS:  * from 23.2 before 23.2R2,  * from 23.4 before 23.4R1-S2, 23.4R2,  * from 24.1 before 24.1R2;  Junos OS Evolved:  * from 23.2 before 23.2R2-EVO,  * from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO,  * from 24.1 before 24.1R2-EVO. This issue does not affect Junos OS versions before 23.2R1 or Junos OS Evolved versions before 23.2R1-EVO. 2026-01-15 6.5 CVE-2026-21909 https://supportportal.juniper.net/JSA106008
https://kb.juniper.net/JSA106008
 
Juniper Networks--Junos OS An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on EX4k Series and QFX5k Series platforms allows an unauthenticated network-adjacent attacker flapping an interface to cause traffic between VXLAN Network Identifiers (VNIs) to drop, leading to a Denial of Service (DoS). On all EX4k and QFX5k platforms, a link flap in an EVPN-VXLAN configuration Link Aggregation Group (LAG) results in Inter-VNI traffic dropping when there are multiple load-balanced next-hop routes for the same destination. This issue is only applicable to systems that support EVPN-VXLAN Virtual Port-Link Aggregation Groups (VPLAG), such as the QFX5110, QFX5120, QFX5200, EX4100, EX4300, EX4400, and EX4650. Service can only be restored by restarting the affected FPC via the 'request chassis fpc restart slot <slot-number>' command. This issue affects Junos OS on EX4k and QFX5k Series:  * all versions before 21.4R3-S12,  * all versions of 22.2 * from 22.4 before 22.4R3-S8,  * from 23.2 before 23.2R2-S5,  * from 23.4 before 23.4R2-S5,  * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2. 2026-01-15 6.5 CVE-2026-21910 https://supportportal.juniper.net/JSA106009
https://kb.juniper.net/JSA106009
 
Juniper Networks--Junos OS A Use After Free vulnerability in the chassis daemon (chassisd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker authenticated with low privileges to cause a Denial-of-Service (DoS). When telemetry collectors are frequently subscribing and unsubscribing to sensors continuously over a long period of time, telemetry-capable processes like chassisd, rpd or mib2d will crash and restart, which - depending on the process - can cause a complete outage until the system has recovered. This issue affects:  Junos OS:  * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-EVO. 2026-01-15 6.5 CVE-2026-21921 https://supportportal.juniper.net/JSA106021
https://kb.juniper.net/JSA106021
 
Juniper Networks--Junos OS An Untrusted Pointer Dereference vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, authenticated attacker with low privileges to cause a Denial-of-Service (DoS). When the command 'show route < ( receive-protocol | advertising-protocol ) bgp > detail' is executed, and at least one of the routes in the intended output has specific attributes, this will cause an rpd crash and restart. 'show route ... extensive' is not affected. This issue affects: Junos OS:  * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S5, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO,  * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-S6-EVO, * 24.2 versions before 24.2R2-S2-EVO, * 24.4 versions before 24.4R2-EVO. 2026-01-15 5.5 CVE-2025-59959 https://supportportal.juniper.net/
https://kb.juniper.net/JSA103148
 
Juniper Networks--Junos OS An Incorrect Permission Assignment for Critical Resource vulnerability in the Juniper DHCP daemon (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged user to write to the Unix socket used to manage the jdhcpd process, resulting in complete control over the resource. This vulnerability allows any low-privileged user logged into the system to connect to the Unix socket and issue commands to manage the DHCP service, in essence, taking administrative control of the local DHCP server or DHCP relay. This issue affects: Junos OS: * all versions before 21.2R3-S10, * all versions of 22.2, * from 21.4 before 21.4R3-S12, * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R2-S2, * from 24.4 before 24.4R2, * from 25.2 before 25.2R1-S1, 25.2R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * from 23.2 before 23.2R2-S5-EVO, * from 23.4 before 23.4R2-S6-EVO, * from 24.2 before 24.2R2-S2-EVO, * from 24.4 before 24.4R2-EVO, * from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO. 2026-01-15 5.5 CVE-2025-59961 https://supportportal.juniper.net/
https://kb.juniper.net/JSA103150
 
Juniper Networks--Junos OS A NULL Pointer Dereference vulnerability in the chassis daemon (chassisd) of Juniper Networks Junos OS on MX, SRX and EX Series allows a local attacker with low privileges to cause a Denial-of-Service (DoS). When a user executes the 'show chassis' command with specifically crafted options, chassisd will crash and restart. Due to this all components but the Routing Engine (RE) in the chassis are reinitialized, which leads to a complete service outage, which the system automatically recovers from. This issue affects: Junos OS on MX, SRX and EX Series:  * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2. 2026-01-15 5.5 CVE-2025-60007 https://supportportal.juniper.net/
https://kb.juniper.net/JSA103173
 
Juniper Networks--Junos OS An Improper Check for Unusual or Exceptional Conditions vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause an availability impact for downstream devices. When an affected device receives a specific optional, transitive BGP attribute over an existing BGP session, it will be erroneously modified before propagation to peers. When the attribute is detected as malformed by the peers, these peers will most likely terminate the BGP sessions with the affected devices and thereby cause an availability impact due to the resulting routing churn. This issue affects: Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5 * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2; Junos OS Evolved:  * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-S6-EVO, * 24.2 versions before 24.2R2-S2-EVO, * 24.4 versions before 24.4R2-EVO. 2026-01-15 5.8 CVE-2025-60011 https://supportportal.juniper.net/
https://kb.juniper.net/JSA103161
 
Juniper Networks--Junos OS A Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in the method to collect FPC Ethernet firmware statistics of Juniper Networks Junos OS on MX10k Series allows a local, low-privileged attacker executing the 'show system firmware' CLI command to cause an LC480 or LC2101 line card to reset. On MX10k Series systems with LC480 or LC2101 line cards, repeated execution of the 'show system firmware' CLI command can cause the line card to crash and restart. Additionally, some time after the line card crashes, chassisd may also crash and restart, generating a core dump.This issue affects Junos OS on MX10k Series:  * all versions before 21.2R3-S10,  * from 21.4 before 21.4R3-S9,  * from 22.2 before 22.2R3-S7,  * from 22.4 before 22.4R3-S6,  * from 23.2 before 23.2R2-S2,  * from 23.4 before 23.4R2-S3,  * from 24.2 before 24.2R2. 2026-01-15 5.5 CVE-2026-21912 https://supportportal.juniper.net/JSA106011
https://kb.juniper.net/JSA106011
 
Juniper Networks--Junos OS Evolved An Incorrect Calculation vulnerability in the Layer 2 Control Protocol Daemon (l2cpd) of Juniper Networks Junos OS Evolved allows an unauthenticated network-adjacent attacker flapping the management interface to cause the learning of new MACs over label-switched interfaces (LSI) to stop while generating a flood of logs, resulting in high CPU usage. When the issue is seen, the following log message will be generated: op:1 flag:0x6 mac:xx:xx:xx:xx:xx:xx bd:2 ifl:13302 reason:0(REASON_NONE) i-op:6(INTRNL_OP_HW_FORCE_DELETE) status:10 lstatus:10 err:26(GETIFBD_VALIDATE_FAILED) err-reason 4(IFBD_VALIDATE_FAIL_EPOCH_MISMATCH) hw_wr:0x4 ctxsync:0 fwdsync:0 rtt-id:51 p_ifl:0 fwd_nh:0 svlbnh:0 event:- smask:0x100000000 dmask:0x0 mplsmask 0x1 act:0x5800 extf:0x0 pfe-id 0 hw-notif-ifl 13302 programmed-ifl 4294967295 pseudo-vtep underlay-ifl-idx 0 stack:GET_MAC, ALLOCATE_MAC, GET_IFL, GET_IFF, GET_IFBD, STOP, This issue affects Junos OS Evolved:  * all versions before 21.4R3-S7-EVO,  * from 22.2 before 22.2R3-S4-EVO,  * from 22.3 before 22.3R3-S3-EVO,  * from 22.4 before 22.4R3-S2-EVO,  * from 23.2 before 23.2R2-S1-EVO,  * from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO. 2026-01-15 6.5 CVE-2026-21911 https://supportportal.juniper.net/JSA106010
https://kb.juniper.net/JSA106010
 
Juniper Networks--Junos Space A Use of a Broken or Risky Cryptographic Algorithm vulnerability in the TLS/SSL server of Juniper Networks Junos Space allows the use of static key ciphers (ssl-static-key-ciphers), reducing the confidentiality of on-path traffic communicated across the connection. These ciphers also do not support Perfect Forward Secrecy (PFS), affecting the long-term confidentiality of encrypted communications.This issue affects all versions of Junos Space before 24.1R5. 2026-01-15 5.9 CVE-2026-21907 https://supportportal.juniper.net/JSA106006
https://kb.juniper.net/JSA106006
 
Juniper Networks--Paragon Automation (Pathfinder, Planner, Insights) A clickjacking vulnerability exists in the web portal of Juniper Networks Paragon Automation (Pathfinder, Planner, Insights) due to the application's failure to set appropriate X-Frame-Options and X-Content-Type HTTP headers. This vulnerability allows an attacker to trick users into interacting with the interface under the attacker's control.  This issue affects all versions of Paragon Automation (Pathfinder, Planner, Insights) before 24.1.1. 2026-01-15 6.1 CVE-2025-52987 https://supportportal.juniper.net/
https://kb.juniper.net/JSA103145
 
kalcaddle--kodbox A vulnerability was detected in kalcaddle kodbox up to 1.61.10. This issue affects some unknown processing of the file /?explorer/index/zip of the component Compression Handler. The manipulation results in command injection. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-17 6.3 CVE-2026-1066 VDB-341665 | kalcaddle kodbox Compression zip command injection
VDB-341665 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731436 | kalcaddle kodbox <=1.61.10 Command Injection
https://github.com/DReazer/CV3/blob/main/Krce.md
 
keesiemeijer--Related Posts by Taxonomy The Related Posts by Taxonomy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'related_posts_by_tax' shortcode in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-16 6.4 CVE-2026-0916 https://www.wordfence.com/threat-intel/vulnerabilities/id/0582fe7d-884c-4019-837a-861d36ccc842?source=cve
https://plugins.trac.wordpress.org/browser/related-posts-by-taxonomy/tags/2.7.6/includes/functions.php#L259
 
kimai--kimai Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue. 2026-01-18 6.8 CVE-2026-23626 https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg
https://github.com/kimai/kimai/pull/5757
https://github.com/kimai/kimai/commit/6a86afb5fd79f6c1825060b87c09bd1909c2e86f
https://github.com/kimai/kimai/releases/tag/2.46.0
 
kiwicommerce--PDF Resume Parser The PDF Resume Parser plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0. This is due to the plugin registering an AJAX action handler that is accessible to unauthenticated users and exposes SMTP configuration data including credentials. This makes it possible for unauthenticated attackers to extract sensitive SMTP credentials (username and password) from the WordPress configuration, which could be leveraged to compromise email accounts and potentially gain unauthorized access to other systems using the same credentials. 2026-01-14 5.3 CVE-2025-14464 https://www.wordfence.com/threat-intel/vulnerabilities/id/8a84bcc2-23e0-4624-89a4-7bbb1b34c498?source=cve
https://plugins.trac.wordpress.org/browser/pdf-resume-parser/trunk/pdf-resume-parser.php#L309
https://plugins.trac.wordpress.org/browser/pdf-resume-parser/tags/1.0/pdf-resume-parser.php#L309
 
kunzemarketing--Kunze Law The Kunze Law plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's shortcode in all versions up to, and including, 2.1 due to the plugin fetching HTML content from a remote server and injecting it into pages without any sanitization or escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. Additional presence of a path traversal vulnerability in the shortcode name allows writing malicious HTML files to arbitrary writable locations on the server. 2026-01-14 4.4 CVE-2025-15486 https://www.wordfence.com/threat-intel/vulnerabilities/id/f7957619-e562-4043-920d-275c58684328?source=cve
https://plugins.trac.wordpress.org/browser/kunze-law/tags/2.1/kunze-law.php#L406
https://plugins.trac.wordpress.org/browser/kunze-law/tags/2.1/kunze-law.php#L531
 
Laborator--Kalium 3 | Creative WordPress & WooCommerce Theme The Kalium 3 | Creative WordPress & WooCommerce Theme theme for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the kalium_vc_contact_form_request() function in all versions up to, and including, 3.29. This makes it possible for unauthenticated attackers to use the theme an an open mail relay and send email to arbitrary email addresses on the server's behalf. 2026-01-15 5.3 CVE-2025-12895 https://www.wordfence.com/threat-intel/vulnerabilities/id/0e65a794-1901-4e54-be4f-9422fe444057?source=cve
https://themeforest.net/item/kalium-creative-theme-for-professionals/10860525
https://documentation.laborator.co/kb/kalium/kalium-changelog/
 
LabRedesCefetRJ--WeGIA WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/atendido/cadastro_ocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-controlled data before rendering it inside the "Atendido" selection dropdown. This vulnerability is fixed in 3.6.2. 2026-01-16 4.3 CVE-2026-23724 https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-3r3q-8573-g3cq
https://github.com/LabRedesCefetRJ/WeGIA/pull/1333
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2
 
LabRedesCefetRJ--WeGIA WeGIA is a web manager for charitable institutions. Prior to 3.6.2, The web application is vulnerable to clickjacking attacks. The WeGIA application does not send any defensive HTTP headers related to framing protection. In particular, X-Frame-Options is missing andContent-Security-Policy with frame-ancestors directive is not configured. Because of this, an attacker can load any WeGIA page inside a malicious HTML document, overlay deceptive elements, hide real buttons, or force accidental interaction with sensitive workflows. This vulnerability is fixed in 3.6.2. 2026-01-16 4.3 CVE-2026-23731 https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-99qp-hjvh-c59q
https://github.com/LabRedesCefetRJ/WeGIA/pull/1333
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2
 
Lenovo--ThinkPad L13 Gen 6 BIOS A potential vulnerability was reported in the BIOS of L13 Gen 6, L13 Gen 6 2-in-1, L14 Gen 6, and L16 Gen 2 ThinkPads which could result in Secure Boot being disabled even when configured as "On" in the BIOS setup menu. This issue only affects systems where Secure Boot is set to User Mode. 2026-01-14 6.5 CVE-2026-0421 https://support.lenovo.com/us/en/product_security/LEN-210688
 
Lenovo--ThinkPlus FU100 A potential vulnerability was reported in some ThinkPlus USB drives that could allow a user with physical access to read data stored on the drive. 2026-01-14 6.8 CVE-2025-13453 https://iknow.lenovo.com.cn/detail/436983
 
Lenovo--ThinkPlus FU100 A potential vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to gain access to sensitive device information. 2026-01-14 4.7 CVE-2025-13454 https://iknow.lenovo.com.cn/detail/436983
 
Lenovo--Vantage An improper link following vulnerability was reported in the SmartPerformanceAddin for Lenovo Vantage that could allow an authenticated local user to perform an arbitrary file deletion with elevated privileges. 2026-01-14 5.5 CVE-2025-13154 https://support.lenovo.com/us/en/product_security/LEN-208293
 
linknacional--Rede Ita for WooCommerce Payment PIX, Credit Card and Debit The Rede Itaú for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and including, 5.1.2. This is due to the plugin failing to verify the authenticity of payment callbacks. This makes it possible for unauthenticated attackers to manipulate WooCommerce order statuses, either marking unpaid orders as paid, or failed. 2026-01-16 5.3 CVE-2026-0939 https://www.wordfence.com/threat-intel/vulnerabilities/id/722c666b-913f-4289-82e6-30aa0a3abc2b?source=cve
https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L45
https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L460
https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L710
 
linknacional--Rede Ita for WooCommerce Payment PIX, Credit Card and Debit The Rede Itaú for WooCommerce - Payment PIX, Credit Card and Debit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clearOrderLogs() function in all versions up to, and including, 5.1.2. This makes it possible for unauthenticated attackers to delete the Rede Order Logs metadata from all WooCommerce orders. 2026-01-16 5.3 CVE-2026-0942 https://www.wordfence.com/threat-intel/vulnerabilities/id/4927c060-f2b2-4916-b049-1442bba63e98?source=cve
https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L42
https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L58
 
lobehub--lobe-chat LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed `electronAPI` IPC bridge, allowing attackers to run arbitrary system commands on the victim's machine. Version 2.0.0-next.180 patches the issue. 2026-01-18 6.4 CVE-2026-23733 https://github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443
 
logiceverest--Shipping Rates by City for WooCommerce The Flat Shipping Rate by City for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'cities' parameter in all versions up to, and including, 1.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-01-14 4.9 CVE-2026-0678 https://www.wordfence.com/threat-intel/vulnerabilities/id/4ada476b-6978-4c38-a5d3-67266a709a3e?source=cve
https://plugins.trac.wordpress.org/browser/flat-shipping-rate-by-city-for-woocommerce/trunk/shipping-method-class.php#L154
https://plugins.trac.wordpress.org/browser/flat-shipping-rate-by-city-for-woocommerce/tags/1.0.3/shipping-method-class.php#L154
 
lottiefile--LottieFiles Lottie block for Gutenberg The LottieFiles - Lottie block for Gutenberg plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.0 via the `/wp-json/lottiefiles/v1/settings/` REST API endpoint. This makes it possible for unauthenticated attackers to retrieve the site owner's LottieFiles.com account credentials including their API access token and email address when the 'Share LottieFiles account with other WordPress users' option is enabled. 2026-01-14 5.3 CVE-2026-0717 https://www.wordfence.com/threat-intel/vulnerabilities/id/19b159ca-4b41-48b4-880d-9b9dc44b3463?source=cve
https://plugins.trac.wordpress.org/browser/lottiefiles/tags/3.0.0/src/common.php?marks=21,122#L21
 
lwj--flow A security vulnerability has been detected in lwj flow up to a3d2fe8133db9d3b50fda4f66f68634640344641. This affects the function uploadFile of the file \flow-master\flow-front-rest\src\main\java\com\dragon\flow\web\resource\flow\FormResource.java of the component SVG File Handler. The manipulation of the argument File leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet. 2026-01-18 6.3 CVE-2026-1126 VDB-341718 | lwj flow SVG File FormResource.java uploadFile unrestricted upload
VDB-341718 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #735122 | https://gitee.com/lwj/flow flowable 1.0 Arbitrary File Upload
https://gitee.com/lwj/flow/issues/IDIQSE
 
mailerlite--MailerLite WooCommerce integration The MailerLite - WooCommerce integration plugin for WordPress is vulnerable to unauthorized data modification and deletion in all versions up to, and including, 3.1.3. This is due to missing capability checks on the resetIntegration() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's integration settings, delete all plugin options, and drop the plugin's database tables (woo_mailerlite_carts and woo_mailerlite_jobs), resulting in complete loss of plugin data including customer abandoned cart information and sync job history. 2026-01-16 6.5 CVE-2026-1000 https://www.wordfence.com/threat-intel/vulnerabilities/id/e20deec4-f40c-4bd3-91f7-6a9d643a5520?source=cve
https://plugins.trac.wordpress.org/browser/woo-mailerlite/tags/3.1.3/includes/WooMailerLite.php#L127
https://plugins.trac.wordpress.org/browser/woo-mailerlite/tags/3.1.3/admin/controllers/WooMailerLiteAdminSettingsController.php#L231
https://plugins.trac.wordpress.org/browser/woo-mailerlite/tags/3.1.3/includes/migrations/WooMailerLiteMigration.php#L33
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3415073%40woo-mailerlite%2Ftrunk&old=3399626%40woo-mailerlite%2Ftrunk&sfp_email=&sfph_mail=
 
makesweat--Makesweat The Makesweat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'makesweat_clubid' setting in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-14 4.4 CVE-2025-13627 https://www.wordfence.com/threat-intel/vulnerabilities/id/88dec08d-cb27-4ea8-853e-0c12dd0a6ab6?source=cve
https://it.wordpress.org/plugins/makesweat/
https://plugins.trac.wordpress.org/browser/makesweat/trunk/makesweat.php#L64
https://plugins.trac.wordpress.org/browser/makesweat/tags/0.1/makesweat.php#L64
https://plugins.trac.wordpress.org/browser/makesweat/trunk/makesweat.php#L85
https://plugins.trac.wordpress.org/browser/makesweat/tags/0.1/makesweat.php#L85
 
mallsop--List Site Contributors The List Site Contributors plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'alpha' parameter in versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2026-01-14 6.1 CVE-2026-0594 https://www.wordfence.com/threat-intel/vulnerabilities/id/026a2e0d-4d30-4133-9118-055026aa9f4a?source=cve
https://plugins.trac.wordpress.org/browser/list-site-contributors/trunk/list-site-contributors.php#L435
https://plugins.trac.wordpress.org/browser/list-site-contributors/tags/1.1.8/list-site-contributors.php#L435
 
Mattermost--Mattermost Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops. 2026-01-16 6.8 CVE-2025-14435 https://mattermost.com/security-updates
 
memsource--Phrase TMS Integration for WordPress The Phrase TMS Integration for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_delete_log' AJAX endpoint in all versions up to, and including, 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete log files. 2026-01-17 4.3 CVE-2025-12168 https://www.wordfence.com/threat-intel/vulnerabilities/id/396f2426-7bc4-4221-bc48-920bec5af6e5?source=cve
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3426034%40memsource-connector&new=3426034%40memsource-connector&sfp_email=&sfph_mail=
 
metagauss--EventPrime Events Calendar, Bookings and Tickets The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive booking data including user names, email addresses, ticket details, payment information, and order keys when the API is enabled by an administrator. The vulnerability was partially patched in version 4.2.7.0. 2026-01-13 5.3 CVE-2025-14507 https://www.wordfence.com/threat-intel/vulnerabilities/id/4b170ed1-72ee-40b6-9882-e978d630f6bb?source=cve
https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-eventprime-rest-api.php#L447
https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-eventprime-rest-api.php#L651
https://plugins.trac.wordpress.org/changeset/3422587/
https://plugins.trac.wordpress.org/changeset/3432454/
 
Microsoft--Microsoft SharePoint Enterprise Server 2016 Server-side request forgery (ssrf) in Microsoft Office SharePoint allows an authorized attacker to disclose information over a network. 2026-01-13 5.4 CVE-2026-20958 Microsoft SharePoint Information Disclosure Vulnerability
 
Microsoft--Microsoft SharePoint Enterprise Server 2016 Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. 2026-01-13 4.6 CVE-2026-20959 Microsoft SharePoint Server Spoofing Vulnerability
 
Microsoft--Windows 10 Version 1809 Improper input validation in Windows LDAP - Lightweight Directory Access Protocol allows an authorized attacker to perform tampering over a network. 2026-01-13 6.5 CVE-2026-20812 LDAP Tampering Vulnerability
 
Microsoft--Windows 10 Version 1809 Exposure of sensitive information to an unauthorized actor in Windows Remote Procedure Call allows an unauthorized attacker to disclose information locally. 2026-01-13 6.2 CVE-2026-20821 Remote Procedure Call Information Disclosure Vulnerability
 
Microsoft--Windows 10 Version 1809 Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to perform spoofing over a network. 2026-01-13 6.5 CVE-2026-20847 Microsoft Windows File Explorer Spoofing Vulnerability
 
Microsoft--Windows 10 Version 1809 External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. 2026-01-13 6.5 CVE-2026-20872 NTLM Hash Disclosure Spoofing Vulnerability
 
Microsoft--Windows 10 Version 1809 External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. 2026-01-13 6.5 CVE-2026-20925 NTLM Hash Disclosure Spoofing Vulnerability
 
Microsoft--Windows 10 Version 1809 Windows Secure Boot stores Microsoft certificates in the UEFI KEK and DB. These original certificates are approaching expiration, and devices containing affected certificate versions must update them to maintain Secure Boot functionality and avoid compromising security by losing security fixes related to Windows boot manager or Secure Boot. The operating system's certificate update protection mechanism relies on firmware components that might contain defects, which can cause certificate trust updates to fail or behave unpredictably. This leads to potential disruption of the Secure Boot trust chain and requires careful validation and deployment to restore intended security guarantees. Certificate Authority (CA) Location Purpose Expiration Date Microsoft Corporation KEK CA 2011 KEK Signs updates to the DB and DBX 06/24/2026 Microsoft Corporation UEFI CA 2011 DB Signs 3rd party boot loaders, Option ROMs, etc. 06/27/2026 Microsoft Windows Production PCA 2011 DB Signs the Windows Boot Manager 10/19/2026 For more information see this CVE and Windows Secure Boot certificate expiration and CA updates. 2026-01-13 6.4 CVE-2026-21265 Secure Boot Certificate Expiration Security Feature Bypass Vulnerability
 
Microsoft--Windows 10 Version 1809 Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally. 2026-01-13 5.5 CVE-2026-20805 Desktop Window Manager Information Disclosure Vulnerability
 
Microsoft--Windows 10 Version 1809 Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. 2026-01-13 5.5 CVE-2026-20823 Windows File Explorer Information Disclosure Vulnerability
 
Microsoft--Windows 10 Version 1809 Protection mechanism failure in Windows Remote Assistance allows an unauthorized attacker to bypass a security feature locally. 2026-01-13 5.5 CVE-2026-20824 Windows Remote Assistance Security Feature Bypass Vulnerability
 
Microsoft--Windows 10 Version 1809 Exposure of sensitive information to an unauthorized actor in Tablet Windows User Interface (TWINUI) Subsystem allows an authorized attacker to disclose information locally. 2026-01-13 5.5 CVE-2026-20827 Tablet Windows User Interface (TWINUI) Subsystem Information Disclosure Vulnerability
 
Microsoft--Windows 10 Version 1809 Out-of-bounds read in Windows TPM allows an authorized attacker to disclose information locally. 2026-01-13 5.5 CVE-2026-20829 TPM Trustlet Information Disclosure Vulnerability
 
Microsoft--Windows 10 Version 1809 Improper access control in Windows Client-Side Caching (CSC) Service allows an authorized attacker to disclose information locally. 2026-01-13 5.5 CVE-2026-20839 Windows Client-Side Caching (CSC) Service Information Disclosure Vulnerability
 
Microsoft--Windows 10 Version 1809 Exposure of sensitive information to an unauthorized actor in Windows Management Services allows an authorized attacker to disclose information locally. 2026-01-13 5.5 CVE-2026-20862 Windows Management Services Information Disclosure Vulnerability
 
Microsoft--Windows 10 Version 1809 Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to deny service over a network. 2026-01-13 5.3 CVE-2026-20927 Windows SMB Server Denial of Service Vulnerability
 
Microsoft--Windows 10 Version 1809 Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. 2026-01-13 5.5 CVE-2026-20932 Windows File Explorer Information Disclosure Vulnerability
 
Microsoft--Windows 10 Version 1809 Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. 2026-01-13 5.5 CVE-2026-20937 Windows File Explorer Information Disclosure Vulnerability
 
Microsoft--Windows 10 Version 1809 Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. 2026-01-13 5.5 CVE-2026-20939 Windows File Explorer Information Disclosure Vulnerability
 
Microsoft--Windows 10 Version 1809 Improper access control in Windows Hyper-V allows an authorized attacker to disclose information locally. 2026-01-13 4.4 CVE-2026-20825 Windows Hyper-V Information Disclosure Vulnerability
 
Microsoft--Windows 10 Version 1809 Out-of-bounds read in Windows Internet Connection Sharing (ICS) allows an unauthorized attacker to disclose information with a physical attack. 2026-01-13 4.6 CVE-2026-20828 Windows rndismp6.sys Information Disclosure Vulnerability
 
Microsoft--Windows 10 Version 1809 Absolute path traversal in Windows Shell allows an unauthorized attacker to perform spoofing with a physical attack. 2026-01-13 4.6 CVE-2026-20834 Windows Spoofing Vulnerability
 
Microsoft--Windows 10 Version 1809 Out-of-bounds read in Windows NDIS allows an authorized attacker to disclose information with a physical attack. 2026-01-13 4.3 CVE-2026-20936 Windows NDIS Information Disclosure Vulnerability
 
Microsoft--Windows 11 Version 25H2 Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an unauthorized attacker to disclose information locally. 2026-01-13 6.2 CVE-2026-20935 Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability
 
Microsoft--Windows 11 Version 25H2 Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to disclose information locally. 2026-01-13 5.5 CVE-2026-20819 Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability
 
Microsoft--Windows 11 Version 25H2 Use of uninitialized resource in Dynamic Root of Trust for Measurement (DRTM) allows an authorized attacker to disclose information locally. 2026-01-13 4.4 CVE-2026-20962 Dynamic Root of Trust for Measurement (DRTM) Information Disclosure Vulnerability
 
Microsoft--Windows Server 2019 Insertion of sensitive information into log file in Windows Kernel allows an unauthorized attacker to disclose information locally. 2026-01-13 6.2 CVE-2026-20818 Windows Kernel Information Disclosure Vulnerability
 
Microsoft--Windows Server 2019 Use of a broken or risky cryptographic algorithm in Windows Kerberos allows an authorized attacker to disclose information locally. 2026-01-13 5.5 CVE-2026-20833 Windows Kerberos Information Disclosure Vulnerability
 
Microsoft--Windows Server 2022 Generation of error message containing sensitive information in Windows Kernel allows an authorized attacker to disclose information locally. 2026-01-13 5.5 CVE-2026-20838 Windows Kernel Information Disclosure Vulnerability
 
Microsoft--Windows Server 2025 (Server Core installation) Out-of-bounds read in Capability Access Management Service (camsvc) allows an unauthorized attacker to disclose information locally. 2026-01-13 6.2 CVE-2026-20851 Capability Access Management Service (camsvc) Information Disclosure Vulnerability
 
Microsoft--Windows Server 2025 (Server Core installation) Heap-based buffer overflow in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to elevate privileges locally. 2026-01-13 6.7 CVE-2026-20876 Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability
 
Microsoft--Windows Server 2025 (Server Core installation) Out-of-bounds read in Capability Access Management Service (camsvc) allows an authorized attacker to disclose information locally. 2026-01-13 5.5 CVE-2026-20835 Capability Access Management Service (camsvc) Information Disclosure Vulnerability
 
monetizemore--Advanced Ads  Ad Manager & AdSense The Advanced Ads - Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-01-17 4.9 CVE-2025-12984 https://www.wordfence.com/threat-intel/vulnerabilities/id/729e8a06-abaa-4468-8a80-1e5c6cbace92?source=cve
https://plugins.trac.wordpress.org/browser/advanced-ads/tags/2.0.13/includes/admin/class-placement-list-table.php#L254
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429511%40advanced-ads&new=3429511%40advanced-ads&sfp_email=&sfph_mail=
 
mPDF--mPDF mPDF 7.0 contains a local file inclusion vulnerability that allows attackers to read arbitrary system files by manipulating annotation file parameters. Attackers can generate URL-encoded or base64 payloads to include local files through crafted annotation content with file path specifications. 2026-01-13 6.2 CVE-2022-50897 ExploitDB-50995
Official mPDF Project Homepage
VulnCheck Advisory: mPDF 7.0 - Local File Inclusion
 
n/a--EyouCMS A weakness has been identified in EyouCMS up to 1.7.1/5.0. Impacted is the function check_userinfo of the file Diyajax.php of the component Member Avatar Handler. Executing a manipulation of the argument viewfile can lead to unrestricted upload. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-18 6.3 CVE-2026-1107 VDB-341699 | EyouCMS Member Avatar Diyajax.php check_userinfo unrestricted upload
VDB-341699 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731540 | Hainan Zanzan Network Technology Co. Eyoucms <=1.7.1 causing code execution due to file inclusion
https://github.com/24-2021/vul3/blob/main/Eyoucms/Eyoucms%3D1.7.1%20check_userinfo%20api%20viewfile%20exists%2C%20causing%20code%20execution%20due%20to%20file%20inclusion.md
https://github.com/24-2021/vul3/blob/main/Eyoucms/Eyoucms%3D1.7.1%20check_userinfo%20api%20viewfile%20exists%2C%20causing%20code%20execution%20due%20to%20file%20inclusion.md#poc
 
n/a--Mapnik A security vulnerability has been detected in Mapnik up to 4.2.0. This issue affects the function mapnik::dbf_file::string_value of the file plugins/input/shape/dbfile.cpp. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-01-18 5.3 CVE-2025-15537 VDB-341709 | Mapnik dbfile.cpp string_value heap-based overflow
VDB-341709 | CTI Indicators (IOB, IOC, IOA)
Submit #733348 | mapnik Mapnik v4.2.0 and master-branch Heap-based Buffer Overflow
https://github.com/mapnik/mapnik/issues/4543
https://github.com/oneafter/1218/blob/main/repro
 
n/a--net.sourceforge.plantuml:plantuml Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG. 2026-01-16 6.1 CVE-2026-0858 https://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEPLANTUML-14552230
https://github.com/plantuml/plantuml/commit/6826315db092d2e432aeab1a0894e08017c6e4bd
https://github.com/plantuml/plantuml/releases/tag/v1.2026.0
 
n/a--Open5GS A vulnerability has been found in Open5GS up to 2.7.6. Affected by this vulnerability is an unknown functionality of the component GTPv2 Bearer Response Handler. Such manipulation leads to denial of service. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 98f76e98df35cd6a35e868aa62715db7f8141ac1. A patch should be applied to remediate this issue. 2026-01-16 5.3 CVE-2025-15528 VDB-341595 | Open5GS GTPv2 Bearer Response denial of service
VDB-341595 | CTI Indicators (IOB, IOC, TTP)
Submit #728128 | Open5GS SGWC v2.7.6 Denial of Service
https://github.com/open5gs/open5gs/issues/4225
https://github.com/open5gs/open5gs/issues/4225#issue-3769531006
https://github.com/open5gs/open5gs/commit/98f76e98df35cd6a35e868aa62715db7f8141ac1
 
n/a--Open5GS A vulnerability was found in Open5GS up to 2.7.6. Affected by this issue is the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c. Performing a manipulation results in denial of service. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The patch is named b19cf6a2dbf5d30811be4488bf059c865bd7d1d2. To fix this issue, it is recommended to deploy a patch. 2026-01-16 5.3 CVE-2025-15529 VDB-341596 | Open5GS s5c-handler.c sgwc_s5c_handle_create_session_response denial of service
VDB-341596 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #728130 | Open5GS SGWC v2.7.6 Denial of Service
https://github.com/open5gs/open5gs/issues/4226
https://github.com/open5gs/open5gs/issues/4226#issue-3769595366
https://github.com/open5gs/open5gs/commit/b19cf6a2dbf5d30811be4488bf059c865bd7d1d2
 
n/a--Open5GS A vulnerability was determined in Open5GS up to 2.7.6. This affects the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request of the file /src/sgwc/s11-handler.c. Executing a manipulation can lead to reachable assertion. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The issue report is flagged as already-fixed. 2026-01-17 5.3 CVE-2025-15530 VDB-341597 | Open5GS s11-handler.c assertion
VDB-341597 | CTI Indicators (IOB, IOC, IOA)
Submit #728987 | Open5GS SGWC v2.7.6 Denial of Service
https://github.com/open5gs/open5gs/issues/4231
https://github.com/open5gs/open5gs/issues/4231#issue-3774187007
 
n/a--Open5GS A vulnerability was identified in Open5GS up to 2.7.5. This vulnerability affects the function sgwc_bearer_add of the file src/sgwc/context.c. The manipulation leads to reachable assertion. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The issue report is flagged as already-fixed. 2026-01-17 5.3 CVE-2025-15531 VDB-341598 | Open5GS context.c sgwc_bearer_add assertion
VDB-341598 | CTI Indicators (IOB, IOC, IOA)
Submit #729339 | Open5GS SGWC v2.7.6 Denial of Service
https://github.com/open5gs/open5gs/issues/4233
https://github.com/open5gs/open5gs/issues/4233#issue-3776216182
 
n/a--Open5GS A security flaw has been discovered in Open5GS up to 2.7.5. This issue affects some unknown processing of the component Timer Handler. The manipulation results in resource consumption. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The patch is identified as c7c131f8d2cb1195ada5e0e691b6868ebcd8a845. It is best practice to apply a patch to resolve this issue. 2026-01-17 5.3 CVE-2025-15532 VDB-341599 | Open5GS Timer resource consumption
VDB-341599 | CTI Indicators (IOB, IOC, TTP)
Submit #729354 | Open5GS SGWC v2.7.6 Denial of Service
Submit #729357 | Open5GS SGWC v2.7.6 Denial of Service (Duplicate)
https://github.com/open5gs/open5gs/issues/4220
https://github.com/open5gs/open5gs/issues/4221
https://github.com/open5gs/open5gs/issues/4220#issue-3766066853
https://github.com/open5gs/open5gs/commit/c7c131f8d2cb1195ada5e0e691b6868ebcd8a845
 
n/a--Open5GS A vulnerability was determined in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_downlink_data_notification_ack of the file src/sgwc/s11-handler.c of the component sgwc. This manipulation causes denial of service. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Patch name: b4707272c1caf6a7d4dca905694ea55557a0545f. To fix this issue, it is recommended to deploy a patch. The issue report is flagged as already-fixed. 2026-01-18 5.3 CVE-2025-15539 VDB-341732 | Open5GS sgwc s11-handler.c sgwc_s11_handle_downlink_data_notification_ack denial of service
VDB-341732 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #735339 | Open5GS SGWC v2.7.6 Denial of Service
https://github.com/open5gs/open5gs/issues/4230
https://github.com/open5gs/open5gs/issues/4230#issue-3774173079
https://github.com/open5gs/open5gs/commit/b4707272c1caf6a7d4dca905694ea55557a0545f
 
n8n-io--n8n n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node's IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured whitelist entry as a substring. This issue affected instances where workflow editors relied on IP-based access controls to restrict webhook access. Both IPv4 and IPv6 addresses were impacted. An attacker with a non-whitelisted IP could bypass restrictions if their IP shared a partial prefix with a trusted address, undermining the intended security boundary. This vulnerability is fixed in 2.2.0. 2026-01-13 5.3 CVE-2025-68949 https://github.com/n8n-io/n8n/security/advisories/GHSA-w96v-gf22-crwp
https://github.com/n8n-io/n8n/issues/23399
https://github.com/n8n-io/n8n/pull/23399
https://github.com/n8n-io/n8n/commit/11f8597d4ad69ea3b58941573997fdbc4de1fec5
 
naa986--Payment Button for PayPal The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint (`wppaypalcheckout_ajax_process_order`) that processes checkout results without any authentication or server-side verification of the PayPal transaction. This makes it possible for unauthenticated attackers to create arbitrary orders on the site with any chosen transaction ID, payment status, product name, amount, or customer information via direct POST requests to the AJAX endpoint, granted they can bypass basic parameter validation. If email sending is enabled, the plugin will also trigger purchase receipt emails to any email address supplied in the request, leading to order database corruption and unauthorized outgoing emails without any real PayPal transaction taking place. 2026-01-17 5.3 CVE-2025-14463 https://www.wordfence.com/threat-intel/vulnerabilities/id/814e50de-3690-4adf-bc01-a63cd71bd1cf?source=cve
https://plugins.trac.wordpress.org/browser/wp-paypal/trunk/wp-paypal.php#L70
https://plugins.trac.wordpress.org/browser/wp-paypal/tags/1.2.3.41/wp-paypal.php#L70
https://plugins.trac.wordpress.org/browser/wp-paypal/trunk/wp-paypal-checkout.php#L249
https://plugins.trac.wordpress.org/browser/wp-paypal/tags/1.2.3.41/wp-paypal-checkout.php#L249
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3431974%40wp-paypal&new=3431974%40wp-paypal&sfp_email=&sfph_mail=
 
netcashpaynow--Netcash WooCommerce Payment Gateway The Netcash WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_return_url function in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processing/completed. 2026-01-14 5.3 CVE-2025-14880 https://www.wordfence.com/threat-intel/vulnerabilities/id/6ca11df6-83e3-48b5-84b8-3f3e4f75ac4a?source=cve
https://plugins.trac.wordpress.org/browser/netcash-pay-now-payment-gateway-for-woocommerce/tags/4.1.3/includes/class-wc-gateway-paynow.php#L1127
 
ninjateam--WP Duplicate Page The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate arbitrary posts, pages, and WooCommerce HPOS orders even when their role is explicitly excluded from the plugin's "Allowed User Roles" setting, potentially exposing sensitive information and allowing duplicate fulfillment of WooCommerce orders. 2026-01-13 5.4 CVE-2025-14001 https://www.wordfence.com/threat-intel/vulnerabilities/id/60830ed8-3ab8-44e8-899c-7032a187da8b?source=cve
https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.8/includes/Classes/ButtonDuplicate.php#L54
https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.8/includes/Classes/ButtonDuplicate.php#L79
https://plugins.trac.wordpress.org/changeset/3432233/
 
nofearinc--WP-CRM System Manage Clients and Projects The WP-CRM System plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on the wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status AJAX functions in all versions up to, and including, 3.4.5. This makes it possible for authenticated attackers, with subscriber level access and above, to enumerate CRM contact email addresses (PII disclosure) and modify CRM task statuses. 2026-01-14 5.4 CVE-2025-14854 https://www.wordfence.com/threat-intel/vulnerabilities/id/da607df4-1dbb-4b1e-ace6-b339cf9e8512?source=cve
https://plugins.trac.wordpress.org/browser/wp-crm-system/tags/3.4.5/includes/wcs-functions.php?marks=942-975#L942
https://plugins.trac.wordpress.org/browser/wp-crm-system/tags/3.4.5/includes/wcs-dashboard-task-list.php?marks=177-190#L177
 
NSecsoft--NSecKrnl NSecsoft 'NSecKrnl' is a Windows driver that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes by issuing crafted IOCTL requests to the driver. 2026-01-13 4.7 CVE-2025-68947 url
url
url
url
url
 
obridgeacademy--WPBlogSyn The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's remote sync settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-14 4.3 CVE-2025-14389 https://www.wordfence.com/threat-intel/vulnerabilities/id/141137a4-609f-4ea9-beba-d37b48144c29?source=cve
https://plugins.trac.wordpress.org/browser/wpblogsync/tags/1.0/blogsync.php#L14
 
Open Asset Import Library--Assimp A security vulnerability has been detected in Open Asset Import Library Assimp up to 6.0.2. Affected by this vulnerability is the function Assimp::LWOImporter::FindUVChannels of the file /src/assimp/code/AssetLib/LWO/LWOMaterial.cpp. Such manipulation leads to use after free. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. This and similar defects are tracked and handled via issue #6128. 2026-01-18 5.3 CVE-2025-15538 VDB-341727 | Open Asset Import Library Assimp LWOMaterial.cpp FindUVChannels use after free
VDB-341727 | CTI Indicators (IOB, IOC, IOA)
Submit #735232 | Open Asset Import Library Assimp 6.0.2 Use After Free
https://github.com/assimp/assimp/issues/6258
https://github.com/assimp/assimp/issues/6258#issuecomment-3070999530
https://github.com/user-attachments/files/21216542/assimp_poc10.zip
 
opencryptoki--opencryptoki openCryptoki is a PKCS#11 library and tools for Linux and AIX. In 3.25.0 and 3.26.0, there is a heap buffer overflow vulnerability in the CKM_ECDH_AES_KEY_WRAP implementation allows an attacker with local access to cause out-of-bounds writes in the host process by supplying a compressed EC public key and invoking C_WrapKey. This can lead to heap corruption, or denial-of-service. 2026-01-13 6.6 CVE-2026-22791 https://github.com/opencryptoki/opencryptoki/security/advisories/GHSA-26f5-3mwq-4wm7
https://github.com/opencryptoki/opencryptoki/commit/785d7577e1477d12fbe235554e7e7b24f2de34b7
https://github.com/opencryptoki/opencryptoki/commit/e37e9127deeeb7bf3c3c4d852c594256c57ec3a8
 
OpenSC project--pam_pkcs11 In OpenSC pam_pkcs11 before 0.6.13, pam_sm_authenticate() wrongly returns PAM_IGNORE in many error situations (such as an error triggered by a smartcard before login), allowing authentication bypass. 2026-01-16 6.7 CVE-2025-24531 https://github.com/OpenSC/pam_pkcs11/security/advisories/GHSA-7mf6-rg36-qgch
https://github.com/OpenSC/pam_pkcs11/releases
https://www.openwall.com/lists/oss-security/2025/02/06/3
 
opensourcepos--opensourcepos Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. opensourcepos 3.4.0 and 3.4.1 has a stored XSS vulnerability exists in the Configuration (Information) functionality. An authenticated user with the permission "Configuration: Change OSPOS's Configuration" can inject a malicious JavaScript payload into the Company Name field when updating Information in Configuration. The malicious payload is stored and later triggered when a user accesses /sales/complete. First select Sales, and choose New Item to create an item, then click on Completed . Due to insufficient input validation and output encoding, the payload is rendered and executed in the user's browser, resulting in a stored XSS vulnerability. This vulnerability is fixed in 3.4.2. 2026-01-13 4.3 CVE-2025-68658 https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-32r8-8r9r-9chw
https://github.com/opensourcepos/opensourcepos/commit/849439c71eaa4c15857fb7c603297261c2ddc26d
 
paultgoodchild--Shield: Blocks Bots, Protects Users, and Prevents Security Breaches The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disable Google Authenticator for any user. 2026-01-16 4.3 CVE-2025-15370 https://www.wordfence.com/threat-intel/vulnerabilities/id/d777014a-5397-4062-af39-7ea86589a0d0?source=cve
https://plugins.trac.wordpress.org/browser/wp-simple-firewall/tags/21.0.8/src/lib/src/ActionRouter/Actions/MfaGoogleAuthToggle.php
https://plugins.trac.wordpress.org/changeset/3438647/wp-simple-firewall
 
payhere--PayHere Payment Gateway Plugin for WooCommerce The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to an improper validation logic in the check_payhere_response function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to change the status of pending WooCommerce orders to paid/completed/on hold. 2026-01-14 5.3 CVE-2025-15475 https://www.wordfence.com/threat-intel/vulnerabilities/id/e0c92241-0bef-4f87-8478-4d805435f09d?source=cve
https://plugins.trac.wordpress.org/browser/payhere-payment-gateway/tags/2.3.9/gateway/class-wcgatewaypayhere.php#L709
 
perfitdev--Perfit WooCommerce The Perfit WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. This is due to missing authorization checks on the `logout` function called via the `actions` function hooked to `admin_init`. This makes it possible for unauthenticated attackers to delete arbitrary plugin settings via the `action` parameter. 2026-01-14 5.3 CVE-2025-14173 https://www.wordfence.com/threat-intel/vulnerabilities/id/cb141b46-2585-4b58-8d91-0cdb275348a1?source=cve
https://plugins.trac.wordpress.org/browser/perfit-woocommerce/trunk/includes/class-wcp-settings-tab.php#L102
https://plugins.trac.wordpress.org/browser/perfit-woocommerce/tags/1.0.1/includes/class-wcp-settings-tab.php#L102
 
Phpwcms--Phpwcms Phpwcms 1.9.30 contains a file upload vulnerability that allows authenticated attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG payloads through the multiple file upload feature to potentially execute cross-site scripting attacks on the platform. 2026-01-15 5.4 CVE-2021-47783 ExploitDB-50363
Official Product Homepage
VulnCheck Advisory: Phpwcms 1.9.30 - Arbitrary File Upload
 
pimcore--pimcore Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an authenticated backend user without explicitely lacking permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This vulnerability is fixed in 5.2.2 and 6.1.1. 2026-01-15 5.4 CVE-2026-23496 https://github.com/pimcore/pimcore/security/advisories/GHSA-4wg4-p27p-5q2r
https://github.com/pimcore/web2print-tools/pull/108
https://github.com/pimcore/web2print-tools/commit/7714452a04b9f9b077752784af4b8d0b05e464a1
https://github.com/pimcore/web2print-tools/releases/tag/v5.2.2
https://github.com/pimcore/web2print-tools/releases/tag/v6.1.1
 
pimcore--pimcore Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This vulnerability is fixed in 12.3.1 and 11.5.14. 2026-01-15 4.3 CVE-2026-23494 https://github.com/pimcore/pimcore/security/advisories/GHSA-m3r2-724c-pwgf
https://github.com/pimcore/pimcore/pull/18893
https://github.com/pimcore/pimcore/releases/tag/v11.5.14
https://github.com/pimcore/pimcore/releases/tag/v12.3.1
 
pimcore--pimcore Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16. 2026-01-15 4.3 CVE-2026-23495 https://github.com/pimcore/pimcore/security/advisories/GHSA-hqrp-m84v-2m2f
https://github.com/pimcore/admin-ui-classic-bundle/commit/98095949fbeaf11cdf4cadb2989d7454e1b88909
https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.7.16
https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v2.2.3
 
pnggroup--libpng LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54. 2026-01-12 6.1 CVE-2026-22695 https://github.com/pnggroup/libpng/security/advisories/GHSA-mmq5-27w3-rxpp
https://github.com/pnggroup/libpng/issues/778
https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea
https://github.com/pnggroup/libpng/commit/e4f7ad4ea2
 
pnggroup--libpng LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54. 2026-01-12 6.8 CVE-2026-22801 https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8
 
prasannasp--Short Link The Short Link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'short_link_post_title' and 'short_link_page_title' parameters in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. 2026-01-14 4.4 CVE-2026-0813 https://www.wordfence.com/threat-intel/vulnerabilities/id/8623d2cc-dcdd-4453-9a86-669bdd44eae1?source=cve
https://plugins.trac.wordpress.org/browser/short-link/tags/1.0/short-link.php#L118
https://plugins.trac.wordpress.org/browser/short-link/trunk/short-link.php#L118
 
radykal--Fancy Product Designer The Fancy Product Designer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.8. This is due to improper error handling in the PDF upload functionality that exposes server filesystem paths and stack traces in error messages. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. 2026-01-16 5.3 CVE-2025-15526 https://www.wordfence.com/threat-intel/vulnerabilities/id/9b39b4ce-3885-4ea4-8cf0-84e66e7f6a12?source=cve
https://support.fancyproductdesigner.com/support/discussions/topics/13000036024
 
raysan5--raylib A vulnerability was determined in raysan5 raylib up to 909f040. Affected by this vulnerability is the function GenImageFontAtlas of the file src/rtext.c. Executing a manipulation can lead to heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. This patch is called 5a3391fdce046bc5473e52afbd835dd2dc127146. Applying a patch is advised to resolve this issue. 2026-01-18 5.3 CVE-2025-15533 VDB-341705 | raysan5 raylib rtext.c GenImageFontAtlas heap-based overflow
VDB-341705 | CTI Indicators (IOB, IOC, IOA)
Submit #733341 | raysan5 raylib 909f040 Heap-based Buffer Overflow
Submit #733342 | raysan5 raylib 909f040 Heap-based Buffer Overflow (Duplicate)
https://github.com/raysan5/raylib/issues/5433
https://github.com/raysan5/raylib/pull/5450
https://github.com/oneafter/1224/blob/main/hbf2
https://github.com/raysan5/raylib/commit/5a3391fdce046bc5473e52afbd835dd2dc127146
 
raysan5--raylib A vulnerability was identified in raysan5 raylib up to 909f040. Affected by this issue is the function LoadFontData of the file src/rtext.c. The manipulation leads to integer overflow. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The identifier of the patch is 5a3391fdce046bc5473e52afbd835dd2dc127146. It is suggested to install a patch to address this issue. 2026-01-18 5.3 CVE-2025-15534 VDB-341706 | raysan5 raylib rtext.c LoadFontData integer overflow
VDB-341706 | CTI Indicators (IOB, IOC, IOA)
Submit #733343 | raysan5 raylib 909f040 Integer Overflow
https://github.com/raysan5/raylib/issues/5436
https://github.com/raysan5/raylib/pull/5450
https://github.com/oneafter/1224/blob/main/segv1
https://github.com/raysan5/raylib/commit/5a3391fdce046bc5473e52afbd835dd2dc127146
 
rebelcode--RSS Aggregator RSS Import, News Feeds, Feed to Post, and Autoblogging The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'className' parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2026-01-16 6.1 CVE-2025-14375 https://www.wordfence.com/threat-intel/vulnerabilities/id/3d2dde13-2940-478e-8e2b-baf60003754a?source=cve
https://plugins.trac.wordpress.org/changeset/3439384/wp-rss-aggregator
 
Red Hat--Red Hat Enterprise Linux 10 A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence. 2026-01-14 6.5 CVE-2025-14242 RHSA-2026:0605
RHSA-2026:0606
RHSA-2026:0608
https://access.redhat.com/security/cve/CVE-2025-14242
RHBZ#2419826
 
Red Hat--Red Hat Enterprise Linux 10 A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications. 2026-01-15 5.9 CVE-2026-0990 https://access.redhat.com/security/cve/CVE-2026-0990
RHBZ#2429959
 
Red Hat--Red Hat Enterprise Linux 10 A flaw was found in libsoup's WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup's WebSocket support with this configuration may be impacted. 2026-01-13 4.8 CVE-2026-0716 https://access.redhat.com/security/cve/CVE-2026-0716
RHBZ#2427896
https://gitlab.gnome.org/GNOME/libsoup/-/issues/476
 
rndsand81--Stopwords for comments The Stopwords for comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the 'set_stopwords_for_comments' and 'delete_stopwords_for_comments' functions. This makes it possible for unauthenticated attackers to add or delete stopwords via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-14 4.3 CVE-2025-15376 https://www.wordfence.com/threat-intel/vulnerabilities/id/dd8c45c7-dbb2-46ab-8e50-e02062587b00?source=cve
https://plugins.trac.wordpress.org/browser/stopwords-for-comments/trunk/functions.php?marks=151,170#L151
 
roxnor--GetGenie AI Content Writer with Keyword Research & SEO Tracking Tools The GetGenie plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.3.0. This is due to the plugin not properly verifying that a user is authorized to delete a specific post. This makes it possible for authenticated attackers, with Author-level access and above, to delete any post on the WordPress site, including posts authored by other users. 2026-01-16 4.3 CVE-2026-1003 https://www.wordfence.com/threat-intel/vulnerabilities/id/38ec647a-3c0c-4d3c-ba34-64c17803867b?source=cve
https://plugins.trac.wordpress.org/browser/getgenie/trunk/app/Api/GetGenieChat.php#L153
https://plugins.trac.wordpress.org/changeset/3436920/
 
saadiqbal--Quick Contact Form The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcf_validate_form' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers to send emails to arbitrary recipients utilizing the server. The information is limited to the contact form submission details. 2026-01-17 5.8 CVE-2025-12718 https://www.wordfence.com/threat-intel/vulnerabilities/id/dc7ba538-a7ee-48c8-996c-b8db1934fdeb?source=cve
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3433286%40quick-contact-form&new=3433286%40quick-contact-form&sfp_email=&sfph_mail=
 
sablab--Internal Link Builder The Internal Link Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-01-14 4.4 CVE-2025-14725 https://www.wordfence.com/threat-intel/vulnerabilities/id/1febe071-b296-4958-a9e8-9be9391f2390?source=cve
https://plugins.trac.wordpress.org/browser/internal-link-builder/trunk/InternalLinkBuilder.php#L133
 
Sanluan--PublicCMS A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deletion Endpoint. Performing a manipulation of the argument ids results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-18 5.4 CVE-2026-1112 VDB-341704 | Sanluan PublicCMS Trade Address Deletion Endpoint TradeAddressController.java delete improper authorization
VDB-341704 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #732771 | publiccms PublicCMS <= V5.202506.d Insecure Direct Object Reference (IDOR)
https://github.com/AnalogyC0de/public_exp/issues/4
 
Sanluan--PublicCMS A vulnerability has been found in Sanluan PublicCMS up to 5.202506.d. This impacts the function Save of the file com/publiccms/controller/admin/sys/TaskTemplateAdminController.java of the component Task Template Management Handler. Such manipulation of the argument path leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-18 4.7 CVE-2026-1111 VDB-341703 | Sanluan PublicCMS Task Template Management TaskTemplateAdminController.java save path traversal
VDB-341703 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #732726 | publiccms PublicCMS <= V5.202506.d Remote Code Execution (RCE)
https://github.com/AnalogyC0de/public_exp/issues/2
 
SAP_SE--Business Server Pages Application (Product Designer Web UI) SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application. 2026-01-13 4.3 CVE-2026-0497 https://me.sap.com/notes/3677111
https://url.sap/sapsecuritypatchday
 
SAP_SE--SAP Business Connector Due to a Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious link. When an unsuspecting user clicks this link, the user may be redirected to a site controlled by the attacker. Successful exploitation could allow the attacker to access or modify information related to the webclient, impacting confidentiality and integrity, with no effect on availability. 2026-01-13 6.1 CVE-2026-0514 https://me.sap.com/notes/3666061
https://url.sap/sapsecuritypatchday
 
SAP_SE--SAP ERP Central Component and SAP S/4HANA (SAP EHS Management) Due to missing authorization check in the SAP ERP Central Component (SAP ECC) and SAP S/4HANA (SAP EHS Management), an attacker could extract hardcoded clear-text credentials and bypass the password authentication check by manipulating user parameters. Upon successful exploitation, the attacker can access, modify or delete certain change pointer information within EHS objects in the application which might further affect the subsequent systems. This vulnerability leads to a low impact on confidentiality and integrity of the application with no affect on the availability. 2026-01-13 6.4 CVE-2026-0503 https://me.sap.com/notes/3681523
https://url.sap/sapsecuritypatchday
 
SAP_SE--SAP Fiori App (Intercompany Balance Reconciliation) SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to upload any file (including script files) without proper file format validation. This has low impact on confidentiality, integrity and availability of the application. 2026-01-13 6.6 CVE-2026-0496 https://me.sap.com/notes/3565506
https://url.sap/sapsecuritypatchday
 
SAP_SE--SAP Fiori App (Intercompany Balance Reconciliation) SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application. 2026-01-13 5.1 CVE-2026-0495 https://me.sap.com/notes/3565506
https://url.sap/sapsecuritypatchday
 
SAP_SE--SAP Fiori App (Intercompany Balance Reconciliation) Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation an attacker could execute state?changing actions using an inappropriate request type, this deviation from expected request semantics may allow an attacker to trigger unintended actions on behalf of an authenticated user causing low impact on integrity of the system. This has no impact on confidentiality and availability. 2026-01-13 4.3 CVE-2026-0493 https://me.sap.com/notes/3655229
https://url.sap/sapsecuritypatchday
 
SAP_SE--SAP Fiori App (Intercompany Balance Reconciliation) Under certain conditions SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application, integrity and availability are not impacted. 2026-01-13 4.3 CVE-2026-0494 https://me.sap.com/notes/3655227
https://url.sap/sapsecuritypatchday
 
SAP_SE--SAP NetWeaver Enterprise Portal SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject malicious scripts into a URL parameter. The scripts are reflected in the server response and executed in a user's browser when the crafted URL is visited, leading to theft of session information, manipulation of portal content, or user redirection, resulting in a low impact on the application's confidentiality and integrity, with no impact on availability. 2026-01-13 6.1 CVE-2026-0499 https://me.sap.com/notes/3687372
https://url.sap/sapsecuritypatchday
 
SAP_SE--SAP Supplier Relationship Management (SICF Handler in SRM Catalog) Due to an Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site.This causes low impact on integrity of the application. Confidentiality and availability are not impacted. 2026-01-13 4.7 CVE-2026-0513 https://me.sap.com/notes/3638716
https://url.sap/sapsecuritypatchday
 
SchedMD--Slurm In SchedMD Slurm before 24.11.5, 24.05.8, and 23.11.11, the accounting system can allow a Coordinator to promote a user to Administrator. 2026-01-16 4.2 CVE-2025-43904 https://www.schedmd.com/security-policy/
https://lists.schedmd.com/mailman3/hyperkitty/list/slurm-announce@lists.schedmd.com/message/B73QHKW6TKE2T5KDWVPIWNE5H4KWX667/
 
Schlix--Schlix CMS Schlix CMS 2.2.6-6 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into category titles. Attackers can create a new contact category with a script payload that will execute when the page is viewed by other users. 2026-01-16 6.4 CVE-2021-47834 ExploitDB-49837
Vendor Homepage
VulnCheck Advisory: Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated)
 
searchwiz--SearchWiz The SearchWiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in search results in all versions up to, and including, 1.0.0. This is due to the plugin using `esc_attr()` instead of `esc_html()` when outputting post titles in search results. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in post titles that will execute whenever a user performs a search and views the search results page. 2026-01-14 6.4 CVE-2026-0694 https://www.wordfence.com/threat-intel/vulnerabilities/id/3e60a315-7f74-4d81-b6d2-ad3d40d489ef?source=cve
https://plugins.trac.wordpress.org/browser/searchwiz/trunk/public/class-sw-ajax.php#L616
https://plugins.trac.wordpress.org/browser/searchwiz/tags/1.0.0/public/class-sw-ajax.php#L616
 
shoheitanaka--PAYGENT for WooCommerce The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygent_permission_callback function unconditionally returning true on line 199. This makes it possible for unauthenticated attackers to manipulate payment callbacks and modify order statuses by sending forged payment notifications via the `/wp-json/paygent/v1/check/` endpoint. 2026-01-17 5.3 CVE-2025-14078 https://www.wordfence.com/threat-intel/vulnerabilities/id/9de42bd9-a1d2-48f2-a594-4013a9490e25?source=cve
https://plugins.trac.wordpress.org/browser/woocommerce-for-paygent-payment-main/trunk/includes/gateways/paygent/class-wc-paygent-endpoint.php#L199
https://plugins.trac.wordpress.org/browser/woocommerce-for-paygent-payment-main/tags/2.4.2/includes/gateways/paygent/class-wc-paygent-endpoint.php#L199
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3433179%40woocommerce-for-paygent-payment-main&new=3433179%40woocommerce-for-paygent-payment-main&sfp_email=&sfph_mail=
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3432342%40woocommerce-for-paygent-payment-main&new=3432342%40woocommerce-for-paygent-payment-main&sfp_email=&sfph_mail=
 
SICK AG--Incoming Goods Suite The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript. 2026-01-15 6.8 CVE-2026-22637 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf
 
SICK AG--Incoming Goods Suite An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server administrator accounts - If the only Server administrator is deleted, the Grafana instance becomes unmanageable - No super-user permissions remain in the system - Affects all users, organizations, and teams managed in the instance The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance. 2026-01-15 5.5 CVE-2026-22640 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf
 
SICK AG--Incoming Goods Suite This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources. 2026-01-15 5 CVE-2026-22641 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf
 
SICK AG--Incoming Goods Suite Certain requests pass the authentication token in the URL as string query parameter, making it vulnerable to theft through server logs, proxy logs and Referer headers, which could allow an attacker to hijack the user's session and gain unauthorized access. 2026-01-15 5.3 CVE-2026-22644 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf
 
SICK AG--Incoming Goods Suite The application discloses all used components, versions and license information to unauthenticated actors, giving attackers the opportunity to target known security vulnerabilities of used components. 2026-01-15 5.3 CVE-2026-22645 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf
 
SICK AG--Incoming Goods Suite Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01 2026-01-15 4.3 CVE-2026-22639 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf
 
SICK AG--Incoming Goods Suite An open redirect vulnerability has been identified in Grafana OSS organization switching functionality. Prerequisites for exploitation: - Multiple organizations must exist in the Grafana instance - Victim must be on a different organization than the one specified in the URL 2026-01-15 4.2 CVE-2026-22642 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf
 
SICK AG--Incoming Goods Suite Certain error messages returned by the application expose internal system details that should not be visible to end users, providing attackers with valuable reconnaissance information (like file paths, database errors, or software versions) that can be used to map the application's internal structure and discover other, more critical vulnerabilities. 2026-01-15 4.3 CVE-2026-22646 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf
 
SICK AG--TDC-X401GL Firmware update files may expose password hashes for system accounts, which could allow a remote attacker to recover credentials and gain unauthorized access to the device. 2026-01-15 5.3 CVE-2026-22911 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf
 
SICK AG--TDC-X401GL Improper validation of a login parameter may allow attackers to redirect users to malicious websites after authentication. This can lead to various risk including stealing credentials from unsuspecting users. 2026-01-15 4.3 CVE-2026-22912 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf
 
SICK AG--TDC-X401GL Improper handling of a URL parameter may allow attackers to execute code in a user's browser after login. This can lead to the extraction of sensitive data. 2026-01-15 4.3 CVE-2026-22913 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf
 
SICK AG--TDC-X401GL An attacker with limited permissions may still be able to write files to specific locations on the device, potentially leading to system manipulation. 2026-01-15 4.3 CVE-2026-22914 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf
 
SICK AG--TDC-X401GL An attacker with low privileges may be able to read files from specific directories on the device, potentially exposing sensitive information. 2026-01-15 4.3 CVE-2026-22915 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf
 
SICK AG--TDC-X401GL An attacker with low privileges may be able to trigger critical system functions such as reboot or factory reset without proper restrictions, potentially leading to service disruption or loss of configuration. 2026-01-15 4.3 CVE-2026-22916 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf
 
SICK AG--TDC-X401GL Improper input handling in a system endpoint may allow attackers to overload resources, causing a denial of service. 2026-01-15 4.3 CVE-2026-22917 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf
 
SICK AG--TDC-X401GL An attacker may exploit missing protection against clickjacking by tricking users into performing unintended actions through maliciously crafted web pages, leading to the extraction of sensitive data. 2026-01-15 4.3 CVE-2026-22918 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf
 
sigstore--fulcio Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. This vulnerability is fixed in 1.8.5. 2026-01-12 5.8 CVE-2026-22772 https://github.com/sigstore/fulcio/security/advisories/GHSA-59jp-pj84-45mr
https://github.com/sigstore/fulcio/commit/eaae2f2be56df9dea5f9b439ec81bedae4c0978d
 
Skyjos--Owlfiles File Manager Owlfiles File Manager 12.0.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the path parameter in HTTP server endpoints. Attackers can craft URLs targeting the download and list endpoints with embedded script tags to execute arbitrary JavaScript in users' browsers. 2026-01-13 6.2 CVE-2022-50891 ExploitDB-51036
Vendor Homepage
Official App Store Listing
VulnCheck Advisory: Owlfiles File Manager 12.0.1 Cross-Site Scripting via HTTP Server
 
SMEWebify--WebErpMesv2 WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, WebErpMesv2 contains a file upload validation bypass vulnerability in multiple controllers that allows authenticated users to upload arbitrary files, including PHP scripts, leading to Remote Code Execution (RCE). This vulnerability is identical in nature to CVE-2025-52130 but exists in different code locations that were not addressed by the original fix. This vulnerability is fixed in 1.19. 2026-01-12 5.4 CVE-2026-22789 https://github.com/SMEWebify/WebErpMesv2/security/advisories/GHSA-64rv-f829-x6m4
https://github.com/SMEWebify/WebErpMesv2/commit/c9e7f4a85aeb774a0ea4b61ad57a51b941166b69
 
smings--LEAV Last Email Address Validator The LEAV Last Email Address Validator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions <= 1.7.1. This is due to missing or incorrect nonce validation on the display_settings_page function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-16 4.3 CVE-2025-14853 https://www.wordfence.com/threat-intel/vulnerabilities/id/93db56df-d21b-4788-84b2-7b28641b5a7a?source=cve
https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L66
https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L2183
https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L257
 
smub--All in One SEO Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic The All in One SEO - Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disclose the global AI access token. 2026-01-16 4.3 CVE-2025-14384 https://www.wordfence.com/threat-intel/vulnerabilities/id/f47d53e1-42ac-425e-a6f2-901a6d26845d?source=cve
https://plugins.trac.wordpress.org/changeset/3435276/all-in-one-seo-pack
 
socialchampio--SocialChamp with WordPress The SocialChamp with WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing nonce validation on the wpsc_settings_tab_menu function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-14 4.3 CVE-2025-14846 https://www.wordfence.com/threat-intel/vulnerabilities/id/bdbb660b-19aa-4c68-865c-0a51b85d1e5a?source=cve
https://plugins.trac.wordpress.org/browser/auto-post-to-social-media-wp-to-social-champ/tags/1.3.3/admin/class-wp-socialchamp-settings-init.php#L157
 
softwarepub--hermes hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file. This vulnerability is fixed in 0.9.1. 2026-01-12 5.9 CVE-2026-22798 https://github.com/softwarepub/hermes/security/advisories/GHSA-jm5j-jfrm-hm23
https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1
https://github.com/softwarepub/hermes/commit/90cb86acd026e7841f2539ae7a1b284a7f263514
 
specialk--User Submitted Posts Enable Users to Submit Posts from the Front End The User Submitted Posts - Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'usp_access' shortcode in all versions up to, and including, 20260110 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-16 6.4 CVE-2026-0913 https://www.wordfence.com/threat-intel/vulnerabilities/id/85bf7a1b-3c54-40c9-8f19-fcb9dd478a0e?source=cve
https://plugins.trac.wordpress.org/browser/user-submitted-posts/tags/20251210/library/shortcode-access.php#L20
https://plugins.trac.wordpress.org/changeset/3439027/
 
Spring--CLI VSCode Extension The VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine. 2026-01-14 6.8 CVE-2026-22718 https://spring.io/security/cve-2026-22718
 
stylemix--Cost Calculator Builder The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the complete() function only verifying a nonce without checking user capabilities or order ownership. Since nonces are exposed to all visitors via window.ccb_nonces in the page source, any unauthenticated attacker can mark any order's payment status as "completed" without actual payment. 2026-01-16 5.3 CVE-2025-14757 https://www.wordfence.com/threat-intel/vulnerabilities/id/b8415e5f-17a4-425c-ac28-5dd886d1bcf1?source=cve
https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.7/includes/classes/CCBOrderController.php#L408
https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.7/includes/classes/CCBAjaxAction.php#L98
https://plugins.trac.wordpress.org/changeset/3437516/cost-calculator-builder/trunk/includes/classes/CCBOrderController.php?old=3426823&old_path=cost-calculator-builder%2Ftrunk%2Fincludes%2Fclasses%2FCCBOrderController.php
 
sweetdaisy86--RepairBuddy Repair Shop CRM & Booking Plugin for WordPress The RepairBuddy - Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wc_upload_and_save_signature_handler function in all versions up to, and including, 4.1116. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary signatures to any order in the system, potentially modifying order metadata and triggering unauthorized status changes. 2026-01-17 5.3 CVE-2026-0820 https://www.wordfence.com/threat-intel/vulnerabilities/id/1b2ad299-03b1-4b9e-a241-d2ad2d85c3ac?source=cve
https://plugins.trac.wordpress.org/browser/computer-repair-shop/trunk/lib/includes/classes/class-wcrb_signature.php#L562
https://plugins.trac.wordpress.org/browser/computer-repair-shop/tags/4.1116/lib/includes/classes/class-wcrb_signature.php#L562
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3436356%40computer-repair-shop&new=3436356%40computer-repair-shop&sfp_email=&sfph_mail=
 
Syed Balkhi--WPForms WPForms 1.7.8 contains a cross-site scripting vulnerability in the slider import search feature and tab parameter. Attackers can inject malicious scripts through the ListTable.php endpoint to execute arbitrary JavaScript in victim's browser. 2026-01-13 6.1 CVE-2020-36919 ExploitDB-51152
WPForms Lite Plugin Homepage
VulnCheck Advisory: WPForms 1.7.8 - Cross-Site Scripting (XSS)
 
techknowprime--Responsive Accordion Slider The Responsive Accordion Slider plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'resp_accordion_silder_save_images' function in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify any slider's image metadata including titles, descriptions, alt text, and links. 2026-01-14 4.3 CVE-2026-0635 https://www.wordfence.com/threat-intel/vulnerabilities/id/55cfb2c6-ca3f-45b7-8cd9-a5a1c3783ae0?source=cve
https://plugins.trac.wordpress.org/browser/responsive-accordion-slider/tags/1.2.2/includes/admin/class-ras-admin.php#L101
 
Testa--Testa Testa 3.5.1 contains a reflected cross-site scripting vulnerability in the login.php redirect parameter that allows attackers to inject malicious scripts. Attackers can craft a specially encoded payload in the redirect parameter to execute arbitrary JavaScript in victim's browser context. 2026-01-13 6.1 CVE-2022-50896 ExploitDB-51023
Archived Product Homepage
VulnCheck Advisory: Testa 3.5.1 Online Test Management System - Reflected Cross-Site Scripting (XSS)
 
thimpress--Thim Blocks The Gutenberg Thim Blocks - Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 1.0.1. This is due to insufficient path validation in the server-side rendering of the thim-blocks/icon block. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server via the 'iconSVG' parameter, which can contain sensitive information such as wp-config.php. 2026-01-17 6.5 CVE-2025-13725 https://www.wordfence.com/threat-intel/vulnerabilities/id/80de464f-a4b0-4aaf-8869-f8d29a422bdb?source=cve
https://plugins.trac.wordpress.org/browser/thim-blocks/trunk/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L92
https://plugins.trac.wordpress.org/browser/thim-blocks/tags/1.0.1/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L92
https://plugins.trac.wordpress.org/browser/thim-blocks/trunk/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L97
https://plugins.trac.wordpress.org/browser/thim-blocks/tags/1.0.1/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L97
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3424998%40thim-blocks&new=3424998%40thim-blocks&sfp_email=&sfph_mail=
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3419638%40thim-blocks&new=3419638%40thim-blocks&sfp_email=&sfph_mail=
 
thimpress--WP Hotel Booking The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying only on a nonce for protection. This makes it possible for unauthenticated attackers to retrieve sensitive customer information including full names, addresses, phone numbers, and email addresses by providing a valid email address and a publicly accessible nonce. 2026-01-17 5.3 CVE-2025-14075 https://www.wordfence.com/threat-intel/vulnerabilities/id/1fc4eaec-b5d8-4707-9260-bac02a4b1866?source=cve
https://plugins.trac.wordpress.org/browser/wp-hotel-booking/trunk/includes/class-wphb-ajax.php#L192
https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.2.7/includes/class-wphb-ajax.php#L192
https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.2.7/includes/class-wphb-ajax.php#L36
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429399%40wp-hotel-booking&new=3429399%40wp-hotel-booking&sfp_email=&sfph_mail=
 
thundernest--ImportExportTools NG ImportExportTools NG 10.0.4 contains a persistent HTML injection vulnerability in the email export module that allows remote attackers to inject malicious HTML payloads. Attackers can send emails with crafted HTML in the subject that execute during HTML export, potentially compromising user data or session credentials. 2026-01-15 6.1 CVE-2021-47768 ExploitDB-50496
ImportExportTools NG GitHub Repository
Thunderbird Addon Page
Vulnerability-Lab Disclosure
 
torstenbulk--DK PDF WordPress PDF Generator The DK PDF - WordPress PDF Generator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3.0 via the 'addContentToMpdf' function. This makes it possible for authenticated attackers, author level and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. 2026-01-16 5 CVE-2025-14793 https://www.wordfence.com/threat-intel/vulnerabilities/id/b062f72a-542c-4212-af83-4faefbf69bd7?source=cve
https://plugins.trac.wordpress.org/browser/dk-pdf/trunk/modules/Frontend/WordPressIntegration.php?marks=22-25#L22
https://plugins.trac.wordpress.org/browser/dk-pdf/trunk/modules/PDF/Generator.php?marks=24-56#L24
https://plugins.trac.wordpress.org/browser/dk-pdf/tags/2.3.0/modules/PDF/DocumentBuilder.php#L213
https://plugins.trac.wordpress.org/browser/dk-pdf/tags/2.3.0/templates/dkpdf-index.php#L134
 
traefik--traefik Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7. 2026-01-15 5.9 CVE-2026-22045 https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq
https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d
https://github.com/traefik/traefik/releases/tag/v2.11.35
https://github.com/traefik/traefik/releases/tag/v3.6.7
 
treeverse--lakeFS lakeFS is an open-source tool that transforms object storage into a Git-like repositories. LakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request (e.g., through network interception, logs, or compromised systems) can replay that request until credentials are rotated, even after the request is intended to expire. This vulnerability is fixed in 1.75.0. 2026-01-15 6.5 CVE-2025-68671 https://github.com/treeverse/lakeFS/security/advisories/GHSA-f2ph-gc9m-q55f
https://github.com/treeverse/lakeFS/issues/9599
https://github.com/treeverse/lakeFS/commit/92966ae611d7f1a2bbe7fd56f9568c975aab2bd8
 
Ttyplus--MTPutty MTPutty 1.0.1.21 contains a sensitive information disclosure vulnerability that allows local attackers to view SSH connection passwords through Windows PowerShell process listing. Attackers can run a PowerShell command to retrieve the full command line of MTPutty processes, exposing plaintext SSH credentials. 2026-01-15 6.2 CVE-2021-47759 ExploitDB-50574
Official MTPutty Product Homepage
 
Ubeeinteractive--Ubee EVW327 Ubee EVW327 contains a cross-site request forgery vulnerability that allows attackers to enable remote access without user interaction. Attackers can craft a malicious webpage that automatically submits a form to change router remote access settings to port 8080 without the user's consent. 2026-01-16 5.3 CVE-2021-47820 ExploitDB-49920
Ubee Interactive Official Homepage
VulnCheck Advisory: Ubee EVW327 - 'Enable Remote Access' Cross-Site Request Forgery (CSRF)
 
umbraco--Umbraco Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in multiple dashboard and help controller endpoints. Attackers can craft malicious requests to the GetContextHelpForPage, GetRemoteDashboardContent, and GetRemoteDashboardCss endpoints to trigger unauthorized server-side requests to external hosts. 2026-01-15 5.3 CVE-2021-47776 ExploitDB-50462
Umbraco Official Homepage
Umbraco CMS Release Notes
 
Vertiv--Cyclades Serial Console Server Cyclades Serial Console Server 3.3.0 contains a local privilege escalation vulnerability due to overly permissive sudo privileges for the admin user and admin group. Attackers can exploit the default user configuration to gain root access by manipulating system binaries and leveraging unrestricted sudo permissions. 2026-01-13 6.2 CVE-2022-50927 ExploitDB-50773
Vertiv Official Homepage
VulnCheck Advisory: Cyclades Serial Console Server 3.3.0 - Local Privilege Escalation
 
VideoLAN--VLC media player mmstu.c in VideoLAN VLC media player before 3.0.22 allows an out-of-bounds read and denial of service via a crafted 0x01 response from an MMS server. 2026-01-16 4.8 CVE-2025-51602 https://www.videolan.org/security/sb-vlc3022.html
https://code.videolan.org/videolan/vlc/-/issues/29146
 
Visual-Tools--Visual Tools DVR VX16 Visual Tools DVR VX16 version 4.2.28 contains a local privilege escalation vulnerability in its Sudo configuration that allows attackers to gain root access. Attackers can exploit the unsafe Sudo settings by using mount commands to bind a shell, enabling unauthorized system-level privileges. 2026-01-15 6.2 CVE-2021-47799 ExploitDB-50104
Official Vendor Homepage
 
vk011--Real Post Slider Lite The Real Post Slider Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-01-14 4.4 CVE-2026-0680 https://www.wordfence.com/threat-intel/vulnerabilities/id/324fd823-8ec9-4187-8694-6160bad8e093?source=cve
https://plugins.trac.wordpress.org/browser/real-post-slider-lite/trunk/real-post-slider-lite.php#L130
https://plugins.trac.wordpress.org/browser/real-post-slider-lite/tags/2.4/real-post-slider-lite.php#L130
 
webbu--WMF Mobile Redirector The WMF Mobile Redirector plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-14 4.4 CVE-2026-0739 https://www.wordfence.com/threat-intel/vulnerabilities/id/037b5c2c-510a-4fa5-b489-cb0478603be2?source=cve
https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/trunk/includes/options-page.php#L55
https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/tags/1.2/includes/options-page.php#L55
https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/trunk/includes/options-page.php#L62
https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/tags/1.2/includes/options-page.php#L62
 
WeblateOrg--wlc wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers. 2026-01-12 5.3 CVE-2026-22251 https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766
https://github.com/WeblateOrg/wlc/pull/1098
https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797
 
Wireshark Foundation--Wireshark IEEE 802.11 protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service 2026-01-14 5.3 CVE-2026-0959 https://www.wireshark.org/security/wnpa-sec-2026-02.html
GitLab Issue #20939
 
Wireshark Foundation--Wireshark BLF file parser crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service 2026-01-14 5.5 CVE-2026-0961 https://www.wireshark.org/security/wnpa-sec-2026-01.html
GitLab Issue #20880
 
Wireshark Foundation--Wireshark SOME/IP-SD protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service 2026-01-14 5.3 CVE-2026-0962 https://www.wireshark.org/security/wnpa-sec-2026-03.html
GitLab Issue #20945
 
Wireshark Foundation--Wireshark HTTP3 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.2 allows denial of service 2026-01-14 4.7 CVE-2026-0960 https://www.wireshark.org/security/wnpa-sec-2026-04.html
GitLab Issue #20944
 
wpcenter--AffiliateX Amazon Affiliate Plugin The AffiliateX - Amazon Affiliate Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_customization_settings AJAX action in versions 1.0.0 to 1.3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to store arbitrary JavaScript that executes whenever an AffiliateX block renders on the site. 2026-01-15 6.4 CVE-2025-13859 https://www.wordfence.com/threat-intel/vulnerabilities/id/36d57b8d-7e62-413b-8ea9-87963b8cd469?source=cve
https://plugins.trac.wordpress.org/changeset/3420957/affiliatex/trunk/includes/functions/AjaxFunctions.php
https://plugins.trac.wordpress.org/changeset/3420957/affiliatex/trunk/includes/helpers/class-affiliatex-helpers.php
 
wpchill--Filr Secure document library The Filr - Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload malicious HTML files containing JavaScript that will execute whenever a user accesses the uploaded file, granted they have permission to create or edit posts with the 'filr' post type. 2026-01-17 4.4 CVE-2025-14632 https://www.wordfence.com/threat-intel/vulnerabilities/id/c16c3a8d-bae1-4729-86c8-ec13481ff187?source=cve
https://plugins.trac.wordpress.org/browser/filr-protection/trunk/src/class-filr-uploader.php#L14
https://plugins.trac.wordpress.org/browser/filr-protection/tags/1.2.10/src/class-filr-uploader.php#L14
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3425333%40filr-protection&new=3425333%40filr-protection&sfp_email=&sfph_mail=
 
wpdevelop--Booking Calendar The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the database, including personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other users. 2026-01-16 4.3 CVE-2025-14982 https://www.wordfence.com/threat-intel/vulnerabilities/id/161d92e3-d255-4967-9449-be263a46bec8?source=cve
https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__listing.php#L150
https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__sql.php#L722
https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__sql.php#L918
https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__listing.php#L158
https://plugins.trac.wordpress.org/browser/booking/trunk/core/wpbc-activation.php#L661
https://plugins.trac.wordpress.org/browser/booking/trunk/core/any/class-admin-menu.php#L22
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3432649%40booking%2Ftrunk&old=3416518%40booking%2Ftrunk&sfp_email=&sfph_mail=
https://plugins.trac.wordpress.org/changeset?old_path=%2Fbooking&old=3436482&new_path=%2Fbooking&new=3436482&sfp_email=&sfph_mail=
 
wpdevteam--Essential Addons for Elementor Popular Elementor Templates & Widgets The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eael_product_quickview_popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for products with draft, pending, or private status, which should normally be restricted. 2026-01-16 5.3 CVE-2026-1004 https://www.wordfence.com/threat-intel/vulnerabilities/id/06ef9a21-e2b9-40c7-9de5-cff175fa10a5?source=cve
https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L820
https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L64
https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L65
https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L832
https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L1439
https://github.com/WPDevelopers/essential-addons-for-elementor-lite/commit/4e43db06bcf12870cc3b185ed59b3fe2cd227945
 
wpswings--Wallet System for WooCommerce Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'change_wallet_fund_request_status_callback' function in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to manipulate wallet withdrawal requests and arbitrarily increase their wallet balance or decrease other users' balances. 2026-01-17 6.5 CVE-2025-14450 https://www.wordfence.com/threat-intel/vulnerabilities/id/466a5315-fc05-4b96-9dfd-17862fc406c5?source=cve
https://plugins.trac.wordpress.org/browser/wallet-system-for-woocommerce/trunk/includes/class-wallet-system-ajaxhandler.php#L140
https://plugins.trac.wordpress.org/browser/wallet-system-for-woocommerce/tags/2.7.2/includes/class-wallet-system-ajaxhandler.php#L140
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3435898%40wallet-system-for-woocommerce&new=3435898%40wallet-system-for-woocommerce&sfp_email=&sfph_mail=
 
xiweicheng--TMS A vulnerability was detected in xiweicheng TMS up to 2.28.0. Affected by this issue is the function Upload of the file src/main/java/com/lhjz/portal/controller/FileController.java. The manipulation of the argument filename results in unrestricted upload. The attack may be performed from remote. The exploit is now public and may be used. 2026-01-17 6.3 CVE-2026-1061 VDB-341629 | xiweicheng TMS FileController.java upload unrestricted upload
VDB-341629 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731240 | https://gitee.com/xiweicheng/tms/ Merchant Mall - Mall Development/TMS 1.0 Unrestricted Upload
https://github.com/bkglfpp/CVE-md/blob/main/%E5%95%86%E6%88%B7%E5%95%86%E5%9F%8E%E2%80%94%E5%95%86%E5%9F%8E%E5%BC%80%E5%8F%91tms/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.md
 
xiweicheng--TMS A flaw has been found in xiweicheng TMS up to 2.28.0. This affects the function Summary of the file src/main/java/com/lhjz/portal/util/HtmlUtil.java. This manipulation of the argument url causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been published and may be used. 2026-01-17 6.3 CVE-2026-1062 VDB-341630 | xiweicheng TMS HtmlUtil.java summary server-side request forgery
VDB-341630 | CTI Indicators (IOB, IOC, IOA)
Submit #731241 | https://gitee.com/xiweicheng/tms/ Merchant Mall - Mall Development/TMS 1.0 Server-Side Request Forgery
Submit #731242 | https://gitee.com/xiweicheng/tms/ Merchant Mall - Mall Development/TMS 1.0 Server-Side Request Forgery (Duplicate)
https://github.com/bkglfpp/CVE-md/blob/main/%E5%95%86%E6%88%B7%E5%95%86%E5%9F%8E%E2%80%94%E5%95%86%E5%9F%8E%E5%BC%80%E5%8F%91tms/SSRF%EF%BC%881%EF%BC%89.md
https://github.com/bkglfpp/CVE-md/blob/main/%E5%95%86%E6%88%B7%E5%95%86%E5%9F%8E%E2%80%94%E5%95%86%E5%9F%8E%E5%BC%80%E5%8F%91tms/SSRF%EF%BC%882%EF%BC%89.md
 
Xmind--Xmind Xmind 2020 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into mind mapping files or custom headers. Attackers can craft malicious files with embedded JavaScript that execute system commands when opened, enabling remote code execution through mouse interactions or file opening. 2026-01-16 6.1 CVE-2021-47844 ExploitDB-49827
Official Xmind Product Homepage
Proof of Concept Video
VulnCheck Advisory: Xmind 2020 - Persistent Cross-Site Scripting
 
YouPHPTube--YouPHPTube YouPHPTube <= 7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the 'lang' parameter in GET requests. Attackers can exploit the path traversal flaw in locale/function.php to include and view PHP files outside the intended directory by using directory traversal sequences. 2026-01-13 6.2 CVE-2021-47749 ExploitDB-51101
Archived YouPHPTube Homepage
VulnCheck Advisory: YouPHPTube <= 7.8 - Directory Traversal
 
YouPHPTube--YouPHPTube YouPHPTube <= 7.8 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the redirectUri parameter in the signup page. Attackers can craft special signup URLs with embedded script tags to execute arbitrary JavaScript in victims' browsers when they access the signup page. 2026-01-13 6.1 CVE-2021-47750 ExploitDB-51101
Archived YouPHPTube Homepage
VulnCheck Advisory: YouPHPTube <= 7.8 - Cross-Site Scripting
 
zealopensource--User Registration Using Contact Form 7 The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_cf7_form_data' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve form settings which includes Facebook app secrets. 2026-01-17 5.3 CVE-2025-12825 https://www.wordfence.com/threat-intel/vulnerabilities/id/b49978c1-9254-4229-8d32-e12896301f3d?source=cve
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3433276%40user-registration-using-contact-form-7&new=3433276%40user-registration-using-contact-form-7&sfp_email=&sfph_mail=
 
Zippy--Zstore Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads in manual insertion points to execute arbitrary JavaScript code in victim's browser context. 2026-01-13 6.1 CVE-2023-53985 ExploitDB-51207
Zstore/Zippy-CRM Product Homepage
Zstore/Zippy-CRM GitHub Repository
Vulnerability Reproduction Repository
VulnCheck Advisory: Zstore 6.5.4 - Reflected Cross-Site Scripting (XSS)
 
zitadel--zitadel ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs. This vulnerability is fixed in 4.9.1 and 3.4.6. 2026-01-15 5.3 CVE-2026-23511 https://github.com/zitadel/zitadel/security/advisories/GHSA-pvm5-9frx-264r
https://github.com/zitadel/zitadel/commit/b85ab69e4679b0268e2b0e9b4cd04e934af10dd2
https://github.com/zitadel/zitadel/commit/c300d4cc6a2775ab17ddfe76492f24170f8b858d
https://github.com/zitadel/zitadel/releases/tag/v3.4.6
https://github.com/zitadel/zitadel/releases/tag/v4.9.1
 
Zohocorp--ManageEngine ADManager Plus Zohocorp ManageEngine ADManager Plus versions below 7230 are vulnerable to Path Traversal in the User Management module 2026-01-13 5.5 CVE-2025-9435 https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2025-9435.html
 

Back to top

Low Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
andy_moyle--Church Admin The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. 2026-01-17 2.2 CVE-2026-0682 https://www.wordfence.com/threat-intel/vulnerabilities/id/77227fc5-7c38-476d-af4c-4b2ad3dd8420?source=cve
https://plugins.trac.wordpress.org/browser/church-admin/trunk/includes/sermon-podcast.php#L1181
https://plugins.trac.wordpress.org/browser/church-admin/tags/5.0.27/includes/sermon-podcast.php#L1181
https://plugins.trac.wordpress.org/browser/church-admin/trunk/includes/functions.php#L6297
https://plugins.trac.wordpress.org/browser/church-admin/tags/5.0.27/includes/functions.php#L6297
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3440847%40church-admin&new=3440847%40church-admin&sfp_email=&sfph_mail=
 
bestpractical--Request Tracker Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used. 2026-01-16 2.6 CVE-2025-61873 https://docs.bestpractical.com/release-notes/rt/index.html
 
Fortinet--FortiSandbox A Server-Side Request Forgery (SSRF) vulnerability [CWE-918] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.4, FortiSandbox 4.4 all versions, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated attacker to proxy internal requests limited to plaintext endpoints only via crafted HTTP requests. 2026-01-13 3.4 CVE-2025-67685 https://fortiguard.fortinet.com/psirt/FG-IR-25-783
 
glenwpcoder--Drag and Drop Multiple File Upload for Contact Form 7 The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.9.2. This makes it possible for unauthenticated attackers to delete arbitrary uploaded files when the "Send attachments as links" setting is enabled. 2026-01-15 3.7 CVE-2025-14457 https://www.wordfence.com/threat-intel/vulnerabilities/id/1a182243-b24a-4c46-8b65-6b38d8509a51?source=cve
https://plugins.trac.wordpress.org/changeset/3428236/drag-and-drop-multiple-file-upload-contact-form-7
 
Lenovo--Tab M11 TB330FU TB330XU A potential missing authentication vulnerability was reported in some Lenovo Tablets that could allow an unauthorized user with physical access to modify Control Center settings if the device is locked when the "Allow Control Center access when locked" option is disabled. 2026-01-14 3.2 CVE-2025-14058 https://support.lenovo.com/us/en/product_security/LEN-207951
 
Mattermost--Mattermost Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens 2026-01-16 3.1 CVE-2025-14822 https://mattermost.com/security-updates
 
n/a--LigeroSmart A weakness has been identified in LigeroSmart up to 6.1.26. Impacted is an unknown function of the file /otrs/index.pl?Action=AgentTicketZoom. This manipulation of the argument TicketID causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. 2026-01-17 3.5 CVE-2026-1048 VDB-341600 | LigeroSmart index.pl cross site scripting
VDB-341600 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #729399 | LigeroSmart 6.1.26 Cross Site Scripting
https://github.com/LigeroSmart/ligerosmart/issues/279
https://github.com/LigeroSmart/ligerosmart/issues/279#issue-3775562926
 
n/a--LigeroSmart A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. Such manipulation of the argument TicketID leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-01-17 3.5 CVE-2026-1049 VDB-341601 | LigeroSmart index.pl cross site scripting
VDB-341601 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #729402 | LigeroSmart 6.1.26 Cross Site Scripting
https://github.com/LigeroSmart/ligerosmart/issues/280
https://github.com/LigeroSmart/ligerosmart/issues/280#issue-3776580352
 
nicbarker--clay A security flaw has been discovered in nicbarker clay up to 0.14. This affects the function Clay__MeasureTextCached in the library clay.h. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. 2026-01-18 3.3 CVE-2025-15535 VDB-341707 | nicbarker clay clay.h Clay__MeasureTextCached null pointer dereference
VDB-341707 | CTI Indicators (IOB, IOC, IOA)
Submit #733346 | nicbarker clay v0.14 and master-branch Memory Corruption
https://github.com/nicbarker/clay/issues/566
https://github.com/oneafter/1215/blob/main/repro
 
nodejs--undici Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0. 2026-01-14 3.7 CVE-2026-22036 https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9
https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3
 
Red Hat--Red Hat Build of Keycloak A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments, potentially bypassing proxy-level path filtering. This could expose administrative or sensitive endpoints that operators believe are not externally reachable. 2026-01-15 3.7 CVE-2026-0976 https://access.redhat.com/security/cve/CVE-2026-0976
RHBZ#2429869
 
Red Hat--Red Hat Enterprise Linux 10 A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk. 2026-01-15 3.7 CVE-2026-0989 https://access.redhat.com/security/cve/CVE-2026-0989
RHBZ#2429933
 
Red Hat--Red Hat Enterprise Linux 10 A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition. 2026-01-15 2.9 CVE-2026-0992 https://access.redhat.com/security/cve/CVE-2026-0992
RHBZ#2429975
 
SAP_SE--NW AS Java UME User Mapping The User Management Engine (UME) in NetWeaver Application Server for Java (NW AS Java) utilizes an obsolete cryptographic algorithm for encrypting User Mapping data. This weakness could allow an attacker with high-privileged access to exploit the vulnerability under specific conditions potentially leading to partial disclosure of sensitive information.This has low impact on confidentiality with no impact on integrity and availability of the application. 2026-01-13 3 CVE-2026-0510 https://me.sap.com/notes/3593356
https://url.sap/sapsecuritypatchday
 
SAP_SE--SAP Identity Management Due to insufficient input handling, the SAP Identity Management REST interface allows an authenticated administrator to submit specially crafted malicious REST requests that are processed by JNDI operations without adequate input neutralization. This may lead to limited disclosure or modification of data, resulting in low impact on confidentiality and integrity, with no impact on application availability. 2026-01-13 3.8 CVE-2026-0504 https://me.sap.com/notes/3657998
https://url.sap/sapsecuritypatchday
 
SICK AG--TDC-X401GL An attacker with administrative access may inject malicious content into the login page, potentially enabling cross-site scripting (XSS) attacks, leading to the extraction of sensitive data. 2026-01-15 3.8 CVE-2026-22919 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf
 
SICK AG--TDC-X401GL The device's passwords have not been adequately salted, making them vulnerable to password extraction attacks. 2026-01-15 3.7 CVE-2026-22920 https://sick.com/psirt
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf
 
THM-Health--PILOS PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.10.0, Cross-Site Request Forgery (CSRF) vulnerability exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. The affected endpoint performs a destructive action but is exposed via an HTTP GET request. Although proper authorization checks are enforced and the endpoint cannot be triggered cross-site, the use of GET allows the action to be implicitly invoked through same-site content (e.g. embedded resources rendered within the application). As a result, an authenticated administrator who views crafted content within the application may unknowingly trigger the endpoint, causing all active video conferences on the server to be terminated without explicit intent or confirmation. This vulnerability is fixed in 4.10.0. 2026-01-12 2.4 CVE-2026-22800 https://github.com/THM-Health/PILOS/security/advisories/GHSA-r24c-9p4j-rqw9
https://github.com/THM-Health/PILOS/commit/d9ab9bb7ac0a8581c25e24cb7db2152d40be4d1b
 
WeblateOrg--wlc wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0. 2026-01-12 2.5 CVE-2026-22250 https://github.com/WeblateOrg/wlc/security/advisories/GHSA-2mmv-7rrp-g8xh
https://github.com/WeblateOrg/wlc/pull/1097
https://github.com/WeblateOrg/wlc/commit/a513864ec4daad00146e6d6e039559726e256fa3
 

Back to top

Severity Not Yet Assigned

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
AbhishekMali21--AbhishekMali21 Multiple SQL Injection vulnerabilities exist in AbhishekMali21 GYM-MANAGEMENT-SYSTEM 1.0 via the 'name' parameter in (1) member_search.php, (2) trainer_search.php, and (3) gym_search.php, and via the 'id' parameter in (4) payment_search.php. An unauthenticated remote attacker can exploit these issues to inject malicious SQL commands, leading to unauthorized data extraction, authentication bypass, or modification of database contents. 2026-01-12 not yet calculated CVE-2025-67146 https://github.com/AbhishekMali21/GYM-MANAGEMENT-SYSTEM/issues/4
 
AbhishekMali21--AbhishekMali21 Multiple SQL Injection vulnerabilities exist in amansuryawanshi Gym-Management-System-PHP 1.0 via the 'name', 'email', and 'comment' parameters in (1) submit_contact.php, the 'username' and 'pass_key' parameters in (2) secure_login.php, and the 'login_id', 'pwfield', and 'login_key' parameters in (3) change_s_pwd.php. An unauthenticated or authenticated attacker can exploit these issues to bypass authentication, execute arbitrary SQL commands, modify database records, delete data, or escalate privileges to administrator level. 2026-01-12 not yet calculated CVE-2025-67147 https://github.com/amansuryawanshi/Gym-Management-System-PHP/issues/3
 
Absolute Security--Secure Access CVE-2026-0517 is a denial-of-service vulnerability in versions of Secure Access Server prior to 14.20. An attacker can send a specially crafted packet to a server and cause the server to crash 2026-01-17 not yet calculated CVE-2026-0517 https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-0517
 
Absolute Security--Secure Access CVE-2026-0518 is a cross-site scripting vulnerability in versions of Secure Access prior to 14.20. An attacker with administrative privileges can interfere with another administrator's use of the console. 2026-01-17 not yet calculated CVE-2026-0518 https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-0518
 
Absolute Security--Secure Access In Secure Access 12.70 and prior to 14.20, the logging subsystem may write an unredacted authentication token to logs under certain configurations. Any party with access to those logs could read the token and reuse it to access an integrated system. 2026-01-17 not yet calculated CVE-2026-0519 https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-0519
 
Acora--Acora A static password reset token in the password reset function of DDSN Interactive Acora CMS v10.7.1 allows attackers to arbitrarily reset the user password and execute a full account takeover via a replay attack. 2026-01-12 not yet calculated CVE-2025-63314 http://ddsn.com
http://acora.com
https://github.com/padayali-JD/CVE-2025-63314
 
adonisjs--lucid @adonisjs/lucid is an SQL ORM for AdonisJS built on top of Knex. Prior to 21.8.2 and 22.0.0-next.6, there is a Mass Assignment vulnerability in AdonisJS Lucid which may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6. 2026-01-13 not yet calculated CVE-2026-22814 https://github.com/adonisjs/lucid/security/advisories/GHSA-g5gc-h5hp-555f
 
Airth--Airth An issue in AIRTH SMART HOME AQI MONITOR Bootloader v.1.005 allows a physically proximate attacker to obtain sensitive information via the UART port of the BK7231N controller (Wi-Fi and BLE module) on the device is open to access 2026-01-14 not yet calculated CVE-2025-67399 http://airth.com
https://github.com/rupeshsurve04/CVE-2025-67399/blob/main/AIRTH_SMART_HOME_AQI_MONITOR_CVE-2025-67399.pdf
 
akinloluwami--outray Outray openSource ngrok alternative. Prior to 0.1.5, a TOCTOU race condition vulnerability allows a user to exceed the set number of active tunnels in their subscription plan. This vulnerability is fixed in 0.1.5. 2026-01-14 not yet calculated CVE-2026-22820 https://github.com/outray-tunnel/outray/security/advisories/GHSA-3pqc-836w-jgr7
https://github.com/outray-tunnel/outray/commit/08c61495761349e7fd2965229c3faa8d7b1c1581
 
alextselegidis--easyappointments Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover. 2026-01-15 not yet calculated CVE-2026-23622 https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-54v4-4685-vwrj
 
AltumCode--AltumCode Cross Site Scripting vulnerability in 66biolinks by AltumCode v.61.0.1 allows an attacker to execute arbitrary code via a crafted favicon file 2026-01-12 not yet calculated CVE-2025-66939 https://66biolinks.com/
https://gist.github.com/Waqar-Arain/2a21b135a04e7804c124688ea1085875
 
AMD--AMD EPYC 9004 Series Processors Write what were condition within AMD CPUs may allow an admin-privileged attacker to modify the configuration of the CPU pipeline potentially resulting in the corruption of the stack pointer inside an SEV-SNP guest. 2026-01-16 not yet calculated CVE-2025-29943 https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3027.html
 
anomalyco--opencode OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response for a chat session gets JavaScript execution on the http://localhost:4096 origin. This vulnerability is fixed in 1.1.10. 2026-01-12 not yet calculated CVE-2026-22813 https://github.com/anomalyco/opencode/security/advisories/GHSA-c83v-7274-4vgp
 
Anycomment--Anycomment Cross Site Scripting vulnerability in Anycomment anycomment.io 0.4.4 allows a remote attacker to execute arbitrary code via the Anycomment comment section 2026-01-15 not yet calculated CVE-2025-67025 https://bdu.fstec.ru/vul/2023-08900
https://anycomment.io/site/changelog
 
Apache Software Foundation--Apache Airflow In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display. Users are recommended to upgrade to 3.1.6 or later, which fixes this issue 2026-01-16 not yet calculated CVE-2025-68438 https://lists.apache.org/thread/55n7b4nlsz3vo5n4h5lrj9bfsk8ctyff
 
Apache Software Foundation--Apache Airflow In Apache Airflow versions before 3.1.6, the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed. Users are recommended to upgrade to 3.1.6 or later, which fixes this issue 2026-01-16 not yet calculated CVE-2025-68675 https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5
 
Apache Software Foundation--Apache bRPC Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platforms allows attacker to inject remote command. Root Cause: The bRPC heap profiler built-in service (/pprof/heap) does not validate the user-provided extra_options parameter and executes it as a command-line argument. Attackers can execute remote commands using the extra_options parameter.. Affected scenarios: Use the built-in bRPC heap profiler service to perform jemalloc memory profiling. How to Fix: we provide two methods, you can choose one of them: 1. Upgrade bRPC to version 1.15.0. 2. Apply this patch ( https://github.com/apache/brpc/pull/3101 ) manually. 2026-01-16 not yet calculated CVE-2025-60021 https://lists.apache.org/thread/xy51d2fx6drzhfp92xptsx5845q7b37m
 
Apache Software Foundation--Apache Camel Neo4j Cypher Injection vulnerability in Apache Camel camel-neo4j component. This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.3, from 4.15.0 before 4.17.0 Users are recommended to upgrade to version 4.10.8 for 4.10.x LTS and 4.14.3 for 4.14.x LTS and 4.17.0. 2026-01-14 not yet calculated CVE-2025-66169 https://camel.apache.org/security/CVE-2025-66169.html
 
Apple--iOS and iPadOS The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1. An app may be able to corrupt coprocessor memory. 2026-01-16 not yet calculated CVE-2024-44238 https://support.apple.com/en-us/121563
 
Apple--iOS and iPadOS This issue was addressed through improved state management. This issue is fixed in iOS 18.1 and iPadOS 18.1. A user may be able to view restricted content from the lock screen. 2026-01-16 not yet calculated CVE-2024-54556 https://support.apple.com/en-us/121563
 
Apple--iOS and iPadOS A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.3 and iPadOS 18.3. An app may be able to enumerate a user's installed apps. 2026-01-16 not yet calculated CVE-2025-24089 https://support.apple.com/en-us/122066
 
Apple--iOS and iPadOS A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.3 and iPadOS 18.3. An app may be able to enumerate a user's installed apps. 2026-01-16 not yet calculated CVE-2025-24090 https://support.apple.com/en-us/122066
 
Apple--macOS This issue was addressed with improved permissions checking. This issue is fixed in macOS Sequoia 15.1. An app may be able to access user-sensitive data. 2026-01-16 not yet calculated CVE-2024-44210 https://support.apple.com/en-us/121564
 
Apple--macOS A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. 2026-01-16 not yet calculated CVE-2025-43508 https://support.apple.com/en-us/125634
 
Apple--Xcode A permissions issue was addressed with additional restrictions. This issue is fixed in Xcode 16.3. An app may be able to bypass Privacy preferences. 2026-01-16 not yet calculated CVE-2025-31186 https://support.apple.com/en-us/122380
 
Arm--Neoverse-N2 In certain Arm CPUs, a CPP RCTX instruction executed on one Processing Element (PE) may inhibit TLB invalidation when a TLBI is issued to the PE, either by the same PE or another PE in the shareability domain. In this case, the PE may retain stale TLB entries which should have been invalidated by the TLBI. 2026-01-14 not yet calculated CVE-2025-0647 https://developer.arm.com/documentation/111546
 
Assaf Parag--Poll, Survey & Quiz Maker Plugin by Opinion Stage Poll, Survey & Quiz Maker Plugin by Opinion Stage Wordpress plugin versions prior to 19.6.25 contain a stored cross-site scripting (XSS) vulnerability via multiple parameters due to insufficient input validation and output escaping. An unauthenticated attacker can inject arbitrary script into content that executes when a victim views an affected page. 2026-01-16 not yet calculated CVE-2019-25297 https://wpscan.com/vulnerability/4ed1edd6-3813-44a3-bee7-f07c1774b679/
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/social-polls-by-opinionstage/poll-survey-quiz-maker-plugin-by-opinion-stage-19625-unauthenticated-stored-cross-site-scripting
https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-poll-survey-form-quiz-maker-by-opinionstage-cross-site-scripting-19-6-24/
https://wordpress.org/plugins/social-polls-by-opinionstage/
https://plugins.trac.wordpress.org/changeset/2158590/social-polls-by-opinionstage
https://web.archive.org/web/20191020011448/https://www.pluginvulnerabilities.com/2019/09/16/hackers-may-already-be-targeting-this-persistent-xss-vulnerability-in-poll-survey-form-quiz-maker-by-opinionstage/
https://www.vulncheck.com/advisories/poll-survey-and-quiz-maker-plugin-by-opinion-stage-stored-xss
 
Automai--Automai An issue in Automai Director v.25.2.0 allows a remote attacker to escalate privileges 2026-01-12 not yet calculated CVE-2025-46066 https://www.automai.com/
https://gist.github.com/ZeroBreach-GmbH/4e325d09d08e16efb506076da2184f42
 
Automai--Automai An issue in Automai Director v.25.2.0 allows a remote attacker to escalate privileges and obtain sensitive information via a crafted js file 2026-01-12 not yet calculated CVE-2025-46067 https://www.automai.com/
https://gist.github.com/ZeroBreach-GmbH/98204cff0065e611cf9e9acc3be59e03
 
Automai--Automai An issue in Automai Director v.25.2.0 allows a remote attacker to execute arbitrary code via the update mechanism 2026-01-12 not yet calculated CVE-2025-46068 https://www.automai.com/
https://gist.github.com/ZeroBreach-GmbH/00ea6cce1299e1d999b5d1faac4248f1
 
Automai--Automai An issue in Automai BotManager v.25.2.0 allows a remote attacker to execute arbitrary code via the BotManager.exe component 2026-01-12 not yet calculated CVE-2025-46070 https://www.automai.com/
https://gist.github.com/ZeroBreach-GmbH/776dd7e927d9b2f8ef10807abe124f8e
 
bee interactive--Livewire Filemanager Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious php file that can then be executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed. 2026-01-16 not yet calculated CVE-2025-14894 https://github.com/livewire-filemanager/filemanager
https://hackingbydoing.wixsite.com/hackingbydoing/post/unauthenticated-rce-in-livewire-filemanager
 
Bluspark Global--BLUVOYIX The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform. 2026-01-14 not yet calculated CVE-2026-22236 https://blusparkglobal.com/bluvoyix/
 
Bluspark Global--BLUVOYIX The vulnerability exists in BLUVOYIX due to the exposure of sensitive internal API documentation. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the APIs exposed by the documentation. Successful exploitation of this vulnerability could allow the attacker to cause damage to the targeted platform by abusing internal functionality. 2026-01-14 not yet calculated CVE-2026-22237 https://blusparkglobal.com/bluvoyix/
 
Bluspark Global--BLUVOYIX The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to create a new user with admin privileges. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in to the newly-created admin user. 2026-01-14 not yet calculated CVE-2026-22238 https://blusparkglobal.com/bluvoyix/
 
Bluspark Global--BLUVOYIX The vulnerability exists in BLUVOYIX due to design flaws in the email sending API. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable email sending API. Successful exploitation of this vulnerability could allow the attacker to send unsolicited emails to anyone on behalf of the company. 2026-01-14 not yet calculated CVE-2026-22239 https://blusparkglobal.com/bluvoyix/
 
Bluspark Global--BLUVOYIX The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API to retrieve the plaintext passwords of all user users. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in using an exposed admin email address and password. 2026-01-14 not yet calculated CVE-2026-22240 https://blusparkglobal.com/bluvoyix/
 
Broadcom--DX NetOps Spectrum Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Path Traversal.This issue affects DX NetOps Spectrum: 24.3.8 and earlier. 2026-01-12 not yet calculated CVE-2025-69267 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756
 
Broadcom--DX NetOps Spectrum Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Reflected XSS.This issue affects DX NetOps Spectrum: 24.3.8 and earlier. 2026-01-12 not yet calculated CVE-2025-69268 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756
 
Broadcom--DX NetOps Spectrum Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows OS Command Injection.This issue affects DX NetOps Spectrum: 23.3.6 and earlier. 2026-01-12 not yet calculated CVE-2025-69269 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756
 
Broadcom--DX NetOps Spectrum Information Exposure Through Query Strings in GET Request vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Session Hijacking.This issue affects DX NetOps Spectrum: 24.3.8 and earlier. 2026-01-12 not yet calculated CVE-2025-69270 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756
 
Broadcom--DX NetOps Spectrum Insufficiently Protected Credentials vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Sniffing Attacks.This issue affects DX NetOps Spectrum: 24.3.13 and earlier. 2026-01-12 not yet calculated CVE-2025-69271 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756
 
Broadcom--DX NetOps Spectrum Cleartext Transmission of Sensitive Information vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Sniffing Attacks.This issue affects DX NetOps Spectrum: 21.2.1 and earlier. 2026-01-12 not yet calculated CVE-2025-69272 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756
 
Broadcom--DX NetOps Spectrum Improper Authentication vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Authentication Bypass.This issue affects DX NetOps Spectrum: 24.3.10 and earlier. 2026-01-12 not yet calculated CVE-2025-69273 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756
 
Broadcom--DX NetOps Spectrum Authorization Bypass Through User-Controlled Key vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Privilege Escalation.This issue affects DX NetOps Spectrum: 24.3.10 and earlier. 2026-01-12 not yet calculated CVE-2025-69274 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756
 
Broadcom--DX NetOps Spectrum Dependency on Vulnerable Third-Party Component vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows DOM-Based XSS.This issue affects DX NetOps Spectrum: 24.3.9 and earlier. 2026-01-12 not yet calculated CVE-2025-69275 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756
 
Broadcom--DX NetOps Spectrum Deserialization of Untrusted Data vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Object Injection.This issue affects DX NetOps Spectrum: 24.3.13 and earlier. 2026-01-12 not yet calculated CVE-2025-69276 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756
 
calcom--cal.com Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7. 2026-01-13 not yet calculated CVE-2026-23478 https://github.com/calcom/cal.com/security/advisories/GHSA-7hg4-x4pr-3hrg
 
Chainlit--Chainlit Chainlit versions prior to 2.8.5 contain an authorization bypass through user-controlled key vulnerability. If this vulnerability is exploited, threads may be viewed or thread ownership may be obtained by an attacker who can log in to the product. 2026-01-14 not yet calculated CVE-2025-68492 https://github.com/Chainlit/chainlit/releases
https://jvn.jp/en/jp/JVN34964581/
 
Chamillo--Chamillo An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personal_data endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the browser back button restores all personal data, allowing unauthorized users on the same device to view confidential information. This leads to profiling, impersonation, targeted attacks, and significant privacy risks. 2026-01-16 not yet calculated CVE-2025-69581 https://github.com/chamilo/chamilo-lms
https://github.com/Rivek619/CVE-2025-69581
 
Changjetong Information Technology Co., Ltd.--T+ Changjetong T+ versions up to and including 16.x contain a .NET deserialization vulnerability in an AjaxPro endpoint that can lead to remote code execution. A remote attacker can send a crafted request to /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore with a malicious JSON body that leverages deserialization of attacker-controlled .NET types to invoke arbitrary methods such as System.Diagnostics.Process.Start. This can result in execution of arbitrary commands in the context of the T+ application service account. Exploitation evidence was observed by the Shadowserver Foundation on 2023-08-19 (UTC). 2026-01-15 not yet calculated CVE-2023-7334 https://www.chanjetvip.com/product/goods/detail?id=6077e91b70fa071069139f62
https://www.freebuf.com/articles/web/381731.html
https://blog.csdn.net/qq_53003652/article/details/134031230
https://blog.csdn.net/u010025272/article/details/131553591
https://github.com/MD-SEC/MDPOCS/blob/main/ChangJieTongTPlus_GetStoreWarehouseByStore_Rce_Poc.py
https://www.vulncheck.com/advisories/changjetong-tplus-getstorewarehousebystore-deserialization-rce
 
cursor--cursor Cursor is a code editor built for programming with AI. Prior to 2.3, hen the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shell built-ins can still be executed without appearing in the allowlist and without requiring user approval. This allows an attacker via indirect or direct prompt injection to poison the shell environment by setting, modifying, or removing environment variables that influence trusted commands. This vulnerability is fixed in 2.3. 2026-01-14 not yet calculated CVE-2026-22708 https://github.com/cursor/cursor/security/advisories/GHSA-82wg-qcm4-fp2w
 
Cyber Cafe--Cyber Cafe A stored cross-site scripting (XSS) vulnerability exists in Cyber Cafe Management System v1.0. An authenticated attacker can inject arbitrary JavaScript code into the username parameter via the add-users.php endpoint. The injected payload is stored and executed in the victim s browser when the affected page is accessed. 2026-01-15 not yet calculated CVE-2025-70890 https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/
https://github.com/efekaanakkar/Cyber-Cafe-Management-System-CVEs/tree/main/CVE-2025-70890
 
Cyber Cafe--Cyber Cafe A stored cross-site scripting (XSS) vulnerability exists in Phpgurukul Cyber Cafe Management System v1.0 within the user management module. The application does not properly sanitize or encode user-supplied input submitted via the uadd parameter in the add-users.php endpoint. An authenticated attacker can inject arbitrary JavaScript code that is persistently stored in the database. The malicious payload is triggered when a privileged user clicks the View button on the view-allusers.php page. 2026-01-15 not yet calculated CVE-2025-70891 https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql
https://github.com/efekaanakkar/Cyber-Cafe-Management-System-CVEs/tree/main/CVE-2025-70891
 
Cyber Cafe--Cyber Cafe Phpgurukul Cyber Cafe Management System v1.0 contains a SQL Injection vulnerability in the user management module. The application fails to properly validate user-supplied input in the username parameter of the add-users.php endpoint. 2026-01-15 not yet calculated CVE-2025-70892 https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/
https://github.com/efekaanakkar/Cyber-Cafe-Management-System-CVEs/tree/main/CVE-2025-70892
 
Cyber Cafe--Cyber Cafe A time-based blind SQL Injection vulnerability exists in PHPGurukul Cyber Cafe Management System v1.0 within the adminprofile.php endpoint. The application fails to properly sanitize user-supplied input provided via the adminname parameter, allowing authenticated attackers to inject arbitrary SQL expressions. 2026-01-15 not yet calculated CVE-2025-70893 https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/
https://github.com/efekaanakkar/Cyber-Cafe-Management-System-CVEs/tree/main/CVE-2025-70893
 
dask--distributed Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-side-scripting (XSS) bug in the Dask dashboard. It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the Dask Dashboard via the Jupyter Lab proxy which will cause code to be executed by the default Jupyter Python kernel. This vulnerability is fixed in 2026.1.0. 2026-01-16 not yet calculated CVE-2026-23528 https://github.com/dask/distributed/security/advisories/GHSA-c336-7962-wfj2
https://github.com/dask/distributed/commit/ab72092a8a938923c2bb51a2cd14ca26614827fa
 
DataDog--guarddog GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, GuardDog's safe_extract() function does not validate decompressed file sizes when extracting ZIP archives (wheels, eggs), allowing attackers to cause denial of service through zip bombs. A malicious package can consume gigabytes of disk space from a few megabytes of compressed data. This vulnerability is fixed in 2.7.1. 2026-01-13 not yet calculated CVE-2026-22870 https://github.com/DataDog/guarddog/security/advisories/GHSA-ffj4-jq7m-9g6v
https://github.com/DataDog/guarddog/commit/c3fb07b4838945f42497e78b7a02bcfb1e63969b
 
DataDog--guarddog GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, there is a path traversal vulnerability exists in GuardDog's safe_extract() function that allows malicious PyPI packages to write arbitrary files outside the intended extraction directory, leading to Arbitrary File Overwrite and Remote Code Execution on systems running GuardDog. This vulnerability is fixed in 2.7.1. 2026-01-13 not yet calculated CVE-2026-22871 https://github.com/DataDog/guarddog/security/advisories/GHSA-xg9w-vg3g-6m68
https://github.com/DataDog/guarddog/commit/9aa6a725b2c71d537d3c18d1c15621395ebb879c
 
defenseunicorns--pepr Pepr is a type safe K8s middleware. Prior to 1.0.5 , Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors. The default behavior exists to make the "getting started" experience smooth: new users can experiment with Pepr and create resources dynamically without needing to pre-configure RBAC. This vulnerability is fixed in 1.0.5. 2026-01-16 not yet calculated CVE-2026-23634 https://github.com/defenseunicorns/pepr/security/advisories/GHSA-w54x-r83c-x79q
https://github.com/defenseunicorns/pepr/releases/tag/v1.0.5
 
denoland--deno Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to learn the server secrets. This vulnerability is fixed in 2.6.0. 2026-01-15 not yet calculated CVE-2026-22863 https://github.com/denoland/deno/security/advisories/GHSA-5379-f5hf-w38v
https://github.com/denoland/deno/releases/tag/v2.6.0
 
Drupal--Facebook Pixel Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Facebook Pixel facebook_pixel allows Stored XSS.This issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1. 2026-01-14 not yet calculated CVE-2025-14557 https://www.herodevs.com/vulnerability-directory/cve-2025-14557
https://d7es.tag1.com/security-advisories/facebook-pixel-less-critical-cross-site-scripting
 
Drupal--Flag Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Flag allows Cross-Site Scripting (XSS).This issue affects Flag: from 7.X-3.0 through 7.X-3.9. 2026-01-14 not yet calculated CVE-2025-14556 https://www.herodevs.com/vulnerability-directory/cve-2025-14556
https://d7es.tag1.com/security-advisories/flag-moderately-critical-cross-site-scripting-backdrop-sa-contrib-2025-011
 
Eclipse Vert.x--Eclipse Vert.x The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895 Steps to reproduce Given a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html Mitgation Disabling Static Handler cache fixes the issue. StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false); 2026-01-15 not yet calculated CVE-2026-1002 https://github.com/eclipse-vertx/vert.x/pull/5895
 
eigent-ai--eigent Eigent is a multi-agent Workforce. A critical security vulnerability in the CI workflow (.github/workflows/ci.yml) allows arbitrary code execution from fork pull requests with repository write permissions. The vulnerable workflow uses pull_request_target trigger combined with checkout of untrusted PR code. An attacker can exploit this to steal credentials, post comments, push code, or create releases. 2026-01-13 not yet calculated CVE-2026-22869 https://github.com/eigent-ai/eigent/security/advisories/GHSA-gvh4-93cq-5xxp
https://github.com/eigent-ai/eigent/pull/836
https://github.com/eigent-ai/eigent/pull/837
https://github.com/eigent-ai/eigent/commit/bf02500bbbab0f01cd0ed8e6dc21fe5683d6bfb5
 
eKoopmans--html2pdf.js html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. This vulnerability has been fixed in html2pdf.js@0.14.0. 2026-01-14 not yet calculated CVE-2026-22787 https://github.com/eKoopmans/html2pdf.js/security/advisories/GHSA-w8x4-x68c-m6fc
https://github.com/eKoopmans/html2pdf.js/issues/865
https://github.com/eKoopmans/html2pdf.js/pull/877
https://github.com/eKoopmans/html2pdf.js/commit/988826e336035b39a8608182d7b73c0e3cd78c7b
https://github.com/eKoopmans/html2pdf.js/releases/tag/v0.14.0
 
Emaintenance--Crazy Bubble Tea In Crazy Bubble Tea mobile application authenticated attacker can obtain personal information about other users by enumerating a `loyaltyGuestId` parameter. Server does not verify the permissions required to obtain the data. This issue was fixed in version 915 (Android) and 7.4.1 (iOS). 2026-01-14 not yet calculated CVE-2025-14317 https://crazybubble.pl/aplikacja-crazy-bubble/
https://cert.pl/posts/2026/01/CVE-2025-14317
 
emlog--emlog Emlog is an open source website building system. emlog v2.6.1 and earlier exposes a REST API endpoint (/index.php?rest-api=upload) for media file uploads. The endpoint fails to implement proper validation of file types, extensions, and content, allowing authenticated attackers (with a valid API key or admin session cookie) to upload arbitrary files (including malicious PHP scripts) to the server. An attacker can obtain the API key either by gaining administrator access to enable the REST API setting, or via information disclosure vulnerabilities in the application. Once uploaded, the malicious PHP file can be executed to gain remote code execution (RCE) on the target server, leading to full server compromise. 2026-01-12 not yet calculated CVE-2026-22799 https://github.com/emlog/emlog/security/advisories/GHSA-p837-mrw9-5x5j
https://github.com/emlog/emlog/commit/429b02fda842254b9b9b39303e9161999c180560
 
Enhancesoft--osTicket Enhancesoft osTicket versions 1.18.3 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled. 2026-01-12 not yet calculated CVE-2026-22200 https://github.com/osTicket/osTicket/releases/tag/v1.18.3
https://github.com/osTicket/osTicket/commit/c59b067
https://www.vulncheck.com/advisories/osticket-pdf-export-arbitrary-file-read
 
Entrust Corporation--Instant Financial Issuance (IF) Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCardControllerService.exe). The service registers a TCP remoting channel with unsafe formatter/settings that permit untrusted remoting object invocation. A remote, unauthenticated attacker who can reach the remoting port can invoke exposed remoting objects to read arbitrary files from the server and coerce outbound authentication, and may achieve arbitrary file write and remote code execution via known .NET Remoting exploitation techniques. This can lead to disclosure of sensitive installation and service-account data and compromise of the affected host. 2026-01-15 not yet calculated CVE-2026-23746 https://www.entrust.com/products/issuance-systems/instant/financial-card
https://trustedcare.entrust.com/s/article/E26-001-NET-Remoting-Vulnerabilities-in-the-Smart-Card-Controller-Service-of-the-Instant-Financial-Issuance-On-Premise-Software
https://www.vulncheck.com/advisories/entrust-ifi-smartcardcontroller-service-net-remoting-rce
 
Eptura Archibuss--Eptura Archibus In Eptura Archibus 2024.03.01.109, the "Run script" and "Server File" components of the "Database Update Wizard" are vulnerable to directory traversal. 2026-01-13 not yet calculated CVE-2025-25652 https://eptura.com/our-platform/archibus/
https://packetstorm.news/files/id/213675
 
Eramba-Eramba A CORS misconfiguration in Eramba Community and Enterprise Editions v3.26.0 allows an attacker-controlled Origin header to be reflected in the Access-Control-Allow-Origin response along with Access-Control-Allow-Credentials: true. This permits malicious third-party websites to perform authenticated cross-origin requests against the Eramba API, including endpoints like /system-api/login and /system-api/user/me. The response includes sensitive user session data (ID, name, email, access groups), which is accessible to the attacker's JavaScript. This flaw enables full session hijack and data exfiltration without user interaction. Eramba versions 3.23.3 and earlier were tested and appear unaffected. The vulnerability is present in default installations, requiring no custom configuration. 2026-01-13 not yet calculated CVE-2025-55462 http://eramba.com
https://discussions.eramba.org/t/release-3-28-0/7860
 
esm-dev--esm.sh esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseeudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. `path.Clean` normalizes a path but does not prevent absolute paths in a malicious tar file. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue. 2026-01-18 not yet calculated CVE-2026-23644 https://github.com/esm-dev/esm.sh/security/advisories/GHSA-2657-3c98-63jq
https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16
https://github.com/esm-dev/esm.sh/commit/c62ab83c589e7b421a0e1376d2a00a4e48161093
https://pkg.go.dev/vuln/GO-2025-4138
 
ethereum--go-ethereum go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8. 2026-01-13 not yet calculated CVE-2026-22862 https://github.com/ethereum/go-ethereum/security/advisories/GHSA-mr7q-c9w9-wh4h
https://github.com/ethereum/go-ethereum/commit/abeb78c647e354ed922726a1d719ac7bc64a07e2
 
ethereum--go-ethereum go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8. 2026-01-13 not yet calculated CVE-2026-22868 https://github.com/ethereum/go-ethereum/security/advisories/GHSA-mq3p-rrmp-79jg
https://github.com/ethereum/go-ethereum/commit/abeb78c647e354ed922726a1d719ac7bc64a07e2
 
Flare Camera--Blurams A vulnerability in the boot process of Blurams Flare Camera version 24.1114.151.929 and earlier allows a physically proximate attacker to hijack the boot mechanism and gain a bootloader shell via the UART interface. This is achieved by inducing a read error from the SPI flash memory during the boot, by shorting a data pin of the IC to ground. An attacker can then dump the entire firmware, leading to the disclosure of sensitive information including cryptographic keys and user configurations. 2026-01-14 not yet calculated CVE-2025-65396 http://blurams.com
http://flare.com
https://lessonsec.com/cve/cve-2025-65396/
 
Flare Camera--Blurams An insecure authentication mechanism in the safe_exec.sh startup script of Blurams Flare Camera version 24.1114.151.929 and earlier allows an attacker with physical access to the device to execute arbitrary commands with root privileges, if file /opt/images/public_key.der is not present in the file system. The vulnerability can be triggered by providing a maliciously crafted auth.ini file on the device's SD card. 2026-01-14 not yet calculated CVE-2025-65397 http://blurams.com
http://flare.com
https://lessonsec.com/cve/cve-2025-65397/
 
flipped-aurora--gin-vue-admin Gin-vue-admin is a backstage management system based on vue and gin. Gin-vue-admin <= v2.8.7 has a path traversal vulnerability in the breakpoint resume upload functionality. Attacker can upload any files on any directory. In the breakpoint_continue.go file, the MakeFile function accepts a fileName parameter through the /fileUploadAndDownload/breakpointContinueFinish API endpoint and directly concatenates it with the base directory path (./fileDir/) using os.OpenFile() without any validation for directory traversal sequences (e.g., ../). An attacker with file upload privileges could exploit this vulnerability. 2026-01-12 not yet calculated CVE-2026-22786 https://github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-3558-j79f-vvm6
https://github.com/flipped-aurora/gin-vue-admin/commit/2242f5d6e133e96d1b359ac019bf54fa0e975dd5
 
frappe--lms Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In 2.44.0 and earlier, there is a stored XSS vulnerability where a specially crafted image filename could execute malicious JavaScript when rendered on course or jobs pages. 2026-01-14 not yet calculated CVE-2026-23497 https://github.com/frappe/lms/security/advisories/GHSA-78mq-3whw-69j5
https://github.com/frappe/lms/commit/e7ccf0a711d0e0ab5e6b28b7a1e4e0510b6b9543
 
FreeImage--FreeImage FreeImage 3.18.0 contains a Use After Free in PluginTARGA.cpp;loadRLE(). 2026-01-14 not yet calculated CVE-2025-70968 https://github.com/MiracleWolf/FreeimageCrash/tree/main
 
FreeRDP--FreeRDP FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread leads to a heap use-after-free. Specifically, an escaped pointer to sdl->primary (SDL_Surface) is accessed after it has been freed during RDPGFX ResetGraphics handling. This vulnerability is fixed in 3.20.1. 2026-01-14 not yet calculated CVE-2026-22851 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8g87-6pvc-wh99
https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1
 
FreeRDP--FreeRDP FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1. 2026-01-14 not yet calculated CVE-2026-22852 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9chc-g79v-4qq4
https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1
 
FreeRDP--FreeRDP FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR's NDR array reader does not perform bounds checking on the on‑wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1. 2026-01-14 not yet calculated CVE-2026-22853 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47v9-p4gp-w5ch
https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1
 
FreeRDP--FreeRDP FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1. 2026-01-14 not yet calculated CVE-2026-22854 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47vj-g3c3-3rmf
https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1
 
FreeRDP--FreeRDP FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when cbAttrLen does not match the actual NDR buffer length. This vulnerability is fixed in 3.20.1. 2026-01-14 not yet calculated CVE-2026-22855 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rwp3-g84r-6mx9
https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1
 
FreeRDP--FreeRDP FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use‑after‑free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1. 2026-01-14 not yet calculated CVE-2026-22856 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-w842-c386-fxhv
https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1
 
FreeRDP--FreeRDP FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap use-after-free occurs in irp_thread_func because the IRP is freed by irp->Complete() and then accessed again on the error path. This vulnerability is fixed in 3.20.1. 2026-01-14 not yet calculated CVE-2026-22857 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4gxq-jhq6-4cr8
https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1
 
FreeRDP--FreeRDP FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, so the guard c <= 0 can be optimized into a simple c != 0 check. As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and be used as an index into a global lookup table, causing out-of-bounds access. This vulnerability is fixed in 3.20.1. 2026-01-14 not yet calculated CVE-2026-22858 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qmqf-m84q-x896
https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1
 
FreeRDP--FreeRDP FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, the URBDRC client does not perform bounds checking on server‑supplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup, causing an out‑of‑bounds read. This vulnerability is fixed in 3.20.1. 2026-01-14 not yet calculated CVE-2026-22859 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-56f5-76qv-2r36
https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1
 
Google--Android In key-based pairing, there is a possible ID due to a logic error in the code. This could lead to remote (proximal/adjacent) information disclosure of user's conversations and location with no additional execution privileges needed. User interaction is not needed for exploitation. 2026-01-15 not yet calculated CVE-2025-36911 https://source.android.com/security/bulletin/pixel/2026-01-01
 
Google--Google Devices In cpm_fwtp_msg_handler of cpm/google/lib/tracepoint/cpm_fwtp_ipc.c, there is a possible memory overwrite due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2026-01-16 not yet calculated CVE-2025-48647 https://source.android.com/docs/security/bulletin/pixel/2026/2026-01-01
 
Google--Keras Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape. 2026-01-15 not yet calculated CVE-2026-0897 https://github.com/keras-team/keras/pull/21880
 
GPAC--GPAC GPAC v2.4.0 was discovered to contain an out-of-bounds read in the oggdmx_parse_tags function. 2026-01-15 not yet calculated CVE-2025-70298 https://github.com/zakkanijia/POC/blob/main/dmx_ogg/GPAC_oggdmx_parse_tags_offbyone.md
 
GPAC--GPAC A heap overflow in the avi_parse_input_file() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted AVI file. 2026-01-15 not yet calculated CVE-2025-70299 https://github.com/zakkanijia/POC/blob/main/gpac_avi/GPAC_AVI_indx_heap_overflow.md
 
GPAC--GPAC A heap overflow in the ghi_dmx_declare_opid_bin() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-01-15 not yet calculated CVE-2025-70302 https://github.com/zakkanijia/POC/blob/main/gpac_ghi/ghi.md
 
GPAC--GPAC A heap overflow in the uncv_parse_config() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file. 2026-01-15 not yet calculated CVE-2025-70303 https://github.com/zakkanijia/POC/blob/main/gpac_uncv/GPAC_UNCV_CPAT.md
 
GPAC--GPAC A buffer overflow in the vobsub_get_subpic_duration() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted packet. 2026-01-15 not yet calculated CVE-2025-70304 https://github.com/zakkanijia/POC/blob/main/gpac_vobsub/GPAC_vobsub.md
 
GPAC--GPAC A stack overflow in the dmx_saf function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .saf file. 2026-01-15 not yet calculated CVE-2025-70305 https://github.com/zakkanijia/POC/blob/main/gpac_saf/GPAC_SAF.md
 
GPAC--GPAC A stack overflow in the dump_ttxt_sample function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted packet. 2026-01-15 not yet calculated CVE-2025-70307 https://github.com/zakkanijia/POC/blob/main/gpac_boxDump/GPAC_tx3g.md
 
GPAC--GPAC An out-of-bounds read in the GSF demuxer filter component of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .gsf file. 2026-01-15 not yet calculated CVE-2025-70308 https://github.com/zakkanijia/POC/blob/main/gpac_gsf/GPAC_gsf.md
 
GPAC--GPAC A stack overflow in the pcmreframe_flush_packet function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted WAV file. 2026-01-15 not yet calculated CVE-2025-70309 https://github.com/zakkanijia/POC/blob/main/gpac_rawpcm/GPAC_RFPCM.md
 
GPAC--GPAC A heap overflow in the vorbis_to_intern() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .ogg file. 2026-01-15 not yet calculated CVE-2025-70310 https://github.com/zakkanijia/POC/blob/main/gpac_dec_vorbis/GPAC_VORBIS.md
 
gradle--gradle Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. If a Gradle build used an unresolvable host name, Gradle would continue to work as long as all dependencies could be resolved from another repository. An unresolvable host name could be caused by allowing a repository's domain name registration to lapse or typo-ing the real domain name. This behavior could allow an attacker to register a service under the host name used by the build and serve malicious artifacts. The attack requires the repository to be listed before others in the build configuration. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors. 2026-01-16 not yet calculated CVE-2026-22816 https://github.com/gradle/gradle/security/advisories/GHSA-w78c-w6vf-rw82
https://github.com/gradle/gradle/commit/e5707d0d8fce3d768c9c489004700d78eab1773a
 
gradle--gradle Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. An exception like NoHttpResponseException can indicate transient errors. If the errors persist after a maximum number of retries, Gradle would continue to the next repository. This behavior could allow an attacker to disrupt the service of a repository and leverage another repository to serve malicious artifacts. This attack requires the attacker to have control over a repository after the disrupted repository. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors. 2026-01-16 not yet calculated CVE-2026-22865 https://github.com/gradle/gradle/security/advisories/GHSA-mqwm-5m85-gmcv
 
graphql-hive--graphql-modules GraphQL Modules is a toolset of libraries and guidelines dedicated to create reusable, maintainable, testable and extendable modules out of your GraphQL server. From 2.2.1 to before 2.4.1 and 3.1.1, when 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via @ExecutionContext(). ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from backend APIs. This vulnerability is fixed in 2.4.1 and 3.1.1. 2026-01-16 not yet calculated CVE-2026-23735 https://github.com/graphql-hive/graphql-modules/security/advisories/GHSA-53wg-r69p-v3r7
https://github.com/graphql-hive/graphql-modules/issues/2613
https://github.com/graphql-hive/graphql-modules/pull/2521
https://github.com/graphql-hive/graphql-modules/releases/tag/release-1768575025568
 
Home Security System--D3D D3D Wi-Fi Home Security System ZX-G12 v2.1.1 is vulnerable to RF replay attacks on the 433 MHz sensor communication channel. The system does not implement rolling codes, message authentication, or anti-replay protection, allowing an attacker within RF range to record valid alarm/control frames and replay them to trigger false alarms. 2026-01-12 not yet calculated CVE-2025-65552 http://d3d.com
https://github.com/EmbdCDACHyd/CVE/tree/main/CVE-2025-65552
 
Home Security System--D3D D3D Wi-Fi Home Security System ZX-G12 v2.1.17 is susceptible to RF jamming on the 433 MHz alarm sensor channel. An attacker within RF range can transmit continuous interference to block sensor transmissions, resulting in missed alarms and loss of security monitoring. The device lacks jamming detection or mitigations, creating a denial-of-service condition that may lead to undetected intrusions or failure to trigger safety alerts. 2026-01-12 not yet calculated CVE-2025-65553 http://d3d.com
https://github.com/EmbdCDACHyd/CVE/tree/main/CVE-2025-65553
 
https://github.com/linrunner--TLP A Improper Authentication vulnerability in TLP allows local users to arbitrarily control the power profile in use as well as the daemon's log settings.This issue affects TLP: from 1.9 before 1.9.1. 2026-01-14 not yet calculated CVE-2025-67859 https://security.opensuse.org/2026/01/07/tlp-polkit-authentication-bypass.html
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-67859
 
https://github.com/ShadowBlip--inputplumber Polkit authentication dis isabled by default and a race condition in the Polkit authorization check in versions before v0.69.0 can lead to the same issues as in CVE-2025-66005. 2026-01-14 not yet calculated CVE-2025-14338 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-14338
https://security.opensuse.org/2026/01/09/inputplumber-lack-of-dbus-auth.html
 
https://github.com/ShadowBlip--inputplumber Lack of authorization of the InputManager D-Bus interface in InputPlumber versions before v0.63.0 can lead to local Denial-of-Service, information leak or even privilege escalation in the context of the currently active user session. 2026-01-14 not yet calculated CVE-2025-66005 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-66005
https://security.opensuse.org/2026/01/09/inputplumber-lack-of-dbus-auth.html
 
Hubert Imoveis--Hubert Imoveis An arbitrary file upload vulnerability in the /utils/uploadFile component of Hubert Imoveis e Administracao Ltda Hub v2.0 1.27.3 allows attackers to execute arbitrary code via uploading a crafted PDF file. 2026-01-13 not yet calculated CVE-2025-65783 http://hub.com
http://hubert.com
https://github.com/carlos-artmann/vulnerability-research/tree/main/CVE-2025-65783
 
Hubert Imoveis--Hubert Imoveis Insecure permissions in Hubert Imoveis e Administracao Ltda Hub v2.0 1.27.3 allows authenticated attackers with low-level privileges to access other users' information via a crafted API request. 2026-01-13 not yet calculated CVE-2025-65784 http://hub.com
http://hubert.com
https://github.com/carlos-artmann/vulnerability-research/tree/main/CVE-2025-65784
 
HumanSignal--label-studio Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (or one who can trick a user/administrator into updating their custom_hotkeys) can inject JavaScript code that executes in other users' browsers when those users load any page using the templates/base.html template. Because the application exposes an API token endpoint (/api/current-user/token) to the browser and lacks robust CSRF protection on some API endpoints, the injected script may fetch the victim's API token or call token reset endpoints - enabling full account takeover and unauthorized API access. 2026-01-12 not yet calculated CVE-2026-22033 https://github.com/HumanSignal/label-studio/security/advisories/GHSA-2mq9-hm29-8qch
https://github.com/HumanSignal/label-studio/pull/9084
https://github.com/HumanSignal/label-studio/commit/ea2462bf042bbf370b79445d02a205fbe547b505
 
Imagination Technologies--Graphics DDK Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of reference counting to cause a potential use after free. Improper reference counting on an internal resource caused scenario where potential for use after free was present. 2026-01-13 not yet calculated CVE-2025-10865 https://www.imaginationtech.com/gpu-driver-vulnerabilities/
 
Imagination Technologies--Graphics DDK Intermediate register values of secure workloads can be exfiltrated in workloads scheduled from applications running in the non-secure environment of a platform. 2026-01-13 not yet calculated CVE-2025-25176 https://www.imaginationtech.com/gpu-driver-vulnerabilities/
 
Imagination Technologies--Graphics DDK Software installed and run as a non-privileged user may conduct improper GPU system calls to subvert GPU HW to write to arbitrary physical memory pages. Under certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages in use by the kernel and drivers running on the platform altering their behaviour. This attack can lead the GPU to perform write operations on restricted internal GPU buffers that can lead to a second order affect of corrupted arbitrary physical memory. 2026-01-13 not yet calculated CVE-2025-58409 https://www.imaginationtech.com/gpu-driver-vulnerabilities/
 
Imagination Technologies--Graphics DDK Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of resources reference counting creating a potential use after free scenario. Improper resource management and reference counting on an internal resource caused scenario where potential write use after free was present. 2026-01-13 not yet calculated CVE-2025-58411 https://www.imaginationtech.com/gpu-driver-vulnerabilities/
 
Imaster--MEMS Events CRM Imaster's MEMS Events CRM contains an SQL injection vulnerability in'keyword' parameter in '/memsdemo/exchange_offers.php'. 2026-01-12 not yet calculated CVE-2025-41005 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-imaster-products
 
Imaster--MEMS Events CRM Imaster's MEMS Events CRM contains an SQL injection vulnerability in 'phone' parameter in '/memsdemo/login.php'. 2026-01-12 not yet calculated CVE-2025-41006 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-imaster-products
 
Imaster--Patient Record Management System Imaster's Patient Record Management System contains a stored Cross-Site Scripting (XSS) vulnerability in the endpoint '/projects/hospital/admin/edit_patient.php'. By injecting a malicious script into the 'firstname' parameter, the JavaScript code is stored and executed every time a user accesses the patient list, allowing an attacker to execute arbitrary JavaScript in a victim's browser. 2026-01-12 not yet calculated CVE-2025-41003 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-imaster-products
 
Imaster--Patient Record Management System Imaster's Patient Records Management System is vulnerable to SQL Injection in the endpoint '/projects/hospital/admin/complaints.php' through the 'id' parameter. 2026-01-12 not yet calculated CVE-2025-41004 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-imaster-products
 
InvoicePlane--InvoicePlane An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing of single quotes. 2026-01-15 not yet calculated CVE-2025-67082 https://github.com/InvoicePlane/InvoicePlane
https://www.helx.io/blog/advisory-invoice-plane/
 
InvoicePlane--InvoicePlane Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. The ability to read files and the file type depends on the web server and its configuration. 2026-01-15 not yet calculated CVE-2025-67083 https://github.com/InvoicePlane/InvoicePlane
https://www.helx.io/blog/advisory-invoice-plane/
 
InvoicePlane--InvoicePlane File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE). 2026-01-15 not yet calculated CVE-2025-67084 https://github.com/InvoicePlane/InvoicePlane
https://www.helx.io/blog/advisory-invoice-plane/
 
ippprint--Sagemcom Buffer Overflow in the ippprint (Internet Printing Protocol) service in Sagemcom F@st 3686 MAGYAR_4.121.0 allows remote attacker to execute arbitrary code by sending a crafted HTTP request. 2026-01-12 not yet calculated CVE-2025-29329 http://sagemcom.com
http://fst.com
https://github.com/SilverS3c/Sagemcom-fast-3686-ippprint
 
isaacs--node-tar node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3. 2026-01-16 not yet calculated CVE-2026-23745 https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97
https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e
 
Itflow--Itflow An SQL injection vulnerability in Itflow through 25.06 has been identified in the "role_id" parameter when editing a profile. An attacker with admin account can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing on integer parameter. 2026-01-15 not yet calculated CVE-2025-67081 https://github.com/itflow-org/itflow
https://www.helx.io/blog/advisory-itflow/
 
KACE--KACE Quest KACE Desktop Authority through 11.3.1 has Insecure Permissions on the Named Pipes used for inter-process communication 2026-01-12 not yet calculated CVE-2025-67813 https://quest.com
https://support.quest.com/kb/4381743/quest-kace-desktop-authority-insecure-named-pipe-permissions-cve-2025-67813
 
kashipara--kashipara A SQL Injection was found in the /exam/user/profile.php page of kashipara Online Exam System V1.0, which allows remote attackers to execute arbitrary SQL command to get unauthorized database access via the rname, rcollage, rnumber, rgender and rpassword parameters in a POST HTTP request. 2026-01-12 not yet calculated CVE-2025-51567 https://github.com/0xBhushan/Writeups/blob/main/CVE/Kashipara/Online%20Exam%20System/SQL%20Injection-Profile%20Update.pdf
 
LabRedesCefetRJ--WeGIA WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/pet/adotantes/cadastro_adotante.php and html/pet/adotantes/informacao_adotantes.php endpoint of the WeGIA application. The application does not sanitize user-controlled input before rendering it inside the Adopters Information table, allowing persistent JavaScript injection. Any user who visits the page will have the payload executed automatically. This vulnerability is fixed in 3.6.2. 2026-01-16 not yet calculated CVE-2026-23725 https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-c85q-4fwg-99gw
https://github.com/LabRedesCefetRJ/WeGIA/pull/1333
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2
 
LabRedesCefetRJ--WeGIA WeGIA is a web manager for charitable institutions. Prior to 3.6.2, An Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoEntradaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. 2026-01-16 not yet calculated CVE-2026-23726 https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-h7qx-j7g3-7fx3
https://github.com/LabRedesCefetRJ/WeGIA/pull/1333
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2
 
LabRedesCefetRJ--WeGIA WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoSaidaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. 2026-01-16 not yet calculated CVE-2026-23727 https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-pmq9-8p4w-m4f3
https://github.com/LabRedesCefetRJ/WeGIA/pull/1333
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2
 
LabRedesCefetRJ--WeGIA WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=DestinoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. 2026-01-16 not yet calculated CVE-2026-23728 https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-jf25-p56f-wpgh
https://github.com/LabRedesCefetRJ/WeGIA/pull/1333
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2
 
LabRedesCefetRJ--WeGIA WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarDescricao and nomeClasse=ProdutoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. 2026-01-16 not yet calculated CVE-2026-23729 https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w88p-v7h6-m728
https://github.com/LabRedesCefetRJ/WeGIA/pull/1333
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2
 
LabRedesCefetRJ--WeGIA WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=ProdutoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. 2026-01-16 not yet calculated CVE-2026-23730 https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6gx4-6gwv-cxc3
https://github.com/LabRedesCefetRJ/WeGIA/pull/1333
https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2
 
LangChain AI--LangChain LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service (ReDoS) vulnerability in the MRKLOutputParser.parse() method (libs/langchain/langchain/agents/mrkl/output_parser.py). The parser applies a backtracking-prone regular expression when extracting tool actions from model output. An attacker who can supply or influence the parsed text (for example via prompt injection in downstream applications that pass LLM output directly into MRKLOutputParser.parse()) can trigger excessive CPU consumption by providing a crafted payload, causing significant parsing delays and a denial-of-service condition. 2026-01-12 not yet calculated CVE-2024-58340 https://huntr.com/bounties/e7ece02c-d4bb-4166-8e08-6baf4f8845bb
https://www.langchain.com/
https://github.com/langchain-ai/langchain
https://www.vulncheck.com/advisories/langchain-mrkloutputparser-redos
 
Lemonsoft--WordPress add-on Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Lemonsoft WordPress add on allows Cross-Site Scripting (XSS).This issue affects WordPress add on: 2025.7.1. 2026-01-13 not yet calculated CVE-2025-9427 https://lemondoc.atlassian.net/wiki/spaces/LEMONSHOP/pages/754909038/Versiohistoria+-+Lemonsoft+integration+lis+osa
 
Libsndfile--Libsndfile Libsndfile <=1.2.2 contains a memory leak vulnerability in the mpeg_l3_encoder_init() function within the mpeg_l3_encode.c file. 2026-01-14 not yet calculated CVE-2025-56226 https://github.com/libsndfile/libsndfile/issues/1089
https://gist.github.com/Sisyphus-wang/f9e6e017b7d478bebee6e8187672abc8
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: hfsplus: Verify inode mode when loading from disk syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when the S_IFMT bits of the 16bits "mode" field loaded from disk are corrupted. According to [1], the permissions field was treated as reserved in Mac OS 8 and 9. According to [2], the reserved field was explicitly initialized with 0, and that field must remain 0 as long as reserved. Therefore, when the "mode" field is not 0 (i.e. no longer reserved), the file must be S_IFDIR if dir == 1, and the file must be one of S_IFREG/S_IFLNK/S_IFCHR/ S_IFBLK/S_IFIFO/S_IFSOCK if dir == 0. 2026-01-13 not yet calculated CVE-2025-68767 https://git.kernel.org/stable/c/6f768724aabd5b321c5b8f15acdca11e4781cf32
https://git.kernel.org/stable/c/d92333c7a35856e419500e7eed72dac1afa404a5
https://git.kernel.org/stable/c/001f44982587ad462b3002ee40c75e8df67d597d
https://git.kernel.org/stable/c/05ec9af3cc430683c97f76027e1c55ac6fd25c59
https://git.kernel.org/stable/c/edfb2e602b5ba5ca6bf31cbac20b366efb72b156
https://git.kernel.org/stable/c/91f114bffa36ce56d0e1f60a0a44fc09baaefc79
https://git.kernel.org/stable/c/005d4b0d33f6b4a23d382b7930f7a96b95b01f39
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: inet: frags: flush pending skbs in fqdir_pre_exit() We have been seeing occasional deadlocks on pernet_ops_rwsem since September in NIPA. The stuck task was usually modprobe (often loading a driver like ipvlan), trying to take the lock as a Writer. lockdep does not track readers for rwsems so the read wasn't obvious from the reports. On closer inspection the Reader holding the lock was conntrack looping forever in nf_conntrack_cleanup_net_list(). Based on past experience with occasional NIPA crashes I looked thru the tests which run before the crash and noticed that the crash follows ip_defrag.sh. An immediate red flag. Scouring thru (de)fragmentation queues reveals skbs sitting around, holding conntrack references. The problem is that since conntrack depends on nf_defrag_ipv6, nf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its netns exit hooks run _after_ conntrack's netns exit hook. Flush all fragment queue SKBs during fqdir_pre_exit() to release conntrack references before conntrack cleanup runs. Also flush the queues in timer expiry handlers when they discover fqdir->dead is set, in case packet sneaks in while we're running the pre_exit flush. The commit under Fixes is not exactly the culprit, but I think previously the timer firing would eventually unblock the spinning conntrack. 2026-01-13 not yet calculated CVE-2025-68768 https://git.kernel.org/stable/c/c70df25214ac9b32b53e18e6ae3b8f073ffa6903
https://git.kernel.org/stable/c/006a5035b495dec008805df249f92c22c89c3d2e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: f2fs: fix return value of f2fs_recover_fsync_data() With below scripts, it will trigger panic in f2fs: mkfs.f2fs -f /dev/vdd mount /dev/vdd /mnt/f2fs touch /mnt/f2fs/foo sync echo 111 >> /mnt/f2fs/foo f2fs_io fsync /mnt/f2fs/foo f2fs_io shutdown 2 /mnt/f2fs umount /mnt/f2fs mount -o ro,norecovery /dev/vdd /mnt/f2fs or mount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0 F2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f F2FS-fs (vdd): Stopped filesystem due to reason: 0 F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1 Filesystem f2fs get_tree() didn't set fc->root, returned 1 ------------[ cut here ]------------ kernel BUG at fs/super.c:1761! Oops: invalid opcode: 0000 [#1] SMP PTI CPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:vfs_get_tree.cold+0x18/0x1a Call Trace: <TASK> fc_mount+0x13/0xa0 path_mount+0x34e/0xc50 __x64_sys_mount+0x121/0x150 do_syscall_64+0x84/0x800 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fa6cc126cfe The root cause is we missed to handle error number returned from f2fs_recover_fsync_data() when mounting image w/ ro,norecovery or ro,disable_roll_forward mount option, result in returning a positive error number to vfs_get_tree(), fix it. 2026-01-13 not yet calculated CVE-2025-68769 https://git.kernel.org/stable/c/e6ac31abd30e9fd2ef5f0819ce7f3f932be3b725
https://git.kernel.org/stable/c/0de4977a1eeafe9d77701e3c031a1bcdba389243
https://git.kernel.org/stable/c/9bc246018aaa3b46a7710428d0a2196c229f9d49
https://git.kernel.org/stable/c/a4c67d96f92eefcfa5596a08f069e77b743c5865
https://git.kernel.org/stable/c/473550e715654ad7612aa490d583cb7c25fe2ff3
https://git.kernel.org/stable/c/4560db9678a2c5952b6205fbca468c6805c2ba2a
https://git.kernel.org/stable/c/01fba45deaddcce0d0b01c411435d1acf6feab7b
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix XDP_TX path For XDP_TX action in bnxt_rx_xdp(), clearing of the event flags is not correct. __bnxt_poll_work() -> bnxt_rx_pkt() -> bnxt_rx_xdp() may be looping within NAPI and some event flags may be set in earlier iterations. In particular, if BNXT_TX_EVENT is set earlier indicating some XDP_TX packets are ready and pending, it will be cleared if it is XDP_TX action again. Normally, we will set BNXT_TX_EVENT again when we successfully call __bnxt_xmit_xdp(). But if the TX ring has no more room, the flag will not be set. This will cause the TX producer to be ahead but the driver will not hit the TX doorbell. For multi-buf XDP_TX, there is no need to clear the event flags and set BNXT_AGG_EVENT. The BNXT_AGG_EVENT flag should have been set earlier in bnxt_rx_pkt(). The visible symptom of this is that the RX ring associated with the TX XDP ring will eventually become empty and all packets will be dropped. Because this condition will cause the driver to not refill the RX ring seeing that the TX ring has forever pending XDP_TX packets. The fix is to only clear BNXT_RX_EVENT when we have successfully called __bnxt_xmit_xdp(). 2026-01-13 not yet calculated CVE-2025-68770 https://git.kernel.org/stable/c/4b83902a1e67ff327ab5c6c65021a03e72c081d6
https://git.kernel.org/stable/c/f17e0c1208485b24d61271bc1ddc8f2087e71561
https://git.kernel.org/stable/c/0373d5c387f24de749cc22e694a14b3a7c7eb515
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix kernel BUG in ocfs2_find_victim_chain syzbot reported a kernel BUG in ocfs2_find_victim_chain() because the `cl_next_free_rec` field of the allocation chain list (next free slot in the chain list) is 0, triggring the BUG_ON(!cl->cl_next_free_rec) condition in ocfs2_find_victim_chain() and panicking the kernel. To fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(), just before calling ocfs2_find_victim_chain(), the code block in it being executed when either of the following conditions is true: 1. `cl_next_free_rec` is equal to 0, indicating that there are no free chains in the allocation chain list 2. `cl_next_free_rec` is greater than `cl_count` (the total number of chains in the allocation chain list) Either of them being true is indicative of the fact that there are no chains left for usage. This is addressed using ocfs2_error(), which prints the error log for debugging purposes, rather than panicking the kernel. 2026-01-13 not yet calculated CVE-2025-68771 https://git.kernel.org/stable/c/1f77e5cd563e6387fdf3bb714fcda36cd88ac5e7
https://git.kernel.org/stable/c/d0fd1f732ea8063cecd07a3879b7d815c7ee71ed
https://git.kernel.org/stable/c/b08a33d5f80efe6979a6e8f905c1a898910c21dd
https://git.kernel.org/stable/c/96f1b074c98c20f55a3b23d2ab44d9fb0f619869
https://git.kernel.org/stable/c/e24aedae71652d4119049f1fbef6532ccbe3966d
https://git.kernel.org/stable/c/7acc0390e0dd7474c4451d05465a677d55ad4268
https://git.kernel.org/stable/c/039bef30e320827bac8990c9f29d2a68cd8adb5f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid updating compression context during writeback Bai, Shuangpeng <sjb7183@psu.edu> reported a bug as below: Oops: divide error: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 11441 Comm: syz.0.46 Not tainted 6.17.0 #1 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:f2fs_all_cluster_page_ready+0x106/0x550 fs/f2fs/compress.c:857 Call Trace: <TASK> f2fs_write_cache_pages fs/f2fs/data.c:3078 [inline] __f2fs_write_data_pages fs/f2fs/data.c:3290 [inline] f2fs_write_data_pages+0x1c19/0x3600 fs/f2fs/data.c:3317 do_writepages+0x38e/0x640 mm/page-writeback.c:2634 filemap_fdatawrite_wbc mm/filemap.c:386 [inline] __filemap_fdatawrite_range mm/filemap.c:419 [inline] file_write_and_wait_range+0x2ba/0x3e0 mm/filemap.c:794 f2fs_do_sync_file+0x6e6/0x1b00 fs/f2fs/file.c:294 generic_write_sync include/linux/fs.h:3043 [inline] f2fs_file_write_iter+0x76e/0x2700 fs/f2fs/file.c:5259 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x7e9/0xe00 fs/read_write.c:686 ksys_write+0x19d/0x2d0 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf7/0x470 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The bug was triggered w/ below race condition: fsync setattr ioctl - f2fs_do_sync_file - file_write_and_wait_range - f2fs_write_cache_pages : inode is non-compressed : cc.cluster_size = F2FS_I(inode)->i_cluster_size = 0 - tag_pages_for_writeback - f2fs_setattr - truncate_setsize - f2fs_truncate - f2fs_fileattr_set - f2fs_setflags_common - set_compress_context : F2FS_I(inode)->i_cluster_size = 4 : set_inode_flag(inode, FI_COMPRESSED_FILE) - f2fs_compressed_file : return true - f2fs_all_cluster_page_ready : "pgidx % cc->cluster_size" trigger dividing 0 issue Let's change as below to fix this issue: - introduce a new atomic type variable .writeback in structure f2fs_inode_info to track the number of threads which calling f2fs_write_cache_pages(). - use .i_sem lock to protect .writeback update. - check .writeback before update compression context in f2fs_setflags_common() to avoid race w/ ->writepages. 2026-01-13 not yet calculated CVE-2025-68772 https://git.kernel.org/stable/c/ad26bfbc085c939b5dca77ff8c14798c06d151c4
https://git.kernel.org/stable/c/bcd0086ee5a2e88c1224ff2ec1e4a43c83efe5a0
https://git.kernel.org/stable/c/0bf1a02494c7eb5bd43445de4c83c8592e02c4bf
https://git.kernel.org/stable/c/0df713a9c082a474c8b0bcf670edc8e98461d5a0
https://git.kernel.org/stable/c/10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: spi: fsl-cpm: Check length parity before switching to 16 bit mode Commit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers with even size") failed to make sure that the size is really even before switching to 16 bit mode. Until recently the problem went unnoticed because kernfs uses a pre-allocated bounce buffer of size PAGE_SIZE for reading EEPROM. But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API") introduced an additional dynamically allocated bounce buffer whose size is exactly the size of the transfer, leading to a buffer overrun in the fsl-cpm driver when that size is odd. Add the missing length parity verification and remain in 8 bit mode when the length is not even. 2026-01-13 not yet calculated CVE-2025-68773 https://git.kernel.org/stable/c/c8f1d35076b78df61ace737e41cc1f4b7b63236c
https://git.kernel.org/stable/c/9c34a4a2ead00979d203a8c16bea87f0ef5291d8
https://git.kernel.org/stable/c/837a23a11e0f734f096c7c7b0778d0e625e3dc87
https://git.kernel.org/stable/c/3dd6d01384823e1bd8602873153d6fc4337ac4fe
https://git.kernel.org/stable/c/743cebcbd1b2609ec5057ab474979cef73d1b681
https://git.kernel.org/stable/c/be0b613198e6bfa104ad520397cab82ad3ec1771
https://git.kernel.org/stable/c/1417927df8049a0194933861e9b098669a95c762
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create When sync() and link() are called concurrently, both threads may enter hfs_bnode_find() without finding the node in the hash table and proceed to create it. Thread A: hfsplus_write_inode() -> hfsplus_write_system_inode() -> hfs_btree_write() -> hfs_bnode_find(tree, 0) -> __hfs_bnode_create(tree, 0) Thread B: hfsplus_create_cat() -> hfs_brec_insert() -> hfs_bnode_split() -> hfs_bmap_alloc() -> hfs_bnode_find(tree, 0) -> __hfs_bnode_create(tree, 0) In this case, thread A creates the bnode, sets refcnt=1, and hashes it. Thread B also tries to create the same bnode, notices it has already been inserted, drops its own instance, and uses the hashed one without getting the node. ``` node2 = hfs_bnode_findhash(tree, cnid); if (!node2) { <- Thread A hash = hfs_bnode_hash(cnid); node->next_hash = tree->node_hash[hash]; tree->node_hash[hash] = node; tree->node_hash_cnt++; } else { <- Thread B spin_unlock(&tree->hash_lock); kfree(node); wait_event(node2->lock_wq, !test_bit(HFS_BNODE_NEW, &node2->flags)); return node2; } ``` However, hfs_bnode_find() requires each call to take a reference. Here both threads end up setting refcnt=1. When they later put the node, this triggers: BUG_ON(!atomic_read(&node->refcnt)) In this scenario, Thread B in fact finds the node in the hash table rather than creating a new one, and thus must take a reference. Fix this by calling hfs_bnode_get() when reusing a bnode newly created by another thread to ensure the refcount is updated correctly. A similar bug was fixed in HFS long ago in commit a9dc087fd3c4 ("fix missing hfs_bnode_get() in __hfs_bnode_create") but the same issue remained in HFS+ until now. 2026-01-13 not yet calculated CVE-2025-68774 https://git.kernel.org/stable/c/3b0fc7af50b896d0f3d104e70787ba1973bc0b56
https://git.kernel.org/stable/c/39e149d58ef4d7883cbf87448d39d51292fd342d
https://git.kernel.org/stable/c/b68dc4134b18a3922cd33439ec614aad4172bc86
https://git.kernel.org/stable/c/b9d1c6bb5f19460074ce9862cb80be86b5fb0a50
https://git.kernel.org/stable/c/457f795e7abd7770de10216d7f9994a3f12a56d6
https://git.kernel.org/stable/c/5882e7c8cdbb5e254a69628b780acff89c78071e
https://git.kernel.org/stable/c/152af114287851583cf7e0abc10129941f19466a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/handshake: duplicate handshake cancellations leak socket When a handshake request is cancelled it is removed from the handshake_net->hn_requests list, but it is still present in the handshake_rhashtbl until it is destroyed. If a second cancellation request arrives for the same handshake request, then remove_pending() will return false... and assuming HANDSHAKE_F_REQ_COMPLETED isn't set in req->hr_flags, we'll continue processing through the out_true label, where we put another reference on the sock and a refcount underflow occurs. This can happen for example if a handshake times out - particularly if the SUNRPC client sends the AUTH_TLS probe to the server but doesn't follow it up with the ClientHello due to a problem with tlshd. When the timeout is hit on the server, the server will send a FIN, which triggers a cancellation request via xs_reset_transport(). When the timeout is hit on the client, another cancellation request happens via xs_tls_handshake_sync(). Add a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel path so duplicate cancels can be detected. 2026-01-13 not yet calculated CVE-2025-68775 https://git.kernel.org/stable/c/011ae80c49d9bfa5b4336f8bd387cd25c7593663
https://git.kernel.org/stable/c/e1641177e7fb48a0a5a06658d4aab51da6656659
https://git.kernel.org/stable/c/3c330f1dee3cd92b57e19b9d21dc8ce5970b09be
https://git.kernel.org/stable/c/15564bd67e2975002f2a8e9defee33e321d3183f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std but doesn't check if the allocation failed. If __pskb_copy() returns NULL, skb_clone() is called with a NULL pointer, causing a crash: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f] CPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041 Code: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 <43> 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c RSP: 0018:ffffc9000d00f200 EFLAGS: 00010207 RAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480 RDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000 RBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee R10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000 R13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00 FS: 0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0 Call Trace: <TASK> hsr_forward_do net/hsr/hsr_forward.c:-1 [inline] hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741 hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84 __netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966 __netif_receive_skb_one_core net/core/dev.c:6077 [inline] __netif_receive_skb+0x72/0x380 net/core/dev.c:6192 netif_receive_skb_internal net/core/dev.c:6278 [inline] netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337 tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485 tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0449f8e1ff Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48 RSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff RDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8 RBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000 R10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001 R13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003 </TASK> Add a NULL check immediately after __pskb_copy() to handle allocation failures gracefully. 2026-01-13 not yet calculated CVE-2025-68776 https://git.kernel.org/stable/c/3ce95a57d8a1f0e20b637cdeddaaed81831ca819
https://git.kernel.org/stable/c/c851e43b88b40bb7c20176c51cbf4f8c8d960dd9
https://git.kernel.org/stable/c/7be6d25f4d974e44918ba3a5d58ebb9d36879087
https://git.kernel.org/stable/c/8f289fa12926aae44347ca7d490e216555d8f255
https://git.kernel.org/stable/c/1742974c24a9c1f1fd2e5edca0cbaccb720b397a
https://git.kernel.org/stable/c/6220d38a08f8837575cd8f830928b49a3a5a5095
https://git.kernel.org/stable/c/188e0fa5a679570ea35474575e724d8211423d17
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: Input: ti_am335x_tsc - fix off-by-one error in wire_order validation The current validation 'wire_order[i] > ARRAY_SIZE(config_pins)' allows wire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds access when used as index in 'config_pins[wire_order[i]]'. Since config_pins has 4 elements (indices 0-3), the valid range for wire_order should be 0-3. Fix the off-by-one error by using >= instead of > in the validation check. 2026-01-13 not yet calculated CVE-2025-68777 https://git.kernel.org/stable/c/a7ff2360431561b56f559d3a628d1f096048d178
https://git.kernel.org/stable/c/136abe173a3cc2951d70c6e51fe7abdbadbb204b
https://git.kernel.org/stable/c/08c0b561823a7026364efb38ed7f4a3af48ccfcd
https://git.kernel.org/stable/c/bf95ec55805828c4f2b5241fb6b0c12388548570
https://git.kernel.org/stable/c/84e4d3543168912549271b34261f5e0f94952d6e
https://git.kernel.org/stable/c/40e3042de43ffa0017a8460ff9b4cad7b8c7cb96
https://git.kernel.org/stable/c/248d3a73a0167dce15ba100477c3e778c4787178
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: don't log conflicting inode if it's a dir moved in the current transaction We can't log a conflicting inode if it's a directory and it was moved from one parent directory to another parent directory in the current transaction, as this can result an attempt to have a directory with two hard links during log replay, one for the old parent directory and another for the new parent directory. The following scenario triggers that issue: 1) We have directories "dir1" and "dir2" created in a past transaction. Directory "dir1" has inode A as its parent directory; 2) We move "dir1" to some other directory; 3) We create a file with the name "dir1" in directory inode A; 4) We fsync the new file. This results in logging the inode of the new file and the inode for the directory "dir1" that was previously moved in the current transaction. So the log tree has the INODE_REF item for the new location of "dir1"; 5) We move the new file to some other directory. This results in updating the log tree to included the new INODE_REF for the new location of the file and removes the INODE_REF for the old location. This happens during the rename when we call btrfs_log_new_name(); 6) We fsync the file, and that persists the log tree changes done in the previous step (btrfs_log_new_name() only updates the log tree in memory); 7) We have a power failure; 8) Next time the fs is mounted, log replay happens and when processing the inode for directory "dir1" we find a new INODE_REF and add that link, but we don't remove the old link of the inode since we have not logged the old parent directory of the directory inode "dir1". As a result after log replay finishes when we trigger writeback of the subvolume tree's extent buffers, the tree check will detect that we have a directory a hard link count of 2 and we get a mount failure. The errors and stack traces reported in dmesg/syslog are like this: [ 3845.729764] BTRFS info (device dm-0): start tree-log replay [ 3845.730304] page: refcount:3 mapcount:0 mapping:000000005c8a3027 index:0x1d00 pfn:0x11510c [ 3845.731236] memcg:ffff9264c02f4e00 [ 3845.731751] aops:btree_aops [btrfs] ino:1 [ 3845.732300] flags: 0x17fffc00000400a(uptodate|private|writeback|node=0|zone=2|lastcpupid=0x1ffff) [ 3845.733346] raw: 017fffc00000400a 0000000000000000 dead000000000122 ffff9264d978aea8 [ 3845.734265] raw: 0000000000001d00 ffff92650e6d4738 00000003ffffffff ffff9264c02f4e00 [ 3845.735305] page dumped because: eb page dump [ 3845.735981] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=6 ino=257, invalid nlink: has 2 expect no more than 1 for dir [ 3845.737786] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14881 owner 5 [ 3845.737789] BTRFS info (device dm-0): refs 4 lock_owner 0 current 30701 [ 3845.737792] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 [ 3845.737794] inode generation 3 transid 9 size 16 nbytes 16384 [ 3845.737795] block group 0 mode 40755 links 1 uid 0 gid 0 [ 3845.737797] rdev 0 sequence 2 flags 0x0 [ 3845.737798] atime 1764259517.0 [ 3845.737800] ctime 1764259517.572889464 [ 3845.737801] mtime 1764259517.572889464 [ 3845.737802] otime 1764259517.0 [ 3845.737803] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12 [ 3845.737805] index 0 name_len 2 [ 3845.737807] item 2 key (256 DIR_ITEM 2363071922) itemoff 16077 itemsize 34 [ 3845.737808] location key (257 1 0) type 2 [ 3845.737810] transid 9 data_len 0 name_len 4 [ 3845.737811] item 3 key (256 DIR_ITEM 2676584006) itemoff 16043 itemsize 34 [ 3845.737813] location key (258 1 0) type 2 [ 3845.737814] transid 9 data_len 0 name_len 4 [ 3845.737815] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34 [ 3845.737816] location key (257 1 0) type 2 [ ---truncated--- 2026-01-13 not yet calculated CVE-2025-68778 https://git.kernel.org/stable/c/d64f3834dffef80f0a9185a037617a54ed7f4bd2
https://git.kernel.org/stable/c/7359e1d39c78816ecbdb0cb4e93975794ce53973
https://git.kernel.org/stable/c/d478f50727c3ee46d0359f0d2ae114f70191816e
https://git.kernel.org/stable/c/a35788ddf8df65837897ecbb0ddb2896b863159e
https://git.kernel.org/stable/c/266273eaf4d99475f1ae57f687b3e42bc71ec6f0
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Avoid unregistering PSP twice PSP is unregistered twice in: _mlx5e_remove -> mlx5e_psp_unregister mlx5e_nic_cleanup -> mlx5e_psp_unregister This leads to a refcount underflow in some conditions: ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 2 PID: 1694 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0 [...] mlx5e_psp_unregister+0x26/0x50 [mlx5_core] mlx5e_nic_cleanup+0x26/0x90 [mlx5_core] mlx5e_remove+0xe6/0x1f0 [mlx5_core] auxiliary_bus_remove+0x18/0x30 device_release_driver_internal+0x194/0x1f0 bus_remove_device+0xc6/0x130 device_del+0x159/0x3c0 mlx5_rescan_drivers_locked+0xbc/0x2a0 [mlx5_core] [...] Do not directly remove psp from the _mlx5e_remove path, the PSP cleanup happens as part of profile cleanup. 2026-01-13 not yet calculated CVE-2025-68779 https://git.kernel.org/stable/c/e12c912f92ccea671b514caf371f28485714bb4b
https://git.kernel.org/stable/c/35e93736f69963337912594eb3951ab320b77521
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: sched/deadline: only set free_cpus for online runqueues Commit 16b269436b72 ("sched/deadline: Modify cpudl::free_cpus to reflect rd->online") introduced the cpudl_set/clear_freecpu functions to allow the cpu_dl::free_cpus mask to be manipulated by the deadline scheduler class rq_on/offline callbacks so the mask would also reflect this state. Commit 9659e1eeee28 ("sched/deadline: Remove cpu_active_mask from cpudl_find()") removed the check of the cpu_active_mask to save some processing on the premise that the cpudl::free_cpus mask already reflected the runqueue online state. Unfortunately, there are cases where it is possible for the cpudl_clear function to set the free_cpus bit for a CPU when the deadline runqueue is offline. When this occurs while a CPU is connected to the default root domain the flag may retain the bad state after the CPU has been unplugged. Later, a different CPU that is transitioning through the default root domain may push a deadline task to the powered down CPU when cpudl_find sees its free_cpus bit is set. If this happens the task will not have the opportunity to run. One example is outlined here: https://lore.kernel.org/lkml/20250110233010.2339521-1-opendmb@gmail.com Another occurs when the last deadline task is migrated from a CPU that has an offlined runqueue. The dequeue_task member of the deadline scheduler class will eventually call cpudl_clear and set the free_cpus bit for the CPU. This commit modifies the cpudl_clear function to be aware of the online state of the deadline runqueue so that the free_cpus mask can be updated appropriately. It is no longer necessary to manage the mask outside of the cpudl_set/clear functions so the cpudl_set/clear_freecpu functions are removed. In addition, since the free_cpus mask is now only updated under the cpudl lock the code was changed to use the non-atomic __cpumask functions. 2026-01-13 not yet calculated CVE-2025-68780 https://git.kernel.org/stable/c/9019e399684e3cc68c4a3f050e268f74d69c1317
https://git.kernel.org/stable/c/fb36846cbcc936954f2ad2bffdff13d16c0be08a
https://git.kernel.org/stable/c/91e448e69aca4bb0ba2e998eb3e555644db7322b
https://git.kernel.org/stable/c/dbc61834b0412435df21c71410562d933e4eba49
https://git.kernel.org/stable/c/3ed049fbfb4d75b4e0b8ab54c934f485129d5dc8
https://git.kernel.org/stable/c/382748c05e58a9f1935f5a653c352422375566ea
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal The delayed work item otg_event is initialized in fsl_otg_conf() and scheduled under two conditions: 1. When a host controller binds to the OTG controller. 2. When the USB ID pin state changes (cable insertion/removal). A race condition occurs when the device is removed via fsl_otg_remove(): the fsl_otg instance may be freed while the delayed work is still pending or executing. This leads to use-after-free when the work function fsl_otg_event() accesses the already freed memory. The problematic scenario: (detach thread) | (delayed work) fsl_otg_remove() | kfree(fsl_otg_dev) //FREE| fsl_otg_event() | og = container_of(...) //USE | og-> //USE Fix this by calling disable_delayed_work_sync() in fsl_otg_remove() before deallocating the fsl_otg structure. This ensures the delayed work is properly canceled and completes execution prior to memory deallocation. This bug was identified through static analysis. 2026-01-13 not yet calculated CVE-2025-68781 https://git.kernel.org/stable/c/4476c73bbbb09b13a962176fca934b32d3954a2e
https://git.kernel.org/stable/c/319f7a85b3c4e34ac2fe083eb146fe129a556317
https://git.kernel.org/stable/c/69f9a0701abc3d1f8225074c56c27e6c16a37222
https://git.kernel.org/stable/c/2e7c47e2eb3cfeadf78a1ccbac8492c60d508f23
https://git.kernel.org/stable/c/41ca62e3e21e48c2903b3b45e232cf4f2ff7434f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: target: Reset t_task_cdb pointer in error case If allocation of cmd->t_task_cdb fails, it remains NULL but is later dereferenced in the 'err' path. In case of error, reset NULL t_task_cdb value to point at the default fixed-size buffer. Found by Linux Verification Center (linuxtesting.org) with SVACE. 2026-01-13 not yet calculated CVE-2025-68782 https://git.kernel.org/stable/c/6cac97b12bdab04832e0416d049efcd0d48d303b
https://git.kernel.org/stable/c/45fd86b444105c8bd07a763f58635c87e5dc7aea
https://git.kernel.org/stable/c/8727663ded659aad55eef21e3864ebf5a4796a96
https://git.kernel.org/stable/c/0260ad551b0815eb788d47f32899fbcd65d6f128
https://git.kernel.org/stable/c/0d36db68fdb8a3325386fd9523b67735f944e1f3
https://git.kernel.org/stable/c/8edbb9e371af186b4cf40819dab65fafe109df4d
https://git.kernel.org/stable/c/5053eab38a4c4543522d0c320c639c56a8b59908
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-mixer: us16x08: validate meter packet indices get_meter_levels_from_urb() parses the 64-byte meter packets sent by the device and fills the per-channel arrays meter_level[], comp_level[] and master_level[] in struct snd_us16x08_meter_store. Currently the function derives the channel index directly from the meter packet (MUB2(meter_urb, s) - 1) and uses it to index those arrays without validating the range. If the packet contains a negative or out-of-range channel number, the driver may write past the end of these arrays. Introduce a local channel variable and validate it before updating the arrays. We reject negative indices, limit meter_level[] and comp_level[] to SND_US16X08_MAX_CHANNELS, and guard master_level[] updates with ARRAY_SIZE(master_level). 2026-01-13 not yet calculated CVE-2025-68783 https://git.kernel.org/stable/c/53461710a95e15ac1f6542450943a492ecf8e550
https://git.kernel.org/stable/c/2168866396bd28ec4f3c8da0fbc7d08b5bd4f053
https://git.kernel.org/stable/c/cde47f4ccad6751ac36b7471572ddf38ee91870c
https://git.kernel.org/stable/c/2f21a7cbaaa93926f5be15bc095b9c57c35748d9
https://git.kernel.org/stable/c/a8ad320efb663be30b794e3dd3e829301c0d0ed3
https://git.kernel.org/stable/c/eaa95228b8a56c4880a182c0350d67922b22408f
https://git.kernel.org/stable/c/5526c1c6ba1d0913c7dfcbbd6fe1744ea7c55f1e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: xfs: fix a UAF problem in xattr repair The xchk_setup_xattr_buf function can allocate a new value buffer, which means that any reference to ab->value before the call could become a dangling pointer. Fix this by moving an assignment to after the buffer setup. 2026-01-13 not yet calculated CVE-2025-68784 https://git.kernel.org/stable/c/1e2d3aa19c7962b9474b22893160cb460494c45f
https://git.kernel.org/stable/c/d29ed9ff972afe17c215cab171761d7a15d7063f
https://git.kernel.org/stable/c/5990fd756943836978ad184aac980e2b36ab7e01
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix middle attribute validation in push_nsh() action The push_nsh() action structure looks like this: OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...)) The outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK'ed by the nla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost OVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK'ed by the nla_for_each_nested() inside nsh_key_put_from_nlattr(). But nothing checks if the attribute in the middle is OK. We don't even check that this attribute is the OVS_KEY_ATTR_NSH. We just do a double unwrap with a pair of nla_data() calls - first time directly while calling validate_push_nsh() and the second time as part of the nla_for_each_nested() macro, which isn't safe, potentially causing invalid memory access if the size of this attribute is incorrect. The failure may not be noticed during validation due to larger netlink buffer, but cause trouble later during action execution where the buffer is allocated exactly to the size: BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch] Read of size 184 at addr ffff88816459a634 by task a.out/22624 CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary) Call Trace: <TASK> dump_stack_lvl+0x51/0x70 print_address_description.constprop.0+0x2c/0x390 kasan_report+0xdd/0x110 kasan_check_range+0x35/0x1b0 __asan_memcpy+0x20/0x60 nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch] push_nsh+0x82/0x120 [openvswitch] do_execute_actions+0x1405/0x2840 [openvswitch] ovs_execute_actions+0xd5/0x3b0 [openvswitch] ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch] genl_family_rcv_msg_doit+0x1d6/0x2b0 genl_family_rcv_msg+0x336/0x580 genl_rcv_msg+0x9f/0x130 netlink_rcv_skb+0x11f/0x370 genl_rcv+0x24/0x40 netlink_unicast+0x73e/0xaa0 netlink_sendmsg+0x744/0xbf0 __sys_sendto+0x3d6/0x450 do_syscall_64+0x79/0x2c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> Let's add some checks that the attribute is properly sized and it's the only one attribute inside the action. Technically, there is no real reason for OVS_KEY_ATTR_NSH to be there, as we know that we're pushing an NSH header already, it just creates extra nesting, but that's how uAPI works today. So, keeping as it is. 2026-01-13 not yet calculated CVE-2025-68785 https://git.kernel.org/stable/c/d0c135b8bbbcf92836068fd395bebeb7ae6c7bef
https://git.kernel.org/stable/c/3bc2efff20a38b2c7ca18317649715df0dd62ced
https://git.kernel.org/stable/c/1b569db9c2f28b599e40050524aae5f7332bc294
https://git.kernel.org/stable/c/10ffc558246f2c75619aedda0921906095e46702
https://git.kernel.org/stable/c/2ecfc4433acdb149eafd7fb22d7fd4adf90b25e9
https://git.kernel.org/stable/c/c999153bfb2d1d9b295b7010d920f2a7c6d7595f
https://git.kernel.org/stable/c/5ace7ef87f059d68b5f50837ef3e8a1a4870c36e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ksmbd: skip lock-range check on equal size to avoid size==0 underflow When size equals the current i_size (including 0), the code used to call check_lock_range(filp, i_size, size - 1, WRITE), which computes `size - 1` and can underflow for size==0. Skip the equal case. 2026-01-13 not yet calculated CVE-2025-68786 https://git.kernel.org/stable/c/52fcbb92e0d3acfd1448b2a43b6595d540da5295
https://git.kernel.org/stable/c/da29cd197246c85c0473259f1cad897d9d28faea
https://git.kernel.org/stable/c/a6f4cfa3783804336491e0edcb250c25f9b59d33
https://git.kernel.org/stable/c/571204e4758a528fbd67330bd4b0dfbdafb33dd8
https://git.kernel.org/stable/c/5d510ac31626ed157d2182149559430350cf2104
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: netrom: Fix memory leak in nr_sendmsg() syzbot reported a memory leak [1]. When function sock_alloc_send_skb() return NULL in nr_output(), the original skb is not freed, which was allocated in nr_sendmsg(). Fix this by freeing it before return. [1] BUG: memory leak unreferenced object 0xffff888129f35500 (size 240): comm "syz.0.17", pid 6119, jiffies 4294944652 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 10 52 28 81 88 ff ff ..........R(.... backtrace (crc 1456a3e4): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4983 [inline] slab_alloc_node mm/slub.c:5288 [inline] kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340 __alloc_skb+0x203/0x240 net/core/skbuff.c:660 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671 sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965 sock_alloc_send_skb include/net/sock.h:1859 [inline] nr_sendmsg+0x287/0x450 net/netrom/af_netrom.c:1105 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] sock_write_iter+0x293/0x2a0 net/socket.c:1195 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x45d/0x710 fs/read_write.c:686 ksys_write+0x143/0x170 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f 2026-01-13 not yet calculated CVE-2025-68787 https://git.kernel.org/stable/c/f77e538ac4e3adb1882d5bccb7bfdc111b5963d3
https://git.kernel.org/stable/c/09efbf54eeaecebe882af603c9939a4b1bb9567e
https://git.kernel.org/stable/c/73839497bbde5cd4fd02bbd9c8bc2640780ae65d
https://git.kernel.org/stable/c/156a0f6341dce634a825db49ca20b48b1ae9bcc1
https://git.kernel.org/stable/c/8d1ccba4b171cd504ecfa47349cb9864fc9d687c
https://git.kernel.org/stable/c/51f5fbc1681bdcffcc7d18bf3dfdb2b1278d3977
https://git.kernel.org/stable/c/613d12dd794e078be8ff3cf6b62a6b9acf7f4619
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fsnotify: do not generate ACCESS/MODIFY events on child for special files inotify/fanotify do not allow users with no read access to a file to subscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the same user to subscribe for watching events on children when the user has access to the parent directory (e.g. /dev). Users with no read access to a file but with read access to its parent directory can still stat the file and see if it was accessed/modified via atime/mtime change. The same is not true for special files (e.g. /dev/null). Users will not generally observe atime/mtime changes when other users read/write to special files, only when someone sets atime/mtime via utimensat(). Align fsnotify events with this stat behavior and do not generate ACCESS/MODIFY events to parent watchers on read/write of special files. The events are still generated to parent watchers on utimensat(). This closes some side-channels that could be possibly used for information exfiltration [1]. [1] https://snee.la/pdf/pubs/file-notification-attacks.pdf 2026-01-13 not yet calculated CVE-2025-68788 https://git.kernel.org/stable/c/df2711544b050aba703e6da418c53c7dc5d443ca
https://git.kernel.org/stable/c/859bdf438f01d9aa7f84b09c1202d548c7cad9e8
https://git.kernel.org/stable/c/6a7d7d96eeeab7af2bd01afbb3d9878a11a13d91
https://git.kernel.org/stable/c/e0643d46759db8b84c0504a676043e5e341b6c81
https://git.kernel.org/stable/c/82f7416bcbd951549e758d15fc1a96a5afc2e900
https://git.kernel.org/stable/c/7a93edb23bcf07a3aaf8b598edfc2faa8fbcc0b6
https://git.kernel.org/stable/c/635bc4def026a24e071436f4f356ea08c0eed6ff
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: hwmon: (ibmpex) fix use-after-free in high/low store The ibmpex_high_low_store() function retrieves driver data using dev_get_drvdata() and uses it without validation. This creates a race condition where the sysfs callback can be invoked after the data structure is freed, leading to use-after-free. Fix by adding a NULL check after dev_get_drvdata(), and reordering operations in the deletion path to prevent TOCTOU. 2026-01-13 not yet calculated CVE-2025-68789 https://git.kernel.org/stable/c/3ce9b7ae9d4d148672b35147aaf7987a4f82bb94
https://git.kernel.org/stable/c/533ead425f8109b02fecc7e72d612b8898ec347a
https://git.kernel.org/stable/c/fa37adcf1d564ef58b9dfb01b6c36d35c5294bad
https://git.kernel.org/stable/c/68d62e5bebbd118b763e8bb210d5cf2198ef450c
https://git.kernel.org/stable/c/5aa2139201667c1f644601e4529c4acd6bf8db5a
https://git.kernel.org/stable/c/6946c726c3f4c36f0f049e6f97e88c510b15f65d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix double unregister of HCA_PORTS component Clear hca_devcom_comp in device's private data after unregistering it in LAG teardown. Otherwise a slightly lagging second pass through mlx5_unload_one() might try to unregister it again and trip over use-after-free. On s390 almost all PCI level recovery events trigger two passes through mxl5_unload_one() - one through the poll_health() method and one through mlx5_pci_err_detected() as callback from generic PCI error recovery. While testing PCI error recovery paths with more kernel debug features enabled, this issue reproducibly led to kernel panics with the following call chain: Unable to handle kernel pointer dereference in virtual kernel address space Failing address: 6b6b6b6b6b6b6000 TEID: 6b6b6b6b6b6b6803 ESOP-2 FSI Fault in home space mode while using kernel ASCE. AS:00000000705c4007 R3:0000000000000024 Oops: 0038 ilc:3 [#1]SMP CPU: 14 UID: 0 PID: 156 Comm: kmcheck Kdump: loaded Not tainted 6.18.0-20251130.rc7.git0.16131a59cab1.300.fc43.s390x+debug #1 PREEMPT Krnl PSW : 0404e00180000000 0000020fc86aa1dc (__lock_acquire+0x5c/0x15f0) R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3 Krnl GPRS: 0000000000000000 0000020f00000001 6b6b6b6b6b6b6c33 0000000000000000 0000000000000000 0000000000000000 0000000000000001 0000000000000000 0000000000000000 0000020fca28b820 0000000000000000 0000010a1ced8100 0000010a1ced8100 0000020fc9775068 0000018fce14f8b8 0000018fce14f7f8 Krnl Code: 0000020fc86aa1cc: e3b003400004 lg %r11,832 0000020fc86aa1d2: a7840211 brc 8,0000020fc86aa5f4 *0000020fc86aa1d6: c09000df0b25 larl %r9,0000020fca28b820 >0000020fc86aa1dc: d50790002000 clc 0(8,%r9),0(%r2) 0000020fc86aa1e2: a7840209 brc 8,0000020fc86aa5f4 0000020fc86aa1e6: c0e001100401 larl %r14,0000020fca8aa9e8 0000020fc86aa1ec: c01000e25a00 larl %r1,0000020fca2f55ec 0000020fc86aa1f2: a7eb00e8 aghi %r14,232 Call Trace: __lock_acquire+0x5c/0x15f0 lock_acquire.part.0+0xf8/0x270 lock_acquire+0xb0/0x1b0 down_write+0x5a/0x250 mlx5_detach_device+0x42/0x110 [mlx5_core] mlx5_unload_one_devl_locked+0x50/0xc0 [mlx5_core] mlx5_unload_one+0x42/0x60 [mlx5_core] mlx5_pci_err_detected+0x94/0x150 [mlx5_core] zpci_event_attempt_error_recovery+0xcc/0x388 2026-01-13 not yet calculated CVE-2025-68790 https://git.kernel.org/stable/c/d2495f529d60e8e8c43e6ad524089c38b8be7bc4
https://git.kernel.org/stable/c/6a107cfe9c99a079e578a4c5eb70038101a3599f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fuse: missing copy_finish in fuse-over-io-uring argument copies Fix a possible reference count leak of payload pages during fuse argument copies. [Joanne: simplified error cleanup] 2026-01-13 not yet calculated CVE-2025-68791 https://git.kernel.org/stable/c/b79938863f436960eff209130f025c4bd3026bf8
https://git.kernel.org/stable/c/6e0d7f7f4a43ac8868e98c87ecf48805aa8c24dd
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: tpm2-sessions: Fix out of range indexing in name_size 'name_size' does not have any range checks, and it just directly indexes with TPM_ALG_ID, which could lead into memory corruption at worst. Address the issue by only processing known values and returning -EINVAL for unrecognized values. Make also 'tpm_buf_append_name' and 'tpm_buf_fill_hmac_session' fallible so that errors are detected before causing any spurious TPM traffic. End also the authorization session on failure in both of the functions, as the session state would be then by definition corrupted. 2026-01-13 not yet calculated CVE-2025-68792 https://git.kernel.org/stable/c/47e676ce4d68f461dfcab906f6aeb254f7276deb
https://git.kernel.org/stable/c/04a3aa6e8c5f878cc51a8a1c90b6d3c54079bc43
https://git.kernel.org/stable/c/6e9722e9a7bfe1bbad649937c811076acf86e1fd
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix a job->pasid access race in gpu recovery Avoid a possible UAF in GPU recovery due to a race between the sched timeout callback and the tdr work queue. The gpu recovery function calls drm_sched_stop() and later drm_sched_start(). drm_sched_start() restarts the tdr queue which will eventually free the job. If the tdr queue frees the job before time out callback completes, the job will be freed and we'll get a UAF when accessing the pasid. Cache it early to avoid the UAF. Example KASAN trace: [ 493.058141] BUG: KASAN: slab-use-after-free in amdgpu_device_gpu_recover+0x968/0x990 [amdgpu] [ 493.067530] Read of size 4 at addr ffff88b0ce3f794c by task kworker/u128:1/323 [ 493.074892] [ 493.076485] CPU: 9 UID: 0 PID: 323 Comm: kworker/u128:1 Tainted: G E 6.16.0-1289896.2.zuul.bf4f11df81c1410bbe901c4373305a31 #1 PREEMPT(voluntary) [ 493.076493] Tainted: [E]=UNSIGNED_MODULE [ 493.076495] Hardware name: TYAN B8021G88V2HR-2T/S8021GM2NR-2T, BIOS V1.03.B10 04/01/2019 [ 493.076500] Workqueue: amdgpu-reset-dev drm_sched_job_timedout [gpu_sched] [ 493.076512] Call Trace: [ 493.076515] <TASK> [ 493.076518] dump_stack_lvl+0x64/0x80 [ 493.076529] print_report+0xce/0x630 [ 493.076536] ? _raw_spin_lock_irqsave+0x86/0xd0 [ 493.076541] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 493.076545] ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu] [ 493.077253] kasan_report+0xb8/0xf0 [ 493.077258] ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu] [ 493.077965] amdgpu_device_gpu_recover+0x968/0x990 [amdgpu] [ 493.078672] ? __pfx_amdgpu_device_gpu_recover+0x10/0x10 [amdgpu] [ 493.079378] ? amdgpu_coredump+0x1fd/0x4c0 [amdgpu] [ 493.080111] amdgpu_job_timedout+0x642/0x1400 [amdgpu] [ 493.080903] ? pick_task_fair+0x24e/0x330 [ 493.080910] ? __pfx_amdgpu_job_timedout+0x10/0x10 [amdgpu] [ 493.081702] ? _raw_spin_lock+0x75/0xc0 [ 493.081708] ? __pfx__raw_spin_lock+0x10/0x10 [ 493.081712] drm_sched_job_timedout+0x1b0/0x4b0 [gpu_sched] [ 493.081721] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 493.081725] process_one_work+0x679/0xff0 [ 493.081732] worker_thread+0x6ce/0xfd0 [ 493.081736] ? __pfx_worker_thread+0x10/0x10 [ 493.081739] kthread+0x376/0x730 [ 493.081744] ? __pfx_kthread+0x10/0x10 [ 493.081748] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 493.081751] ? __pfx_kthread+0x10/0x10 [ 493.081755] ret_from_fork+0x247/0x330 [ 493.081761] ? __pfx_kthread+0x10/0x10 [ 493.081764] ret_from_fork_asm+0x1a/0x30 [ 493.081771] </TASK> (cherry picked from commit 20880a3fd5dd7bca1a079534cf6596bda92e107d) 2026-01-13 not yet calculated CVE-2025-68793 https://git.kernel.org/stable/c/dac58c012c47cadf337a35eb05d44498c43e5cd0
https://git.kernel.org/stable/c/77f73253015cbc7893fca1821ac3eae9eb4bc943
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: iomap: adjust read range correctly for non-block-aligned positions iomap_adjust_read_range() assumes that the position and length passed in are block-aligned. This is not always the case however, as shown in the syzbot generated case for erofs. This causes too many bytes to be skipped for uptodate blocks, which results in returning the incorrect position and length to read in. If all the blocks are uptodate, this underflows length and returns a position beyond the folio. Fix the calculation to also take into account the block offset when calculating how many bytes can be skipped for uptodate blocks. 2026-01-13 not yet calculated CVE-2025-68794 https://git.kernel.org/stable/c/82b60ffbb532d919959702768dca04c3c0500ae5
https://git.kernel.org/stable/c/12053695c8ef5410e8cc6c9ed4c0db9cd9c82b3e
https://git.kernel.org/stable/c/142194fb21afe964d2d194cab1fc357cbf87e899
https://git.kernel.org/stable/c/7aa6bc3e8766990824f66ca76c19596ce10daf3e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ethtool: Avoid overflowing userspace buffer on stats query The ethtool -S command operates across three ioctl calls: ETHTOOL_GSSET_INFO for the size, ETHTOOL_GSTRINGS for the names, and ETHTOOL_GSTATS for the values. If the number of stats changes between these calls (e.g., due to device reconfiguration), userspace's buffer allocation will be incorrect, potentially leading to buffer overflow. Drivers are generally expected to maintain stable stat counts, but some drivers (e.g., mlx5, bnx2x, bna, ksz884x) use dynamic counters, making this scenario possible. Some drivers try to handle this internally: - bnad_get_ethtool_stats() returns early in case stats.n_stats is not equal to the driver's stats count. - micrel/ksz884x also makes sure not to write anything beyond stats.n_stats and overflow the buffer. However, both use stats.n_stats which is already assigned with the value returned from get_sset_count(), hence won't solve the issue described here. Change ethtool_get_strings(), ethtool_get_stats(), ethtool_get_phy_stats() to not return anything in case of a mismatch between userspace's size and get_sset_size(), to prevent buffer overflow. The returned n_stats value will be equal to zero, to reflect that nothing has been returned. This could result in one of two cases when using upstream ethtool, depending on when the size change is detected: 1. When detected in ethtool_get_strings(): # ethtool -S eth2 no stats available 2. When detected in get stats, all stats will be reported as zero. Both cases are presumably transient, and a subsequent ethtool call should succeed. Other than the overflow avoidance, these two cases are very evident (no output/cleared stats), which is arguably better than presenting incorrect/shifted stats. I also considered returning an error instead of a "silent" response, but that seems more destructive towards userspace apps. Notes: - This patch does not claim to fix the inherent race, it only makes sure that we do not overflow the userspace buffer, and makes for a more predictable behavior. - RTNL lock is held during each ioctl, the race window exists between the separate ioctl calls when the lock is released. - Userspace ethtool always fills stats.n_stats, but it is likely that these stats ioctls are implemented in other userspace applications which might not fill it. The added code checks that it's not zero, to prevent any regressions. 2026-01-13 not yet calculated CVE-2025-68795 https://git.kernel.org/stable/c/3df375a1e75483b7d973c3cc2e46aa374db8428b
https://git.kernel.org/stable/c/f9dc0f45d2cd0189ce666288a29d2cc32c2e44d5
https://git.kernel.org/stable/c/4afcb985355210e1688560dc47e64b94dad35d71
https://git.kernel.org/stable/c/ca9983bc3a1189bd72f9ae449d925a66b2616326
https://git.kernel.org/stable/c/7bea09f60f2ad5d232e2db8f1c14e850fd3fd416
https://git.kernel.org/stable/c/4066b5b546293f44cd6d0e84ece6e3ee7ff27093
https://git.kernel.org/stable/c/7b07be1ff1cb6c49869910518650e8d0abc7d25f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid updating zero-sized extent in extent cache As syzbot reported: F2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0] ------------[ cut here ]------------ kernel BUG at fs/f2fs/extent_cache.c:678! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:__update_extent_tree_range+0x13bc/0x1500 fs/f2fs/extent_cache.c:678 Call Trace: <TASK> f2fs_update_read_extent_cache_range+0x192/0x3e0 fs/f2fs/extent_cache.c:1085 f2fs_do_zero_range fs/f2fs/file.c:1657 [inline] f2fs_zero_range+0x10c1/0x1580 fs/f2fs/file.c:1737 f2fs_fallocate+0x583/0x990 fs/f2fs/file.c:2030 vfs_fallocate+0x669/0x7e0 fs/open.c:342 ioctl_preallocate fs/ioctl.c:289 [inline] file_ioctl+0x611/0x780 fs/ioctl.c:-1 do_vfs_ioctl+0xb33/0x1430 fs/ioctl.c:576 __do_sys_ioctl fs/ioctl.c:595 [inline] __se_sys_ioctl+0x82/0x170 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f07bc58eec9 In error path of f2fs_zero_range(), it may add a zero-sized extent into extent cache, it should be avoided. 2026-01-13 not yet calculated CVE-2025-68796 https://git.kernel.org/stable/c/9c07bd262c13ca922adad6e7613d48505f97f548
https://git.kernel.org/stable/c/72c58a82e6fb7b327e8701f5786c70c3edc56188
https://git.kernel.org/stable/c/e50b81c50fcbe63f50405bb40f262162ff32af88
https://git.kernel.org/stable/c/efe3371001f50a2d6f746b50bdc6f9f26b2089ec
https://git.kernel.org/stable/c/4f244c64efe628d277b916f47071adf480eb8646
https://git.kernel.org/stable/c/bac23833220a1f8fe8dfab7e16efa20ff64d7589
https://git.kernel.org/stable/c/7c37c79510329cd951a4dedf3f7bf7e2b18dccec
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: char: applicom: fix NULL pointer dereference in ac_ioctl Discovered by Atuin - Automated Vulnerability Discovery Engine. In ac_ioctl, the validation of IndexCard and the check for a valid RamIO pointer are skipped when cmd is 6. However, the function unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the end. If cmd is 6, IndexCard may reference a board that does not exist (where RamIO is NULL), leading to a NULL pointer dereference. Fix this by skipping the readb access when cmd is 6, as this command is a global information query and does not target a specific board context. 2026-01-13 not yet calculated CVE-2025-68797 https://git.kernel.org/stable/c/5a6240804fb7bbd4f5f6e706955248a6f4c1abbc
https://git.kernel.org/stable/c/d1b0452280029d05a98c75631131ee61c0b0d084
https://git.kernel.org/stable/c/0b8b353e09888bccee405e0dd6feafb60360f478
https://git.kernel.org/stable/c/d285517429a75423789e6408653e57b6fdfc8e54
https://git.kernel.org/stable/c/74883565c621eec6cd2e35fe6d27454cf2810c23
https://git.kernel.org/stable/c/f83e3e9f89181b42f6076a115d767a7552c4a39e
https://git.kernel.org/stable/c/82d12088c297fa1cef670e1718b3d24f414c23f7
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: perf/x86/amd: Check event before enable to avoid GPF On AMD machines cpuc->events[idx] can become NULL in a subtle race condition with NMI->throttle->x86_pmu_stop(). Check event for NULL in amd_pmu_enable_all() before enable to avoid a GPF. This appears to be an AMD only issue. Syzkaller reported a GPF in amd_pmu_enable_all. INFO: NMI handler (perf_event_nmi_handler) took too long to run: 13.143 msecs Oops: general protection fault, probably for non-canonical address 0xdffffc0000000034: 0000 PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x00000000000001a0-0x00000000000001a7] CPU: 0 UID: 0 PID: 328415 Comm: repro_36674776 Not tainted 6.12.0-rc1-syzk RIP: 0010:x86_pmu_enable_event (arch/x86/events/perf_event.h:1195 arch/x86/events/core.c:1430) RSP: 0018:ffff888118009d60 EFLAGS: 00010012 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000034 RSI: 0000000000000000 RDI: 00000000000001a0 RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002 R13: ffff88811802a440 R14: ffff88811802a240 R15: ffff8881132d8601 FS: 00007f097dfaa700(0000) GS:ffff888118000000(0000) GS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200001c0 CR3: 0000000103d56000 CR4: 00000000000006f0 Call Trace: <IRQ> amd_pmu_enable_all (arch/x86/events/amd/core.c:760 (discriminator 2)) x86_pmu_enable (arch/x86/events/core.c:1360) event_sched_out (kernel/events/core.c:1191 kernel/events/core.c:1186 kernel/events/core.c:2346) __perf_remove_from_context (kernel/events/core.c:2435) event_function (kernel/events/core.c:259) remote_function (kernel/events/core.c:92 (discriminator 1) kernel/events/core.c:72 (discriminator 1)) __flush_smp_call_function_queue (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/csd.h:64 kernel/smp.c:135 kernel/smp.c:540) __sysvec_call_function_single (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./arch/x86/include/asm/trace/irq_vectors.h:99 arch/x86/kernel/smp.c:272) sysvec_call_function_single (arch/x86/kernel/smp.c:266 (discriminator 47) arch/x86/kernel/smp.c:266 (discriminator 47)) </IRQ> 2026-01-13 not yet calculated CVE-2025-68798 https://git.kernel.org/stable/c/49324a0c40f7e9bae1bd0362d23fc42232e14621
https://git.kernel.org/stable/c/6e41d9ec8d7cc3f01b9ba785e05f0ebef8b3b37f
https://git.kernel.org/stable/c/e1028fb38b328084bc683a4efb001c95d3108573
https://git.kernel.org/stable/c/43c2e5c2acaae50e99d1c20a5a46e367c442fb3b
https://git.kernel.org/stable/c/866cf36bfee4fba6a492d2dcc5133f857e3446b0
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: caif: fix integer underflow in cffrml_receive() The cffrml_receive() function extracts a length field from the packet header and, when FCS is disabled, subtracts 2 from this length without validating that len >= 2. If an attacker sends a malicious packet with a length field of 0 or 1 to an interface with FCS disabled, the subtraction causes an integer underflow. This can lead to memory exhaustion and kernel instability, potential information disclosure if padding contains uninitialized kernel memory. Fix this by validating that len >= 2 before performing the subtraction. 2026-01-13 not yet calculated CVE-2025-68799 https://git.kernel.org/stable/c/f407f1c9f45bbf5c99fd80b3f3f4a94fdbe35691
https://git.kernel.org/stable/c/c54091eec6fed19e94182aa05dd6846600a642f7
https://git.kernel.org/stable/c/785c7be6361630070790f6235b696da156ac71b3
https://git.kernel.org/stable/c/f818cd472565f8b0c2c409b040e0121c5cf8592c
https://git.kernel.org/stable/c/4ec29714aa4e0601ea29d2f02b461fc0ac92c2c3
https://git.kernel.org/stable/c/21fdcc00656a60af3c7aae2dea8dd96abd35519c
https://git.kernel.org/stable/c/8a11ff0948b5ad09b71896b7ccc850625f9878d1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats Cited commit added a dedicated mutex (instead of RTNL) to protect the multicast route list, so that it will not change while the driver periodically traverses it in order to update the kernel about multicast route stats that were queried from the device. One instance of list entry deletion (during route replace) was missed and it can result in a use-after-free [1]. Fix by acquiring the mutex before deleting the entry from the list and releasing it afterwards. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum] Read of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043 CPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full) Hardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017 Workqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum] Call Trace: <TASK> dump_stack_lvl+0xba/0x110 print_report+0x174/0x4f5 kasan_report+0xdf/0x110 mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum] process_one_work+0x9cc/0x18e0 worker_thread+0x5df/0xe40 kthread+0x3b8/0x730 ret_from_fork+0x3e9/0x560 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 29933: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum] mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum] process_one_work+0x9cc/0x18e0 worker_thread+0x5df/0xe40 kthread+0x3b8/0x730 ret_from_fork+0x3e9/0x560 ret_from_fork_asm+0x1a/0x30 Freed by task 29933: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_save_free_info+0x3b/0x70 __kasan_slab_free+0x43/0x70 kfree+0x14e/0x700 mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum] mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum] process_one_work+0x9cc/0x18e0 worker_thread+0x5df/0xe40 kthread+0x3b8/0x730 ret_from_fork+0x3e9/0x560 ret_from_fork_asm+0x1a/0x30 2026-01-13 not yet calculated CVE-2025-68800 https://git.kernel.org/stable/c/b957366f5611bbaba03dd10ef861283347ddcc88
https://git.kernel.org/stable/c/6e367c361a523a4b54fe618215c64a0ee189caf0
https://git.kernel.org/stable/c/37ca08b35a27ce8fd8e74dd3fd2ae21c23b63b73
https://git.kernel.org/stable/c/5f2831fc593c2b2efbff7dd0dd7441cec76adcd5
https://git.kernel.org/stable/c/216afc198484fde110ebeafc017992266f4596ce
https://git.kernel.org/stable/c/4049a6ace209f4ed150429f86ae796d7d6a4c22b
https://git.kernel.org/stable/c/8ac1dacec458f55f871f7153242ed6ab60373b90
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_router: Fix neighbour use-after-free We sometimes observe use-after-free when dereferencing a neighbour [1]. The problem seems to be that the driver stores a pointer to the neighbour, but without holding a reference on it. A reference is only taken when the neighbour is used by a nexthop. Fix by simplifying the reference counting scheme. Always take a reference when storing a neighbour pointer in a neighbour entry. Avoid taking a referencing when the neighbour is used by a nexthop as the neighbour entry associated with the nexthop already holds a reference. Tested by running the test that uncovered the problem over 300 times. Without this patch the problem was reproduced after a handful of iterations. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x2d4/0x310 Read of size 8 at addr ffff88817f8e3420 by task ip/3929 CPU: 3 UID: 0 PID: 3929 Comm: ip Not tainted 6.18.0-rc4-virtme-g36b21a067510 #3 PREEMPT(full) Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023 Call Trace: <TASK> dump_stack_lvl+0x6f/0xa0 print_address_description.constprop.0+0x6e/0x300 print_report+0xfc/0x1fb kasan_report+0xe4/0x110 mlxsw_sp_neigh_entry_update+0x2d4/0x310 mlxsw_sp_router_rif_gone_sync+0x35f/0x510 mlxsw_sp_rif_destroy+0x1ea/0x730 mlxsw_sp_inetaddr_port_vlan_event+0xa1/0x1b0 __mlxsw_sp_inetaddr_lag_event+0xcc/0x130 __mlxsw_sp_inetaddr_event+0xf5/0x3c0 mlxsw_sp_router_netdevice_event+0x1015/0x1580 notifier_call_chain+0xcc/0x150 call_netdevice_notifiers_info+0x7e/0x100 __netdev_upper_dev_unlink+0x10b/0x210 netdev_upper_dev_unlink+0x79/0xa0 vrf_del_slave+0x18/0x50 do_set_master+0x146/0x7d0 do_setlink.isra.0+0x9a0/0x2880 rtnl_newlink+0x637/0xb20 rtnetlink_rcv_msg+0x6fe/0xb90 netlink_rcv_skb+0x123/0x380 netlink_unicast+0x4a3/0x770 netlink_sendmsg+0x75b/0xc90 __sock_sendmsg+0xbe/0x160 ____sys_sendmsg+0x5b2/0x7d0 ___sys_sendmsg+0xfd/0x180 __sys_sendmsg+0x124/0x1c0 do_syscall_64+0xbb/0xfd0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 [...] Allocated by task 109: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x7b/0x90 __kmalloc_noprof+0x2c1/0x790 neigh_alloc+0x6af/0x8f0 ___neigh_create+0x63/0xe90 mlxsw_sp_nexthop_neigh_init+0x430/0x7e0 mlxsw_sp_nexthop_type_init+0x212/0x960 mlxsw_sp_nexthop6_group_info_init.constprop.0+0x81f/0x1280 mlxsw_sp_nexthop6_group_get+0x392/0x6a0 mlxsw_sp_fib6_entry_create+0x46a/0xfd0 mlxsw_sp_router_fib6_replace+0x1ed/0x5f0 mlxsw_sp_router_fib6_event_work+0x10a/0x2a0 process_one_work+0xd57/0x1390 worker_thread+0x4d6/0xd40 kthread+0x355/0x5b0 ret_from_fork+0x1d4/0x270 ret_from_fork_asm+0x11/0x20 Freed by task 154: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free_bulk.part.0+0x1eb/0x5e0 kvfree_rcu_bulk+0x1f2/0x260 kfree_rcu_work+0x130/0x1b0 process_one_work+0xd57/0x1390 worker_thread+0x4d6/0xd40 kthread+0x355/0x5b0 ret_from_fork+0x1d4/0x270 ret_from_fork_asm+0x11/0x20 Last potentially related work creation: kasan_save_stack+0x30/0x50 kasan_record_aux_stack+0x8c/0xa0 kvfree_call_rcu+0x93/0x5b0 mlxsw_sp_router_neigh_event_work+0x67d/0x860 process_one_work+0xd57/0x1390 worker_thread+0x4d6/0xd40 kthread+0x355/0x5b0 ret_from_fork+0x1d4/0x270 ret_from_fork_asm+0x11/0x20 2026-01-13 not yet calculated CVE-2025-68801 https://git.kernel.org/stable/c/a2dfe6758fc63e542105bee8b17a3a7485684db0
https://git.kernel.org/stable/c/9e0a0d9eeb0dbeba2c83fa837885b19b8b9230fc
https://git.kernel.org/stable/c/c437fbfd4382412598cdda1f8e2881b523668cc2
https://git.kernel.org/stable/c/4a3c569005f42ab5e5b2ad637132a33bf102cc08
https://git.kernel.org/stable/c/ed8141b206bdcfd5d0b92c90832eeb77b7a60a0a
https://git.kernel.org/stable/c/675c5aeadf6472672c472dc0f26401e4fcfbf254
https://git.kernel.org/stable/c/8b0e69763ef948fb872a7767df4be665d18f5fd4
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/xe: Limit num_syncs to prevent oversized allocations The exec and vm_bind ioctl allow userspace to specify an arbitrary num_syncs value. Without bounds checking, a very large num_syncs can force an excessively large allocation, leading to kernel warnings from the page allocator as below. Introduce DRM_XE_MAX_SYNCS (set to 1024) and reject any request exceeding this limit. " ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1217 at mm/page_alloc.c:5124 __alloc_frozen_pages_noprof+0x2f8/0x2180 mm/page_alloc.c:5124 ... Call Trace: <TASK> alloc_pages_mpol+0xe4/0x330 mm/mempolicy.c:2416 ___kmalloc_large_node+0xd8/0x110 mm/slub.c:4317 __kmalloc_large_node_noprof+0x18/0xe0 mm/slub.c:4348 __do_kmalloc_node mm/slub.c:4364 [inline] __kmalloc_noprof+0x3d4/0x4b0 mm/slub.c:4388 kmalloc_noprof include/linux/slab.h:909 [inline] kmalloc_array_noprof include/linux/slab.h:948 [inline] xe_exec_ioctl+0xa47/0x1e70 drivers/gpu/drm/xe/xe_exec.c:158 drm_ioctl_kernel+0x1f1/0x3e0 drivers/gpu/drm/drm_ioctl.c:797 drm_ioctl+0x5e7/0xc50 drivers/gpu/drm/drm_ioctl.c:894 xe_drm_ioctl+0x10b/0x170 drivers/gpu/drm/xe/xe_device.c:224 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:598 [inline] __se_sys_ioctl fs/ioctl.c:584 [inline] __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xbb/0x380 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... " v2: Add "Reported-by" and Cc stable kernels. v3: Change XE_MAX_SYNCS from 64 to 1024. (Matt & Ashutosh) v4: s/XE_MAX_SYNCS/DRM_XE_MAX_SYNCS/ (Matt) v5: Do the check at the top of the exec func. (Matt) (cherry picked from commit b07bac9bd708ec468cd1b8a5fe70ae2ac9b0a11c) 2026-01-13 not yet calculated CVE-2025-68802 https://git.kernel.org/stable/c/e281d1fd6903a081ef023c341145ae92258e38d2
https://git.kernel.org/stable/c/1d200017f55f829b9e376093bd31dfbec92081de
https://git.kernel.org/stable/c/8e461304009135270e9ccf2d7e2dfe29daec9b60
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: NFSD: NFSv4 file creation neglects setting ACL An NFSv4 client that sets an ACL with a named principal during file creation retrieves the ACL afterwards, and finds that it is only a default ACL (based on the mode bits) and not the ACL that was requested during file creation. This violates RFC 8881 section 6.4.1.3: "the ACL attribute is set as given". The issue occurs in nfsd_create_setattr(), which calls nfsd_attrs_valid() to determine whether to call nfsd_setattr(). However, nfsd_attrs_valid() checks only for iattr changes and security labels, but not POSIX ACLs. When only an ACL is present, the function returns false, nfsd_setattr() is skipped, and the POSIX ACL is never applied to the inode. Subsequently, when the client retrieves the ACL, the server finds no POSIX ACL on the inode and returns one generated from the file's mode bits rather than returning the originally-specified ACL. 2026-01-13 not yet calculated CVE-2025-68803 https://git.kernel.org/stable/c/c182e1e0b7640f6bcc0c5ca8d473f7c57199ea3d
https://git.kernel.org/stable/c/75f91534f9acdfef77f8fa094313b7806f801725
https://git.kernel.org/stable/c/60dbdef2ebc2317266a385e4debdb1bb0e57afe1
https://git.kernel.org/stable/c/381261f24f4e4b41521c0e5ef5cc0b9a786a9862
https://git.kernel.org/stable/c/bf4e671c651534a307ab2fabba4926116beef8c3
https://git.kernel.org/stable/c/214b396480061cbc8b16f2c518b2add7fbfa5192
https://git.kernel.org/stable/c/913f7cf77bf14c13cfea70e89bcb6d0b22239562
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver After unbinding the driver, another kthread `cros_ec_console_log_work` is still accessing the device, resulting an UAF and crash. The driver doesn't unregister the EC device in .remove() which should shutdown sub-devices synchronously. Fix it. 2026-01-13 not yet calculated CVE-2025-68804 https://git.kernel.org/stable/c/27037916db38e6b78a0242031d3b93d997b84020
https://git.kernel.org/stable/c/e1da6e399df976dd04c7c73ec008bc81da368a95
https://git.kernel.org/stable/c/8dc1f5a85286290dbf04dd5951d020570f49779b
https://git.kernel.org/stable/c/393b8f9bedc7806acb9c47cefdbdb223b4b6164b
https://git.kernel.org/stable/c/4701493ba37654b3c38b526f6591cf0b02aa172f
https://git.kernel.org/stable/c/24a2062257bbdfc831de5ed21c27b04b5bdf2437
https://git.kernel.org/stable/c/944edca81e7aea15f83cf9a13a6ab67f711e8abd
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fuse: fix io-uring list corruption for terminated non-committed requests When a request is terminated before it has been committed, the request is not removed from the queue's list. This leaves a dangling list entry that leads to list corruption and use-after-free issues. Remove the request from the queue's list for terminated non-committed requests. 2026-01-13 not yet calculated CVE-2025-68805 https://git.kernel.org/stable/c/a6d1f1ace16d0e777a85f84267160052d3499b6e
https://git.kernel.org/stable/c/95c39eef7c2b666026c69ab5b30471da94ea2874
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix buffer validation by including null terminator size in EA length The smb2_set_ea function, which handles Extended Attributes (EA), was performing buffer validation checks that incorrectly omitted the size of the null terminating character (+1 byte) for EA Name. This patch fixes the issue by explicitly adding '+ 1' to EaNameLength where the null terminator is expected to be present in the buffer, ensuring the validation accurately reflects the total required buffer size. 2026-01-13 not yet calculated CVE-2025-68806 https://git.kernel.org/stable/c/cae52c592a07e1d3fa3338a5f064a374a5f26750
https://git.kernel.org/stable/c/a28a375a5439eb474e9f284509a407efb479c925
https://git.kernel.org/stable/c/d26af6d14da43ab92d07bc60437c62901dc522e6
https://git.kernel.org/stable/c/6dc8cf6e7998ef7aeb9383a4c2904ea5d22fa2e4
https://git.kernel.org/stable/c/95d7a890e4b03e198836d49d699408fd1867cb55
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: block: fix race between wbt_enable_default and IO submission When wbt_enable_default() is moved out of queue freezing in elevator_change(), it can cause the wbt inflight counter to become negative (-1), leading to hung tasks in the writeback path. Tasks get stuck in wbt_wait() because the counter is in an inconsistent state. The issue occurs because wbt_enable_default() could race with IO submission, allowing the counter to be decremented before proper initialization. This manifests as: rq_wait[0]: inflight: -1 has_waiters: True rwb_enabled() checks the state, which can be updated exactly between wbt_wait() (rq_qos_throttle()) and wbt_track()(rq_qos_track()), then the inflight counter will become negative. And results in hung task warnings like: task:kworker/u24:39 state:D stack:0 pid:14767 Call Trace: rq_qos_wait+0xb4/0x150 wbt_wait+0xa9/0x100 __rq_qos_throttle+0x24/0x40 blk_mq_submit_bio+0x672/0x7b0 ... Fix this by: 1. Splitting wbt_enable_default() into: - __wbt_enable_default(): Returns true if wbt_init() should be called - wbt_enable_default(): Wrapper for existing callers (no init) - wbt_init_enable_default(): New function that checks and inits WBT 2. Using wbt_init_enable_default() in blk_register_queue() to ensure proper initialization during queue registration 3. Move wbt_init() out of wbt_enable_default() which is only for enabling disabled wbt from bfq and iocost, and wbt_init() isn't needed. Then the original lock warning can be avoided. 4. Removing the ELEVATOR_FLAG_ENABLE_WBT_ON_EXIT flag and its handling code since it's no longer needed This ensures WBT is properly initialized before any IO can be submitted, preventing the counter from going negative. 2026-01-13 not yet calculated CVE-2025-68807 https://git.kernel.org/stable/c/f55201fb3becff6a903fd29f4d1147cc7e91eb0c
https://git.kernel.org/stable/c/9869d3a6fed381f3b98404e26e1afc75d680cbf9
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: vidtv: initialize local pointers upon transfer of memory ownership vidtv_channel_si_init() creates a temporary list (program, service, event) and ownership of the memory itself is transferred to the PAT/SDT/EIT tables through vidtv_psi_pat_program_assign(), vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign(). The problem here is that the local pointer where the memory ownership transfer was completed is not initialized to NULL. This causes the vidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and in the flow that jumps to free_eit, the memory that was freed by vidtv_psi_*_table_destroy() can be accessed again by vidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it is freed once again. Therefore, to prevent use-after-free and double-free vulnerability, local pointers must be initialized to NULL when transferring memory ownership. 2026-01-13 not yet calculated CVE-2025-68808 https://git.kernel.org/stable/c/c342e294dac4988c8ada759b2f057246e48c5108
https://git.kernel.org/stable/c/12ab6ebb37789b84073e83e4d9b14a5e0d133323
https://git.kernel.org/stable/c/3caa18d35f1dabe85a3dd31bc387f391ac9f9b4e
https://git.kernel.org/stable/c/fb9bd6d8d314b748e946ed6555eb4a956ee8c4d8
https://git.kernel.org/stable/c/a69c7fd603bf5ad93177394fbd9711922ee81032
https://git.kernel.org/stable/c/30f4d4e5224a9e44e9ceb3956489462319d804ce
https://git.kernel.org/stable/c/98aabfe2d79f74613abc2b0b1cef08f97eaf5322
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ksmbd: vfs: fix race on m_flags in vfs_cache ksmbd maintains delete-on-close and pending-delete state in ksmbd_inode->m_flags. In vfs_cache.c this field is accessed under inconsistent locking: some paths read and modify m_flags under ci->m_lock while others do so without taking the lock at all. Examples: - ksmbd_query_inode_status() and __ksmbd_inode_close() use ci->m_lock when checking or updating m_flags. - ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(), ksmbd_clear_inode_pending_delete() and ksmbd_fd_set_delete_on_close() used to read and modify m_flags without ci->m_lock. This creates a potential data race on m_flags when multiple threads open, close and delete the same file concurrently. In the worst case delete-on-close and pending-delete bits can be lost or observed in an inconsistent state, leading to confusing delete semantics (files that stay on disk after delete-on-close, or files that disappear while still in use). Fix it by: - Making ksmbd_query_inode_status() look at m_flags under ci->m_lock after dropping inode_hash_lock. - Adding ci->m_lock protection to all helpers that read or modify m_flags (ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(), ksmbd_clear_inode_pending_delete(), ksmbd_fd_set_delete_on_close()). - Keeping the existing ci->m_lock protection in __ksmbd_inode_close(), and moving the actual unlink/xattr removal outside the lock. This unifies the locking around m_flags and removes the data race while preserving the existing delete-on-close behaviour. 2026-01-13 not yet calculated CVE-2025-68809 https://git.kernel.org/stable/c/5adad9727a815c26013b0d41cfee92ffa7d4037c
https://git.kernel.org/stable/c/ccc78781041589ea383e61d5d7a1e9a31b210b93
https://git.kernel.org/stable/c/ee63729760f5b61a66f345c54dc4c7514e62383d
https://git.kernel.org/stable/c/991f8a79db99b14c48d20d2052c82d65b9186cad
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot Reject attempts to disable KVM_MEM_GUEST_MEMFD on a memslot that was initially created with a guest_memfd binding, as KVM doesn't support toggling KVM_MEM_GUEST_MEMFD on existing memslots. KVM prevents enabling KVM_MEM_GUEST_MEMFD, but doesn't prevent clearing the flag. Failure to reject the new memslot results in a use-after-free due to KVM not unbinding from the guest_memfd instance. Unbinding on a FLAGS_ONLY change is easy enough, and can/will be done as a hardening measure (in anticipation of KVM supporting dirty logging on guest_memfd at some point), but fixing the use-after-free would only address the immediate symptom. ================================================================== BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x362/0x400 [kvm] Write of size 8 at addr ffff8881111ae908 by task repro/745 CPU: 7 UID: 1000 PID: 745 Comm: repro Not tainted 6.18.0-rc6-115d5de2eef3-next-kasan #3 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Call Trace: <TASK> dump_stack_lvl+0x51/0x60 print_report+0xcb/0x5c0 kasan_report+0xb4/0xe0 kvm_gmem_release+0x362/0x400 [kvm] __fput+0x2fa/0x9d0 task_work_run+0x12c/0x200 do_exit+0x6ae/0x2100 do_group_exit+0xa8/0x230 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0x737/0x740 do_syscall_64+0x5b/0x900 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f581f2eac31 </TASK> Allocated by task 745 on cpu 6 at 9.746971s: kasan_save_stack+0x20/0x40 kasan_save_track+0x13/0x50 __kasan_kmalloc+0x77/0x90 kvm_set_memory_region.part.0+0x652/0x1110 [kvm] kvm_vm_ioctl+0x14b0/0x3290 [kvm] __x64_sys_ioctl+0x129/0x1a0 do_syscall_64+0x5b/0x900 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Freed by task 745 on cpu 6 at 9.747467s: kasan_save_stack+0x20/0x40 kasan_save_track+0x13/0x50 __kasan_save_free_info+0x37/0x50 __kasan_slab_free+0x3b/0x60 kfree+0xf5/0x440 kvm_set_memslot+0x3c2/0x1160 [kvm] kvm_set_memory_region.part.0+0x86a/0x1110 [kvm] kvm_vm_ioctl+0x14b0/0x3290 [kvm] __x64_sys_ioctl+0x129/0x1a0 do_syscall_64+0x5b/0x900 entry_SYSCALL_64_after_hwframe+0x4b/0x53 2026-01-13 not yet calculated CVE-2025-68810 https://git.kernel.org/stable/c/89dbbe6ff323fc34659621a577fe0af913f47386
https://git.kernel.org/stable/c/cb51bef465d8ec60a968507330e01020e35dc127
https://git.kernel.org/stable/c/9935df5333aa503a18de5071f53762b65c783c4c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: svcrdma: use rc_pageoff for memcpy byte offset svc_rdma_copy_inline_range added rc_curpage (page index) to the page base instead of the byte offset rc_pageoff. Use rc_pageoff so copies land within the current page. Found by ZeroPath (https://zeropath.com) 2026-01-13 not yet calculated CVE-2025-68811 https://git.kernel.org/stable/c/e8623e9c451e23d84b870811f42fd872b4089ef6
https://git.kernel.org/stable/c/2a77c8dd49bccf0ca232be7c836cec1209abb8da
https://git.kernel.org/stable/c/a8ee9099f30654917aa68f55d707b5627e1dbf77
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: iris: Add sanity check for stop streaming Add sanity check in iris_vb2_stop_streaming. If inst->state is already IRIS_INST_ERROR, we should skip the stream_off operation because it would still send packets to the firmware. In iris_kill_session, inst->state is set to IRIS_INST_ERROR and session_close is executed, which will kfree(inst_hfi_gen2->packet). If stop_streaming is called afterward, it will cause a crash. [bod: remove qcom from patch title] 2026-01-13 not yet calculated CVE-2025-68812 https://git.kernel.org/stable/c/f8b136296722e258ec43237a35f72c92a6d4501a
https://git.kernel.org/stable/c/ad699fa78b59241c9d71a8cafb51525f3dab04d4
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ipvs: fix ipv4 null-ptr-deref in route error path The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure() without ensuring skb->dev is set, leading to a NULL pointer dereference in fib_compute_spec_dst() when ipv4_link_failure() attempts to send ICMP destination unreachable messages. The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure") started calling __ip_options_compile() from ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst() which dereferences skb->dev. An attempt was made to fix the NULL skb->dev dereference in commit 0113d9c9d1cc ("ipv4: fix null-deref in ipv4_link_failure"), but it only addressed the immediate dev_net(skb->dev) dereference by using a fallback device. The fix was incomplete because fib_compute_spec_dst() later in the call chain still accesses skb->dev directly, which remains NULL when IPVS calls dst_link_failure(). The crash occurs when: 1. IPVS processes a packet in NAT mode with a misconfigured destination 2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route 3. The error path calls dst_link_failure(skb) with skb->dev == NULL 4. ipv4_link_failure() → ipv4_send_dest_unreach() → __ip_options_compile() → fib_compute_spec_dst() 5. fib_compute_spec_dst() dereferences NULL skb->dev Apply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix ipv6 route unreach panic"): set skb->dev from skb_dst(skb)->dev before calling dst_link_failure(). KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f] CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2 RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233 RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285 Call Trace: <TASK> spec_dst_fill net/ipv4/ip_options.c:232 spec_dst_fill net/ipv4/ip_options.c:229 __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330 ipv4_send_dest_unreach net/ipv4/route.c:1252 ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265 dst_link_failure include/net/dst.h:437 __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412 ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764 2026-01-13 not yet calculated CVE-2025-68813 https://git.kernel.org/stable/c/dd72a93c80408f06327dd2d956eb1a656d0b5903
https://git.kernel.org/stable/c/312d7cd88882fc6cadcc08b02287497aaaf94bcd
https://git.kernel.org/stable/c/cdeff10851c37a002d87a035818ebd60fdb74447
https://git.kernel.org/stable/c/4729ff0581fbb7ad098b6153b76b6f5aac94618a
https://git.kernel.org/stable/c/25ab24df31f7af843c96a38e0781b9165216e1a8
https://git.kernel.org/stable/c/689a627d14788ad772e0fa24c2e57a23dbc7ce90
https://git.kernel.org/stable/c/ad891bb3d079a46a821bf2b8867854645191bab0
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: io_uring: fix filename leak in __io_openat_prep() __io_openat_prep() allocates a struct filename using getname(). However, for the condition of the file being installed in the fixed file table as well as having O_CLOEXEC flag set, the function returns early. At that point, the request doesn't have REQ_F_NEED_CLEANUP flag set. Due to this, the memory for the newly allocated struct filename is not cleaned up, causing a memory leak. Fix this by setting the REQ_F_NEED_CLEANUP for the request just after the successful getname() call, so that when the request is torn down, the filename will be cleaned up, along with other resources needing cleanup. 2026-01-13 not yet calculated CVE-2025-68814 https://git.kernel.org/stable/c/2420ef01b2e836fbc05a0a8c73a1016504eb0458
https://git.kernel.org/stable/c/8f44c4a550570cd5903625133f938c6b51310c9b
https://git.kernel.org/stable/c/18b99fa603d0df5e1c898699c17d3b92ddc80746
https://git.kernel.org/stable/c/e232269d511566b1f80872256a48593acc1becf4
https://git.kernel.org/stable/c/7fbfb85b05bc960cc50e09d03e5e562131e48d45
https://git.kernel.org/stable/c/b14fad555302a2104948feaff70503b64c80ac01
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Remove drr class from the active list if it changes to strict Whenever a user issues an ets qdisc change command, transforming a drr class into a strict one, the ets code isn't checking whether that class was in the active list and removing it. This means that, if a user changes a strict class (which was in the active list) back to a drr one, that class will be added twice to the active list [1]. Doing so with the following commands: tc qdisc add dev lo root handle 1: ets bands 2 strict 1 tc qdisc add dev lo parent 1:2 handle 20: \ tbf rate 8bit burst 100b latency 1s tc filter add dev lo parent 1: basic classid 1:2 ping -c1 -W0.01 -s 56 127.0.0.1 tc qdisc change dev lo root handle 1: ets bands 2 strict 2 tc qdisc change dev lo root handle 1: ets bands 2 strict 1 ping -c1 -W0.01 -s 56 127.0.0.1 Will trigger the following splat with list debug turned on: [ 59.279014][ T365] ------------[ cut here ]------------ [ 59.279452][ T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0. [ 59.280153][ T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220 [ 59.280860][ T365] Modules linked in: [ 59.281165][ T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary) [ 59.281977][ T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 59.282391][ T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220 [ 59.282842][ T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 <0f> 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44 ... [ 59.288812][ T365] Call Trace: [ 59.289056][ T365] <TASK> [ 59.289224][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.289546][ T365] ets_qdisc_change+0xd2b/0x1e80 [ 59.289891][ T365] ? __lock_acquire+0x7e7/0x1be0 [ 59.290223][ T365] ? __pfx_ets_qdisc_change+0x10/0x10 [ 59.290546][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.290898][ T365] ? __mutex_trylock_common+0xda/0x240 [ 59.291228][ T365] ? __pfx___mutex_trylock_common+0x10/0x10 [ 59.291655][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.291993][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.292313][ T365] ? trace_contention_end+0xc8/0x110 [ 59.292656][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.293022][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.293351][ T365] tc_modify_qdisc+0x63a/0x1cf0 Fix this by always checking and removing an ets class from the active list when changing it to strict. [1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663 2026-01-13 not yet calculated CVE-2025-68815 https://git.kernel.org/stable/c/58fdce6bc005e964f1dbc3ca716f5fe0f68839a2
https://git.kernel.org/stable/c/02783a37cb1c0a2bd9fcba4ff1b81e6e209c7d87
https://git.kernel.org/stable/c/8067db5c95aab9461d23117679338cd8869831fa
https://git.kernel.org/stable/c/2f125ebe47d6369e562f3cbd9b6227cff51eaf34
https://git.kernel.org/stable/c/cca2ed931b734fe48139bc6f020e47367346630f
https://git.kernel.org/stable/c/43d9a530c8c094d137159784e7c951c65f11ec6c
https://git.kernel.org/stable/c/b1e125ae425aba9b45252e933ca8df52a843ec70
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/mlx5: fw_tracer, Validate format string parameters Add validation for format string parameters in the firmware tracer to prevent potential security vulnerabilities and crashes from malformed format strings received from firmware. The firmware tracer receives format strings from the device firmware and uses them to format trace messages. Without proper validation, bad firmware could provide format strings with invalid format specifiers (e.g., %s, %p, %n) that could lead to crashes, or other undefined behavior. Add mlx5_tracer_validate_params() to validate that all format specifiers in trace strings are limited to safe integer/hex formats (%x, %d, %i, %u, %llx, %lx, etc.). Reject strings containing other format types that could be used to access arbitrary memory or cause crashes. Invalid format strings are added to the trace output for visibility with "BAD_FORMAT: " prefix. 2026-01-13 not yet calculated CVE-2025-68816 https://git.kernel.org/stable/c/95624b731c490a4b849844269193a233d6d556a0
https://git.kernel.org/stable/c/768d559f466cdd72849110a7ecd76a21d52dcfe3
https://git.kernel.org/stable/c/38ac688b52ef26a88f8bc4fe26d24fdd0ff91e5d
https://git.kernel.org/stable/c/8ac688c0e430dab19f6a9b70df94b1f635612c1a
https://git.kernel.org/stable/c/45bd283b1d69e2c97cddcb9956f0e0261fc4efd7
https://git.kernel.org/stable/c/8c35c2448086870509ede43947845be0833251f0
https://git.kernel.org/stable/c/b35966042d20b14e2d83330049f77deec5229749
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency Under high concurrency, A tree-connection object (tcon) is freed on a disconnect path while another path still holds a reference and later executes *_put()/write on it. 2026-01-13 not yet calculated CVE-2025-68817 https://git.kernel.org/stable/c/d092de8a26c952379ded8e6b0bda31d89befac1a
https://git.kernel.org/stable/c/d64977495e44855f2b28d8ce56107c963a7a50e4
https://git.kernel.org/stable/c/21a3d01fc6db5129f81edb0ab7cb94fd758bcbea
https://git.kernel.org/stable/c/063cbbc6f595ea36ad146e1b7d2af820894beb21
https://git.kernel.org/stable/c/b39a1833cc4a2755b02603eec3a71a85e9dff926
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9. The commit being reverted added code to __qla2x00_abort_all_cmds() to call sp->done() without holding a spinlock. But unlike the older code below it, this new code failed to check sp->cmd_type and just assumed TYPE_SRB, which results in a jump to an invalid pointer in target-mode with TYPE_TGT_CMD: qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success 0000000009f7a79b qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h. qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event 0x8002 occurred qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery - ha=0000000058183fda. BUG: kernel NULL pointer dereference, address: 0000000000000000 PF: supervisor instruction fetch in kernel mode PF: error_code(0x0010) - not-present page PGD 0 P4D 0 Oops: 0010 [#1] SMP CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1 Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023 RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206 RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000 RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0 RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045 R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40 R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400 FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __die+0x4d/0x8b ? page_fault_oops+0x91/0x180 ? trace_buffer_unlock_commit_regs+0x38/0x1a0 ? exc_page_fault+0x391/0x5e0 ? asm_exc_page_fault+0x22/0x30 __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst] qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst] qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst] qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst] qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst] kthread+0xa8/0xd0 </TASK> Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within lock") added the spinlock back, because not having the lock caused a race and a crash. But qla2x00_abort_srb() in the switch below already checks for qla2x00_chip_is_down() and handles it the same way, so the code above the switch is now redundant and still buggy in target-mode. Remove it. 2026-01-13 not yet calculated CVE-2025-68818 https://git.kernel.org/stable/c/b04b3733fff7e94566386b962e4795550fbdfd3d
https://git.kernel.org/stable/c/50b097d92c99f718831b8b349722bc79f718ba1b
https://git.kernel.org/stable/c/c5c37a821bd1708f26a9522b4a6f47b9f7a20003
https://git.kernel.org/stable/c/e9e601b7df58ba0c667baf30263331df2c02ffe1
https://git.kernel.org/stable/c/b10ebbfd59a535c8d22f4ede6e8389622ce98dc0
https://git.kernel.org/stable/c/1c728951bc769b795d377852eae1abddad88635d
https://git.kernel.org/stable/c/b57fbc88715b6d18f379463f48a15b560b087ffe
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() rlen value is a user-controlled value, but dtv5100_i2c_msg() does not check the size of the rlen value. Therefore, if it is set to a value larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data. Therefore, we need to add proper range checking to prevent this vuln. 2026-01-13 not yet calculated CVE-2025-68819 https://git.kernel.org/stable/c/c2c293ea7b61f12cdaad1e99a5b4efc58c88960a
https://git.kernel.org/stable/c/c2305b4c5fc15e20ac06c35738e0578eb4323750
https://git.kernel.org/stable/c/61f214a878e96e2a8750bf96a98f78c658dba60c
https://git.kernel.org/stable/c/4a54d8fcb093761e4c56eb211cf4e39bf8401fa1
https://git.kernel.org/stable/c/fe3e129ab49806aaaa3f22067ebc75c2dfbe4658
https://git.kernel.org/stable/c/ac92151ff2494130d9fc686055d6bbb9743a673e
https://git.kernel.org/stable/c/b91e6aafe8d356086cc621bc03e35ba2299e4788
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ext4: xattr: fix null pointer deref in ext4_raw_inode() If ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED), iloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all() lacks error checking, this will lead to a null pointer dereference in ext4_raw_inode(), called right after ext4_get_inode_loc(). Found by Linux Verification Center (linuxtesting.org) with SVACE. 2026-01-13 not yet calculated CVE-2025-68820 https://git.kernel.org/stable/c/b72a3476f0c97d02f63a6e9fff127348d55436f6
https://git.kernel.org/stable/c/3d8d22e75f7edfa0b30ff27330fd6a1285d594c3
https://git.kernel.org/stable/c/190ad0f22ba49f1101182b80e3af50ca2ddfe72f
https://git.kernel.org/stable/c/b5d942922182e82724b7152cb998f540132885ec
https://git.kernel.org/stable/c/5b154e901fda2e98570b8f426a481f5740097dc2
https://git.kernel.org/stable/c/ce5f54c065a4a7cbb92787f4f140917112350142
https://git.kernel.org/stable/c/b97cb7d6a051aa6ebd57906df0e26e9e36c26d14
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fuse: fix readahead reclaim deadlock Commit e26ee4efbc79 ("fuse: allocate ff->release_args only if release is needed") skips allocating ff->release_args if the server does not implement open. However in doing so, fuse_prepare_release() now skips grabbing the reference on the inode, which makes it possible for an inode to be evicted from the dcache while there are inflight readahead requests. This causes a deadlock if the server triggers reclaim while servicing the readahead request and reclaim attempts to evict the inode of the file being read ahead. Since the folio is locked during readahead, when reclaim evicts the fuse inode and fuse_evict_inode() attempts to remove all folios associated with the inode from the page cache (truncate_inode_pages_range()), reclaim will block forever waiting for the lock since readahead cannot relinquish the lock because it is itself blocked in reclaim: >>> stack_trace(1504735) folio_wait_bit_common (mm/filemap.c:1308:4) folio_lock (./include/linux/pagemap.h:1052:3) truncate_inode_pages_range (mm/truncate.c:336:10) fuse_evict_inode (fs/fuse/inode.c:161:2) evict (fs/inode.c:704:3) dentry_unlink_inode (fs/dcache.c:412:3) __dentry_kill (fs/dcache.c:615:3) shrink_kill (fs/dcache.c:1060:12) shrink_dentry_list (fs/dcache.c:1087:3) prune_dcache_sb (fs/dcache.c:1168:2) super_cache_scan (fs/super.c:221:10) do_shrink_slab (mm/shrinker.c:435:9) shrink_slab (mm/shrinker.c:626:10) shrink_node (mm/vmscan.c:5951:2) shrink_zones (mm/vmscan.c:6195:3) do_try_to_free_pages (mm/vmscan.c:6257:3) do_swap_page (mm/memory.c:4136:11) handle_pte_fault (mm/memory.c:5562:10) handle_mm_fault (mm/memory.c:5870:9) do_user_addr_fault (arch/x86/mm/fault.c:1338:10) handle_page_fault (arch/x86/mm/fault.c:1481:3) exc_page_fault (arch/x86/mm/fault.c:1539:2) asm_exc_page_fault+0x22/0x27 Fix this deadlock by allocating ff->release_args and grabbing the reference on the inode when preparing the file for release even if the server does not implement open. The inode reference will be dropped when the last reference on the fuse file is dropped (see fuse_file_put() -> fuse_release_end()). 2026-01-13 not yet calculated CVE-2025-68821 https://git.kernel.org/stable/c/cbbf3f1bb9f834bb2acbb61ddca74363456e19cd
https://git.kernel.org/stable/c/4703bc0e8cd3409acb1476a70cb5b7ff943cf39a
https://git.kernel.org/stable/c/cf74785c00b8b1c0c4a9dd74bfa9c22d62e2d99f
https://git.kernel.org/stable/c/fbba8b00bbe4e4f958a2b0654cc1219a7e6597f6
https://git.kernel.org/stable/c/e0d6de83a4cc22bbac72713f3a58121af36cc411
https://git.kernel.org/stable/c/bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: Input: alps - fix use-after-free bugs caused by dev3_register_work The dev3_register_work delayed work item is initialized within alps_reconnect() and scheduled upon receipt of the first bare PS/2 packet from an external PS/2 device connected to the ALPS touchpad. During device detachment, the original implementation calls flush_workqueue() in psmouse_disconnect() to ensure completion of dev3_register_work. However, the flush_workqueue() in psmouse_disconnect() only blocks and waits for work items that were already queued to the workqueue prior to its invocation. Any work items submitted after flush_workqueue() is called are not included in the set of tasks that the flush operation awaits. This means that after flush_workqueue() has finished executing, the dev3_register_work could still be scheduled. Although the psmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(), the scheduling of dev3_register_work remains unaffected. The race condition can occur as follows: CPU 0 (cleanup path) | CPU 1 (delayed work) psmouse_disconnect() | psmouse_set_state() | flush_workqueue() | alps_report_bare_ps2_packet() alps_disconnect() | psmouse_queue_work() kfree(priv); // FREE | alps_register_bare_ps2_mouse() | priv = container_of(work...); // USE | priv->dev3 // USE Add disable_delayed_work_sync() in alps_disconnect() to ensure that dev3_register_work is properly canceled and prevented from executing after the alps_data structure has been deallocated. This bug is identified by static analysis. 2026-01-13 not yet calculated CVE-2025-68822 https://git.kernel.org/stable/c/ed8c61b89be0c45f029228b2913d5cf7b5cda1a7
https://git.kernel.org/stable/c/a9c115e017b2c633d25bdfe6709dda6fc36f08c2
https://git.kernel.org/stable/c/bf40644ef8c8a288742fa45580897ed0e0289474
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ublk: fix deadlock when reading partition table When one process(such as udev) opens ublk block device (e.g., to read the partition table via bdev_open()), a deadlock[1] can occur: 1. bdev_open() grabs disk->open_mutex 2. The process issues read I/O to ublk backend to read partition table 3. In __ublk_complete_rq(), blk_update_request() or blk_mq_end_request() runs bio->bi_end_io() callbacks 4. If this triggers fput() on file descriptor of ublk block device, the work may be deferred to current task's task work (see fput() implementation) 5. This eventually calls blkdev_release() from the same context 6. blkdev_release() tries to grab disk->open_mutex again 7. Deadlock: same task waiting for a mutex it already holds The fix is to run blk_update_request() and blk_mq_end_request() with bottom halves disabled. This forces blkdev_release() to run in kernel work-queue context instead of current task work context, and allows ublk server to make forward progress, and avoids the deadlock. [axboe: rewrite comment in ublk] 2026-01-13 not yet calculated CVE-2025-68823 https://git.kernel.org/stable/c/0460e09a614291f06c008443f47393c37b7358e7
https://git.kernel.org/stable/c/c258f5c4502c9667bccf5d76fa731ab9c96687c1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: hns3: using the num_tqps in the vf driver to apply for resources Currently, hdev->htqp is allocated using hdev->num_tqps, and kinfo->tqp is allocated using kinfo->num_tqps. However, kinfo->num_tqps is set to min(new_tqps, hdev->num_tqps); Therefore, kinfo->num_tqps may be smaller than hdev->num_tqps, which causes some hdev->htqp[i] to remain uninitialized in hclgevf_knic_setup(). Thus, this patch allocates hdev->htqp and kinfo->tqp using hdev->num_tqps, ensuring that the lengths of hdev->htqp and kinfo->tqp are consistent and that all elements are properly initialized. 2026-01-13 not yet calculated CVE-2025-71064 https://git.kernel.org/stable/c/c149decd8c18ae6acdd7a6041d74507835cf26e6
https://git.kernel.org/stable/c/bcefdb288eedac96fd2f583298927e9c6c481489
https://git.kernel.org/stable/c/6cd8a2930df850f4600fe8c57d0662b376520281
https://git.kernel.org/stable/c/1956d47a03eb625951e9e070db39fe2590e27510
https://git.kernel.org/stable/c/429f946a7af3fbf08761d218746cd4afa80a7954
https://git.kernel.org/stable/c/62f28d79a6186a602a9d926a2dbb5b12b6867df7
https://git.kernel.org/stable/c/c2a16269742e176fccdd0ef9c016a233491a49ad
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid potential deadlock As Jiaming Zhang and syzbot reported, there is potential deadlock in f2fs as below: Chain exists of: &sbi->cp_rwsem --> fs_reclaim --> sb_internal#2 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- rlock(sb_internal#2); lock(fs_reclaim); lock(sb_internal#2); rlock(&sbi->cp_rwsem); *** DEADLOCK *** 3 locks held by kswapd0/73: #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan.c:7015 [inline] #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x951/0x2800 mm/vmscan.c:7389 #1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_trylock_shared fs/super.c:562 [inline] #1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_cache_scan+0x91/0x4b0 fs/super.c:197 #2: ffff888011840610 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x8d9/0x1b60 fs/f2fs/inode.c:890 stack backtrace: CPU: 0 UID: 0 PID: 73 Comm: kswapd0 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_circular_bug+0x2ee/0x310 kernel/locking/lockdep.c:2043 check_noncircular+0x134/0x160 kernel/locking/lockdep.c:2175 check_prev_add kernel/locking/lockdep.c:3165 [inline] check_prevs_add kernel/locking/lockdep.c:3284 [inline] validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908 __lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237 lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868 down_read+0x46/0x2e0 kernel/locking/rwsem.c:1537 f2fs_down_read fs/f2fs/f2fs.h:2278 [inline] f2fs_lock_op fs/f2fs/f2fs.h:2357 [inline] f2fs_do_truncate_blocks+0x21c/0x10c0 fs/f2fs/file.c:791 f2fs_truncate_blocks+0x10a/0x300 fs/f2fs/file.c:867 f2fs_truncate+0x489/0x7c0 fs/f2fs/file.c:925 f2fs_evict_inode+0x9f2/0x1b60 fs/f2fs/inode.c:897 evict+0x504/0x9c0 fs/inode.c:810 f2fs_evict_inode+0x1dc/0x1b60 fs/f2fs/inode.c:853 evict+0x504/0x9c0 fs/inode.c:810 dispose_list fs/inode.c:852 [inline] prune_icache_sb+0x21b/0x2c0 fs/inode.c:1000 super_cache_scan+0x39b/0x4b0 fs/super.c:224 do_shrink_slab+0x6ef/0x1110 mm/shrinker.c:437 shrink_slab_memcg mm/shrinker.c:550 [inline] shrink_slab+0x7ef/0x10d0 mm/shrinker.c:628 shrink_one+0x28a/0x7c0 mm/vmscan.c:4955 shrink_many mm/vmscan.c:5016 [inline] lru_gen_shrink_node mm/vmscan.c:5094 [inline] shrink_node+0x315d/0x3780 mm/vmscan.c:6081 kswapd_shrink_node mm/vmscan.c:6941 [inline] balance_pgdat mm/vmscan.c:7124 [inline] kswapd+0x147c/0x2800 mm/vmscan.c:7389 kthread+0x70e/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> The root cause is deadlock among four locks as below: kswapd - fs_reclaim --- Lock A - shrink_one - evict - f2fs_evict_inode - sb_start_intwrite --- Lock B - iput - evict - f2fs_evict_inode - sb_start_intwrite --- Lock B - f2fs_truncate - f2fs_truncate_blocks - f2fs_do_truncate_blocks - f2fs_lock_op --- Lock C ioctl - f2fs_ioc_commit_atomic_write - f2fs_lock_op --- Lock C - __f2fs_commit_atomic_write - __replace_atomic_write_block - f2fs_get_dnode_of_data - __get_node_folio - f2fs_check_nid_range - f2fs_handle_error - f2fs_record_errors - f2fs_down_write --- Lock D open - do_open - do_truncate - security_inode_need_killpriv - f2fs_getxattr - lookup_all_xattrs - f2fs_handle_error - f2fs_record_errors - f2fs_down_write --- Lock D - f2fs_commit_super - read_mapping_folio - filemap_alloc_folio_noprof - prepare_alloc_pages - fs_reclaim_acquire --- Lock A In order to a ---truncated--- 2026-01-13 not yet calculated CVE-2025-71065 https://git.kernel.org/stable/c/8bd6dff8b801abaa362272894bda795bf0cf1307
https://git.kernel.org/stable/c/6c3bab5c6261aa22c561ef56b7365959a90e7d91
https://git.kernel.org/stable/c/86a85a7b622e6e8dba69810257733ce5eab5ed55
https://git.kernel.org/stable/c/ca8b201f28547e28343a6f00a6e91fa8c09572fe
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change zdi-disclosures@trendmicro.com says: The vulnerability is a race condition between `ets_qdisc_dequeue` and `ets_qdisc_change`. It leads to UAF on `struct Qdisc` object. Attacker requires the capability to create new user and network namespace in order to trigger the bug. See my additional commentary at the end of the analysis. Analysis: static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt, struct netlink_ext_ack *extack) { ... // (1) this lock is preventing .change handler (`ets_qdisc_change`) //to race with .dequeue handler (`ets_qdisc_dequeue`) sch_tree_lock(sch); for (i = nbands; i < oldbands; i++) { if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) list_del_init(&q->classes[i].alist); qdisc_purge_queue(q->classes[i].qdisc); } WRITE_ONCE(q->nbands, nbands); for (i = nstrict; i < q->nstrict; i++) { if (q->classes[i].qdisc->q.qlen) { // (2) the class is added to the q->active list_add_tail(&q->classes[i].alist, &q->active); q->classes[i].deficit = quanta[i]; } } WRITE_ONCE(q->nstrict, nstrict); memcpy(q->prio2band, priomap, sizeof(priomap)); for (i = 0; i < q->nbands; i++) WRITE_ONCE(q->classes[i].quantum, quanta[i]); for (i = oldbands; i < q->nbands; i++) { q->classes[i].qdisc = queues[i]; if (q->classes[i].qdisc != &noop_qdisc) qdisc_hash_add(q->classes[i].qdisc, true); } // (3) the qdisc is unlocked, now dequeue can be called in parallel // to the rest of .change handler sch_tree_unlock(sch); ets_offload_change(sch); for (i = q->nbands; i < oldbands; i++) { // (4) we're reducing the refcount for our class's qdisc and // freeing it qdisc_put(q->classes[i].qdisc); // (5) If we call .dequeue between (4) and (5), we will have // a strong UAF and we can control RIP q->classes[i].qdisc = NULL; WRITE_ONCE(q->classes[i].quantum, 0); q->classes[i].deficit = 0; gnet_stats_basic_sync_init(&q->classes[i].bstats); memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats)); } return 0; } Comment: This happens because some of the classes have their qdiscs assigned to NULL, but remain in the active list. This commit fixes this issue by always removing the class from the active list before deleting and freeing its associated qdisc Reproducer Steps (trimmed version of what was sent by zdi-disclosures@trendmicro.com) ``` DEV="${DEV:-lo}" ROOT_HANDLE="${ROOT_HANDLE:-1:}" BAND2_HANDLE="${BAND2_HANDLE:-20:}" # child under 1:2 PING_BYTES="${PING_BYTES:-48}" PING_COUNT="${PING_COUNT:-200000}" PING_DST="${PING_DST:-127.0.0.1}" SLOW_TBF_RATE="${SLOW_TBF_RATE:-8bit}" SLOW_TBF_BURST="${SLOW_TBF_BURST:-100b}" SLOW_TBF_LAT="${SLOW_TBF_LAT:-1s}" cleanup() { tc qdisc del dev "$DEV" root 2>/dev/null } trap cleanup EXIT ip link set "$DEV" up tc qdisc del dev "$DEV" root 2>/dev/null || true tc qdisc add dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2 tc qdisc add dev "$DEV" parent 1:2 handle "$BAND2_HANDLE" \ tbf rate "$SLOW_TBF_RATE" burst "$SLOW_TBF_BURST" latency "$SLOW_TBF_LAT" tc filter add dev "$DEV" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2 tc -s qdisc ls dev $DEV ping -I "$DEV" -f -c "$PING_COUNT" -s "$PING_BYTES" -W 0.001 "$PING_DST" \ >/dev/null 2>&1 & tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 0 tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2 tc -s qdisc ls dev $DEV tc qdisc del dev "$DEV" parent ---truncated--- 2026-01-13 not yet calculated CVE-2025-71066 https://git.kernel.org/stable/c/062d5d544e564473450d72e6af83077c2b2ff7c3
https://git.kernel.org/stable/c/c7f6e7cc14df72b997258216e99d897d2df0dbbd
https://git.kernel.org/stable/c/a75d617a4ef08682f5cfaadc01d5141c87e019c9
https://git.kernel.org/stable/c/9987cda315c08f63a02423fa2f9a1f6602c861a0
https://git.kernel.org/stable/c/06bfb66a7c8b45e3fed01351a4b087410ae5ef39
https://git.kernel.org/stable/c/45466141da3c98a0c5fa88be0bc14b4b6a4bd75c
https://git.kernel.org/stable/c/ce052b9402e461a9aded599f5b47e76bc727f7de
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ntfs: set dummy blocksize to read boot_block when mounting When mounting, sb->s_blocksize is used to read the boot_block without being defined or validated. Set a dummy blocksize before attempting to read the boot_block. The issue can be triggered with the following syz reproducer: mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x0) r4 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040), 0x121403, 0x0) ioctl$FS_IOC_SETFLAGS(r4, 0x40081271, &(0x7f0000000980)=0x4000) mount(&(0x7f0000000140)=@nullb, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000000)='ntfs3\x00', 0x2208004, 0x0) syz_clone(0x88200200, 0x0, 0x0, 0x0, 0x0, 0x0) Here, the ioctl sets the bdev block size to 16384. During mount, get_tree_bdev_flags() calls sb_set_blocksize(sb, block_size(bdev)), but since block_size(bdev) > PAGE_SIZE, sb_set_blocksize() leaves sb->s_blocksize at zero. Later, ntfs_init_from_boot() attempts to read the boot_block while sb->s_blocksize is still zero, which triggers the bug. [almaz.alexandrovich@paragon-software.com: changed comment style, added return value handling] 2026-01-13 not yet calculated CVE-2025-71067 https://git.kernel.org/stable/c/44a38eb4f7876513db5a1bccde74de9bc4389d43
https://git.kernel.org/stable/c/4fff9a625da958a33191c8553a03283786f9f417
https://git.kernel.org/stable/c/b3c151fe8f543f1a0b8b5df16ce5d97afa5ec85a
https://git.kernel.org/stable/c/d1693a7d5a38acf6424235a6070bcf5b186a360d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: svcrdma: bound check rq_pages index in inline path svc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without verifying rc_curpage stays within the allocated page array. Add guards before the first use and after advancing to a new page. 2026-01-13 not yet calculated CVE-2025-71068 https://git.kernel.org/stable/c/a22316f5e9a29e4b92030bd8fb9435fe0eb1d5c9
https://git.kernel.org/stable/c/7ba826aae1d43212f3baa53a2175ad949e21926e
https://git.kernel.org/stable/c/5f140b525180c628db8fa6c897f138194a2de417
https://git.kernel.org/stable/c/da1ccfc4c452541584a4eae89e337cfa21be6d5a
https://git.kernel.org/stable/c/d1bea0ce35b6095544ee82bb54156fc62c067e58
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: f2fs: invalidate dentry cache on failed whiteout creation F2FS can mount filesystems with corrupted directory depth values that get runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT operations are performed on such directories, f2fs_rename performs directory modifications (updating target entry and deleting source entry) before attempting to add the whiteout entry via f2fs_add_link. If f2fs_add_link fails due to the corrupted directory structure, the function returns an error to VFS, but the partial directory modifications have already been committed to disk. VFS assumes the entire rename operation failed and does not update the dentry cache, leaving stale mappings. In the error path, VFS does not call d_move() to update the dentry cache. This results in new_dentry still pointing to the old inode (new_inode) which has already had its i_nlink decremented to zero. The stale cache causes subsequent operations to incorrectly reference the freed inode. This causes subsequent operations to use cached dentry information that no longer matches the on-disk state. When a second rename targets the same entry, VFS attempts to decrement i_nlink on the stale inode, which may already have i_nlink=0, triggering a WARNING in drop_nlink(). Example sequence: 1. First rename (RENAME_WHITEOUT): file2 → file1 - f2fs updates file1 entry on disk (points to inode 8) - f2fs deletes file2 entry on disk - f2fs_add_link(whiteout) fails (corrupted directory) - Returns error to VFS - VFS does not call d_move() due to error - VFS cache still has: file1 → inode 7 (stale!) - inode 7 has i_nlink=0 (already decremented) 2. Second rename: file3 → file1 - VFS uses stale cache: file1 → inode 7 - Tries to drop_nlink on inode 7 (i_nlink already 0) - WARNING in drop_nlink() Fix this by explicitly invalidating old_dentry and new_dentry when f2fs_add_link fails during whiteout creation. This forces VFS to refresh from disk on subsequent operations, ensuring cache consistency even when the rename partially succeeds. Reproducer: 1. Mount F2FS image with corrupted i_current_depth 2. renameat2(file2, file1, RENAME_WHITEOUT) 3. renameat2(file3, file1, 0) 4. System triggers WARNING in drop_nlink() 2026-01-13 not yet calculated CVE-2025-71069 https://git.kernel.org/stable/c/7f2bae0c881aa1e0a6318756df692cc13df2cc83
https://git.kernel.org/stable/c/3d95ed8cf980fdfa67a3ab9491357521ae576168
https://git.kernel.org/stable/c/64587ab4d1f16fc94f70e04fa87b2e3f69f8a7bb
https://git.kernel.org/stable/c/3d65e27e57aaa9d66709fda4cbfb62a87c04a3f5
https://git.kernel.org/stable/c/c89845fae250efdd59c1d4ec60e9e1c652cee4b6
https://git.kernel.org/stable/c/0dde30753c1e8648665dbe069d814e540ce2fd37
https://git.kernel.org/stable/c/d33f89b34aa313f50f9a512d58dd288999f246b0
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ublk: clean up user copy references on ublk server exit If a ublk server process releases a ublk char device file, any requests dispatched to the ublk server but not yet completed will retain a ref value of UBLK_REFCOUNT_INIT. Before commit e63d2228ef83 ("ublk: simplify aborting ublk request"), __ublk_fail_req() would decrement the reference count before completing the failed request. However, that commit optimized __ublk_fail_req() to call __ublk_complete_rq() directly without decrementing the request reference count. The leaked reference count incorrectly allows user copy and zero copy operations on the completed ublk request. It also triggers the WARN_ON_ONCE(refcount_read(&io->ref)) warnings in ublk_queue_reinit() and ublk_deinit_queue(). Commit c5c5eb24ed61 ("ublk: avoid ublk_io_release() called after ublk char dev is closed") already fixed the issue for ublk devices using UBLK_F_SUPPORT_ZERO_COPY or UBLK_F_AUTO_BUF_REG. However, the reference count leak also affects UBLK_F_USER_COPY, the other reference-counted data copy mode. Fix the condition in ublk_check_and_reset_active_ref() to include all reference-counted data copy modes. This ensures that any ublk requests still owned by the ublk server when it exits have their reference counts reset to 0. 2026-01-13 not yet calculated CVE-2025-71070 https://git.kernel.org/stable/c/13456b4f1033d911f8bf3a0a1195656f293ba0f6
https://git.kernel.org/stable/c/daa24603d9f0808929514ee62ced30052ca7221c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: fix use-after-free on probe deferral The driver is dropping the references taken to the larb devices during probe after successful lookup as well as on errors. This can potentially lead to a use-after-free in case a larb device has not yet been bound to its driver so that the iommu driver probe defers. Fix this by keeping the references as expected while the iommu driver is bound. 2026-01-13 not yet calculated CVE-2025-71071 https://git.kernel.org/stable/c/896ec55da3b90bdb9fc04fedc17ad8c359b2eee5
https://git.kernel.org/stable/c/5c04217d06a1161aaf36267e9d971ab6f847d5a7
https://git.kernel.org/stable/c/1ef70a0b104ae8011811f60bcfaa55ff49385171
https://git.kernel.org/stable/c/f6c08d3aa441bbc1956e9d65f1cbb89113a5aa8a
https://git.kernel.org/stable/c/de83d4617f9fe059623e97acf7e1e10d209625b5
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: shmem: fix recovery on rename failures maple_tree insertions can fail if we are seriously short on memory; simple_offset_rename() does not recover well if it runs into that. The same goes for simple_offset_rename_exchange(). Moreover, shmem_whiteout() expects that if it succeeds, the caller will progress to d_move(), i.e. that shmem_rename2() won't fail past the successful call of shmem_whiteout(). Not hard to fix, fortunately - mtree_store() can't fail if the index we are trying to store into is already present in the tree as a singleton. For simple_offset_rename_exchange() that's enough - we just need to be careful about the order of operations. For simple_offset_rename() solution is to preinsert the target into the tree for new_dir; the rest can be done without any potentially failing operations. That preinsertion has to be done in shmem_rename2() rather than in simple_offset_rename() itself - otherwise we'd need to deal with the possibility of failure after successful shmem_whiteout(). 2026-01-13 not yet calculated CVE-2025-71072 https://git.kernel.org/stable/c/4b0fe71fb3965d0db83cdfc2f4fe0b3227d70113
https://git.kernel.org/stable/c/4642686699a46718d7f2fb5acd1e9d866a9d9cca
https://git.kernel.org/stable/c/e1b4c6a58304fd490124cc2b454d80edc786665c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: Input: lkkbd - disable pending work before freeing device lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work handler lkkbd_reinit() dereferences the lkkbd structure and its serio/input_dev fields. lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd structure without preventing the reinit work from being queued again until serio_close() returns. This can allow the work handler to run after the structure has been freed, leading to a potential use-after-free. Use disable_work_sync() instead of cancel_work_sync() to ensure the reinit work cannot be re-queued, and call it both in lkkbd_disconnect() and in lkkbd_connect() error paths after serio_open(). 2026-01-13 not yet calculated CVE-2025-71073 https://git.kernel.org/stable/c/3a7cd1397c209076c371d53bf39a55c138f62342
https://git.kernel.org/stable/c/cffc4e29b1e2d44ab094cf142d7c461ff09b9104
https://git.kernel.org/stable/c/e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: functionfs: fix the open/removal races ffs_epfile_open() can race with removal, ending up with file->private_data pointing to freed object. There is a total count of opened files on functionfs (both ep0 and dynamic ones) and when it hits zero, dynamic files get removed. Unfortunately, that removal can happen while another thread is in ffs_epfile_open(), but has not incremented the count yet. In that case open will succeed, leaving us with UAF on any subsequent read() or write(). The root cause is that ffs->opened is misused; atomic_dec_and_test() vs. atomic_add_return() is not a good idea, when object remains visible all along. To untangle that * serialize openers on ffs->mutex (both for ep0 and for dynamic files) * have dynamic ones use atomic_inc_not_zero() and fail if we had zero ->opened; in that case the file we are opening is doomed. * have the inodes of dynamic files marked on removal (from the callback of simple_recursive_removal()) - clear ->i_private there. * have open of dynamic ones verify they hadn't been already removed, along with checking that state is FFS_ACTIVE. 2026-01-13 not yet calculated CVE-2025-71074 https://git.kernel.org/stable/c/b49c766856fb5901490de577e046149ebf15e39d
https://git.kernel.org/stable/c/e5bf5ee266633cb18fff6f98f0b7d59a62819eee
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: aic94xx: fix use-after-free in device removal path The asd_pci_remove() function fails to synchronize with pending tasklets before freeing the asd_ha structure, leading to a potential use-after-free vulnerability. When a device removal is triggered (via hot-unplug or module unload), race condition can occur. The fix adds tasklet_kill() before freeing the asd_ha structure, ensuring all scheduled tasklets complete before cleanup proceeds. 2026-01-13 not yet calculated CVE-2025-71075 https://git.kernel.org/stable/c/c8f6f88cd1df35155258285c4f43268b361819df
https://git.kernel.org/stable/c/278455a82245a572aeb218a6212a416a98e418de
https://git.kernel.org/stable/c/b3e655e52b98a1d3df41c8e42035711e083099f8
https://git.kernel.org/stable/c/e354793a7ab9bb0934ea699a9d57bcd1b48fc27b
https://git.kernel.org/stable/c/a41dc180b6e1229ae49ca290ae14d82101c148c3
https://git.kernel.org/stable/c/751c19635c2bfaaf2836a533caa3663633066dcf
https://git.kernel.org/stable/c/f6ab594672d4cba08540919a4e6be2e202b60007
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Limit num_syncs to prevent oversized allocations The OA open parameters did not validate num_syncs, allowing userspace to pass arbitrarily large values, potentially leading to excessive allocations. Add check to ensure that num_syncs does not exceed DRM_XE_MAX_SYNCS, returning -EINVAL when the limit is violated. v2: use XE_IOCTL_DBG() and drop duplicated check. (Ashutosh) (cherry picked from commit e057b2d2b8d815df3858a87dffafa2af37e5945b) 2026-01-13 not yet calculated CVE-2025-71076 https://git.kernel.org/stable/c/b963636331fb4f3f598d80492e2fa834757198eb
https://git.kernel.org/stable/c/338849090ee610ff6d11e5e90857d2c27a4121ab
https://git.kernel.org/stable/c/f8dd66bfb4e184c71bd26418a00546ebe7f5c17a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: tpm: Cap the number of PCR banks tpm2_get_pcr_allocation() does not cap any upper limit for the number of banks. Cap the limit to eight banks so that out of bounds values coming from external I/O cause on only limited harm. 2026-01-13 not yet calculated CVE-2025-71077 https://git.kernel.org/stable/c/8ceee7288152bc121a6bf92997261838c78bfe06
https://git.kernel.org/stable/c/275c686f1e3cc056ec66c764489ec1fe1e51b950
https://git.kernel.org/stable/c/ceb70d31da5671d298bad94ae6c20e4bbb800f96
https://git.kernel.org/stable/c/d88481653d74d622d1d0d2c9bad845fc2cc6fd23
https://git.kernel.org/stable/c/b69492161c056d36789aee42a87a33c18c8ed5e1
https://git.kernel.org/stable/c/858344bc9210bea9ab2bdc7e9e331ba84c164e50
https://git.kernel.org/stable/c/faf07e611dfa464b201223a7253e9dc5ee0f3c9e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: powerpc/64s/slb: Fix SLB multihit issue during SLB preload On systems using the hash MMU, there is a software SLB preload cache that mirrors the entries loaded into the hardware SLB buffer. This preload cache is subject to periodic eviction - typically after every 256 context switches - to remove old entry. To optimize performance, the kernel skips switch_mmu_context() in switch_mm_irqs_off() when the prev and next mm_struct are the same. However, on hash MMU systems, this can lead to inconsistencies between the hardware SLB and the software preload cache. If an SLB entry for a process is evicted from the software cache on one CPU, and the same process later runs on another CPU without executing switch_mmu_context(), the hardware SLB may retain stale entries. If the kernel then attempts to reload that entry, it can trigger an SLB multi-hit error. The following timeline shows how stale SLB entries are created and can cause a multi-hit error when a process moves between CPUs without a MMU context switch. CPU 0 CPU 1 ----- ----- Process P exec swapper/1 load_elf_binary begin_new_exc activate_mm switch_mm_irqs_off switch_mmu_context switch_slb /* * This invalidates all * the entries in the HW * and setup the new HW * SLB entries as per the * preload cache. */ context_switch sched_migrate_task migrates process P to cpu-1 Process swapper/0 context switch (to process P) (uses mm_struct of Process P) switch_mm_irqs_off() switch_slb load_slb++ /* * load_slb becomes 0 here * and we evict an entry from * the preload cache with * preload_age(). We still * keep HW SLB and preload * cache in sync, that is * because all HW SLB entries * anyways gets evicted in * switch_slb during SLBIA. * We then only add those * entries back in HW SLB, * which are currently * present in preload_cache * (after eviction). */ load_elf_binary continues... setup_new_exec() slb_setup_new_exec() sched_switch event sched_migrate_task migrates process P to cpu-0 context_switch from swapper/0 to Process P switch_mm_irqs_off() /* * Since both prev and next mm struct are same we don't call * switch_mmu_context(). This will cause the HW SLB and SW preload * cache to go out of sync in preload_new_slb_context. Because there * was an SLB entry which was evicted from both HW and preload cache * on cpu-1. Now later in preload_new_slb_context(), when we will try * to add the same preload entry again, we will add this to the SW * preload cache and then will add it to the HW SLB. Since on cpu-0 * this entry was never invalidated, hence adding this entry to the HW * SLB will cause a SLB multi-hit error. */ load_elf_binary cont ---truncated--- 2026-01-13 not yet calculated CVE-2025-71078 https://git.kernel.org/stable/c/01324c0328181b94cf390bda22ff91c75126ea57
https://git.kernel.org/stable/c/2e9a95d60f1df7b57618fd5ef057aef331575bd2
https://git.kernel.org/stable/c/c9f865022a1823d814032a09906e91e4701a35fc
https://git.kernel.org/stable/c/b13a3dbfa196af68eae2031f209743735ad416bf
https://git.kernel.org/stable/c/895123c309a34d2cfccf7812b41e17261a3a6f37
https://git.kernel.org/stable/c/4ae1e46d8a290319f33f71a2710a1382ba5431e8
https://git.kernel.org/stable/c/00312419f0863964625d6dcda8183f96849412c6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write A deadlock can occur between nfc_unregister_device() and rfkill_fop_write() due to lock ordering inversion between device_lock and rfkill_global_mutex. The problematic lock order is: Thread A (rfkill_fop_write): rfkill_fop_write() mutex_lock(&rfkill_global_mutex) rfkill_set_block() nfc_rfkill_set_block() nfc_dev_down() device_lock(&dev->dev) <- waits for device_lock Thread B (nfc_unregister_device): nfc_unregister_device() device_lock(&dev->dev) rfkill_unregister() mutex_lock(&rfkill_global_mutex) <- waits for rfkill_global_mutex This creates a classic ABBA deadlock scenario. Fix this by moving rfkill_unregister() and rfkill_destroy() outside the device_lock critical section. Store the rfkill pointer in a local variable before releasing the lock, then call rfkill_unregister() after releasing device_lock. This change is safe because rfkill_fop_write() holds rfkill_global_mutex while calling the rfkill callbacks, and rfkill_unregister() also acquires rfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will wait for any ongoing callback to complete before proceeding, and device_del() is only called after rfkill_unregister() returns, preventing any use-after-free. The similar lock ordering in nfc_register_device() (device_lock -> rfkill_global_mutex via rfkill_register) is safe because during registration the device is not yet in rfkill_list, so no concurrent rfkill operations can occur on this device. 2026-01-13 not yet calculated CVE-2025-71079 https://git.kernel.org/stable/c/2e0831e9fc46a06daa6d4d8d57a2738e343130c3
https://git.kernel.org/stable/c/e02a1c33f10a0ed3aba855ab8ae2b6c4c5be8012
https://git.kernel.org/stable/c/ee41f4f3ccf8cd6ba3732e867abbec7e6d8d12e5
https://git.kernel.org/stable/c/6b93c8ab6f6cda8818983a4ae3fcf84b023037b4
https://git.kernel.org/stable/c/8fc4632fb508432895430cd02b38086bdd649083
https://git.kernel.org/stable/c/f3a8a7c1aa278f2378b2f3a10500c6674dffdfda
https://git.kernel.org/stable/c/1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT On PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the current task can be preempted. Another task running on the same CPU may then execute rt6_make_pcpu_route() and successfully install a pcpu_rt entry. When the first task resumes execution, its cmpxchg() in rt6_make_pcpu_route() will fail because rt6i_pcpu is no longer NULL, triggering the BUG_ON(prev). It's easy to reproduce it by adding mdelay() after rt6_get_pcpu_route(). Using preempt_disable/enable is not appropriate here because ip6_rt_pcpu_alloc() may sleep. Fix this by handling the cmpxchg() failure gracefully on PREEMPT_RT: free our allocation and return the existing pcpu_rt installed by another task. The BUG_ON is replaced by WARN_ON_ONCE for non-PREEMPT_RT kernels where such races should not occur. 2026-01-13 not yet calculated CVE-2025-71080 https://git.kernel.org/stable/c/1dc33ad0867325f8d2c6d7b2a6f542d4f3121f66
https://git.kernel.org/stable/c/787515ccb2292f82eb0876993129154629a49651
https://git.kernel.org/stable/c/1adaea51c61b52e24e7ab38f7d3eba023b2d050d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ASoC: stm32: sai: fix OF node leak on probe The reference taken to the sync provider OF node when probing the platform device is currently only dropped if the set_sync() callback fails during DAI probe. Make sure to drop the reference on platform probe failures (e.g. probe deferral) and on driver unbind. This also avoids a potential use-after-free in case the DAI is ever reprobed without first rebinding the platform driver. 2026-01-13 not yet calculated CVE-2025-71081 https://git.kernel.org/stable/c/7daa50a2157e41c964b745ab1dc378b5b3b626d1
https://git.kernel.org/stable/c/acda653169e180b1d860dbb6bc5aceb105858394
https://git.kernel.org/stable/c/4054a3597d047f3fe87864ef87f399b5d523e6c0
https://git.kernel.org/stable/c/bae74771fc5d3b2a9cf6f5aa64596083d032c4a3
https://git.kernel.org/stable/c/3752afcc6d80d5525e236e329895ba2cb93bcb26
https://git.kernel.org/stable/c/23261f0de09427367e99f39f588e31e2856a690e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: revert use of devm_kzalloc in btusb This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file"). In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This ties the lifetime of all the btusb data to the binding of a driver to one interface, INTF. In a driver that binds to other interfaces, ISOC and DIAG, this is an accident waiting to happen. The issue is revealed in btusb_disconnect(), where calling usb_driver_release_interface(&btusb_driver, data->intf) will have devm free the data that is also being used by the other interfaces of the driver that may not be released yet. To fix this, revert the use of devm and go back to freeing memory explicitly. 2026-01-13 not yet calculated CVE-2025-71082 https://git.kernel.org/stable/c/fff9206b0907252a41eb12b7c1407b9347df18b1
https://git.kernel.org/stable/c/cca0e9206e3bcc63cd3e72193e60149165d493cc
https://git.kernel.org/stable/c/c0ecb3e4451fe94f4315e6d09c4046dfbc42090b
https://git.kernel.org/stable/c/1e54c19eaf84ba652c4e376571093e58e144b339
https://git.kernel.org/stable/c/fdf7c640fb8a44a59b0671143d8c2f738bc48003
https://git.kernel.org/stable/c/252714f1e8bdd542025b16321c790458014d6880
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Avoid NULL pointer deref for evicted BOs It is possible for a BO to exist that is not currently associated with a resource, e.g. because it has been evicted. When devcoredump tries to read the contents of all BOs for dumping, we need to expect this as well -- in this case, ENODATA is recorded instead of the buffer contents. 2026-01-13 not yet calculated CVE-2025-71083 https://git.kernel.org/stable/c/47a85604a761005d255ae38115ee630cc6931756
https://git.kernel.org/stable/c/4b9944493c6d92d7b29cfd83aaf3deb842b8da79
https://git.kernel.org/stable/c/3d004f7341d4898889801ebb2ef61ffca610dd6f
https://git.kernel.org/stable/c/5a81095d3e1b521ac7cfe3b14d5f149bace3d6e0
https://git.kernel.org/stable/c/b94182b3d7228aec18d069cba56d5982e9bfe1b1
https://git.kernel.org/stable/c/491adc6a0f9903c32b05f284df1148de39e8e644
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/cm: Fix leaking the multicast GID table reference If the CM ID is destroyed while the CM event for multicast creating is still queued the cancel_work_sync() will prevent the work from running which also prevents destroying the ah_attr. This leaks a refcount and triggers a WARN: GID entry ref leak for dev syz1 index 2 ref=573 WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline] WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886 Destroy the ah_attr after canceling the work, it is safe to call this twice. 2026-01-13 not yet calculated CVE-2025-71084 https://git.kernel.org/stable/c/d5ce588a9552878859a4d44b70b724216c188a5f
https://git.kernel.org/stable/c/abf38398724ecc888f62c678d288da40d11878af
https://git.kernel.org/stable/c/ab668a58c4a2ccb6d54add7a76f2f955d15d0196
https://git.kernel.org/stable/c/c0acdee513239e1d6e1b490f56be0e6837dfd162
https://git.kernel.org/stable/c/5cb34bb5fd726491b809efbeb5cfd63ae5bf9cf3
https://git.kernel.org/stable/c/3ba6d01c4b3c584264dc733c6a2ecc5bbc8e0bb5
https://git.kernel.org/stable/c/57f3cb6c84159d12ba343574df2115fb18dd83ca
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0). The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure that delta = headroom - skb_headroom(skb) is never negative, otherwise we will trigger a BUG_ON in pskb_expand_head(). However, if headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta becomes negative, and pskb_expand_head() is passed a negative value for nhead. Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing "negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() by only using skb_cow() to grow headroom. PoC: Using `netlabelctl` tool: netlabelctl map del default netlabelctl calipso add pass doi:7 netlabelctl map add default address:0::1/128 protocol:calipso,7 Then run the following PoC: int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); // setup msghdr int cmsg_size = 2; int cmsg_len = 0x60; struct msghdr msg; struct sockaddr_in6 dest_addr; struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1, sizeof(struct cmsghdr) + cmsg_len); msg.msg_name = &dest_addr; msg.msg_namelen = sizeof(dest_addr); msg.msg_iov = NULL; msg.msg_iovlen = 0; msg.msg_control = cmsg; msg.msg_controllen = cmsg_len; msg.msg_flags = 0; // setup sockaddr dest_addr.sin6_family = AF_INET6; dest_addr.sin6_port = htons(31337); dest_addr.sin6_flowinfo = htonl(31337); dest_addr.sin6_addr = in6addr_loopback; dest_addr.sin6_scope_id = 31337; // setup cmsghdr cmsg->cmsg_len = cmsg_len; cmsg->cmsg_level = IPPROTO_IPV6; cmsg->cmsg_type = IPV6_HOPOPTS; char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr); hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80 sendmsg(fd, &msg, 0); 2026-01-13 not yet calculated CVE-2025-71085 https://git.kernel.org/stable/c/86f365897068d09418488165a68b23cb5baa37f2
https://git.kernel.org/stable/c/6b7522424529556c9cbc15e15e7bd4eeae310910
https://git.kernel.org/stable/c/2bb759062efa188ea5d07242a43e5aa5464bbae1
https://git.kernel.org/stable/c/c53aa6a5086f03f19564096ee084a202a8c738c0
https://git.kernel.org/stable/c/bf3709738d8a8cc6fa275773170c5c29511a0b24
https://git.kernel.org/stable/c/73744ad5696dce0e0f43872aba8de6a83d6ad570
https://git.kernel.org/stable/c/58fc7342b529803d3c221101102fe913df7adb83
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: rose: fix invalid array index in rose_kill_by_device() rose_kill_by_device() collects sockets into a local array[] and then iterates over them to disconnect sockets bound to a device being brought down. The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < ARRAY_SIZE(array), this reads an uninitialized entry; for cnt == ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to an invalid socket pointer dereference and also leaks references taken via sock_hold(). Fix the index to use i. 2026-01-13 not yet calculated CVE-2025-71086 https://git.kernel.org/stable/c/819fb41ae54960f66025802400c9d3935eef4042
https://git.kernel.org/stable/c/ed2639414d43ba037f798eaf619e878309310451
https://git.kernel.org/stable/c/1418c12cd3bba79dc56b57b61c99efe40f579981
https://git.kernel.org/stable/c/9f6185a32496834d6980b168cffcccc2d6b17280
https://git.kernel.org/stable/c/b409ba9e1e63ccf3ab4cc061e33c1f804183543e
https://git.kernel.org/stable/c/92d900aac3a5721fb54f3328f1e089b44a861c38
https://git.kernel.org/stable/c/6595beb40fb0ec47223d3f6058ee40354694c8e4
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: iavf: fix off-by-one issues in iavf_config_rss_reg() There are off-by-one bugs when configuring RSS hash key and lookup table, causing out-of-bounds reads to memory [1] and out-of-bounds writes to device registers. Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"), the loop upper bounds were: i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX which is safe since the value is the last valid index. That commit changed the bounds to: i <= adapter->rss_{key,lut}_size / 4 where `rss_{key,lut}_size / 4` is the number of dwords, so the last valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=` accesses one element past the end. Fix the issues by using `<` instead of `<=`, ensuring we do not exceed the bounds. [1] KASAN splat about rss_key_size off-by-one BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800 Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63 CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: iavf iavf_watchdog_task Call Trace: <TASK> dump_stack_lvl+0x6f/0xb0 print_report+0x170/0x4f3 kasan_report+0xe1/0x1a0 iavf_config_rss+0x619/0x800 iavf_watchdog_task+0x2be7/0x3230 process_one_work+0x7fd/0x1420 worker_thread+0x4d1/0xd40 kthread+0x344/0x660 ret_from_fork+0x249/0x320 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 63: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x7f/0x90 __kmalloc_noprof+0x246/0x6f0 iavf_watchdog_task+0x28fc/0x3230 process_one_work+0x7fd/0x1420 worker_thread+0x4d1/0xd40 kthread+0x344/0x660 ret_from_fork+0x249/0x320 ret_from_fork_asm+0x1a/0x30 The buggy address belongs to the object at ffff888102c50100 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes to the right of allocated 52-byte region [ffff888102c50100, ffff888102c50134) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50 flags: 0x200000000000000(node=0|zone=2) page_type: f5(slab) raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc >ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc ^ ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 2026-01-13 not yet calculated CVE-2025-71087 https://git.kernel.org/stable/c/ceb8459df28d22c225a82d74c0f725f2a935d194
https://git.kernel.org/stable/c/5bb18bfd505ca1affbca921462c350095a6c798c
https://git.kernel.org/stable/c/d7369dc8dd7cbf5cee3a22610028d847b6f02982
https://git.kernel.org/stable/c/18de0e41d69d97fab10b91fecf10ae78a5e43232
https://git.kernel.org/stable/c/f36de3045d006e6d9be1be495f2ed88d1721e752
https://git.kernel.org/stable/c/3095228e1320371e143835d0cebeef1a8a754c66
https://git.kernel.org/stable/c/6daa2893f323981c7894c68440823326e93a7d61
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mptcp: fallback earlier on simult connection Syzkaller reports a simult-connect race leading to inconsistent fallback status: WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Modules linked in: CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 <0f> 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6 RSP: 0018:ffffc900006cf338 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888031acd100 RCX: ffffffff8b7f2abf RDX: ffff88801e6ea440 RSI: ffffffff8b7f2aca RDI: 0000000000000005 RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007 R10: 0000000000000004 R11: 0000000000002c10 R12: ffff88802ba69900 R13: 1ffff920000d9e67 R14: ffff888046f81800 R15: 0000000000000004 FS: 0000000000000000(0000) GS:ffff8880d69bc000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000560fc0ca1670 CR3: 0000000032c3a000 CR4: 0000000000352ef0 Call Trace: <TASK> tcp_data_queue+0x13b0/0x4f90 net/ipv4/tcp_input.c:5197 tcp_rcv_state_process+0xfdf/0x4ec0 net/ipv4/tcp_input.c:6922 tcp_v6_do_rcv+0x492/0x1740 net/ipv6/tcp_ipv6.c:1672 tcp_v6_rcv+0x2976/0x41e0 net/ipv6/tcp_ipv6.c:1918 ip6_protocol_deliver_rcu+0x188/0x1520 net/ipv6/ip6_input.c:438 ip6_input_finish+0x1e4/0x4b0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500 dst_input include/net/dst.h:471 [inline] ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline] NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0x264/0x650 net/ipv6/ip6_input.c:311 __netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:5979 __netif_receive_skb+0x1d/0x160 net/core/dev.c:6092 process_backlog+0x442/0x15e0 net/core/dev.c:6444 __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7494 napi_poll net/core/dev.c:7557 [inline] net_rx_action+0xa9f/0xfe0 net/core/dev.c:7684 handle_softirqs+0x216/0x8e0 kernel/softirq.c:579 run_ksoftirqd kernel/softirq.c:968 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960 smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160 kthread+0x3c2/0x780 kernel/kthread.c:463 ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> The TCP subflow can process the simult-connect syn-ack packet after transitioning to TCP_FIN1 state, bypassing the MPTCP fallback check, as the sk_state_change() callback is not invoked for * -> FIN_WAIT1 transitions. That will move the msk socket to an inconsistent status and the next incoming data will hit the reported splat. Close the race moving the simult-fallback check at the earliest possible stage - that is at syn-ack generation time. About the fixes tags: [2] was supposed to also fix this issue introduced by [3]. [1] is required as a dependence: it was not explicitly marked as a fix, but it is one and it has already been backported before [3]. In other words, this commit should be backported up to [3], including [2] and [1] if that's not already there. 2026-01-13 not yet calculated CVE-2025-71088 https://git.kernel.org/stable/c/b5f46a08269265e2f5e87d855287d6d22de0a32b
https://git.kernel.org/stable/c/c9bf315228287653522894df9d851e9b43db9516
https://git.kernel.org/stable/c/79f80a7a47849ef1b3c25a0bedcc448b9cb551c1
https://git.kernel.org/stable/c/25f1ae942c097b7ae4ce5c2b9c6fefb8e3672b86
https://git.kernel.org/stable/c/71154bbe49423128c1c8577b6576de1ed6836830
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel page table page is freed and reallocated for another purpose, the IOMMU might still hold stale, incorrect entries. This can be exploited to cause a use-after-free or write-after-free condition, potentially leading to privilege escalation or data corruption. This solution introduces a deferred freeing mechanism for kernel page table pages, which provides a safe window to notify the IOMMU to invalidate its caches before the page is reused. This patch (of 8): In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU's page tables. The x86 architecture maps the kernel's virtual address space into the upper portion of every process's page table. Consequently, in an SVA context, the IOMMU hardware can walk and cache kernel page table entries. The Linux kernel currently lacks a notification mechanism for kernel page table changes, specifically when page table pages are freed and reused. The IOMMU driver is only notified of changes to user virtual address mappings. This can cause the IOMMU's internal caches to retain stale entries for kernel VA. Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when kernel page table pages are freed and later reallocated. The IOMMU could misinterpret the new data as valid page table entries. The IOMMU might then walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. This is also a Write-After-Free issue, as the IOMMU will potentially continue to write Accessed and Dirty bits to the freed memory while attempting to walk the stale page tables. Currently, SVA contexts are unprivileged and cannot access kernel mappings. However, the IOMMU will still walk kernel-only page tables all the way down to the leaf entries, where it realizes the mapping is for the kernel and errors out. This means the IOMMU still caches these intermediate page table entries, making the described vulnerability a real concern. Disable SVA on x86 architecture until the IOMMU can receive notification to flush the paging cache before freeing the CPU kernel page table pages. 2026-01-13 not yet calculated CVE-2025-71089 https://git.kernel.org/stable/c/240cd7f2812cc25496b12063d11c823618f364e9
https://git.kernel.org/stable/c/c2c3f1a3fd74ef16cf115f0c558616a13a8471b4
https://git.kernel.org/stable/c/c341dee80b5df49a936182341b36395c831c2661
https://git.kernel.org/stable/c/72f98ef9a4be30d2a60136dd6faee376f780d06c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: nfsd: fix nfsd_file reference leak in nfsd4_add_rdaccess_to_wrdeleg() nfsd4_add_rdaccess_to_wrdeleg() unconditionally overwrites fp->fi_fds[O_RDONLY] with a newly acquired nfsd_file. However, if the client already has a SHARE_ACCESS_READ open from a previous OPEN operation, this action overwrites the existing pointer without releasing its reference, orphaning the previous reference. Additionally, the function originally stored the same nfsd_file pointer in both fp->fi_fds[O_RDONLY] and fp->fi_rdeleg_file with only a single reference. When put_deleg_file() runs, it clears fi_rdeleg_file and calls nfs4_file_put_access() to release the file. However, nfs4_file_put_access() only releases fi_fds[O_RDONLY] when the fi_access[O_RDONLY] counter drops to zero. If another READ open exists on the file, the counter remains elevated and the nfsd_file reference from the delegation is never released. This potentially causes open conflicts on that file. Then, on server shutdown, these leaks cause __nfsd_file_cache_purge() to encounter files with an elevated reference count that cannot be cleaned up, ultimately triggering a BUG() in kmem_cache_destroy() because there are still nfsd_file objects allocated in that cache. 2026-01-13 not yet calculated CVE-2025-71090 https://git.kernel.org/stable/c/c07dc84ed67c5a182273171639bacbbb87c12175
https://git.kernel.org/stable/c/8072e34e1387d03102b788677d491e2bcceef6f5
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: team: fix check for port enabled in team_queue_override_port_prio_changed() There has been a syzkaller bug reported recently with the following trace: list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:59! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59 Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286 RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000 RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005 RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230 R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480 FS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0 Call Trace: <TASK> __list_del_entry_valid include/linux/list.h:132 [inline] __list_del_entry include/linux/list.h:223 [inline] list_del_rcu include/linux/rculist.h:178 [inline] __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline] __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline] team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline] team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534 team_option_set drivers/net/team/team_core.c:376 [inline] team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653 genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684 __sys_sendmsg+0x16d/0x220 net/socket.c:2716 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The problem is in this flow: 1) Port is enabled, queue_id != 0, in qom_list 2) Port gets disabled -> team_port_disable() -> team_queue_override_port_del() -> del (removed from list) 3) Port is disabled, queue_id != 0, not in any list 4) Priority changes -> team_queue_override_port_prio_changed() -> checks: port disabled && queue_id != 0 -> calls del - hits the BUG as it is removed already To fix this, change the check in team_queue_override_port_prio_changed() so it returns early if port is not enabled. 2026-01-13 not yet calculated CVE-2025-71091 https://git.kernel.org/stable/c/25029e813c4aae5fcf7118e8dd5c56e382b9a1a3
https://git.kernel.org/stable/c/f820e438b8ec2a8354e70e75145f05fe45500d97
https://git.kernel.org/stable/c/53a727a8bfd78c739e130a781192d0f6f8e03d39
https://git.kernel.org/stable/c/6bfb62b6010a16112dcae52f490e5e0e6abe12a3
https://git.kernel.org/stable/c/107d245f84cb4f55f597d31eda34b42a2b7d6952
https://git.kernel.org/stable/c/b71187648ef2349254673d0523fdf96d1fe3d758
https://git.kernel.org/stable/c/932ac51d9953eaf77a1252f79b656d4ca86163c6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats() Commit ef56081d1864 ("RDMA/bnxt_re: RoCE related hardware counters update") added three new counters and placed them after BNXT_RE_OUT_OF_SEQ_ERR. BNXT_RE_OUT_OF_SEQ_ERR acts as a boundary marker for allocating hardware statistics with different num_counters values on chip_gen_p5_p7 devices. As a result, BNXT_RE_NUM_STD_COUNTERS are used when allocating hw_stats, which leads to an out-of-bounds write in bnxt_re_copy_err_stats(). The counters BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and BNXT_RE_RESP_REMOTE_ACCESS_ERRS are applicable to generic hardware, not only p5/p7 devices. Fix this by moving these counters before BNXT_RE_OUT_OF_SEQ_ERR so they are included in the generic counter set. 2026-01-13 not yet calculated CVE-2025-71092 https://git.kernel.org/stable/c/369a161c48723f60f06f3510b82ea7d96d0499ab
https://git.kernel.org/stable/c/9b68a1cc966bc947d00e4c0df7722d118125aa37
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: e1000: fix OOB in e1000_tbi_should_accept() In e1000_tbi_should_accept() we read the last byte of the frame via 'data[length - 1]' to evaluate the TBI workaround. If the descriptor- reported length is zero or larger than the actual RX buffer size, this read goes out of bounds and can hit unrelated slab objects. The issue is observed from the NAPI receive path (e1000_clean_rx_irq): ================================================================== BUG: KASAN: slab-out-of-bounds in e1000_tbi_should_accept+0x610/0x790 Read of size 1 at addr ffff888014114e54 by task sshd/363 CPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 Call Trace: <IRQ> dump_stack_lvl+0x5a/0x74 print_address_description+0x7b/0x440 print_report+0x101/0x200 kasan_report+0xc1/0xf0 e1000_tbi_should_accept+0x610/0x790 e1000_clean_rx_irq+0xa8c/0x1110 e1000_clean+0xde2/0x3c10 __napi_poll+0x98/0x380 net_rx_action+0x491/0xa20 __do_softirq+0x2c9/0x61d do_softirq+0xd1/0x120 </IRQ> <TASK> __local_bh_enable_ip+0xfe/0x130 ip_finish_output2+0x7d5/0xb00 __ip_queue_xmit+0xe24/0x1ab0 __tcp_transmit_skb+0x1bcb/0x3340 tcp_write_xmit+0x175d/0x6bd0 __tcp_push_pending_frames+0x7b/0x280 tcp_sendmsg_locked+0x2e4f/0x32d0 tcp_sendmsg+0x24/0x40 sock_write_iter+0x322/0x430 vfs_write+0x56c/0xa60 ksys_write+0xd1/0x190 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f511b476b10 Code: 73 01 c3 48 8b 0d 88 d3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 2b 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 8e 9b 01 00 48 89 04 24 RSP: 002b:00007ffc9211d4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000004024 RCX: 00007f511b476b10 RDX: 0000000000004024 RSI: 0000559a9385962c RDI: 0000000000000003 RBP: 0000559a9383a400 R08: fffffffffffffff0 R09: 0000000000004f00 R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc9211d57f R14: 0000559a9347bde7 R15: 0000000000000003 </TASK> Allocated by task 1: __kasan_krealloc+0x131/0x1c0 krealloc+0x90/0xc0 add_sysfs_param+0xcb/0x8a0 kernel_add_sysfs_param+0x81/0xd4 param_sysfs_builtin+0x138/0x1a6 param_sysfs_init+0x57/0x5b do_one_initcall+0x104/0x250 do_initcall_level+0x102/0x132 do_initcalls+0x46/0x74 kernel_init_freeable+0x28f/0x393 kernel_init+0x14/0x1a0 ret_from_fork+0x22/0x30 The buggy address belongs to the object at ffff888014114000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1620 bytes to the right of 2048-byte region [ffff888014114000, ffff888014114800] The buggy address belongs to the physical page: page:ffffea0000504400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14110 head:ffffea0000504400 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x100000000010200(slab|head|node=0|zone=1) raw: 0100000000010200 0000000000000000 dead000000000001 ffff888013442000 raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected ================================================================== This happens because the TBI check unconditionally dereferences the last byte without validating the reported length first: u8 last_byte = *(data + length - 1); Fix by rejecting the frame early if the length is zero, or if it exceeds adapter->rx_buffer_len. This preserves the TBI workaround semantics for valid frames and prevents touching memory beyond the RX buffer. 2026-01-13 not yet calculated CVE-2025-71093 https://git.kernel.org/stable/c/4ccfa56f272241e8d8e2c38191fdbb03df489d80
https://git.kernel.org/stable/c/278b7cfe0d4da7502c7fd679b15032f014c92892
https://git.kernel.org/stable/c/ad7a2a45e2417ac54089926b520924f8f0d91aea
https://git.kernel.org/stable/c/2c4c0c09f9648ba766d399917d420d03e7b3e1f8
https://git.kernel.org/stable/c/26c8bebc2f25288c2bcac7bc0a7662279a0e817c
https://git.kernel.org/stable/c/ee7c125fb3e8b04dd46510130b9fc92380e5d578
https://git.kernel.org/stable/c/9c72a5182ed92904d01057f208c390a303f00a0f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: usb: asix: validate PHY address before use The ASIX driver reads the PHY address from the USB device via asix_read_phy_addr(). A malicious or faulty device can return an invalid address (>= PHY_MAX_ADDR), which causes a warning in mdiobus_get_phy(): addr 207 out of range WARNING: drivers/net/phy/mdio_bus.c:76 Validate the PHY address in asix_read_phy_addr() and remove the now-redundant check in ax88172a.c. 2026-01-13 not yet calculated CVE-2025-71094 https://git.kernel.org/stable/c/fc96018f09f8d30586ca6582c5045a84eafef146
https://git.kernel.org/stable/c/f5f4f30f3811d37e1aa48667c36add74e5a8d99f
https://git.kernel.org/stable/c/38722e69ee64dbb020028c93898d25d6f4c0e0b2
https://git.kernel.org/stable/c/98a12c2547a44a5f03f35c108d2022cc652cbc4d
https://git.kernel.org/stable/c/bf8a0f3b787ca7c5889bfca12c60c483041fbee3
https://git.kernel.org/stable/c/a1e077a3f76eea0dc671ed6792e7d543946227e8
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix the crash issue for zero copy XDP_TX action There is a crash issue when running zero copy XDP_TX action, the crash log is shown below. [ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000 [ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP [ 216.301694] Call trace: [ 216.304130] dcache_clean_poc+0x20/0x38 (P) [ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0 [ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400 [ 216.317701] __stmmac_xdp_run_prog+0x164/0x368 [ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00 [ 216.326576] __napi_poll+0x40/0x218 [ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt For XDP_TX action, the xdp_buff is converted to xdp_frame by xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame depends on the memory type of the xdp_buff. For page pool based xdp_buff it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy XSK pool based xdp_buff it produces xdp_frame with memory type MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the memory type and always uses the page pool type, this leads to invalid mappings and causes the crash. Therefore, check the xdp_buff memory type in stmmac_xdp_xmit_back() to fix this issue. 2026-01-13 not yet calculated CVE-2025-71095 https://git.kernel.org/stable/c/3f7823219407f2f18044c2b72366a48810c5c821
https://git.kernel.org/stable/c/4d0ceb7677e1c4616afb96abb4518f70b65abb0d
https://git.kernel.org/stable/c/45ee0462b88396a0bd1df1991f801c89994ea72b
https://git.kernel.org/stable/c/5e5988736a95b1de7f91b10ac2575454b70e4897
https://git.kernel.org/stable/c/a48e232210009be50591fdea8ba7c07b0f566a13
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a LS_NLA_TYPE_DGID attribute, it is invalid if it does not. Use the nl parsing logic properly and call nla_parse_deprecated() to fill the nlattrs array and then directly index that array to get the data for the DGID. Just fail if it is NULL. Remove the for loop searching for the nla, and squash the validation and parsing into one function. Fixes an uninitialized read from the stack triggered by userspace if it does not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE query. BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline] BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490 hex_byte_pack include/linux/hex.h:13 [inline] ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490 ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509 ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633 pointer+0xc09/0x1bd0 lib/vsprintf.c:2542 vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930 vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279 vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426 vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465 vprintk+0x36/0x50 kernel/printk/printk_safe.c:82 _printk+0x17e/0x1b0 kernel/printk/printk.c:2475 ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline] ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141 rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline] rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x333/0x3d0 net/socket.c:729 ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2671 __sys_sendmsg+0x1aa/0x300 net/socket.c:2703 __compat_sys_sendmsg net/compat.c:346 [inline] __do_compat_sys_sendmsg net/compat.c:353 [inline] __se_compat_sys_sendmsg net/compat.c:350 [inline] __ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350 ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306 do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3 2026-01-13 not yet calculated CVE-2025-71096 https://git.kernel.org/stable/c/376f46c8983458ead26cac83aa897a0b78491831
https://git.kernel.org/stable/c/bfe10318fc23e0b3f1d0a18dad387d29473a624d
https://git.kernel.org/stable/c/45532638de5da24c201aa2a9b3dd4b054064de7b
https://git.kernel.org/stable/c/9d85524789c2f17c0e87de8d596bcccc3683a1fc
https://git.kernel.org/stable/c/acadd4097d25d6bd472bcb3f9f3eba2b5105d1ec
https://git.kernel.org/stable/c/0b948afc1ded88b3562c893114387f34389eeb94
https://git.kernel.org/stable/c/a7b8e876e0ef0232b8076972c57ce9a7286b47ca
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix reference count leak when using error routes with nexthop objects When a nexthop object is deleted, it is marked as dead and then fib_table_flush() is called to flush all the routes that are using the dead nexthop. The current logic in fib_table_flush() is to only flush error routes (e.g., blackhole) when it is called as part of network namespace dismantle (i.e., with flush_all=true). Therefore, error routes are not flushed when their nexthop object is deleted: # ip link add name dummy1 up type dummy # ip nexthop add id 1 dev dummy1 # ip route add 198.51.100.1/32 nhid 1 # ip route add blackhole 198.51.100.2/32 nhid 1 # ip nexthop del id 1 # ip route show blackhole 198.51.100.2 nhid 1 dev dummy1 As such, they keep holding a reference on the nexthop object which in turn holds a reference on the nexthop device, resulting in a reference count leak: # ip link del dev dummy1 [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2 Fix by flushing error routes when their nexthop is marked as dead. IPv6 does not suffer from this problem. 2026-01-13 not yet calculated CVE-2025-71097 https://git.kernel.org/stable/c/5de7ad7e18356e39e8fbf7edd185a5faaf4f385a
https://git.kernel.org/stable/c/33ff5c207c873215e54e6176624ed57423cb7dea
https://git.kernel.org/stable/c/30386e090c49e803c0616a7147e43409c32a2b0e
https://git.kernel.org/stable/c/5979338c83012110ccd45cae6517591770bfe536
https://git.kernel.org/stable/c/ee4183501ea556dca31f5ffd8690aa9fd25b609f
https://git.kernel.org/stable/c/e3fc381320d04e4a74311e576a86cac49a16fc43
https://git.kernel.org/stable/c/ac782f4e3bfcde145b8a7f8af31d9422d94d172a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ip6_gre: make ip6gre_header() robust Over the years, syzbot found many ways to crash the kernel in ip6gre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ip6gre device. [1] skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0 ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:213 ! <TASK> skb_under_panic net/core/skbuff.c:223 [inline] skb_push+0xc3/0xe0 net/core/skbuff.c:2641 ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371 dev_hard_header include/linux/netdevice.h:3436 [inline] neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 neigh_output include/net/neighbour.h:556 [inline] ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136 __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline] ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 2026-01-13 not yet calculated CVE-2025-71098 https://git.kernel.org/stable/c/17e7386234f740f3e7d5e58a47b5847ea34c3bc2
https://git.kernel.org/stable/c/41a1a3140aff295dee8063906f70a514548105e8
https://git.kernel.org/stable/c/adee129db814474f2f81207bd182bf343832a52e
https://git.kernel.org/stable/c/1717357007db150c2d703f13f5695460e960f26c
https://git.kernel.org/stable/c/5fe210533e3459197eabfdbf97327dacbdc04d60
https://git.kernel.org/stable/c/91a2b25be07ce1a7549ceebbe82017551d2eec92
https://git.kernel.org/stable/c/db5b4e39c4e63700c68a7e65fc4e1f1375273476
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl() In xe_oa_add_config_ioctl(), we accessed oa_config->id after dropping metrics_lock. Since this lock protects the lifetime of oa_config, an attacker could guess the id and call xe_oa_remove_config_ioctl() with perfect timing, freeing oa_config before we dereference it, leading to a potential use-after-free. Fix this by caching the id in a local variable while holding the lock. v2: (Matt A) - Dropped mutex_unlock(&oa->metrics_lock) ordering change from xe_oa_remove_config_ioctl() (cherry picked from commit 28aeaed130e8e587fd1b73b6d66ca41ccc5a1a31) 2026-01-13 not yet calculated CVE-2025-71099 https://git.kernel.org/stable/c/c6d30b65b7a44dac52ad49513268adbf19eab4a2
https://git.kernel.org/stable/c/7cdb9a9da935c687563cc682155461fef5f9b48d
https://git.kernel.org/stable/c/dcb171931954c51a1a7250d558f02b8f36570783
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc() TID getting from ieee80211_get_tid() might be out of range of array size of sta_entry->tids[], so check TID is less than MAX_TID_COUNT. Othwerwise, UBSAN warn: UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c:514:30 index 10 is out of range for type 'rtl_tid_data [9]' 2026-01-13 not yet calculated CVE-2025-71100 https://git.kernel.org/stable/c/9765d6eb8298b07d499cdf9ef7c237d3540102d6
https://git.kernel.org/stable/c/90a15ff324645aa806d81fa349497cd964861b66
https://git.kernel.org/stable/c/dd39edb445f07400e748da967a07d5dca5c5f96e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing The hp_populate_*_elements_from_package() functions in the hp-bioscfg driver contain out-of-bounds array access vulnerabilities. These functions parse ACPI packages into internal data structures using a for loop with index variable 'elem' that iterates through enum_obj/integer_obj/order_obj/password_obj/string_obj arrays. When processing multi-element fields like PREREQUISITES and ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array elements using expressions like 'enum_obj[elem + reqs]' and 'enum_obj[elem + pos_values]' within nested loops. The bug is that the bounds check only validated elem, but did not consider the additional offset when accessing elem + reqs or elem + pos_values. The fix changes the bounds check to validate the actual accessed index. 2026-01-13 not yet calculated CVE-2025-71101 https://git.kernel.org/stable/c/cf7ae870560b988247a4bbbe5399edd326632680
https://git.kernel.org/stable/c/db4c26adf7117b1a4431d1197ae7109fee3230ad
https://git.kernel.org/stable/c/79cab730dbaaac03b946c7f5681bd08c986e2abd
https://git.kernel.org/stable/c/e44c42c830b7ab36e3a3a86321c619f24def5206
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scs: fix a wrong parameter in __scs_magic __scs_magic() needs a 'void *' variable, but a 'struct task_struct *' is given. 'task_scs(tsk)' is the starting address of the task's shadow call stack, and '__scs_magic(task_scs(tsk))' is the end address of the task's shadow call stack. Here should be '__scs_magic(task_scs(tsk))'. The user-visible effect of this bug is that when CONFIG_DEBUG_STACK_USAGE is enabled, the shadow call stack usage checking function (scs_check_usage) would scan an incorrect memory range. This could lead 1. **Inaccurate stack usage reporting**: The function would calculate wrong usage statistics for the shadow call stack, potentially showing incorrect value in kmsg. 2. **Potential kernel crash**: If the value of __scs_magic(tsk)is greater than that of __scs_magic(task_scs(tsk)), the for loop may access unmapped memory, potentially causing a kernel panic. However, this scenario is unlikely because task_struct is allocated via the slab allocator (which typically returns lower addresses), while the shadow call stack returned by task_scs(tsk) is allocated via vmalloc(which typically returns higher addresses). However, since this is purely a debugging feature (CONFIG_DEBUG_STACK_USAGE), normal production systems should be not unaffected. The bug only impacts developers and testers who are actively debugging stack usage with this configuration enabled. 2026-01-14 not yet calculated CVE-2025-71102 https://git.kernel.org/stable/c/1727e8bd69103a68963a5613a0ddb6d8d37df5d3
https://git.kernel.org/stable/c/cfdf6250b63b953b1d8e60814c8ca96c6f9d1c8c
https://git.kernel.org/stable/c/57ba40b001be27786d0570dd292289df748b306b
https://git.kernel.org/stable/c/062774439d442882b44f5eab8c256ad3423ef284
https://git.kernel.org/stable/c/9ef28943471a16e4f9646bc3e8e2de148e7d8d7b
https://git.kernel.org/stable/c/a19fb3611e4c06624fc0f83ef19f4fb8d57d4751
https://git.kernel.org/stable/c/08bd4c46d5e63b78e77f2605283874bbe868ab19
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/msm: adreno: fix deferencing ifpc_reglist when not declared On plaforms with an a7xx GPU not supporting IFPC, the ifpc_reglist if still deferenced in a7xx_patch_pwrup_reglist() which causes a kernel crash: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 ... pc : a6xx_hw_init+0x155c/0x1e4c [msm] lr : a6xx_hw_init+0x9a8/0x1e4c [msm] ... Call trace: a6xx_hw_init+0x155c/0x1e4c [msm] (P) msm_gpu_hw_init+0x58/0x88 [msm] adreno_load_gpu+0x94/0x1fc [msm] msm_open+0xe4/0xf4 [msm] drm_file_alloc+0x1a0/0x2e4 [drm] drm_client_init+0x7c/0x104 [drm] drm_fbdev_client_setup+0x94/0xcf0 [drm_client_lib] drm_client_setup+0xb4/0xd8 [drm_client_lib] msm_drm_kms_post_init+0x2c/0x3c [msm] msm_drm_init+0x1a4/0x228 [msm] msm_drm_bind+0x30/0x3c [msm] ... Check the validity of ifpc_reglist before deferencing the table to setup the register values. Patchwork: https://patchwork.freedesktop.org/patch/688944/ 2026-01-14 not yet calculated CVE-2025-71103 https://git.kernel.org/stable/c/19648135e904bce447d368ecb6136e5da809639c
https://git.kernel.org/stable/c/129049d4fe22c998ae9fd1ec479fbb4ed5338c15
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer When advancing the target expiration for the guest's APIC timer in periodic mode, set the expiration to "now" if the target expiration is in the past (similar to what is done in update_target_expiration()). Blindly adding the period to the previous target expiration can result in KVM generating a practically unbounded number of hrtimer IRQs due to programming an expired timer over and over. In extreme scenarios, e.g. if userspace pauses/suspends a VM for an extended duration, this can even cause hard lockups in the host. Currently, the bug only affects Intel CPUs when using the hypervisor timer (HV timer), a.k.a. the VMX preemption timer. Unlike the software timer, a.k.a. hrtimer, which KVM keeps running even on exits to userspace, the HV timer only runs while the guest is active. As a result, if the vCPU does not run for an extended duration, there will be a huge gap between the target expiration and the current time the vCPU resumes running. Because the target expiration is incremented by only one period on each timer expiration, this leads to a series of timer expirations occurring rapidly after the vCPU/VM resumes. More critically, when the vCPU first triggers a periodic HV timer expiration after resuming, advancing the expiration by only one period will result in a target expiration in the past. As a result, the delta may be calculated as a negative value. When the delta is converted into an absolute value (tscdeadline is an unsigned u64), the resulting value can overflow what the HV timer is capable of programming. I.e. the large value will exceed the VMX Preemption Timer's maximum bit width of cpu_preemption_timer_multi + 32, and thus cause KVM to switch from the HV timer to the software timer (hrtimers). After switching to the software timer, periodic timer expiration callbacks may be executed consecutively within a single clock interrupt handler, because hrtimers honors KVM's request for an expiration in the past and immediately re-invokes KVM's callback after reprogramming. And because the interrupt handler runs with IRQs disabled, restarting KVM's hrtimer over and over until the target expiration is advanced to "now" can result in a hard lockup. E.g. the following hard lockup was triggered in the host when running a Windows VM (only relevant because it used the APIC timer in periodic mode) after resuming the VM from a long suspend (in the host). NMI watchdog: Watchdog detected hard LOCKUP on cpu 45 ... RIP: 0010:advance_periodic_target_expiration+0x4d/0x80 [kvm] ... RSP: 0018:ff4f88f5d98d8ef0 EFLAGS: 00000046 RAX: fff0103f91be678e RBX: fff0103f91be678e RCX: 00843a7d9e127bcc RDX: 0000000000000002 RSI: 0052ca4003697505 RDI: ff440d5bfbdbd500 RBP: ff440d5956f99200 R08: ff2ff2a42deb6a84 R09: 000000000002a6c0 R10: 0122d794016332b3 R11: 0000000000000000 R12: ff440db1af39cfc0 R13: ff440db1af39cfc0 R14: ffffffffc0d4a560 R15: ff440db1af39d0f8 FS: 00007f04a6ffd700(0000) GS:ff440db1af380000(0000) knlGS:000000e38a3b8000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000d5651feff8 CR3: 000000684e038002 CR4: 0000000000773ee0 PKRU: 55555554 Call Trace: <IRQ> apic_timer_fn+0x31/0x50 [kvm] __hrtimer_run_queues+0x100/0x280 hrtimer_interrupt+0x100/0x210 ? ttwu_do_wakeup+0x19/0x160 smp_apic_timer_interrupt+0x6a/0x130 apic_timer_interrupt+0xf/0x20 </IRQ> Moreover, if the suspend duration of the virtual machine is not long enough to trigger a hard lockup in this scenario, since commit 98c25ead5eda ("KVM: VMX: Move preemption timer <=> hrtimer dance to common x86"), KVM will continue using the software timer until the guest reprograms the APIC timer in some way. Since the periodic timer does not require frequent APIC timer register programming, the guest may continue to use the software timer in ---truncated--- 2026-01-14 not yet calculated CVE-2025-71104 https://git.kernel.org/stable/c/786ed625c125c5cd180d6aaa37e653e3e4ffb8d9
https://git.kernel.org/stable/c/d2da0df7bbc4fb4fd7d0a1da704f81a09c72fe73
https://git.kernel.org/stable/c/807dbe8f3862fa7c164155857550ce94b36a11b9
https://git.kernel.org/stable/c/7b54ccef865e0aa62e4871d4ada2ba4b9dcb8bed
https://git.kernel.org/stable/c/e746e51947053a02af2ea964593dc4887108d379
https://git.kernel.org/stable/c/e23f46f1a971c73dad2fd63e1408696114ddebe2
https://git.kernel.org/stable/c/18ab3fc8e880791aa9f7c000261320fc812b5465
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: f2fs: use global inline_xattr_slab instead of per-sb slab cache As Hong Yun reported in mailing list: loop7: detected capacity change from 0 to 131072 ------------[ cut here ]------------ kmem_cache of name 'f2fs_xattr_entry-7:7' already exists WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline] WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307 CPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline] RIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307 Call Trace:  __kmem_cache_create include/linux/slab.h:353 [inline]  f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline]  f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843  f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918  get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692  vfs_get_tree+0x43/0x140 fs/super.c:1815  do_new_mount+0x201/0x550 fs/namespace.c:3808  do_mount fs/namespace.c:4136 [inline]  __do_sys_mount fs/namespace.c:4347 [inline]  __se_sys_mount+0x298/0x2f0 fs/namespace.c:4324  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug can be reproduced w/ below scripts: - mount /dev/vdb /mnt1 - mount /dev/vdc /mnt2 - umount /mnt1 - mounnt /dev/vdb /mnt1 The reason is if we created two slab caches, named f2fs_xattr_entry-7:3 and f2fs_xattr_entry-7:7, and they have the same slab size. Actually, slab system will only create one slab cache core structure which has slab name of "f2fs_xattr_entry-7:3", and two slab caches share the same structure and cache address. So, if we destroy f2fs_xattr_entry-7:3 cache w/ cache address, it will decrease reference count of slab cache, rather than release slab cache entirely, since there is one more user has referenced the cache. Then, if we try to create slab cache w/ name "f2fs_xattr_entry-7:3" again, slab system will find that there is existed cache which has the same name and trigger the warning. Let's changes to use global inline_xattr_slab instead of per-sb slab cache for fixing. 2026-01-14 not yet calculated CVE-2025-71105 https://git.kernel.org/stable/c/93d30fe19660dec6bf1bd3d5c186c1c737b21aa5
https://git.kernel.org/stable/c/474cc3ed37436ddfd63cac8dbffe3b1e219e9100
https://git.kernel.org/stable/c/72ce19dfed162da6e430467333b2da70471d08a4
https://git.kernel.org/stable/c/be4c3a3c6c2304a8fcd14095d18d26f0cc4e222a
https://git.kernel.org/stable/c/1eb0b130196bcbc56c5c80c83139fa70c0aa82c5
https://git.kernel.org/stable/c/e6d828eae00ec192e18c2ddaa2fd32050a96048a
https://git.kernel.org/stable/c/1f27ef42bb0b7c0740c5616ec577ec188b8a1d05
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fs: PM: Fix reverse check in filesystems_freeze_callback() The freeze_all_ptr check in filesystems_freeze_callback() introduced by commit a3f8f8662771 ("power: always freeze efivarfs") is reverse which quite confusingly causes all file systems to be frozen when filesystem_freeze_enabled is false. On my systems it causes the WARN_ON_ONCE() in __set_task_frozen() to trigger, most likely due to an attempt to freeze a file system that is not ready for that. Add a logical negation to the check in question to reverse it as appropriate. 2026-01-14 not yet calculated CVE-2025-71106 https://git.kernel.org/stable/c/b107196729ff6b9d6cde0a71f49c1243def43328
https://git.kernel.org/stable/c/222047f68e8565c558728f792f6fef152a1d4d51
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: f2fs: ensure node page reads complete before f2fs_put_super() finishes Xfstests generic/335, generic/336 sometimes crash with the following message: F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1 ------------[ cut here ]------------ kernel BUG at fs/f2fs/super.c:1939! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 1 UID: 0 PID: 609351 Comm: umount Tainted: G W 6.17.0-rc5-xfstests-g9dd1835ecda5 #1 PREEMPT(none) Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:f2fs_put_super+0x3b3/0x3c0 Call Trace: <TASK> generic_shutdown_super+0x7e/0x190 kill_block_super+0x1a/0x40 kill_f2fs_super+0x9d/0x190 deactivate_locked_super+0x30/0xb0 cleanup_mnt+0xba/0x150 task_work_run+0x5c/0xa0 exit_to_user_mode_loop+0xb7/0xc0 do_syscall_64+0x1ae/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> ---[ end trace 0000000000000000 ]--- It appears that sometimes it is possible that f2fs_put_super() is called before all node page reads are completed. Adding a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE fixes the problem. 2026-01-14 not yet calculated CVE-2025-71107 https://git.kernel.org/stable/c/c3031cf2b61f1508662fc95ef9ad505cb0882a5f
https://git.kernel.org/stable/c/3b15d5f12935e9e25f9a571e680716bc9ee61025
https://git.kernel.org/stable/c/0b36fae23621a09e772c8adf918b9011158f8511
https://git.kernel.org/stable/c/297baa4aa263ff8f5b3d246ee16a660d76aa82c4
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Handle incorrect num_connectors capability The UCSI spec states that the num_connectors field is 7 bits, and the 8th bit is reserved and should be set to zero. Some buggy FW has been known to set this bit, and it can lead to a system not booting. Flag that the FW is not behaving correctly, and auto-fix the value so that the system boots correctly. Found on Lenovo P1 G8 during Linux enablement program. The FW will be fixed, but seemed worth addressing in case it hit platforms that aren't officially Linux supported. 2026-01-14 not yet calculated CVE-2025-71108 https://git.kernel.org/stable/c/07c8d2a109d847775b3b4e2c3294c8e1eea75432
https://git.kernel.org/stable/c/58941bbb0050e365a98c64f1fc4a9a0ac127dba6
https://git.kernel.org/stable/c/f72f97d0aee4a993a35f2496bca5efd24827235d
https://git.kernel.org/stable/c/914605b0de8128434eafc9582445306830748b93
https://git.kernel.org/stable/c/3042a57a8e8bce4a3100c3f6f03dc372aab24943
https://git.kernel.org/stable/c/132fe187e0d940f388f839fe2cde9b84106ad20d
https://git.kernel.org/stable/c/30cd2cb1abf4c4acdb1ddb468c946f68939819fb
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits Since commit e424054000878 ("MIPS: Tracing: Reduce the overhead of dynamic Function Tracer"), the macro UASM_i_LA_mostly has been used, and this macro can generate more than 2 instructions. At the same time, the code in ftrace assumes that no more than 2 instructions can be generated, which is why it stores them in an int[2] array. However, as previously noted, the macro UASM_i_LA_mostly (and now UASM_i_LA) causes a buffer overflow when _mcount is beyond 32 bits. This leads to corruption of the variables located in the __read_mostly section. This corruption was observed because the variable __cpu_primary_thread_mask was corrupted, causing a hang very early during boot. This fix prevents the corruption by avoiding the generation of instructions if they could exceed 2 instructions in length. Fortunately, insn_la_mcount is only used if the instrumented code is located outside the kernel code section, so dynamic ftrace can still be used, albeit in a more limited scope. This is still preferable to corrupting memory and/or crashing the kernel. 2026-01-14 not yet calculated CVE-2025-71109 https://git.kernel.org/stable/c/e3e33ac2eb69d595079a1a1e444c2fb98efdd42d
https://git.kernel.org/stable/c/7f39b9d0e86ed6236b9a5fb67616ab1f76c4f150
https://git.kernel.org/stable/c/36dac9a3dda1f2bae343191bc16b910c603cac25
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mm/slub: reset KASAN tag in defer_free() before accessing freed memory When CONFIG_SLUB_TINY is enabled, kfree_nolock() calls kasan_slab_free() before defer_free(). On ARM64 with MTE (Memory Tagging Extension), kasan_slab_free() poisons the memory and changes the tag from the original (e.g., 0xf3) to a poison tag (0xfe). When defer_free() then tries to write to the freed object to build the deferred free list via llist_add(), the pointer still has the old tag, causing a tag mismatch and triggering a KASAN use-after-free report: BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc mm/slub.c:6537 Write at addr f3f000000854f020 by task kworker/u8:6/983 Pointer tag: [f3], memory tag: [fe] Fix this by calling kasan_reset_tag() before accessing the freed memory. This is safe because defer_free() is part of the allocator itself and is expected to manipulate freed memory for bookkeeping purposes. 2026-01-14 not yet calculated CVE-2025-71110 https://git.kernel.org/stable/c/65d4e5af2a2e82f4fc50d8259aee208fbc6b2c1d
https://git.kernel.org/stable/c/53ca00a19d345197a37a1bf552e8d1e7b091666c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83791d) Convert macros to functions to avoid TOCTOU The macro FAN_FROM_REG evaluates its arguments multiple times. When used in lockless contexts involving shared driver data, this leads to Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially causing divide-by-zero errors. Convert the macro to a static function. This guarantees that arguments are evaluated only once (pass-by-value), preventing the race conditions. Additionally, in store_fan_div, move the calculation of the minimum limit inside the update lock. This ensures that the read-modify-write sequence operates on consistent data. Adhere to the principle of minimal changes by only converting macros that evaluate arguments multiple times and are used in lockless contexts. 2026-01-14 not yet calculated CVE-2025-71111 https://git.kernel.org/stable/c/3dceb68f6ad33156032ef4da21a93d84059cca6d
https://git.kernel.org/stable/c/bf5b03227f2e6d4360004886d268f9df8993ef8f
https://git.kernel.org/stable/c/f2b579a0c37c0df19603d719894a942a295f634a
https://git.kernel.org/stable/c/f94800fbc26ccf7c81eb791707b038a57aa39a18
https://git.kernel.org/stable/c/a9fb6e8835a22f5796c1182ed612daed3fd273af
https://git.kernel.org/stable/c/c8cf0c2bdcccc6634b6915ff793b844e12436680
https://git.kernel.org/stable/c/670d7ef945d3a84683594429aea6ab2cdfa5ceb4
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: hns3: add VLAN id validation before using Currently, the VLAN id may be used without validation when receive a VLAN configuration mailbox from VF. The length of vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause out-of-bounds memory access once the VLAN id is bigger than or equal to VLAN_N_VID. Therefore, VLAN id needs to be checked to ensure it is within the range of VLAN_N_VID. 2026-01-14 not yet calculated CVE-2025-71112 https://git.kernel.org/stable/c/46c7d9fe8dd869ea5de666aba8c1ec1061ca44a8
https://git.kernel.org/stable/c/42c91dfa772c57de141e5a55a187ac760c0fd7e1
https://git.kernel.org/stable/c/00e56a7706e10b3d00a258d81fcb85a7e96372d6
https://git.kernel.org/stable/c/b7b4f3bf118f51b67691a55b464f04452e5dc6fc
https://git.kernel.org/stable/c/95cca255a7a5ad782639ff0298c2a486707d1046
https://git.kernel.org/stable/c/91a51d01be5c9f82c12c2921ca5cceaa31b67128
https://git.kernel.org/stable/c/6ef935e65902bfed53980ad2754b06a284ea8ac1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - zero initialize memory allocated via sock_kmalloc Several crypto user API contexts and requests allocated with sock_kmalloc() were left uninitialized, relying on callers to set fields explicitly. This resulted in the use of uninitialized data in certain error paths or when new fields are added in the future. The ACVP patches also contain two user-space interface files: algif_kpp.c and algif_akcipher.c. These too rely on proper initialization of their context structures. A particular issue has been observed with the newly added 'inflight' variable introduced in af_alg_ctx by commit: 67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests") Because the context is not memset to zero after allocation, the inflight variable has contained garbage values. As a result, af_alg_alloc_areq() has incorrectly returned -EBUSY randomly when the garbage value was interpreted as true: https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209 The check directly tests ctx->inflight without explicitly comparing against true/false. Since inflight is only ever set to true or false later, an uninitialized value has triggered -EBUSY failures. Zero-initializing memory allocated with sock_kmalloc() ensures inflight and other fields start in a known state, removing random issues caused by uninitialized data. 2026-01-14 not yet calculated CVE-2025-71113 https://git.kernel.org/stable/c/e125c8e346e4eb7b3e854c862fcb4392bc13ddba
https://git.kernel.org/stable/c/543bf004e4eafbb302b1e6c78570d425d2ca13a0
https://git.kernel.org/stable/c/f81244fd6b14fecfa93b66b6bb1d59f96554e550
https://git.kernel.org/stable/c/84238876e3b3b262cf62d5f4d1338e983fb27010
https://git.kernel.org/stable/c/5a4b65523608974a81edbe386f8a667a3e10c726
https://git.kernel.org/stable/c/51a5ab36084f3251ef87eda3e6a6236f6488925e
https://git.kernel.org/stable/c/6f6e309328d53a10c0fe1f77dec2db73373179b6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: via_wdt: fix critical boot hang due to unnamed resource allocation The VIA watchdog driver uses allocate_resource() to reserve a MMIO region for the watchdog control register. However, the allocated resource was not given a name, which causes the kernel resource tree to contain an entry marked as "<BAD>" under /proc/iomem on x86 platforms. During boot, this unnamed resource can lead to a critical hang because subsequent resource lookups and conflict checks fail to handle the invalid entry properly. 2026-01-14 not yet calculated CVE-2025-71114 https://git.kernel.org/stable/c/1d56025a3af50db0f3da2792f41eb9943eee5324
https://git.kernel.org/stable/c/c7b986adc9e9336066350542ac5a2005d305ae78
https://git.kernel.org/stable/c/47c910965c936724070d2a8094a4c3ed8f452856
https://git.kernel.org/stable/c/d2c7c90aca7b37f60f16b2bedcfeb16204f2f35d
https://git.kernel.org/stable/c/f7b6370d0fbee06a867037d675797a606cb62e57
https://git.kernel.org/stable/c/c6a2dd4f2e4e6cbdfe7a1618160281af897b75db
https://git.kernel.org/stable/c/7aa31ee9ec92915926e74731378c009c9cc04928
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: um: init cpu_tasks[] earlier This is currently done in uml_finishsetup(), but e.g. with KCOV enabled we'll crash because some init code can call into e.g. memparse(), which has coverage annotations, and then the checks in check_kcov_mode() crash because current is NULL. Simply initialize the cpu_tasks[] array statically, which fixes the crash. For the later SMP work, it seems to have not really caused any problems yet, but initialize all of the entries anyway. 2026-01-14 not yet calculated CVE-2025-71115 https://git.kernel.org/stable/c/dbbf6d47130674640cd12a0781a0fb2a575d0e44
https://git.kernel.org/stable/c/7b5d4416964c07c902163822a30a622111172b01
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: libceph: make decode_pool() more resilient against corrupted osdmaps If the osdmap is (maliciously) corrupted such that the encoded length of ceph_pg_pool envelope is less than what is expected for a particular encoding version, out-of-bounds reads may ensue because the only bounds check that is there is based on that length value. This patch adds explicit bounds checks for each field that is decoded or skipped. 2026-01-14 not yet calculated CVE-2025-71116 https://git.kernel.org/stable/c/d061be4c8040ffb1110d537654a038b8b6ad39d2
https://git.kernel.org/stable/c/145d140abda80e33331c5781d6603014fa75d258
https://git.kernel.org/stable/c/c82e39ff67353a5a6cbc07b786b8690bd2c45aaa
https://git.kernel.org/stable/c/e927ab132b87ba3f076705fc2684d94b24201ed1
https://git.kernel.org/stable/c/5d0d8c292531fe356c4e94dcfdf7d7212aca9957
https://git.kernel.org/stable/c/2acb8517429ab42146c6c0ac1daed1f03d2fd125
https://git.kernel.org/stable/c/8c738512714e8c0aa18f8a10c072d5b01c83db39
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: block: Remove queue freezing from several sysfs store callbacks Freezing the request queue from inside sysfs store callbacks may cause a deadlock in combination with the dm-multipath driver and the queue_if_no_path option. Additionally, freezing the request queue slows down system boot on systems where sysfs attributes are set synchronously. Fix this by removing the blk_mq_freeze_queue() / blk_mq_unfreeze_queue() calls from the store callbacks that do not strictly need these callbacks. Add the __data_racy annotation to request_queue.rq_timeout to suppress KCSAN data race reports about the rq_timeout reads. This patch may cause a small delay in applying the new settings. For all the attributes affected by this patch, I/O will complete correctly whether the old or the new value of the attribute is used. This patch affects the following sysfs attributes: * io_poll_delay * io_timeout * nomerges * read_ahead_kb * rq_affinity Here is an example of a deadlock triggered by running test srp/002 if this patch is not applied: task:multipathd Call Trace: <TASK> __schedule+0x8c1/0x1bf0 schedule+0xdd/0x270 schedule_preempt_disabled+0x1c/0x30 __mutex_lock+0xb89/0x1650 mutex_lock_nested+0x1f/0x30 dm_table_set_restrictions+0x823/0xdf0 __bind+0x166/0x590 dm_swap_table+0x2a7/0x490 do_resume+0x1b1/0x610 dev_suspend+0x55/0x1a0 ctl_ioctl+0x3a5/0x7e0 dm_ctl_ioctl+0x12/0x20 __x64_sys_ioctl+0x127/0x1a0 x64_sys_call+0xe2b/0x17d0 do_syscall_64+0x96/0x3a0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> task:(udev-worker) Call Trace: <TASK> __schedule+0x8c1/0x1bf0 schedule+0xdd/0x270 blk_mq_freeze_queue_wait+0xf2/0x140 blk_mq_freeze_queue_nomemsave+0x23/0x30 queue_ra_store+0x14e/0x290 queue_attr_store+0x23e/0x2c0 sysfs_kf_write+0xde/0x140 kernfs_fop_write_iter+0x3b2/0x630 vfs_write+0x4fd/0x1390 ksys_write+0xfd/0x230 __x64_sys_write+0x76/0xc0 x64_sys_call+0x276/0x17d0 do_syscall_64+0x96/0x3a0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> 2026-01-14 not yet calculated CVE-2025-71117 https://git.kernel.org/stable/c/3997b3147c7b68b0308378fa95a766015f8ceb1c
https://git.kernel.org/stable/c/935a20d1bebf6236076785fac3ff81e3931834e9
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ACPICA: Avoid walking the Namespace if start_node is NULL Although commit 0c9992315e73 ("ACPICA: Avoid walking the ACPI Namespace if it is not there") fixed the situation when both start_node and acpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed on Honor Magicbook 14 Pro [1]. That happens due to the access to the member of parent_node in acpi_ns_get_next_node(). The NULL pointer dereference will always happen, no matter whether or not the start_node is equal to ACPI_ROOT_OBJECT, so move the check of start_node being NULL out of the if block. Unfortunately, all the attempts to contact Honor have failed, they refused to provide any technical support for Linux. The bad DSDT table's dump could be found on GitHub [2]. DMI: HONOR FMB-P/FMB-P-PCB, BIOS 1.13 05/08/2025 [ rjw: Subject adjustment, changelog edits ] 2026-01-14 not yet calculated CVE-2025-71118 https://git.kernel.org/stable/c/b84edef48cc8afb41150949a87dcfa81bc95b53e
https://git.kernel.org/stable/c/ecb296286c8787895625bd4c53e9478db4ae139c
https://git.kernel.org/stable/c/7f9b951ed11842373851dd3c91860778356d62d3
https://git.kernel.org/stable/c/1bc34293dfbd266c29875206849b4f8e8177e6df
https://git.kernel.org/stable/c/0d8bb08126920fd4b12dbf32d9250757c9064b36
https://git.kernel.org/stable/c/f91dad0a3b381244183ffbea4cec5a7a69d6f41e
https://git.kernel.org/stable/c/9d6c58dae8f6590c746ac5d0012ffe14a77539f0
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: powerpc/kexec: Enable SMT before waking offline CPUs If SMT is disabled or a partial SMT state is enabled, when a new kernel image is loaded for kexec, on reboot the following warning is observed: kexec: Waking offline cpu 228. WARNING: CPU: 0 PID: 9062 at arch/powerpc/kexec/core_64.c:223 kexec_prepare_cpus+0x1b0/0x1bc [snip] NIP kexec_prepare_cpus+0x1b0/0x1bc LR kexec_prepare_cpus+0x1a0/0x1bc Call Trace: kexec_prepare_cpus+0x1a0/0x1bc (unreliable) default_machine_kexec+0x160/0x19c machine_kexec+0x80/0x88 kernel_kexec+0xd0/0x118 __do_sys_reboot+0x210/0x2c4 system_call_exception+0x124/0x320 system_call_vectored_common+0x15c/0x2ec This occurs as add_cpu() fails due to cpu_bootable() returning false for CPUs that fail the cpu_smt_thread_allowed() check or non primary threads if SMT is disabled. Fix the issue by enabling SMT and resetting the number of SMT threads to the number of threads per core, before attempting to wake up all present CPUs. 2026-01-14 not yet calculated CVE-2025-71119 https://git.kernel.org/stable/c/7cccd82a0e4aad192fd74fc60e61ed9aed5857a3
https://git.kernel.org/stable/c/d790ef0c4819424ee0c2f448c0a8154c5ca369d1
https://git.kernel.org/stable/c/f0c0a681ffb77b8c5290c88c02d968199663939b
https://git.kernel.org/stable/c/0d5c9e901ad40bd39b38e119c0454b52d7663930
https://git.kernel.org/stable/c/c2296a1e42418556efbeb5636c4fa6aa6106713a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf A zero length gss_token results in pages == 0 and in_token->pages[0] is NULL. The code unconditionally evaluates page_address(in_token->pages[0]) for the initial memcpy, which can dereference NULL even when the copy length is 0. Guard the first memcpy so it only runs when length > 0. 2026-01-14 not yet calculated CVE-2025-71120 https://git.kernel.org/stable/c/a8f1e445ce3545c90d69c9e8ff8f7821825fe810
https://git.kernel.org/stable/c/4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d
https://git.kernel.org/stable/c/f9e53f69ac3bc4ef568b08d3542edac02e83fefd
https://git.kernel.org/stable/c/7452d53f293379e2c38cfa8ad0694aa46fc4788b
https://git.kernel.org/stable/c/a2c6f25ab98b423f99ccd94874d655b8bcb01a19
https://git.kernel.org/stable/c/1c8bb965e9b0559ff0f5690615a527c30f651dd8
https://git.kernel.org/stable/c/d4b69a6186b215d2dc1ebcab965ed88e8d41768d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: parisc: Do not reprogram affinitiy on ASP chip The ASP chip is a very old variant of the GSP chip and is used e.g. in HP 730 workstations. When trying to reprogram the affinity it will crash with a HPMC as the relevant registers don't seem to be at the usual location. Let's avoid the crash by checking the sversion. Also note, that reprogramming isn't necessary either, as the HP730 is a just a single-CPU machine. 2026-01-14 not yet calculated CVE-2025-71121 https://git.kernel.org/stable/c/845a92b74cf7a730200532ecb4482981cec9d006
https://git.kernel.org/stable/c/7a146f34e5be96330467397c9fd9d3d851b2cbbe
https://git.kernel.org/stable/c/4d0858bbeea12a50bfb32137f74d4b74917ebadd
https://git.kernel.org/stable/c/e09fd2eb6d4c993ee9eaae556cb51e30ec1042df
https://git.kernel.org/stable/c/60560d13ff368415c96a0c1247bea16d427c0641
https://git.kernel.org/stable/c/c8f810e20f4bbe50b49f73429d9fa6efad00623e
https://git.kernel.org/stable/c/dca7da244349eef4d78527cafc0bf80816b261f5
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED syzkaller found it could overflow math in the test infrastructure and cause a WARN_ON by corrupting the reserved interval tree. This only effects test kernels with CONFIG_IOMMUFD_TEST. Validate the user input length in the test ioctl. 2026-01-14 not yet calculated CVE-2025-71122 https://git.kernel.org/stable/c/4cc829d61f10c20523fd4085c1546e741a792a97
https://git.kernel.org/stable/c/e6c122cffcbb2e84d321ec8ba0e38ce8e7c10925
https://git.kernel.org/stable/c/b166b8e0a381429fefd9180e67fbc834b3cee82f
https://git.kernel.org/stable/c/e6a973af11135439de32ece3b9cbe3bfc043bea8
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ext4: fix string copying in parse_apply_sb_mount_options() strscpy_pad() can't be used to copy a non-NUL-term string into a NUL-term string of possibly bigger size. Commit 0efc5990bca5 ("string.h: Introduce memtostr() and memtostr_pad()") provides additional information in that regard. So if this happens, the following warning is observed: strnlen: detected buffer overflow: 65 byte read of buffer size 64 WARNING: CPU: 0 PID: 28655 at lib/string_helpers.c:1032 __fortify_report+0x96/0xc0 lib/string_helpers.c:1032 Modules linked in: CPU: 0 UID: 0 PID: 28655 Comm: syz-executor.3 Not tainted 6.12.54-syzkaller-00144-g5f0270f1ba00 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:__fortify_report+0x96/0xc0 lib/string_helpers.c:1032 Call Trace: <TASK> __fortify_panic+0x1f/0x30 lib/string_helpers.c:1039 strnlen include/linux/fortify-string.h:235 [inline] sized_strscpy include/linux/fortify-string.h:309 [inline] parse_apply_sb_mount_options fs/ext4/super.c:2504 [inline] __ext4_fill_super fs/ext4/super.c:5261 [inline] ext4_fill_super+0x3c35/0xad00 fs/ext4/super.c:5706 get_tree_bdev_flags+0x387/0x620 fs/super.c:1636 vfs_get_tree+0x93/0x380 fs/super.c:1814 do_new_mount fs/namespace.c:3553 [inline] path_mount+0x6ae/0x1f70 fs/namespace.c:3880 do_mount fs/namespace.c:3893 [inline] __do_sys_mount fs/namespace.c:4103 [inline] __se_sys_mount fs/namespace.c:4080 [inline] __x64_sys_mount+0x280/0x300 fs/namespace.c:4080 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x64/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e Since userspace is expected to provide s_mount_opts field to be at most 63 characters long with the ending byte being NUL-term, use a 64-byte buffer which matches the size of s_mount_opts, so that strscpy_pad() does its job properly. Return with error if the user still managed to provide a non-NUL-term string here. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. 2026-01-14 not yet calculated CVE-2025-71123 https://git.kernel.org/stable/c/52ac96c4a2dd7bc47666000440b0602d9742e820
https://git.kernel.org/stable/c/6e37143560e37869d51b7d9e0ac61fc48895f8a0
https://git.kernel.org/stable/c/902ca2356f1e3ec5355c5808ad5d3f9d0095b0cc
https://git.kernel.org/stable/c/db9ee13fab0267eccf6544ee35b16c9522db9aac
https://git.kernel.org/stable/c/5bbacbbf1ca4419861dca3c6b82707c10e9c021c
https://git.kernel.org/stable/c/ee5a977b4e771cc181f39d504426dbd31ed701cc
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/msm/a6xx: move preempt_prepare_postamble after error check Move the call to preempt_prepare_postamble() after verifying that preempt_postamble_ptr is valid. If preempt_postamble_ptr is NULL, dereferencing it in preempt_prepare_postamble() would lead to a crash. This change avoids calling the preparation function when the postamble allocation has failed, preventing potential NULL pointer dereference and ensuring proper error handling. Patchwork: https://patchwork.freedesktop.org/patch/687659/ 2026-01-14 not yet calculated CVE-2025-71124 https://git.kernel.org/stable/c/2c46497eb148ec61909f4101b8443f3c4c2daaec
https://git.kernel.org/stable/c/ef3b04091fd8bc737dc45312375df8625b8318e2
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: tracing: Do not register unsupported perf events Synthetic events currently do not have a function to register perf events. This leads to calling the tracepoint register functions with a NULL function pointer which triggers: ------------[ cut here ]------------ WARNING: kernel/tracepoint.c:175 at tracepoint_add_func+0x357/0x370, CPU#2: perf/2272 Modules linked in: kvm_intel kvm irqbypass CPU: 2 UID: 0 PID: 2272 Comm: perf Not tainted 6.18.0-ftest-11964-ge022764176fc-dirty #323 PREEMPTLAZY Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 RIP: 0010:tracepoint_add_func+0x357/0x370 Code: 28 9c e8 4c 0b f5 ff eb 0f 4c 89 f7 48 c7 c6 80 4d 28 9c e8 ab 89 f4 ff 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc <0f> 0b 49 c7 c6 ea ff ff ff e9 ee fe ff ff 0f 0b e9 f9 fe ff ff 0f RSP: 0018:ffffabc0c44d3c40 EFLAGS: 00010246 RAX: 0000000000000001 RBX: ffff9380aa9e4060 RCX: 0000000000000000 RDX: 000000000000000a RSI: ffffffff9e1d4a98 RDI: ffff937fcf5fd6c8 RBP: 0000000000000001 R08: 0000000000000007 R09: ffff937fcf5fc780 R10: 0000000000000003 R11: ffffffff9c193910 R12: 000000000000000a R13: ffffffff9e1e5888 R14: 0000000000000000 R15: ffffabc0c44d3c78 FS: 00007f6202f5f340(0000) GS:ffff93819f00f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055d3162281a8 CR3: 0000000106a56003 CR4: 0000000000172ef0 Call Trace: <TASK> tracepoint_probe_register+0x5d/0x90 synth_event_reg+0x3c/0x60 perf_trace_event_init+0x204/0x340 perf_trace_init+0x85/0xd0 perf_tp_event_init+0x2e/0x50 perf_try_init_event+0x6f/0x230 ? perf_event_alloc+0x4bb/0xdc0 perf_event_alloc+0x65a/0xdc0 __se_sys_perf_event_open+0x290/0x9f0 do_syscall_64+0x93/0x7b0 ? entry_SYSCALL_64_after_hwframe+0x76/0x7e ? trace_hardirqs_off+0x53/0xc0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Instead, have the code return -ENODEV, which doesn't warn and has perf error out with: # perf record -e synthetic:futex_wait Error: The sys_perf_event_open() syscall returned with 19 (No such device) for event (synthetic:futex_wait). "dmesg | grep -i perf" may provide additional information. Ideally perf should support synthetic events, but for now just fix the warning. The support can come later. 2026-01-14 not yet calculated CVE-2025-71125 https://git.kernel.org/stable/c/6819bc6285c0ff835f67cfae7efebc03541782f6
https://git.kernel.org/stable/c/6d15f08e6d8d4b4fb02d90805ea97f3e2c1d6fbc
https://git.kernel.org/stable/c/f7305697b60d79bc69c0a6e280fc931b4e8862dd
https://git.kernel.org/stable/c/65b1971147ec12f0b1cee0811c859a3d7d9b04ce
https://git.kernel.org/stable/c/3437c775bf209c674ad66304213b6b3c3b1b3f69
https://git.kernel.org/stable/c/6df47e5bb9b62d72f186f826ab643ea1856877c7
https://git.kernel.org/stable/c/ef7f38df890f5dcd2ae62f8dbde191d72f3bebae
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mptcp: avoid deadlock on fallback while reinjecting Jakub reported an MPTCP deadlock at fallback time: WARNING: possible recursive locking detected 6.18.0-rc7-virtme #1 Not tainted -------------------------------------------- mptcp_connect/20858 is trying to acquire lock: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_try_fallback+0xd8/0x280 but task is already holding lock: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&msk->fallback_lock); lock(&msk->fallback_lock); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by mptcp_connect/20858: #0: ff1100001da18290 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_sendmsg+0x114/0x1bc0 #1: ff1100001db40fd0 (k-sk_lock-AF_INET#2){+.+.}-{0:0}, at: __mptcp_retrans+0x2cb/0xaa0 #2: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0 stack backtrace: CPU: 0 UID: 0 PID: 20858 Comm: mptcp_connect Not tainted 6.18.0-rc7-virtme #1 PREEMPT(full) Hardware name: Bochs, BIOS Bochs 01/01/2011 Call Trace: <TASK> dump_stack_lvl+0x6f/0xa0 print_deadlock_bug.cold+0xc0/0xcd validate_chain+0x2ff/0x5f0 __lock_acquire+0x34c/0x740 lock_acquire.part.0+0xbc/0x260 _raw_spin_lock_bh+0x38/0x50 __mptcp_try_fallback+0xd8/0x280 mptcp_sendmsg_frag+0x16c2/0x3050 __mptcp_retrans+0x421/0xaa0 mptcp_release_cb+0x5aa/0xa70 release_sock+0xab/0x1d0 mptcp_sendmsg+0xd5b/0x1bc0 sock_write_iter+0x281/0x4d0 new_sync_write+0x3c5/0x6f0 vfs_write+0x65e/0xbb0 ksys_write+0x17e/0x200 do_syscall_64+0xbb/0xfd0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7fa5627cbc5e Code: 4d 89 d8 e8 14 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa RSP: 002b:00007fff1fe14700 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa5627cbc5e RDX: 0000000000001f9c RSI: 00007fff1fe16984 RDI: 0000000000000005 RBP: 00007fff1fe14710 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff1fe16920 R13: 0000000000002000 R14: 0000000000001f9c R15: 0000000000001f9c The packet scheduler could attempt a reinjection after receiving an MP_FAIL and before the infinite map has been transmitted, causing a deadlock since MPTCP needs to do the reinjection atomically from WRT fallback. Address the issue explicitly avoiding the reinjection in the critical scenario. Note that this is the only fallback critical section that could potentially send packets and hit the double-lock. 2026-01-14 not yet calculated CVE-2025-71126 https://git.kernel.org/stable/c/0107442e82c0f8d6010e07e6030741c59c520d6e
https://git.kernel.org/stable/c/252892d5a6a2f163ce18f32716e46fa4da7d4e79
https://git.kernel.org/stable/c/0ca9fb4335e726dab4f23b3bfe87271d8f005f41
https://git.kernel.org/stable/c/50f47c02be419bf0a3ae94c118addf67beef359f
https://git.kernel.org/stable/c/ffb8c27b0539dd90262d1021488e7817fae57c42
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Discard Beacon frames to non-broadcast address Beacon frames are required to be sent to the broadcast address, see IEEE Std 802.11-2020, 11.1.3.1 ("The Address 1 field of the Beacon .. frame shall be set to the broadcast address"). A unicast Beacon frame might be used as a targeted attack to get one of the associated STAs to do something (e.g., using CSA to move it to another channel). As such, it is better have strict filtering for this on the received side and discard all Beacon frames that are sent to an unexpected address. This is even more important for cases where beacon protection is used. The current implementation in mac80211 is correctly discarding unicast Beacon frames if the Protected Frame bit in the Frame Control field is set to 0. However, if that bit is set to 1, the logic used for checking for configured BIGTK(s) does not actually work. If the driver does not have logic for dropping unicast Beacon frames with Protected Frame bit 1, these frames would be accepted in mac80211 processing as valid Beacon frames even though they are not protected. This would allow beacon protection to be bypassed. While the logic for checking beacon protection could be extended to cover this corner case, a more generic check for discard all Beacon frames based on A1=unicast address covers this without needing additional changes. Address all these issues by dropping received Beacon frames if they are sent to a non-broadcast address. 2026-01-14 not yet calculated CVE-2025-71127 https://git.kernel.org/stable/c/be0974be5c42584e027883ac2af7dab5e950098c
https://git.kernel.org/stable/c/0a59a3895f804469276d188effa511c72e752f35
https://git.kernel.org/stable/c/88aab153d1528bc559292a12fb5105ee97528e1f
https://git.kernel.org/stable/c/6e5bff40bb38741e40c33043ba0816fba5f93661
https://git.kernel.org/stable/c/7b240a8935d554ad36a52c2c37c32039f9afaef2
https://git.kernel.org/stable/c/a21704df4024708be698fb3fd5830d5b113b70e0
https://git.kernel.org/stable/c/193d18f60588e95d62e0f82b6a53893e5f2f19f8
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: erspan: Initialize options_len before referencing options. The struct ip_tunnel_info has a flexible array member named options that is protected by a counted_by(options_len) attribute. The compiler will use this information to enforce runtime bounds checking deployed by FORTIFY_SOURCE string helpers. As laid out in the GCC documentation, the counter must be initialized before the first reference to the flexible array member. After scanning through the files that use struct ip_tunnel_info and also refer to options or options_len, it appears the normal case is to use the ip_tunnel_info_opts_set() helper. Said helper would initialize options_len properly before copying data into options, however in the GRE ERSPAN code a partial update is done, preventing the use of the helper function. Before this change the handling of ERSPAN traffic in GRE tunnels would cause a kernel panic when the kernel is compiled with GCC 15+ and having FORTIFY_SOURCE configured: memcpy: detected buffer overflow: 4 byte write of buffer size 0 Call Trace: <IRQ> __fortify_panic+0xd/0xf erspan_rcv.cold+0x68/0x83 ? ip_route_input_slow+0x816/0x9d0 gre_rcv+0x1b2/0x1c0 gre_rcv+0x8e/0x100 ? raw_v4_input+0x2a0/0x2b0 ip_protocol_deliver_rcu+0x1ea/0x210 ip_local_deliver_finish+0x86/0x110 ip_local_deliver+0x65/0x110 ? ip_rcv_finish_core+0xd6/0x360 ip_rcv+0x186/0x1a0 Reported-at: https://launchpad.net/bugs/2129580 2026-01-14 not yet calculated CVE-2025-71128 https://git.kernel.org/stable/c/b282b2a9eed848587c1348abdd5d83fa346a2743
https://git.kernel.org/stable/c/35ddf66c65eff93fff91406756ba273600bf61a3
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Sign extend kfunc call arguments The kfunc calls are native calls so they should follow LoongArch calling conventions. Sign extend its arguments properly to avoid kernel panic. This is done by adding a new emit_abi_ext() helper. The emit_abi_ext() helper performs extension in place meaning a value already store in the target register (Note: this is different from the existing sign_extend() helper and thus we can't reuse it). 2026-01-14 not yet calculated CVE-2025-71129 https://git.kernel.org/stable/c/fd43edf357a3a1f5ed1c4bf450b60001c9091c39
https://git.kernel.org/stable/c/0d666db731e95890e0eda7ea61bc925fd2be90c6
https://git.kernel.org/stable/c/321993a874f571a94b5a596f1132f798c663b56e
https://git.kernel.org/stable/c/3f5a238f24d7b75f9efe324d3539ad388f58536e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer Initialize the eb.vma array with values of 0 when the eb structure is first set up. In particular, this sets the eb->vma[i].vma pointers to NULL, simplifying cleanup and getting rid of the bug described below. During the execution of eb_lookup_vmas(), the eb->vma array is successively filled up with struct eb_vma objects. This process includes calling eb_add_vma(), which might fail; however, even in the event of failure, eb->vma[i].vma is set for the currently processed buffer. If eb_add_vma() fails, eb_lookup_vmas() returns with an error, which prompts a call to eb_release_vmas() to clean up the mess. Since eb_lookup_vmas() might fail during processing any (possibly not first) buffer, eb_release_vmas() checks whether a buffer's vma is NULL to know at what point did the lookup function fail. In eb_lookup_vmas(), eb->vma[i].vma is set to NULL if either the helper function eb_lookup_vma() or eb_validate_vma() fails. eb->vma[i+1].vma is set to NULL in case i915_gem_object_userptr_submit_init() fails; the current one needs to be cleaned up by eb_release_vmas() at this point, so the next one is set. If eb_add_vma() fails, neither the current nor the next vma is set to NULL, which is a source of a NULL deref bug described in the issue linked in the Closes tag. When entering eb_lookup_vmas(), the vma pointers are set to the slab poison value, instead of NULL. This doesn't matter for the actual lookup, since it gets overwritten anyway, however the eb_release_vmas() function only recognizes NULL as the stopping value, hence the pointers are being set to NULL as they go in case of intermediate failure. This patch changes the approach to filling them all with NULL at the start instead, rather than handling that manually during failure. (cherry picked from commit 08889b706d4f0b8d2352b7ca29c2d8df4d0787cd) 2026-01-14 not yet calculated CVE-2025-71130 https://git.kernel.org/stable/c/25d69e07770745992387c016613fd7ac8eaf9893
https://git.kernel.org/stable/c/0336188cc85d0eab8463bd1bbd4ded4e9602de8b
https://git.kernel.org/stable/c/24d55ac8e31d2f8197bfad71ffcb3bae21ed7117
https://git.kernel.org/stable/c/63f23aa2fbb823c8b15a29269fde220d227ce5b3
https://git.kernel.org/stable/c/4fe2bd195435e71c117983d87f278112c5ab364c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt As soon as crypto_aead_encrypt is called, the underlying request may be freed by an asynchronous completion. Thus dereferencing req->iv after it returns is invalid. Instead of checking req->iv against info, create a new variable unaligned_info and use it for that purpose instead. 2026-01-14 not yet calculated CVE-2025-71131 https://git.kernel.org/stable/c/18202537856e0fae079fed2c9308780bcff2bb9d
https://git.kernel.org/stable/c/baf0e2d1e03ddb04781dfe7f22a654d3611f69b2
https://git.kernel.org/stable/c/50f196d2bbaee4ab2494bb1b0d294deba292951a
https://git.kernel.org/stable/c/0279978adec6f1296af66b642cce641c6580be46
https://git.kernel.org/stable/c/ccbb96434d88e32358894c879457b33f7508e798
https://git.kernel.org/stable/c/5476f7f8a311236604b78fcc5b2a63b3a61b0169
https://git.kernel.org/stable/c/50fdb78b7c0bcc550910ef69c0984e751cac72fa
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: smc91x: fix broken irq-context in PREEMPT_RT When smc91x.c is built with PREEMPT_RT, the following splat occurs in FVP_RevC: [ 13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000 [ 13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106] [ 13.062137] preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work [ 13.062266] C ** replaying previous printk message ** [ 13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)} [ 13.062353] Hardware name: , BIOS [ 13.062382] Workqueue: mld mld_ifc_work [ 13.062469] Call trace: [ 13.062494] show_stack+0x24/0x40 (C) [ 13.062602] __dump_stack+0x28/0x48 [ 13.062710] dump_stack_lvl+0x7c/0xb0 [ 13.062818] dump_stack+0x18/0x34 [ 13.062926] process_scheduled_works+0x294/0x450 [ 13.063043] worker_thread+0x260/0x3d8 [ 13.063124] kthread+0x1c4/0x228 [ 13.063235] ret_from_fork+0x10/0x20 This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT, but smc_special_unlock() does not restore IRQs on PREEMPT_RT. The reason is that smc_special_unlock() calls spin_unlock_irqrestore(), and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke rcu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero. To address this issue, replace smc_special_trylock() with spin_trylock_irqsave(). 2026-01-14 not yet calculated CVE-2025-71132 https://git.kernel.org/stable/c/1c4cb705e733250d13243f6a69b8b5a92e39b9f6
https://git.kernel.org/stable/c/9d222141b00156509d67d80c771fbefa92c43ace
https://git.kernel.org/stable/c/ef277ae121b3249c99994652210a326b52d527b0
https://git.kernel.org/stable/c/36561b86cb2501647662cfaf91286dd6973804a6
https://git.kernel.org/stable/c/b6018d5c1a8f09d5efe4d6961d7ee45fdf3a7ce3
https://git.kernel.org/stable/c/6402078bd9d1ed46e79465e1faaa42e3458f8a33
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: avoid invalid read in irdma_net_event irdma_net_event() should not dereference anything from "neigh" (alias "ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE. Other events come with different structures pointed to by "ptr" and they may be smaller than struct neighbour. Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case. The bug is mostly harmless, but it triggers KASAN on debug kernels: BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma] Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554 CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1 Hardware name: [...] Workqueue: events rt6_probe_deferred Call Trace: <IRQ> dump_stack_lvl+0x60/0xb0 print_address_description.constprop.0+0x2c/0x3f0 print_report+0xb4/0x270 kasan_report+0x92/0xc0 irdma_net_event+0x32e/0x3b0 [irdma] notifier_call_chain+0x9e/0x180 atomic_notifier_call_chain+0x5c/0x110 rt6_do_redirect+0xb91/0x1080 tcp_v6_err+0xe9b/0x13e0 icmpv6_notify+0x2b2/0x630 ndisc_redirect_rcv+0x328/0x530 icmpv6_rcv+0xc16/0x1360 ip6_protocol_deliver_rcu+0xb84/0x12e0 ip6_input_finish+0x117/0x240 ip6_input+0xc4/0x370 ipv6_rcv+0x420/0x7d0 __netif_receive_skb_one_core+0x118/0x1b0 process_backlog+0xd1/0x5d0 __napi_poll.constprop.0+0xa3/0x440 net_rx_action+0x78a/0xba0 handle_softirqs+0x2d4/0x9c0 do_softirq+0xad/0xe0 </IRQ> 2026-01-14 not yet calculated CVE-2025-71133 https://git.kernel.org/stable/c/db93ae6fa66f1c61ae63400191195e3ee58021da
https://git.kernel.org/stable/c/305c02e541befe4a44ffde30ed374970f41aeb6c
https://git.kernel.org/stable/c/fc23d05f0b3fb4d80657e7afebae2cae686b31c8
https://git.kernel.org/stable/c/bf197c7c79ef6458d1ee84dd7db251b51784885f
https://git.kernel.org/stable/c/d9b9affd103f51b42322da4ed5ac025b560bc354
https://git.kernel.org/stable/c/6f05611728e9d0ab024832a4f1abb74a5f5d0bb0
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: change all pageblocks migrate type on coalescing When a page is freed it coalesces with a buddy into a higher order page while possible. When the buddy page migrate type differs, it is expected to be updated to match the one of the page being freed. However, only the first pageblock of the buddy page is updated, while the rest of the pageblocks are left unchanged. That causes warnings in later expand() and other code paths (like below), since an inconsistency between migration type of the list containing the page and the page-owned pageblocks migration types is introduced. [ 308.986589] ------------[ cut here ]------------ [ 308.987227] page type is 0, passed migratetype is 1 (nr=256) [ 308.987275] WARNING: CPU: 1 PID: 5224 at mm/page_alloc.c:812 expand+0x23c/0x270 [ 308.987293] Modules linked in: algif_hash(E) af_alg(E) nft_fib_inet(E) nft_fib_ipv4(E) nft_fib_ipv6(E) nft_fib(E) nft_reject_inet(E) nf_reject_ipv4(E) nf_reject_ipv6(E) nft_reject(E) nft_ct(E) nft_chain_nat(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) nf_tables(E) s390_trng(E) vfio_ccw(E) mdev(E) vfio_iommu_type1(E) vfio(E) sch_fq_codel(E) drm(E) i2c_core(E) drm_panel_orientation_quirks(E) loop(E) nfnetlink(E) vsock_loopback(E) vmw_vsock_virtio_transport_common(E) vsock(E) ctcm(E) fsm(E) diag288_wdt(E) watchdog(E) zfcp(E) scsi_transport_fc(E) ghash_s390(E) prng(E) aes_s390(E) des_generic(E) des_s390(E) libdes(E) sha3_512_s390(E) sha3_256_s390(E) sha_common(E) paes_s390(E) crypto_engine(E) pkey_cca(E) pkey_ep11(E) zcrypt(E) rng_core(E) pkey_pckmo(E) pkey(E) autofs4(E) [ 308.987439] Unloaded tainted modules: hmac_s390(E):2 [ 308.987650] CPU: 1 UID: 0 PID: 5224 Comm: mempig_verify Kdump: loaded Tainted: G E 6.18.0-gcc-bpf-debug #431 PREEMPT [ 308.987657] Tainted: [E]=UNSIGNED_MODULE [ 308.987661] Hardware name: IBM 3906 M04 704 (z/VM 7.3.0) [ 308.987666] Krnl PSW : 0404f00180000000 00000349976fa600 (expand+0x240/0x270) [ 308.987676] R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3 [ 308.987682] Krnl GPRS: 0000034980000004 0000000000000005 0000000000000030 000003499a0e6d88 [ 308.987688] 0000000000000005 0000034980000005 000002be803ac000 0000023efe6c8300 [ 308.987692] 0000000000000008 0000034998d57290 000002be00000100 0000023e00000008 [ 308.987696] 0000000000000000 0000000000000000 00000349976fa5fc 000002c99b1eb6f0 [ 308.987708] Krnl Code: 00000349976fa5f0: c020008a02f2 larl %r2,000003499883abd4 00000349976fa5f6: c0e5ffe3f4b5 brasl %r14,0000034997378f60 #00000349976fa5fc: af000000 mc 0,0 >00000349976fa600: a7f4ff4c brc 15,00000349976fa498 00000349976fa604: b9040026 lgr %r2,%r6 00000349976fa608: c0300088317f larl %r3,0000034998800906 00000349976fa60e: c0e5fffdb6e1 brasl %r14,00000349976b13d0 00000349976fa614: af000000 mc 0,0 [ 308.987734] Call Trace: [ 308.987738] [<00000349976fa600>] expand+0x240/0x270 [ 308.987744] ([<00000349976fa5fc>] expand+0x23c/0x270) [ 308.987749] [<00000349976ff95e>] rmqueue_bulk+0x71e/0x940 [ 308.987754] [<00000349976ffd7e>] __rmqueue_pcplist+0x1fe/0x2a0 [ 308.987759] [<0000034997700966>] rmqueue.isra.0+0xb46/0xf40 [ 308.987763] [<0000034997703ec8>] get_page_from_freelist+0x198/0x8d0 [ 308.987768] [<0000034997706fa8>] __alloc_frozen_pages_noprof+0x198/0x400 [ 308.987774] [<00000349977536f8>] alloc_pages_mpol+0xb8/0x220 [ 308.987781] [<0000034997753bf6>] folio_alloc_mpol_noprof+0x26/0xc0 [ 308.987786] [<0000034997753e4c>] vma_alloc_folio_noprof+0x6c/0xa0 [ 308.987791] [<0000034997775b22>] vma_alloc_anon_folio_pmd+0x42/0x240 [ 308.987799] [<000003499777bfea>] __do_huge_pmd_anonymous_page+0x3a/0x210 [ 308.987804] [<00000349976cb0 ---truncated--- 2026-01-14 not yet calculated CVE-2025-71134 https://git.kernel.org/stable/c/914769048818021556c940b9163e8056be9507dd
https://git.kernel.org/stable/c/a794d65b132107a085d165caba33aae1101316a5
https://git.kernel.org/stable/c/7838a4eb8a1d23160bd3f588ea7f2b8f7c00c55b
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt() The variable mddev->private is first assigned to conf and then checked: conf = mddev->private; if (!conf) ... If conf is NULL, then mddev->private is also NULL. In this case, null-pointer dereferences can occur when calling raid5_quiesce(): raid5_quiesce(mddev, true); raid5_quiesce(mddev, false); since mddev->private is assigned to conf again in raid5_quiesce(), and conf is dereferenced in several places, for example: conf->quiesce = 0; wake_up(&conf->wait_for_quiescent); To fix this issue, the function should unlock mddev and return before invoking raid5_quiesce() when conf is NULL, following the existing pattern in raid5_change_consistency_policy(). 2026-01-14 not yet calculated CVE-2025-71135 https://git.kernel.org/stable/c/20597b7229aea8b5bc45cd92097640257c7fc33b
https://git.kernel.org/stable/c/e5abb6af905de6b2fead8a0b3f32ab0b81468a01
https://git.kernel.org/stable/c/7ad6ef91d8745d04aff9cce7bdbc6320d8e05fe9
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() It's possible for cp_read() and hdmi_read() to return -EIO. Those values are further used as indexes for accessing arrays. Fix that by checking return values where it's needed. Found by Linux Verification Center (linuxtesting.org) with SVACE. 2026-01-14 not yet calculated CVE-2025-71136 https://git.kernel.org/stable/c/f81ee181cb036d046340c213091b69d9a8701a76
https://git.kernel.org/stable/c/f913b9a2ccd6114b206b9e91dae5e3dc13a415a0
https://git.kernel.org/stable/c/d6a22a4a96e4dfe6897cb3532d2b3016d87706f0
https://git.kernel.org/stable/c/a73881ae085db5702d8b13e2fc9f78d51c723d3f
https://git.kernel.org/stable/c/60dde0960e3ead8a9569f6c494d90d0232ac0983
https://git.kernel.org/stable/c/b693d48a6ed0cd09171103ad418e4a693203d6e4
https://git.kernel.org/stable/c/8163419e3e05d71dcfa8fb49c8fdf8d76908fe51
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" This patch ensures that the RX ring size (rx_pending) is not set below the permitted length. This avoids UBSAN shift-out-of-bounds errors when users passes small or zero ring sizes via ethtool -G. 2026-01-14 not yet calculated CVE-2025-71137 https://git.kernel.org/stable/c/5d8dfa3abb9a845302e021cf9c92d941abbc011a
https://git.kernel.org/stable/c/4cc4cfe4d23c883120b6f3d41145edbaa281f2ab
https://git.kernel.org/stable/c/658caf3b8aad65f8b8e102670ca4f68c7030f655
https://git.kernel.org/stable/c/b23a2e15589466a027c9baa3fb5813c9f6a6c6dc
https://git.kernel.org/stable/c/aa743b0d98448282b2cb37356db8db2a48524624
https://git.kernel.org/stable/c/442848e457f5a9f71a4e7e14d24d73dae278ebe3
https://git.kernel.org/stable/c/85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Add missing NULL pointer check for pingpong interface It is checked almost always in dpu_encoder_phys_wb_setup_ctl(), but in a single place the check is missing. Also use convenient locals instead of phys_enc->* where available. Patchwork: https://patchwork.freedesktop.org/patch/693860/ 2026-01-14 not yet calculated CVE-2025-71138 https://git.kernel.org/stable/c/678d1c86566dfbb247ba25482d37fddde6140cc9
https://git.kernel.org/stable/c/471baae774a30a04cf066907b60eaf3732928cb7
https://git.kernel.org/stable/c/35ea3282136a630a3fd92b76f5a3a02651145ef1
https://git.kernel.org/stable/c/88733a0b64872357e5ecd82b7488121503cb9cc6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: kernel/kexec: fix IMA when allocation happens in CMA area *** Bug description *** When I tested kexec with the latest kernel, I ran into the following warning: [ 40.712410] ------------[ cut here ]------------ [ 40.712576] WARNING: CPU: 2 PID: 1562 at kernel/kexec_core.c:1001 kimage_map_segment+0x144/0x198 [...] [ 40.816047] Call trace: [ 40.818498] kimage_map_segment+0x144/0x198 (P) [ 40.823221] ima_kexec_post_load+0x58/0xc0 [ 40.827246] __do_sys_kexec_file_load+0x29c/0x368 [...] [ 40.855423] ---[ end trace 0000000000000000 ]--- *** How to reproduce *** This bug is only triggered when the kexec target address is allocated in the CMA area. If no CMA area is reserved in the kernel, use the "cma=" option in the kernel command line to reserve one. *** Root cause *** The commit 07d24902977e ("kexec: enable CMA based contiguous allocation") allocates the kexec target address directly on the CMA area to avoid copying during the jump. In this case, there is no IND_SOURCE for the kexec segment. But the current implementation of kimage_map_segment() assumes that IND_SOURCE pages exist and map them into a contiguous virtual address by vmap(). *** Solution *** If IMA segment is allocated in the CMA area, use its page_address() directly. 2026-01-14 not yet calculated CVE-2025-71139 https://git.kernel.org/stable/c/a843e4155c83211c55b1b6cc17eab27a6a2c5b6f
https://git.kernel.org/stable/c/a3785ae5d334bb71d47a593d54c686a03fb9d136
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Use spinlock for context list protection lock Previously a mutex was added to protect the encoder and decoder context lists from unexpected changes originating from the SCP IP block, causing the context pointer to go invalid, resulting in a NULL pointer dereference in the IPI handler. Turns out on the MT8173, the VPU IPI handler is called from hard IRQ context. This causes a big warning from the scheduler. This was first reported downstream on the ChromeOS kernels, but is also reproducible on mainline using Fluster with the FFmpeg v4l2m2m decoders. Even though the actual capture format is not supported, the affected code paths are triggered. Since this lock just protects the context list and operations on it are very fast, it should be OK to switch to a spinlock. 2026-01-14 not yet calculated CVE-2025-71140 https://git.kernel.org/stable/c/2c1ea6214827041f548279c9eda341eda0cc8351
https://git.kernel.org/stable/c/b92c19675f632a41af1222027a231bc2b7efa7ed
https://git.kernel.org/stable/c/3e858938b0e659f6ec9ddcf853a87f1c5c3f44e1
https://git.kernel.org/stable/c/a5844227e0f030d2af2d85d4aed10c5eca6ca176
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/tilcdc: Fix removal actions in case of failed probe The drm_kms_helper_poll_fini() and drm_atomic_helper_shutdown() helpers should only be called when the device has been successfully registered. Currently, these functions are called unconditionally in tilcdc_fini(), which causes warnings during probe deferral scenarios. [ 7.972317] WARNING: CPU: 0 PID: 23 at drivers/gpu/drm/drm_atomic_state_helper.c:175 drm_atomic_helper_crtc_duplicate_state+0x60/0x68 ... [ 8.005820] drm_atomic_helper_crtc_duplicate_state from drm_atomic_get_crtc_state+0x68/0x108 [ 8.005858] drm_atomic_get_crtc_state from drm_atomic_helper_disable_all+0x90/0x1c8 [ 8.005885] drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x90/0x144 [ 8.005911] drm_atomic_helper_shutdown from tilcdc_fini+0x68/0xf8 [tilcdc] [ 8.005957] tilcdc_fini [tilcdc] from tilcdc_pdev_probe+0xb0/0x6d4 [tilcdc] Fix this by rewriting the failed probe cleanup path using the standard goto error handling pattern, which ensures that cleanup functions are only called on successfully initialized resources. Additionally, remove the now-unnecessary is_registered flag. 2026-01-14 not yet calculated CVE-2025-71141 https://git.kernel.org/stable/c/21e52dc7762908c3d499cfb493d1b8281fc1d3ab
https://git.kernel.org/stable/c/71be8825e83c90c1e020feb77b29e6a99629e642
https://git.kernel.org/stable/c/a585c7ef9cabda58088916baedc6573e9a5cd2a7
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: cpuset: fix warning when disabling remote partition A warning was triggered as follows: WARNING: kernel/cgroup/cpuset.c:1651 at remote_partition_disable+0xf7/0x110 RIP: 0010:remote_partition_disable+0xf7/0x110 RSP: 0018:ffffc90001947d88 EFLAGS: 00000206 RAX: 0000000000007fff RBX: ffff888103b6e000 RCX: 0000000000006f40 RDX: 0000000000006f00 RSI: ffffc90001947da8 RDI: ffff888103b6e000 RBP: ffff888103b6e000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: ffff88810b2e2728 R12: ffffc90001947da8 R13: 0000000000000000 R14: ffffc90001947da8 R15: ffff8881081f1c00 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f55c8bbe0b2 CR3: 000000010b14c000 CR4: 00000000000006f0 Call Trace: <TASK> update_prstate+0x2d3/0x580 cpuset_partition_write+0x94/0xf0 kernfs_fop_write_iter+0x147/0x200 vfs_write+0x35d/0x500 ksys_write+0x66/0xe0 do_syscall_64+0x6b/0x390 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f55c8cd4887 Reproduction steps (on a 16-CPU machine): # cd /sys/fs/cgroup/ # mkdir A1 # echo +cpuset > A1/cgroup.subtree_control # echo "0-14" > A1/cpuset.cpus.exclusive # mkdir A1/A2 # echo "0-14" > A1/A2/cpuset.cpus.exclusive # echo "root" > A1/A2/cpuset.cpus.partition # echo 0 > /sys/devices/system/cpu/cpu15/online # echo member > A1/A2/cpuset.cpus.partition When CPU 15 is offlined, subpartitions_cpus gets cleared because no CPUs remain available for the top_cpuset, forcing partitions to share CPUs with the top_cpuset. In this scenario, disabling the remote partition triggers a warning stating that effective_xcpus is not a subset of subpartitions_cpus. Partitions should be invalidated in this case to inform users that the partition is now invalid(cpus are shared with top_cpuset). To fix this issue: 1. Only emit the warning only if subpartitions_cpus is not empty and the effective_xcpus is not a subset of subpartitions_cpus. 2. During the CPU hotplug process, invalidate partitions if subpartitions_cpus is empty. 2026-01-14 not yet calculated CVE-2025-71142 https://git.kernel.org/stable/c/5d8b9d38a7676be7bb5e7d57f92156a98dab39fb
https://git.kernel.org/stable/c/aa7d3a56a20f07978d9f401e13637a6479b13bd0
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: clk: samsung: exynos-clkout: Assign .num before accessing .hws Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by") annotated the hws member of 'struct clk_hw_onecell_data' with __counted_by, which informs the bounds sanitizer (UBSAN_BOUNDS) about the number of elements in .hws[], so that it can warn when .hws[] is accessed out of bounds. As noted in that change, the __counted_by member must be initialized with the number of elements before the first array access happens, otherwise there will be a warning from each access prior to the initialization because the number of elements is zero. This occurs in exynos_clkout_probe() due to .num being assigned after .hws[] has been accessed: UBSAN: array-index-out-of-bounds in drivers/clk/samsung/clk-exynos-clkout.c:178:18 index 0 is out of range for type 'clk_hw *[*]' Move the .num initialization to before the first access of .hws[], clearing up the warning. 2026-01-14 not yet calculated CVE-2025-71143 https://git.kernel.org/stable/c/fbf57f5e453dadadb3d29b2d1dbe067e3dc4e236
https://git.kernel.org/stable/c/eb1f3a6ab3efee2b52361879cdc2dc6b11f499c0
https://git.kernel.org/stable/c/a317f63255ebc3dac378c79c5bff4f8d0561c290
https://git.kernel.org/stable/c/cf33f0b7df13685234ccea7be7bfe316b60db4db
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mptcp: ensure context reset on disconnect() After the blamed commit below, if the MPC subflow is already in TCP_CLOSE status or has fallback to TCP at mptcp_disconnect() time, mptcp_do_fastclose() skips setting the `send_fastclose flag` and the later __mptcp_close_ssk() does not reset anymore the related subflow context. Any later connection will be created with both the `request_mptcp` flag and the msk-level fallback status off (it is unconditionally cleared at MPTCP disconnect time), leading to a warning in subflow_data_ready(): WARNING: CPU: 26 PID: 8996 at net/mptcp/subflow.c:1519 subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13)) Modules linked in: CPU: 26 UID: 0 PID: 8996 Comm: syz.22.39 Not tainted 6.18.0-rc7-05427-g11fc074f6c36 #1 PREEMPT(voluntary) Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 RIP: 0010:subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13)) Code: 90 0f 0b 90 90 e9 04 fe ff ff e8 b7 1e f5 fe 89 ee bf 07 00 00 00 e8 db 19 f5 fe 83 fd 07 0f 84 35 ff ff ff e8 9d 1e f5 fe 90 <0f> 0b 90 e9 27 ff ff ff e8 8f 1e f5 fe 4c 89 e7 48 89 de e8 14 09 RSP: 0018:ffffc9002646fb30 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88813b218000 RCX: ffffffff825c8435 RDX: ffff8881300b3580 RSI: ffffffff825c8443 RDI: 0000000000000005 RBP: 000000000000000b R08: ffffffff825c8435 R09: 000000000000000b R10: 0000000000000005 R11: 0000000000000007 R12: ffff888131ac0000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f88330af6c0(0000) GS:ffff888a93dd2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f88330aefe8 CR3: 000000010ff59000 CR4: 0000000000350ef0 Call Trace: <TASK> tcp_data_ready (net/ipv4/tcp_input.c:5356) tcp_data_queue (net/ipv4/tcp_input.c:5445) tcp_rcv_state_process (net/ipv4/tcp_input.c:7165) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1955) __release_sock (include/net/sock.h:1158 (discriminator 6) net/core/sock.c:3180 (discriminator 6)) release_sock (net/core/sock.c:3737) mptcp_sendmsg (net/mptcp/protocol.c:1763 net/mptcp/protocol.c:1857) inet_sendmsg (net/ipv4/af_inet.c:853 (discriminator 7)) __sys_sendto (net/socket.c:727 (discriminator 15) net/socket.c:742 (discriminator 15) net/socket.c:2244 (discriminator 15)) __x64_sys_sendto (net/socket.c:2247) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f883326702d Address the issue setting an explicit `fastclosing` flag at fastclose time, and checking such flag after mptcp_do_fastclose(). 2026-01-14 not yet calculated CVE-2025-71144 https://git.kernel.org/stable/c/5c7c7135468f3fc6379cde9777a2c18bfe92d82f
https://git.kernel.org/stable/c/1c7c3a9314d8a7fc0e9a508606466a967c8e774a
https://git.kernel.org/stable/c/f1a77dfc3b045c3dd5f6e64189b9f52b90399f07
https://git.kernel.org/stable/c/86730ac255b0497a272704de9a1df559f5d6602e
 
Ludashi--Ludashi A local information disclosure vulnerability exists in the Ludashi driver before 5.1025 due to a lack of access control in the IOCTL handler. This driver exposes a device interface accessible to a normal user and handles attacker-controlled structures containing the lower 4GB of physical addresses. The handler maps arbitrary physical memory via MmMapIoSpace and copies data back to user mode without verifying the caller's privileges or the target address range. This allows unprivileged users to read arbitrary physical memory, potentially exposing kernel data structures, kernel pointers, security tokens, and other sensitive information. This vulnerability can be further exploited to bypass the Kernel Address Space Layout Rules (KASLR) and achieve local privilege escalation. 2026-01-15 not yet calculated CVE-2025-67246 http://ludashi.com
https://github.com/CDipper/CVE-Publication
 
LycheeOrg--Lychee Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-protected albums. When a user unlocks a password-protected public album, the system automatically unlocks ALL other public albums that share the same password, resulting in a complete authorization bypass. This vulnerability is fixed in 7.1.0. 2026-01-12 not yet calculated CVE-2026-22784 https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-jj56-2c54-4f25
https://github.com/LycheeOrg/Lychee/commit/f021a29f9ab2bafa81d9f5e32ff5bc89915c7d41
 
maximmasiutin--TinyWeb TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. The query parameters are passed as command-line arguments to the CGI executable via Windows CreateProcess(). An unauthenticated remote attacker can execute arbitrary commands on the server by injecting Windows shell metacharacters into HTTP requests. This vulnerability is fixed in 1.98. 2026-01-12 not yet calculated CVE-2026-22781 https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-m779-84h5-72q2
https://github.com/maximmasiutin/TinyWeb/commit/876b7e2887f4ea5be3e18bb2af7313f23a283c96
https://www.masiutin.net/tinyweb-cve-2025-cgi-command-injection.html
 
MCP Server--Zen A path traversal vulnerability exists in Zen MCP Server before 9.8.2 that allows authenticated attackers to read arbitrary files on the system. The vulnerability is caused by flawed logic in the is_dangerous_path() validation function that uses exact string matching against a blacklist of system directories. Attackers can bypass these restrictions by accessing subdirectories of blacklisted paths. 2026-01-12 not yet calculated CVE-2025-66689 https://github.com/BeehiveInnovations/zen-mcp-server/issues/293
https://github.com/Team-Off-course/MCP-Server-Vuln-Analysis/blob/main/CVE-2025-66689.md
 
metabase--metabase Metabase is an open-source data analytics platform. Prior to 55.13, 56.3, and 57.1, self-hosted Metabase instances that allow users to create subscriptions could be potentially impacted if their Metabase is colocated with other unsecured resources. This vulnerability is fixed in 55.13, 56.3, and 57.1. 2026-01-12 not yet calculated CVE-2026-22805 https://github.com/metabase/metabase/security/advisories/GHSA-2wgg-7r2p-cmqx
 
Microsoft--Microsoft Edge (Chromium-based) Microsoft Edge Elevation Service exposes a privileged COM interface that inadequately validates the privileges of the calling process. A standard (non‑administrator) local user can invoke the IElevatorEdge interface method LaunchUpdateCmdElevatedAndWait, causing the service to execute privileged update commands as LocalSystem. This allows a non‑administrator to enable or disable Windows Virtualization‑Based Security (VBS) by modifying protected system registry keys under HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard. Disabling VBS weakens critical platform protections such as Credential Guard, Hypervisor‑protected Code Integrity (HVCI), and the Secure Kernel, resulting in a security feature bypass. 2026-01-16 not yet calculated CVE-2026-21223 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
 
Mini Router--Italy Wireless A Stored Cross-Site Scripting (XSS) vulnerability in Web management interface in Each Italy Wireless Mini Router WIRELESS-N 300M v28K.MiniRouter.20190211 allows attackers to execute arbitrary scripts via a crafted payload due to unsanitized repeater AP SSID value when is displayed in any page at /index.htm. 2026-01-15 not yet calculated CVE-2025-65349 https://imgur.com/a/X9DNOBj
https://github.com/5ulfur/security-advisories/tree/main/CVE-2025-65349
 
Mitel MiVoice--Mitel MiVoice A vulnerability in the Provisioning Manager component of Mitel MiVoice MX-ONE 7.3 (7.3.0.0.50) through 7.8 SP1 (7.8.1.0.14) could allow an unauthenticated attacker to conduct an authentication bypass attack due to improper authentication mechanisms. A successful exploit could allow an attacker to gain unauthorized access to user or admin accounts in the system. 2026-01-15 not yet calculated CVE-2025-67822 https://www.mitel.com/support/security-advisories
https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2025-0009
 
Mitel--Mitel A vulnerability in the Multimedia Email component of Mitel MiContact Center Business through 10.2.0.10 and Mitel CX through 1.1.0.1 could allow an unauthenticated attacker to conduct a Cross-Site Scripting (XSS) attack due to insufficient input validation. A successful exploit requires user interaction where the email channel is enabled. This could allow an attacker to execute arbitrary scripts in the victim's browser or desktop client application. 2026-01-15 not yet calculated CVE-2025-67823 https://www.mitel.com/support/security-advisories
https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2025-0010
 
mlflow--mlflow/mlflow MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0. 2026-01-12 not yet calculated CVE-2025-14279 https://huntr.com/bounties/ef478f72-2e4f-44dc-8055-fc06bef03108
https://github.com/mlflow/mlflow/commit/b0ffd289e9b0d0cc32c9e3a9b9f3843ae83dbec3
 
Mozilla--Firefox Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. 2026-01-13 not yet calculated CVE-2026-0877 https://bugzilla.mozilla.org/show_bug.cgi?id=1999257
https://www.mozilla.org/security/advisories/mfsa2026-01/
https://www.mozilla.org/security/advisories/mfsa2026-02/
https://www.mozilla.org/security/advisories/mfsa2026-03/
https://www.mozilla.org/security/advisories/mfsa2026-04/
https://www.mozilla.org/security/advisories/mfsa2026-05/
 
Mozilla--Firefox Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. 2026-01-13 not yet calculated CVE-2026-0878 https://bugzilla.mozilla.org/show_bug.cgi?id=2003989
https://www.mozilla.org/security/advisories/mfsa2026-01/
https://www.mozilla.org/security/advisories/mfsa2026-03/
https://www.mozilla.org/security/advisories/mfsa2026-04/
https://www.mozilla.org/security/advisories/mfsa2026-05/
 
Mozilla--Firefox Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. 2026-01-13 not yet calculated CVE-2026-0879 https://bugzilla.mozilla.org/show_bug.cgi?id=2004602
https://www.mozilla.org/security/advisories/mfsa2026-01/
https://www.mozilla.org/security/advisories/mfsa2026-02/
https://www.mozilla.org/security/advisories/mfsa2026-03/
https://www.mozilla.org/security/advisories/mfsa2026-04/
https://www.mozilla.org/security/advisories/mfsa2026-05/
 
Mozilla--Firefox Sandbox escape due to integer overflow in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. 2026-01-13 not yet calculated CVE-2026-0880 https://bugzilla.mozilla.org/show_bug.cgi?id=2005014
https://www.mozilla.org/security/advisories/mfsa2026-01/
https://www.mozilla.org/security/advisories/mfsa2026-02/
https://www.mozilla.org/security/advisories/mfsa2026-03/
https://www.mozilla.org/security/advisories/mfsa2026-04/
https://www.mozilla.org/security/advisories/mfsa2026-05/
 
Mozilla--Firefox Sandbox escape in the Messaging System component. This vulnerability affects Firefox < 147 and Thunderbird < 147. 2026-01-13 not yet calculated CVE-2026-0881 https://bugzilla.mozilla.org/show_bug.cgi?id=2005845
https://www.mozilla.org/security/advisories/mfsa2026-01/
https://www.mozilla.org/security/advisories/mfsa2026-04/
 
Mozilla--Firefox Use-after-free in the IPC component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. 2026-01-13 not yet calculated CVE-2026-0882 https://bugzilla.mozilla.org/show_bug.cgi?id=1924125
https://www.mozilla.org/security/advisories/mfsa2026-01/
https://www.mozilla.org/security/advisories/mfsa2026-02/
https://www.mozilla.org/security/advisories/mfsa2026-03/
https://www.mozilla.org/security/advisories/mfsa2026-04/
https://www.mozilla.org/security/advisories/mfsa2026-05/
 
Mozilla--Firefox Information disclosure in the Networking component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. 2026-01-13 not yet calculated CVE-2026-0883 https://bugzilla.mozilla.org/show_bug.cgi?id=1989340
https://www.mozilla.org/security/advisories/mfsa2026-01/
https://www.mozilla.org/security/advisories/mfsa2026-03/
https://www.mozilla.org/security/advisories/mfsa2026-04/
https://www.mozilla.org/security/advisories/mfsa2026-05/
 
Mozilla--Firefox Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. 2026-01-13 not yet calculated CVE-2026-0884 https://bugzilla.mozilla.org/show_bug.cgi?id=2003588
https://www.mozilla.org/security/advisories/mfsa2026-01/
https://www.mozilla.org/security/advisories/mfsa2026-03/
https://www.mozilla.org/security/advisories/mfsa2026-04/
https://www.mozilla.org/security/advisories/mfsa2026-05/
 
Mozilla--Firefox Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. 2026-01-13 not yet calculated CVE-2026-0885 https://bugzilla.mozilla.org/show_bug.cgi?id=2003607
https://www.mozilla.org/security/advisories/mfsa2026-01/
https://www.mozilla.org/security/advisories/mfsa2026-03/
https://www.mozilla.org/security/advisories/mfsa2026-04/
https://www.mozilla.org/security/advisories/mfsa2026-05/
 
Mozilla--Firefox Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. 2026-01-13 not yet calculated CVE-2026-0886 https://bugzilla.mozilla.org/show_bug.cgi?id=2005658
https://www.mozilla.org/security/advisories/mfsa2026-01/
https://www.mozilla.org/security/advisories/mfsa2026-02/
https://www.mozilla.org/security/advisories/mfsa2026-03/
https://www.mozilla.org/security/advisories/mfsa2026-04/
https://www.mozilla.org/security/advisories/mfsa2026-05/
 
Mozilla--Firefox Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. 2026-01-13 not yet calculated CVE-2026-0887 https://bugzilla.mozilla.org/show_bug.cgi?id=2006500
https://www.mozilla.org/security/advisories/mfsa2026-01/
https://www.mozilla.org/security/advisories/mfsa2026-03/
https://www.mozilla.org/security/advisories/mfsa2026-04/
https://www.mozilla.org/security/advisories/mfsa2026-05/
 
Mozilla--Firefox Information disclosure in the XML component. This vulnerability affects Firefox < 147 and Thunderbird < 147. 2026-01-13 not yet calculated CVE-2026-0888 https://bugzilla.mozilla.org/show_bug.cgi?id=1985996
https://www.mozilla.org/security/advisories/mfsa2026-01/
https://www.mozilla.org/security/advisories/mfsa2026-04/
 
Mozilla--Firefox Denial-of-service in the DOM: Service Workers component. This vulnerability affects Firefox < 147 and Thunderbird < 147. 2026-01-13 not yet calculated CVE-2026-0889 https://bugzilla.mozilla.org/show_bug.cgi?id=1999084
https://www.mozilla.org/security/advisories/mfsa2026-01/
https://www.mozilla.org/security/advisories/mfsa2026-04/
 
Mozilla--Firefox Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. 2026-01-13 not yet calculated CVE-2026-0890 https://bugzilla.mozilla.org/show_bug.cgi?id=2005081
https://www.mozilla.org/security/advisories/mfsa2026-01/
https://www.mozilla.org/security/advisories/mfsa2026-03/
https://www.mozilla.org/security/advisories/mfsa2026-04/
https://www.mozilla.org/security/advisories/mfsa2026-05/
 
Mozilla--Firefox Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. 2026-01-13 not yet calculated CVE-2026-0891 Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147
https://www.mozilla.org/security/advisories/mfsa2026-01/
https://www.mozilla.org/security/advisories/mfsa2026-03/
https://www.mozilla.org/security/advisories/mfsa2026-04/
https://www.mozilla.org/security/advisories/mfsa2026-05/
 
Mozilla--Firefox Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147 and Thunderbird < 147. 2026-01-13 not yet calculated CVE-2026-0892 Memory safety bugs fixed in Firefox 147 and Thunderbird 147
https://www.mozilla.org/security/advisories/mfsa2026-01/
https://www.mozilla.org/security/advisories/mfsa2026-04/
 
nanomq--nanomq An issue in nanomq v0.22.7 allows attackers to cause a Denial of Service (DoS) via a crafted request. The number of data packets received in the recv-q queue of the Nanomq process continues to increase, causing the nanomq broker to fall into a deadlock and be unable to provide normal services. 2026-01-15 not yet calculated CVE-2024-48077 https://github.com/nanomq/nanomq
https://gist.github.com/pengwGit/2379e7a8fe75d09621f7c060db0237c4
 
NAVER--lucy-xss-filter lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener option is enabled and embed or object tags are used with a src attribute missing a file extension. 2026-01-16 not yet calculated CVE-2026-23768 https://cve.naver.com/detail/cve-2026-23768.html
https://github.com/naver/lucy-xss-filter/pull/31
 
NAVER--lucy-xss-filter lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files. 2026-01-16 not yet calculated CVE-2026-23769 https://cve.naver.com/detail/cve-2026-23769.html
https://github.com/naver/lucy-xss-filter/pull/32
 
Neoteroi--BlackSheep BlackSheep is an asynchronous web framework to build event based web applications with Python. Prior to 2.4.6, the HTTP Client implementation in BlackSheep is vulnerable to CRLF injection. Missing headers validation makes it possible for an attacker to modify the HTTP requests (e.g. insert a new header) or even create a new HTTP request. Exploitation requires developers to pass unsanitized user input directly into headers.The server part is not affected because BlackSheep delegates to an underlying ASGI server handling of response headers. This vulnerability is fixed in 2.4.6. 2026-01-14 not yet calculated CVE-2026-22779 https://github.com/Neoteroi/BlackSheep/security/advisories/GHSA-6pw3-h7xf-x4gp
https://github.com/Neoteroi/BlackSheep/commit/bd4ecb9542b5d52442276b5a6907931b90f38d12
https://github.com/Neoteroi/BlackSheep/releases/tag/v2.4.6
 
NETAPP--ONTAP 9 ONTAP versions 9.16.1 prior to 9.16.1P9 and 9.17.1 prior to 9.17.1P2 with snapshot locking enabled are susceptible to a vulnerability which could allow a privileged remote attacker to set the snapshot expiry time to none. 2026-01-12 not yet calculated CVE-2026-22050 https://security.netapp.com/advisory/NTAP-20260112-0001
 
NETGEAR--EX5000 An insufficient authentication vulnerability in NETGEAR WiFi range extenders allows a network adjacent attacker with WiFi authentication or a physical Ethernet port connection to bypass the authentication process and access the admin panel. 2026-01-13 not yet calculated CVE-2026-0407 https://www.netgear.com/support/product/ex5000
https://www.netgear.com/support/product/ex3110
https://www.netgear.com/support/product/ex6110
https://www.netgear.com/support/product/ex2800
https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory
 
NETGEAR--EX5000 A path traversal vulnerability in NETGEAR WiFi range extenders allows an attacker with LAN authentication to access the router's IP and review the contents of the dynamically generated webproc file, which records the username and password submitted to the router GUI. 2026-01-13 not yet calculated CVE-2026-0408 https://www.netgear.com/support/product/ex5000
https://www.netgear.com/support/product/ex3110
https://www.netgear.com/support/product/ex6110
https://www.netgear.com/support/product/ex2800
https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory
 
NETGEAR--RBE970 An authentication bypass vulnerability in NETGEAR Orbi devices allows users connected to the local network to access the router web interface as an admin. 2026-01-13 not yet calculated CVE-2026-0405 https://www.netgear.com/support/product/rbe971
https://www.netgear.com/support/product/rbe970
https://www.netgear.com/support/product/cbr750
https://www.netgear.com/support/product/nbr750
https://www.netgear.com/support/product/rbe770
https://www.netgear.com/support/product/rbe771
https://www.netgear.com/support/product/rbe772
https://www.netgear.com/support/product/rbe773
https://www.netgear.com/support/product/rbr750
https://www.netgear.com/support/product/rbs750
https://www.netgear.com/support/product/rbr840
https://www.netgear.com/support/product/rbs840
https://www.netgear.com/support/product/rbr850
https://www.netgear.com/support/product/rbs850
https://www.netgear.com/support/product/rbr860
https://www.netgear.com/support/product/rbs860
https://www.netgear.com/support/product/rbre950
https://www.netgear.com/support/product/rbse950
https://www.netgear.com/support/product/rbre960
https://www.netgear.com/support/product/rbse960
https://www.netgear.com/support/product/rbe370
https://www.netgear.com/support/product/rbe371
https://www.netgear.com/support/product/rbe372
https://www.netgear.com/support/product/rbe373
https://www.netgear.com/support/product/rbe374
https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory
 
NETGEAR--RBR750 An insufficient input validation vulnerability in NETGEAR Orbi routers allows attackers connected to the router's LAN to execute OS command injections. 2026-01-13 not yet calculated CVE-2026-0403 https://www.netgear.com/support/product/rbr750
https://www.netgear.com/support/product/rbs750
https://www.netgear.com/support/product/rbre960
https://www.netgear.com/support/product/rbse960
https://www.netgear.com/support/product/rbr850
https://www.netgear.com/support/product/rbs850
https://www.netgear.com/support/product/rbe971
https://www.netgear.com/support/product/rbe970
https://www.netgear.com/support/product/rbr860
https://www.netgear.com/support/product/rbs860
https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory
 
NETGEAR--RBRE960 An insufficient input validation vulnerability in NETGEAR Orbi devices' DHCPv6 functionality allows network adjacent attackers authenticated over WiFi or on LAN to execute OS command injections on the router. DHCPv6 is not enabled by default. 2026-01-13 not yet calculated CVE-2026-0404 https://www.netgear.com/support/product/rbre960
https://www.netgear.com/support/product/rbse960
https://www.netgear.com/support/product/rbr850
https://www.netgear.com/support/product/rbs850
https://www.netgear.com/support/product/rbr860
https://www.netgear.com/support/product/rbs860
https://www.netgear.com/support/product/rbre950
https://www.netgear.com/support/product/rbse950
https://www.netgear.com/support/product/rbr750
https://www.netgear.com/support/product/rbs750
https://www.netgear.com/support/product/rbr840
https://www.netgear.com/support/product/rbs840
https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory
 
NETGEAR--XR1000v2 An insufficient input validation vulnerability in the NETGEAR XR1000v2 allows attackers connected to the router's LAN to execute OS command injections. 2026-01-13 not yet calculated CVE-2026-0406 https://www.netgear.com/support/product/xr1000v2
https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory
 
Ollama--Ollama Ollama 0.11.5-rc0 through current version 0.13.5 contain a null pointer dereference vulnerability in the multi-modal model image processing functionality. When processing base64-encoded image data via the /api/chat endpoint, the application fails to validate that the decoded data represents valid media before passing it to the mtmd_helper_bitmap_init_from_buf function. This function can return NULL for malformed input, but the code does not check this return value before dereferencing the pointer in subsequent operations. A remote attacker can exploit this by sending specially crafted base64 image data that decodes to invalid media, causing a segmentation fault and crashing the runner process. This results in a denial of service condition where the model becomes unavailable to all users until the service is restarted. 2026-01-12 not yet calculated CVE-2025-15514 https://huntr.com/bounties/172df98b-07cd-41ea-a628-366f8cd525c0
https://ollama.com/
https://https://github.com/ollama/ollama
https://www.vulncheck.com/advisories/ollama-multi-modal-image-processing-null-pointer-dereference
 
Omnilogic--Omni Secure Files Omni Secure Files plugin versions prior to 0.1.14 contain an arbitrary file upload vulnerability in the bundled plupload example endpoint. The /wp-content/plugins/omni-secure-files/plupload/examples/upload.php handler allows unauthenticated uploads without enforcing safe file type restrictions, enabling an attacker to place attacker-controlled files under the plugin's uploads directory. This can lead to remote code execution if a server-executable file type is uploaded and subsequently accessed. 2026-01-16 not yet calculated CVE-2012-10064 https://wpscan.com/vulnerability/376fd666-6471-479c-9b74-1d8088a33e89/
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/omni-secure-files/omni-secure-files-0113-arbitrary-file-upload
https://wordpress.org/plugins/omni-secure-files/
https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-omni-secure-files-upload-php-arbitrary-file-upload-0-1-13/
https://web.archive.org/web/20121025112632/http%3A//secunia.com/advisories/49441
https://packetstorm.news/files/id/113411
https://www.exploit-db.com/exploits/19009
https://web.archive.org/web/20191021091221/https%3A//www.securityfocus.com/bid/53872/
https://www.vulncheck.com/advisories/omni-secure-files-unauthenticated-arbitrary-file-upload
 
Omnispace--Omnispace Directory traversal vulnerability in Omnispace Agora Project before 25.10 allowing unauthenticated attackers to read files on the system via the misc controller and the ExternalGetFile action. Only files with an extension can be read. 2026-01-15 not yet calculated CVE-2025-67076 https://www.agora-project.net
https://www.helx.io/blog/advisory-agora-project/
 
Omnispace--Omnispace File upload vulnerability in Omnispace Agora Project before 25.10 allowing authenticated, or under certain conditions also guest users, via the UploadTmpFile action. 2026-01-15 not yet calculated CVE-2025-67077 https://www.agora-project.net
https://www.helx.io/blog/advisory-agora-project/
 
Omnispace--Omnispace Cross site scripting (XSS) vulnerability in Omnispace Agora Project before 25.10 allowing attackers to execute arbitrary code via the notify parameter of the file controller used to display errors. 2026-01-15 not yet calculated CVE-2025-67078 https://www.agora-project.net
https://www.helx.io/blog/advisory-agora-project/
 
Omnispace--Omnispace File upload vulnerability in Omnispace Agora Project before 25.10 allowing attackers to execute code through the MSL engine of the Imagick library via crafted PDF file to the file upload and thumbnail functions. 2026-01-15 not yet calculated CVE-2025-67079 https://www.agora-project.net
https://www.helx.io/blog/advisory-agora-project/
 
orval-labs--orval orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Prior to 7.18.0, the MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or escaping. This allows an attacker to "break out" of the string literal and inject arbitrary code. This vulnerability is fixed in 7.18.0. 2026-01-12 not yet calculated CVE-2026-22785 https://github.com/orval-labs/orval/security/advisories/GHSA-mwr6-3gp8-9jmj
https://github.com/orval-labs/orval/commit/80b5fe73b94f120a3a5561952d6d4b0f8d7e928d
 
Paessler--Paessler Paessler PRTG Network Monitor before 25.4.114 allows XSS by an unauthenticated attacker via the tag parameter. 2026-01-14 not yet calculated CVE-2025-67833 https://paessler.com
https://helpdesk.paessler.com/en/support/solutions/articles/76000087289-vulnerabilities-in-prtg-prior-v25-4-114-1032
 
Paessler--Paessler Paessler PRTG Network Monitor before 25.4.114 allows XSS by an unauthenticated attacker via the filter parameter. 2026-01-14 not yet calculated CVE-2025-67834 https://paessler.com
https://helpdesk.paessler.com/en/support/solutions/articles/76000087289-vulnerabilities-in-prtg-prior-v25-4-114-1032
 
Paessler--Paessler Paessler PRTG Network Monitor before 25.4.114 allows Denial-of-Service (DoS) by an authenticated attacker via the Notification Contacts functionality. 2026-01-14 not yet calculated CVE-2025-67835 https://paessler.com
https://helpdesk.paessler.com/en/support/solutions/articles/76000087289-vulnerabilities-in-prtg-prior-v25-4-114-1032
 
Palo Alto Networks--Cloud NGFW A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Repeated attempts to trigger this issue results in the firewall entering into maintenance mode. 2026-01-15 not yet calculated CVE-2026-0227 https://security.paloaltonetworks.com/CVE-2025-4620
 
Pegasystems--Pega Infinity Pega Customer Service Framework versions 8.7.0 through 25.1.0 are affected by a Unrestricted file upload vulnerability, where a privileged user could potentially upload a malicious file. 2026-01-13 not yet calculated CVE-2025-62182 https://support.pega.com/support-doc/pega-security-advisory-l25-vulnerability-remediation-note
 
pH7Software--pH7Software A stored cross-site scripting (XSS) vulnerability exists in pH7Software pH7-Social-Dating-CMS 17.9.1 in the user profile Description field. 2026-01-14 not yet calculated CVE-2025-63644 https://drive.google.com/drive/folders/1mYDvUTnlTPCGTB-7tHD3pmu_wHtlMVRP
https://medium.com/@rudranshsinghrajpurohit/cve-2025-63644-stored-cross-site-scripting-xss-vulnerability-in-ph7-social-dating-cms-23ed0e7eb853
 
phpgurukul--phpgurukul phpgurukul News Portal Project V4.1 has an Arbitrary File Deletion Vulnerability in remove_file.php. The parameter file can cause any file to be deleted. 2026-01-13 not yet calculated CVE-2025-69990 https://github.com/Y4y17/CVE/blob/main/News%20Portal%20Project/File%20deletion%20vulnerability.md
 
phpgurukul--phpgurukul phpgurukul News Portal Project V4.1 is vulnerable to SQL Injection in check_availablity.php. 2026-01-13 not yet calculated CVE-2025-69991 https://github.com/Y4y17/CVE/blob/main/News%20Portal%20Project/SQL%20Injection.md
 
phpgurukul--phpgurukul phpgurukul News Portal Project V4.1 has File Upload Vulnerability via upload.php, which enables the upload of files of any format to the server without identity authentication. 2026-01-13 not yet calculated CVE-2025-69992 https://github.com/Y4y17/CVE/blob/main/News%20Portal%20Project/File%20upload%20vulnerability.md
 
QloApps--QloApps A CSRF issue in index.php in QloApps hotel eCommerce 1.5.1 allows an attacker to change the admin's email address via a crafted HTML document. 2026-01-12 not yet calculated CVE-2021-41074 https://qloapps.com/
https://github.com/dillonkirsch/CVE-2021-41074
 
RIOT--RIOT OS RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the tapslip6 utility. The vulnerability is caused by unsafe string concatenation in the devopen() function, which constructs a device path using unbounded user-controlled input. The utility uses strcpy() and strcat() to concatenate the fixed prefix '/dev/' with a user-supplied device name provided via the -s command-line option without bounds checking. This allows an attacker to supply an excessively long device name and overflow a fixed-size stack buffer, leading to process crashes and memory corruption. 2026-01-12 not yet calculated CVE-2026-22213 https://seclists.org/fulldisclosure/2026/Jan/15
https://www.riot-os.org/
https://github.com/RIOT-OS/RIOT
https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-tapslip6-utility
 
RIOT--RIOT OS RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the ethos utility due to missing bounds checking when processing incoming serial frame data. The vulnerability occurs in the _handle_char() function, where incoming frame bytes are appended to a fixed-size stack buffer without verifying that the current write index remains within bounds. An attacker capable of sending crafted serial or TCP-framed input can cause the current write index to exceed the buffer size, resulting in a write past the end of the stack buffer. This condition leads to memory corruption and application crash. 2026-01-12 not yet calculated CVE-2026-22214 https://seclists.org/fulldisclosure/2026/Jan/16
https://www.riot-os.org/
https://github.com/RIOT-OS/RIOT
https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-ethos-serial-frame-parser
 
run-llama--llama_index LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.load_from_disk() in llama_index/indices/managed/bge_m3/base.py. The function uses pickle.load() to deserialize multi_embed_store.pkl from a user-supplied persist_dir without validation. An attacker who can provide a crafted persist directory containing a malicious pickle file can trigger arbitrary code execution when the victim loads the index from disk. 2026-01-12 not yet calculated CVE-2024-14021 https://huntr.com/bounties/ab4ceeb4-aa85-4d1c-aaca-4eda1b71fc12
https://www.llamaindex.ai/
https://github.com/run-llama/llama_index
https://www.vulncheck.com/advisories/llamaindex-bgem3index-unsafe-deserialization
 
run-llama--llama_index LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without enforcing query execution limits In downstream deployments where untrusted users can supply prompts, an attacker can trigger expensive or unbounded SQL operations that exhaust CPU or memory resources, resulting in a denial-of-service condition. The vulnerable execution path occurs in llama_index/packs/vanna/base.py within custom_query(). 2026-01-12 not yet calculated CVE-2024-58339 https://huntr.com/bounties/a1d6c30d-fce0-412a-bd22-14e0d4c1fa1f
https://www.llamaindex.ai/
https://github.com/run-llama/llama_index
https://www.vulncheck.com/advisories/llamaindex-vannaqueryengine-sql-execution-allows-resource-exhaustion
 
RustCrypto--utils RustCrypto CMOV provides conditional move CPU intrinsics which are guaranteed on major platforms to execute in constant-time and not be rewritten as branches by the compiler. Prior to 0.4.4, the thumbv6m-none-eabi (Cortex M0, M0+ and M1) compiler emits non-constant time assembly when using cmovnz (portable version). This vulnerability is fixed in 0.4.4. 2026-01-15 not yet calculated CVE-2026-23519 https://github.com/RustCrypto/utils/security/advisories/GHSA-2gqc-6j2q-83qp
https://github.com/RustCrypto/utils/commit/55977257e7c82a309d5e8abfdd380a774f0f9778
 
rustfs--rustfs RustFS is a distributed object storage system built in Rust. From >= 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls. In crates/ecstore/src/rpc/http_auth.rs, the invalid signature branch logs sensitive data. This log line includes secret and expected_signature, both derived from the shared HMAC key. Any invalidly signed request triggers this path. The function is reachable from RPC and admin request handlers. This vulnerability is fixed in 1.0.0-alpha.80. 2026-01-16 not yet calculated CVE-2026-22782 https://github.com/rustfs/rustfs/security/advisories/GHSA-333v-68xh-8mmq
https://github.com/rustfs/rustfs/commit/6b2eebee1d07399ef02c0863bd515b4412a5a560
https://github.com/rustfs/rustfs/blob/9e162b6e9ebb874cc1d06a7b33bc4a05786578aa/crates/ecstore/src/rpc/http_auth.rs#L115-L122
 
samrocketman--jervis Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses PKCS1Encoding which is vulnerable to Bleichenbacher padding oracle attacks. Modern systems should use OAEP (Optimal Asymmetric Encryption Padding). This vulnerability is fixed in 2.2. 2026-01-13 not yet calculated CVE-2025-68698 https://github.com/samrocketman/jervis/security/advisories/GHSA-mqw7-c5gg-xq97
https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
 
samrocketman--jervis Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses deterministic AES IV derivation from a passphrase. This vulnerability is fixed in 2.2. 2026-01-13 not yet calculated CVE-2025-68701 https://github.com/samrocketman/jervis/security/advisories/GHSA-crxp-chh4-9ghp
https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
 
samrocketman--jervis Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses padLeft(32, '0') when it should use padLeft(64, '0') because SHA-256 produces 32 bytes which equates to 64 hex characters. This vulnerability is fixed in 2.2. 2026-01-13 not yet calculated CVE-2025-68702 https://github.com/samrocketman/jervis/security/advisories/GHSA-67rj-pjg6-pq59
https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
 
samrocketman--jervis Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived from sha256Sum(passphrase). Two encryption operations with the same password will have the same derived key. This vulnerability is fixed in 2.2. 2026-01-13 not yet calculated CVE-2025-68703 https://github.com/samrocketman/jervis/security/advisories/GHSA-36h5-vrq6-pp34
https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
 
samrocketman--jervis Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses java.util.Random() which is not cryptographically secure for timing attack mitigation. This vulnerability is fixed in 2.2. 2026-01-13 not yet calculated CVE-2025-68704 https://github.com/samrocketman/jervis/security/advisories/GHSA-c9q6-g3hr-8gww
https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
 
samrocketman--jervis Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the code doesn't validate that the JWT header specifies "alg":"RS256". This vulnerability is fixed in 2.2. 2026-01-13 not yet calculated CVE-2025-68925 https://github.com/samrocketman/jervis/security/advisories/GHSA-5pq9-5mpr-jj85
https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
 
samrocketman--jervis Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, AES/CBC/PKCS5Padding lacks authentication, making it vulnerable to padding oracle attacks and ciphertext manipulation. This vulnerability is fixed in 2.2. 2026-01-13 not yet calculated CVE-2025-68931 https://github.com/samrocketman/jervis/security/advisories/GHSA-gxp5-mv27-vjcj
https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a
 
Schneider Electric--EcoStruxure Power Build Rapsody CWE-415: Double Free vulnerability exists that could cause heap memory corruption when the end user imports a malicious project file (SSD file) shared by the attacker into Rapsody. 2026-01-15 not yet calculated CVE-2025-13844 https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-04.pdf
 
Schneider Electric--EcoStruxure Power Build Rapsody CWE-416: Use After Free vulnerability that could cause remote code execution when the end user imports the malicious project file (SSD file) into Rapsody. 2026-01-15 not yet calculated CVE-2025-13845 https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-04.pdf
 
Semantic--Semantic An issue in Semantic machines v5.4.8 allows attackers to bypass authentication via sending a crafted HTTP request to various API endpoints. 2026-01-13 not yet calculated CVE-2025-66698 http://veda.com
http://semantic.com
https://github.com/Perunchess/CVE-2025-66698
 
ServiceNow--Now Assist AI Agents A vulnerability has been identified in the ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform. ServiceNow has addressed this vulnerability by deploying a relevant security update to  hosted instances in October 2025. Security updates have also been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Additionally, the vulnerability is addressed in the listed Store App versions. We recommend that customers promptly apply an appropriate security update or upgrade if they have not already done so. 2026-01-12 not yet calculated CVE-2025-12420 https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2587329
 
siyuan-note--siyuan SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2. 2026-01-16 not yet calculated CVE-2026-23645 https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pcjq-j3mq-jv5j
https://github.com/siyuan-note/siyuan/issues/16844
https://github.com/siyuan-note/siyuan/commit/11115da3d0de950593ee4ce375cf7f9018484388
 
Slab--Quill A lack of data validation vulnerability in the HTML export feature in Quill in allows Cross-Site Scripting (XSS). This issue affects Quill: 2.0.3. 2026-01-13 not yet calculated CVE-2025-15056 https://fluidattacks.com/advisories/diomedes
https://github.com/slab/quill
 
Sonatype--Nexus Repository Server-Side Request Forgery (SSRF) vulnerability in Sonatype Nexus Repository 3 versions 3.0.0 and later allows authenticated administrators to configure proxy repositories with URLs that can access unintended network destinations, potentially including cloud metadata services and internal network resources. A workaround configuration is available starting in version 3.88.0, but the product remains vulnerable by default. 2026-01-14 not yet calculated CVE-2026-0600 https://support.sonatype.com/hc/en-us/articles/47928855816595
 
Sonatype--Nexus Repository A reflected cross-site scripting vulnerability exists in Nexus Repository 3 that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted request requiring user interaction. 2026-01-14 not yet calculated CVE-2026-0601 https://help.sonatype.com/en/sonatype-nexus-repository-3-88-0-release-notes.html
https://support.sonatype.com/hc/en-us/articles/47934334375955
 
Sourcecodester--Sourcecodester Sourcecodester Covid-19 Contact Tracing System 1.0 is vulnerable to RCE (Remote Code Execution). The application receives a reverse shell (php) into imagem of the user enabling RCE. 2026-01-12 not yet calculated CVE-2025-66802 https://feedly.com/cve/CVE-2022-2746
https://github.com/mtgsjr/CVE-2025-66802
 
SparkyFitness--SparkyFitness SparkyFitness v0.15.8.2 is vulnerable to Cross Site Scripting (XSS) via user input and LLM output. 2026-01-15 not yet calculated CVE-2025-65368 https://github.com/CodeWithCJ/SparkyFitness
https://github.com/CodeWithCJ/SparkyFitness/security/advisories/GHSA-j7x6-6678-2xqp#event-521570
 
Stackideas.com--EasyDiscuss extension for Joomla Lack of input filterung leads to a persistent XSS vulnerability in the forum post handling of the Easy Discuss component for Joomla. 2026-01-16 not yet calculated CVE-2026-21623 https://stackideas.com/easydiscuss
 
Stackideas.com--EasyDiscuss extension for Joomla Lack of input filterung leads to a persistent XSS vulnerability in the user avatar text handling of the Easy Discuss component for Joomla. 2026-01-16 not yet calculated CVE-2026-21624 https://stackideas.com/easydiscuss
 
Stackideas.com--EasyDiscuss extension for Joomla User provided uploads to the Easy Discuss component for Joomla aren't properly validated. Uploads are purely checked by file extensions, no mime type checks are happening. 2026-01-16 not yet calculated CVE-2026-21625 https://stackideas.com/easydiscuss
 
SteelSeries--SteelSeries SteelSeries Nahimic 3 1.10.7 allows Directory traversal. 2026-01-16 not yet calculated CVE-2025-68921 https://steelseries.gg
https://steelseries.com/nahimic
https://gist.github.com/ZeroMemoryEx/93208b7e57a5444de3654816857ddef4
 
Steven--Uploadify Uploadify WordPress plugin versions up to and including 1.0 contain an arbitrary file upload vulnerability in process_upload.php due to missing file type validation. An unauthenticated remote attacker can upload arbitrary files to the affected WordPress site, which may allow remote code execution by uploading executable content to a web-accessible location. 2026-01-15 not yet calculated CVE-2011-10041 https://packetstorm.news/files/id/98652
https://wpscan.com/vulnerability/6946364c-9764-468e-87d5-2dd57e531985/
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/uploadify/uploadify-10-arbitrary-file-upload
https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-uploadify-remote-file-upload-1-0/
https://www.vulncheck.com/advisories/uploadify-unauthenticated-arbitrary-file-upload
 
Svelte--Svelte An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML‑safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise. This issue affects Svelte: from 5.46.0 before 5.46.3. 2026-01-15 not yet calculated CVE-2025-15265 https://fluidattacks.com/advisories/lydian
https://github.com/sveltejs/svelte/security/advisories/GHSA-6738-r8g5-qwp3
https://fluidattacks.com/advisories/lydian
 
sveltejs--kit SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5. 2026-01-15 not yet calculated CVE-2025-67647 https://github.com/sveltejs/kit/security/advisories/GHSA-j62c-4x62-9r35
https://github.com/sveltejs/kit/commit/d9ae9b00b14f5574d109f3fd548f960594346226
 
sveltejs--kit SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5. 2026-01-15 not yet calculated CVE-2026-22803 https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46
https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5
https://github.com/sveltejs/kit/releases/tag/@sveltejs%2Fadapter-node@5.5.1
 
Tenda--Tenda Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the mac parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. 2026-01-15 not yet calculated CVE-2025-70656 https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/11/1.md
 
Tenda--Tenda Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the cloneType parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. 2026-01-15 not yet calculated CVE-2025-70744 https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/10/1.md
 
Tenda--Tenda Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the timeZone parameter of the fromSetSysTime function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. 2026-01-16 not yet calculated CVE-2025-70746 https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/4/1.md
 
Tenda--Tenda Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the serviceName parameter of the sub_65A28 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. 2026-01-14 not yet calculated CVE-2025-70747 https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/6/1.md
 
Tenda--Tenda Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the security_5g parameter of the sub_4CA50 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. 2026-01-13 not yet calculated CVE-2025-70753 https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/8/1.md
 
Tenda--Tenda Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the wanSpeed parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. 2026-01-15 not yet calculated CVE-2025-71019 https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/9/1.md
 
Tenda--Tenda Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the security parameter of the sub_4C408 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. 2026-01-16 not yet calculated CVE-2025-71020 https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/5/1.md
 
Tenda--Tenda Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the serverName parameter of the sub_65A28 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. 2026-01-14 not yet calculated CVE-2025-71021 https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/7/1.md
 
Tenda--Tenda Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the mac2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. 2026-01-13 not yet calculated CVE-2025-71023 https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/11/1.md
 
Tenda--Tenda Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the serviceName2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. 2026-01-13 not yet calculated CVE-2025-71024 https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/12/1.md
 
Tenda--Tenda Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the cloneType2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. 2026-01-13 not yet calculated CVE-2025-71025 https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/10/1.md
 
Tenda--Tenda Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the wanSpeed2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. 2026-01-13 not yet calculated CVE-2025-71026 https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/9/1.md
 
Tenda--Tenda Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the wanMTU2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. 2026-01-13 not yet calculated CVE-2025-71027 https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/8/1.md
 
The GNU C Library--glibc Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments. 2026-01-14 not yet calculated CVE-2026-0861 https://sourceware.org/bugzilla/show_bug.cgi?id=33796
https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0001
 
The GNU C Library--glibc Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver. 2026-01-15 not yet calculated CVE-2026-0915 https://sourceware.org/bugzilla/show_bug.cgi?id=33802
 
The Nu Html Checker--The Nu Html Checker Nu Html Checker (validator.nu) contains a restriction bypass that allows remote attackers to make the server perform arbitrary HTTP/HTTPS requests to internal resources, including localhost services. While the validator implements hostname-based protections to block direct access to localhost and 127.0.0.1, these controls can be bypassed using DNS rebinding techniques or domains that resolve to loopback addresses.This issue affects The Nu Html Checker (vnu): latest (commit 23f090a11bab8d0d4e698f1ffc197a4fe226a9cd). 2026-01-16 not yet calculated CVE-2025-15104 https://fluidattacks.com/advisories/europe
https://github.com/validator/validator
 
TheLibrarian--TheLibrarian.io The Librarian contains a information leakage vulnerability through the `web_fetch` tool, which can be used to retrieve arbitrary external content provided by an attacker, which can be used to proxy requests through The Librarian infrastructure. The vendor has fixed the vulnerability in all versions of TheLibrarian. 2026-01-16 not yet calculated CVE-2026-0612 http://mindgard.ai/blog/thelibrarian-ios-ai-security-
https://thelibrarian.io/
 
TheLibrarian--TheLibrarian.io The Librarian contains an internal port scanning vulnerability, facilitated by the `web_fetch` tool, which can be used with SSRF-style behavior to perform GET requests to internal IP addresses and services, enabling scanning of the Hertzner cloud environment that TheLibrarian uses. The vendor has fixed the vulnerability in all affected versions. 2026-01-16 not yet calculated CVE-2026-0613 https://mindgard.ai/blog/thelibrarian-ios-ai-security-disclosure
https://thelibrarian.io/
 
TheLibrarian--TheLibrarian.io The Librarian `supervisord` status page can be retrieved by the `web_fetch` tool, which can be used to retrieve running processes within TheLibrarian backend. The vendor has fixed the vulnerability in all affected versions. 2026-01-16 not yet calculated CVE-2026-0615 http://mindgard.ai/blog/thelibrarian-ios-ai-security-
https://thelibrarian.io/
 
TheLibrarian--TheLibrarian.io TheLibrarians web_fetch tool can be used to retrieve the Adminer interface content, which can then be used to log into the internal TheLibrarian backend system. The vendor has fixed the vulnerability in all affected versions. 2026-01-16 not yet calculated CVE-2026-0616 https://mindgard.ai/blog/thelibrarian-ios-ai-security-disclosure
https://thelibrarian.io/
 
TinyOS--TinyOS TinyOS versions up to and including 2.1.2 contain a global buffer overflow vulnerability in the printfUART formatted output implementation used within the ZigBee / IEEE 802.15.4 networking stack. The implementation formats output into a fixed-size global buffer and concatenates strings for %s format specifiers using strcat() without verifying remaining buffer capacity. When printfUART is invoked with a caller-controlled string longer than the available space, the unbounded sprintf/strcat sequence writes past the end of debugbuf, resulting in global memory corruption. This can cause denial of service, unintended behavior, or information disclosure via corrupted adjacent global state or UART output. 2026-01-14 not yet calculated CVE-2026-22211 https://seclists.org/fulldisclosure/2026/Jan/14
https://github.com/tinyos/tinyos-main
https://www.vulncheck.com/advisories/tinyos-global-buffer-overflow-in-printfuart
 
TinyOS--TinyOS TinyOS versions up to and including 2.1.2 contain a stack-based buffer overflow vulnerability in the mcp2200gpio utility. The vulnerability is caused by unsafe use of strcpy() and strcat() functions when constructing device paths during automatic device discovery. A local attacker can exploit this by creating specially crafted filenames under /dev/usb/, leading to stack memory corruption and application crashes. 2026-01-12 not yet calculated CVE-2026-22212 https://seclists.org/fulldisclosure/2026/Jan/14
https://github.com/tinyos/tinyos-main
https://www.vulncheck.com/advisories/tinyos-stack-based-buffer-overflow-in-mcp2200gpio
 
TOA Corporation--Multiple Network Cameras TRIFORA 3 series OS Command Injection vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation, which may allow a logged-in user with the low("monitoring user") or higher privilege to execute an arbitrary OS command. 2026-01-16 not yet calculated CVE-2026-20759 https://www.toa-products.com/securityinfo/pdf/tv2025-001jp.pdf
https://jvn.jp/en/jp/JVN08087148/
 
TOA Corporation--Multiple Network Cameras TRIFORA 3 series Cross-site scripting vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If an attacking administrator configures the affected product with some malicious input, an arbitrary script may be executed on the web browser of a victim administrator who accesses the setting screen. 2026-01-16 not yet calculated CVE-2026-20894 https://www.toa-products.com/securityinfo/pdf/tv2025-001jp.pdf
https://jvn.jp/en/jp/JVN08087148/
 
TOA Corporation--Multiple Network Cameras TRIFORA 3 series Path Traversal vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If this vulnerability is exploited, arbitrary files on the affected product may be retrieved by a logged-in user with the low("monitoring user") or higher privilege. 2026-01-16 not yet calculated CVE-2026-22876 https://www.toa-products.com/securityinfo/pdf/tv2025-001jp.pdf
https://jvn.jp/en/jp/JVN08087148/
 
Tongyu--Tongyu An authentication bypass vulnerability in the Tongyu AX1800 Wi-Fi 6 Router with firmware 1.0.0 allows unauthenticated network-adjacent attackers to perform arbitrary configuration changes without providing credentials, as long as a valid admin session is active. This can result in full compromise of the device (i.e., via unauthenticated access to /boaform/formSaveConfig and /boaform/admin endpoints). 2026-01-13 not yet calculated CVE-2025-68707 https://www.tongyucom.com/product/ax1800.html
https://github.com/actuator/cve/tree/main/Tongyu
https://github.com/actuator/cve/blob/main/Tongyu/CVE-2025-68707.txt
 
TP-Link Systems Inc.--TL-WR841N v14 A Null Pointer Dereference vulnerability exists in the referer header check of the web portal of TP-Link TL-WR841N v14, caused by improper input validation.  A remote, unauthenticated attacker can exploit this flaw and cause Denial of Service on the web portal service.This issue affects TL-WR841N v14: before 250908. 2026-01-15 not yet calculated CVE-2025-9014 https://www.tp-link.com/us/support/faq/4894/
https://www.tp-link.com/jp/support/download/tl-wr841n/#Firmware
https://www.tp-link.com/en/support/download/tl-wr841n/#Firmware
https://www.tp-link.com/us/support/download/tl-wr841n/#Firmware
 
TP-Link Systems Inc.--VIGI InSight Sx45 Series (S245/S345/S445) Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state. Attackers can gain full administrative access to the device, compromising configuration and network security. 2026-01-16 not yet calculated CVE-2026-0629 https://www.vigi.com/us/support/download/
https://www.vigi.com/en/support/download/
https://www.vigi.com/in/support/download/
https://www.tp-link.com/us/support/faq/4899/
 
Typesetter--Typesetter Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:) to trigger arbitrary JavaScript execution in the context of the victim's browser session. 2026-01-14 not yet calculated CVE-2025-71164 https://github.com/Typesetter/Typesetter
https://github.com/Typesetter/Typesetter/issues/706
https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-editing-php
 
Typesetter--Typesetter Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session. 2026-01-14 not yet calculated CVE-2025-71165 https://github.com/Typesetter/Typesetter
https://github.com/Typesetter/Typesetter/issues/709
https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-status-php
 
Typesetter--Typesetter Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected into the HTML output without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session. 2026-01-14 not yet calculated CVE-2025-71166 https://github.com/Typesetter/Typesetter
https://github.com/Typesetter/Typesetter/issues/707
https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-move-message-handling
 
TYPO3--TYPO3 CMS By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. 2026-01-13 not yet calculated CVE-2025-59020 https://typo3.org/security/advisory/typo3-core-sa-2026-001
Git commit of main branch
Git commit of 13.4 branch
Git commit of 12.4 branch
 
TYPO3--TYPO3 CMS Backend users with access to the redirects module and write permission on the sys_redirect table were able to read, create, and modify any redirect record without restriction to the user's own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs - facilitating phishing or other malicious redirect attacks. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. 2026-01-13 not yet calculated CVE-2025-59021 https://typo3.org/security/advisory/typo3-core-sa-2026-002
Git commit of main branch
Git commit of 13.4 branch
Git commit of 12.4 branch
 
TYPO3--TYPO3 CMS Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. 2026-01-13 not yet calculated CVE-2025-59022 https://typo3.org/security/advisory/typo3-core-sa-2026-003
Git commit of main branch
Git commit of 13.4 branch
Git commit of 12.4 branch
 
TYPO3--TYPO3 CMS TYPO3's mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. 2026-01-13 not yet calculated CVE-2026-0859 https://typo3.org/security/advisory/typo3-core-sa-2026-004
Git commit of main branch
Git commit of 13.4 branch
Git commit of 12.4 branch
 
Vanilla OS--fabricators ltd fabricators Ltd Vanilla OS 2 Core image v1.1.0 was discovered to contain static keys for the SSH service, allowing attackers to possibly execute a man-in-the-middle attack during connections with other hosts. 2026-01-13 not yet calculated CVE-2024-54855 http://vanilla.com
http://fabricators.com
https://github.com/Vanilla-OS/core-image/security/advisories/GHSA-67pc-hqr2-g34h
 
Viafirma--Inbox IDOR vulnerability has been found in Viafirma Inbox v4.5.13 that allows any authenticated user without privileges in the application to list all users, access and modify their data. This allows the user's email addresses to be modified and, subsequently, using the password recovery functionality to access the application by impersonating any user, including those with administrative permissions. 2026-01-12 not yet calculated CVE-2025-41077 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-viafirma-products
 
Viafirma--Viafirma Documents Weaknesses in the authorization mechanisms of Viafirma Documents v3.7.129 allow an authenticated user without privileges to list and access other user data, use user creation, modification, and deletion features, and escalate privileges by impersonating other users of the application in the generation and signing of documents. 2026-01-12 not yet calculated CVE-2025-41078 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-viafirma-products
 
Vivotek--Affected device model numbers are FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD9387, FD9389, FD9391,FE9180,FE9181, FE9191, FE9381, FE9382, FE9391, FE9582, IB9365, IB93587LPR, IB9371,IB9381, IB9387, IB9389, IB939,IP9165,IP9171, IP9172, IP9181, IP9191, IT9389, MA9321, MA9322, MS9321, MS9390, TB9330 Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Vivotek Affected device model numbers are FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD9387, FD9389, FD9391,FE9180,FE9181, FE9191, FE9381, FE9382, FE9391, FE9582, IB9365, IB93587LPR, IB9371,IB9381, IB9387, IB9389, IB939,IP9165,IP9171, IP9172, IP9181, IP9191, IT9389, MA9321, MA9322, MS9321, MS9390, TB9330 (Firmware modules) allows OS Command Injection.This issue affects Affected device model numbers are FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD9387, FD9389, FD9391,FE9180,FE9181, FE9191, FE9381, FE9382, FE9391, FE9582, IB9365, IB93587LPR, IB9371,IB9381, IB9387, IB9389, IB939,IP9165,IP9171, IP9172, IP9181, IP9191, IT9389, MA9321, MA9322, MS9321, MS9390, TB9330: 0100a, 0106a, 0106b, 0107a, 0107b_1, 0109a, 0112a, 0113a, 0113d, 0117b, 0119e, 0120b, 0121, 0121d, 0121d_48573_1, 0122e, 0124d_48573_1, 012501, 012502, 0125c. 2026-01-13 not yet calculated CVE-2026-22755 http://www.vapidlabs.com/advisory.php?v=220
 
WeblateOrg--weblate Weblate is a web based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.15.2. 2026-01-14 not yet calculated CVE-2026-21889 https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3g2f-4rjg-9385
https://github.com/WeblateOrg/weblate/pull/17516
https://github.com/WeblateOrg/weblate/commit/a6eb5fd0299780eca286be8ff187dc2d10feec47
 
WordPress--Dreamer Blog The Dreamer Blog WordPress theme through 1.2 is vulnerable to arbitrary installations due to a missing capability check. 2026-01-13 not yet calculated CVE-2025-10915 https://wpscan.com/vulnerability/dab3a804-9027-4b4a-b61c-61b562045bc4/
 
WordPress--E-xact | Hosted Payment | The E-xact | Hosted Payment | WordPress plugin through 2.0 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. 2026-01-13 not yet calculated CVE-2025-14829 https://wpscan.com/vulnerability/872569bc-16fb-427f-accc-147f284137cd/
 
WordPress--Quiz Maker The Quiz Maker WordPress plugin before 6.7.0.89 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). 2026-01-12 not yet calculated CVE-2025-14579 https://wpscan.com/vulnerability/1ff8ea2b-6513-4d5c-b7ea-9ab39c9ea9c6/
 
WorkDo--eCommerceGo SaaS Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a lack of proper validation of user input by sending a POST request to '/store-ticket', using the 'subject' and 'description' parameters. 2026-01-12 not yet calculated CVE-2025-40977 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-workdo-products
 
WorkDo--eCommerceGo SaaS Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a stored XSS due to a lack of proper validation of user input by sending a POST request to '/ticket/x/conversion', using the 'reply_description' parameter. 2026-01-12 not yet calculated CVE-2025-40978 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-workdo-products
 
WorkDo--HRMGo Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's HRMGo, consisting of a lack of proper validation of user input by sending a POST request to '/hrmgo/ticket/changereply', using the 'description' parameter. 2026-01-12 not yet calculated CVE-2025-40975 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-workdo-products
 
WorkDo--TicketGo Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's TicketGo, consisting of a lack of proper validation of user input by sending a POST request to '/ticketgo-saas/home', using the 'description' parameter. 2026-01-12 not yet calculated CVE-2025-40976 https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-workdo-products
 
xmall--xmall Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users' order details via manipulation of the query parameter userId. 2026-01-12 not yet calculated CVE-2023-36331 https://github.com/Exrick/xmall/issues/100
 
yhirose--cpp-httplib cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory. 2026-01-12 not yet calculated CVE-2026-22776 https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h934-98h4-j43q
https://github.com/yhirose/cpp-httplib/commit/2e2e47bab1ae6a853476eecbc4bf279dd1fef792
 
YSoft--SafeQ 6 Y Soft SafeQ 6 renders the Workflow Connector password field in a way that allows an administrator with UI access to reveal the value using browser developer/inspection tools. The affected customers are only those with a password-protected scan workflow connector. This issue affects Y Soft SafeQ 6 in versions before MU106. 2026-01-14 not yet calculated CVE-2025-13175 https://www.ysoft.com/safeq
https://docs.ysoft.cloud/safeq6/latest/safeq6/release-notes-build-106
https://cert.pl/en/posts/2026/01/CVE-2025-13175
 
Zhiyuan-Zhyuan Cross site scripting vulnerability in seeyon Zhiyuan A8+ Collaborative Management Software 7.0 via the topValue parameter to the seeyon/main.do endpoint. 2026-01-16 not yet calculated CVE-2025-56451 https://www.yuque.com/076w/syst1m/zlp7c6hmowx6cg51?singleDoc
https://gist.github.com/076w/b223381ba06b05845d919fb29619777b
 

Back to top

Vulnerability Summary for the Week of January 5, 2026
Posted on Monday January 12, 2026

High Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
AA-Team--Amazon Native Shopping Recommendations Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Native Shopping Recommendations allows SQL Injection.This issue affects Amazon Native Shopping Recommendations: from n/a through 1.3. 2026-01-05 9.3 CVE-2025-30633 https://vdp.patchstack.com/database/wordpress/plugin/woozone-contextual/vulnerability/wordpress-amazon-native-shopping-recommendations-plugin-1-3-sql-injection-vulnerability?_s_id=cve
 
AA-Team--Premium Age Verification / Restriction for WordPress Incorrect Privilege Assignment vulnerability in AA-Team Premium Age Verification / Restriction for WordPress, AA-Team Responsive Coming Soon Landing Page / Holding Page for WordPress allows Privilege Escalation.This issue affects Premium Age Verification / Restriction for WordPress: from n/a through 3.0.2; Responsive Coming Soon Landing Page / Holding Page for WordPress: from n/a through 3.0. 2026-01-06 8.8 CVE-2025-29004 https://patchstack.com/database/wordpress/plugin/age-restriction/vulnerability/wordpress-premium-age-verification-restriction-for-wordpress-plugin-3-0-2-privilege-escalation-vulnerability?_s_id=cve
https://patchstack.com/database/wordpress/plugin/wordpress-flat-countdown/vulnerability/wordpress-responsive-coming-soon-landing-page-holding-page-for-wordpress-3-0-privilege-escalation-vulnerability?_s_id=cve
 
AA-Team--Premium SEO Pack Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Premium SEO Pack allows SQL Injection.This issue affects Premium SEO Pack: from n/a through 3.3.2. 2026-01-05 8.5 CVE-2025-31044 https://vdp.patchstack.com/database/wordpress/plugin/premium-seo-pack/vulnerability/wordpress-premium-seo-pack-3-3-2-sql-injection-vulnerability?_s_id=cve
 
AA-Team--Woocommerce Sales Funnel Builder Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Sales Funnel Builder, AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows Reflected XSS.This issue affects Woocommerce Sales Funnel Builder: from n/a through 1.1; Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2. 2026-01-06 7.1 CVE-2025-30631 https://patchstack.com/database/wordpress/plugin/woosales/vulnerability/wordpress-woocommerce-sales-funnel-builder-plugin-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
https://patchstack.com/database/wordpress/plugin/azon-addon-js-composer/vulnerability/wordpress-amazon-affiliates-addon-for-wpbakery-page-builder-formerly-visual-composer-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
ABB--WebPro SNMP Card PowerValue Incorrect Implementation of Authentication Algorithm vulnerability in ABB WebPro SNMP Card PowerValue, ABB WebPro SNMP Card PowerValue UL.This issue affects WebPro SNMP Card PowerValue: through 1.1.8.K; WebPro SNMP Card PowerValue UL: through 1.1.8.K. 2026-01-07 8.8 CVE-2025-4676 https://search.abb.com/library/Download.aspx?DocumentID=2CRT000009&LanguageCode=en&DocumentPartId=&Action=Launch
 
Adtecdigital--SignEdje Digital Signage Player Adtec Digital SignEdje Digital Signage Player v2.08.28 contains multiple hardcoded default credentials that allow unauthenticated remote access to web, telnet, and SSH interfaces. Attackers can exploit these credentials to gain root-level access and execute system commands across multiple Adtec Digital product versions. 2026-01-06 7.5 CVE-2020-36915 ExploitDB-48954
Adtec Digital Official Homepage
Zero Science Lab Disclosure (ZSL-2020-5603)
Packet Storm Security Exploit Entry
IBM X-Force Vulnerability Exchange
VulnCheck Advisory: Adtec Digital SignEdje Digital Signage Player v2.08.28 Default Credentials
 
aio-libs--aiohttp AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3. 2026-01-05 7.5 CVE-2025-69223 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg
https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a
 
aksharsoftsolutions--AS Password Field In Default Registration Form The AS Password Field In Default Registration Form plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.0.0. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. 2026-01-06 9.8 CVE-2025-14996 https://www.wordfence.com/threat-intel/vulnerabilities/id/061f022b-b922-4499-bb34-8ea91ba5ace3?source=cve
https://plugins.trac.wordpress.org/browser/as-password-field-in-default-registration-form/tags/2.0.0/as-password-field-default-registration.php
 
Alibaba--Fastjson Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845. 2026-01-09 10 CVE-2025-70974 https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48
https://www.seebug.org/vuldb/ssvid-98020
https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238
https://www.freebuf.com/vuls/208339.html
https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce
https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger
https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955
 
arraytics--Eventin Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) The Eventin - Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded. 2026-01-09 7.2 CVE-2025-14657 https://www.wordfence.com/threat-intel/vulnerabilities/id/e4188b26-80f8-41b8-be19-1ddcbd7e39f5?source=cve
https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/base/Enqueue/register.php?old=3390273&old_path=wp-event-solution%2Ftrunk%2Fbase%2FEnqueue%2Fregister.php
https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/base/api-handler.php?old=3390273&old_path=wp-event-solution%2Ftrunk%2Fbase%2Fapi-handler.php
https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/core/event/api.php?old=3390273&old_path=wp-event-solution%2Ftrunk%2Fcore%2Fevent%2Fapi.php
 
Arteco-Global--Arteco Web Client DVR/NVR Arteco Web Client DVR/NVR contains a session hijacking vulnerability with insufficient session ID complexity that allows remote attackers to bypass authentication. Attackers can brute force session IDs within a specific numeric range to obtain valid sessions and access live camera streams without authorization. 2026-01-06 9.8 CVE-2020-36925 ExploitDB-49348
Arteco Official Vendor Homepage
Zero Science Lab Disclosure (ZSL-2020-5613)
Packet Storm Security Exploit Archive
IBM X-Force Exchange Vulnerability Entry 1
IBM X-Force Exchange Vulnerability Entry 2
CXSecurity Vulnerability Listing
VulnCheck Advisory: Arteco Web Client DVR/NVR Session ID Brute Force Authentication Bypass
 
AWS--Kiro IDE Processing specially crafted workspace folder names could allow for arbitrary command injection in the Kiro GitLab Merge-Request helper in Kiro IDE before version 0.6.18 when opening maliciously crafted workspaces. To mitigate, users should update to the latest version. 2026-01-09 7.8 CVE-2026-0830 https://kiro.dev/changelog/spec-correctness-and-cli/
https://aws.amazon.com/security/security-bulletins/2026-001-AWS/
 
bg5sbk--MiniCMS A vulnerability was found in bg5sbk MiniCMS up to 1.8. The impacted element is an unknown function of the file /minicms/mc-admin/post.php of the component Trash File Restore Handler. Performing a manipulation results in improper authentication. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-05 7.3 CVE-2025-15457 VDB-339490 | bg5sbk MiniCMS Trash File Restore post.php improper authentication
VDB-339490 | CTI Indicators (IOB, IOC, IOA)
Submit #725139 | MiniCMS https://github.com/bg5sbk/MiniCMS V1.8 unauthorized vulnerability
https://github.com/ueh1013/VULN/issues/12
 
bg5sbk--MiniCMS A vulnerability was determined in bg5sbk MiniCMS up to 1.8. This affects an unknown function of the file /mc-admin/post-edit.php of the component Article Handler. Executing a manipulation can lead to improper authentication. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-05 7.3 CVE-2025-15458 VDB-339491 | bg5sbk MiniCMS Article post-edit.php improper authentication
VDB-339491 | CTI Indicators (IOB, IOC, IOA)
Submit #725142 | MiniCMS https://github.com/bg5sbk/MiniCMS V1.8 unauthorized vulnerability
https://github.com/ueh1013/VULN/issues/9
 
Brecht--Custom Related Posts Insertion of Sensitive Information Into Sent Data vulnerability in Brecht Custom Related Posts allows Retrieve Embedded Sensitive Data.This issue affects Custom Related Posts: from n/a through 1.8.0. 2026-01-05 7.5 CVE-2025-68033 https://vdp.patchstack.com/database/wordpress/plugin/custom-related-posts/vulnerability/wordpress-custom-related-posts-plugin-1-8-0-sensitive-data-exposure-vulnerability?_s_id=cve
 
buddydev--BuddyPress Xprofile Custom Field Types The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). 2026-01-06 7.2 CVE-2025-14997 https://www.wordfence.com/threat-intel/vulnerabilities/id/89a7a717-dac3-490e-89dd-268be8eb7bf5?source=cve
https://plugins.trac.wordpress.org/browser/bp-xprofile-custom-field-types/tags/1.2.8/src/handlers/class-field-upload-helper.php
https://plugins.trac.wordpress.org/changeset/3430565/bp-xprofile-custom-field-types
 
CAYIN Technology--SMP-8000QD Cayin Signage Media Player 3.0 contains an authenticated remote command injection vulnerability in system.cgi and wizard_system.cgi pages. Attackers can exploit the 'NTP_Server_IP' parameter with default credentials to execute arbitrary shell commands as root. 2026-01-06 8.8 CVE-2020-36910 ExploitDB-48557
Cayin Technology Official Website
Zero Science Lab Disclosure (ZSL-2020-5569)
Packet Storm Security Exploit Entry
IBM X-Force Vulnerability Exchange
CXSecurity Vulnerability Listing
VulnCheck Advisory: Cayin Signage Media Player 3.0 Authenticated Remote Command Injection via NTP Parameter
 
Centreon--Infra Monitoring Missing Authentication for Critical Function vulnerability in Centreon Infra Monitoring centreon-awie (Awie import module) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3. 2026-01-05 9.8 CVE-2025-15026 https://github.com/centreon/centreon/releases
https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-15026-centreon-awie-critical-severity-5357
 
Centreon--Infra Monitoring Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon Infra Monitoring (Awie export modules) allows SQL Injection to unauthenticated user. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3. 2026-01-05 9.8 CVE-2025-15029 https://github.com/centreon/centreon/releases
https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-15029-centreon-awie-critical-severity-5356
 
Centreon--Infra Monitoring In the backup parameters, a user with high privilege is able to concatenate custom instructions to the backup setup. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Centreon Infra Monitoring (Backup configuration in the administration setup modules) allows OS Command Injection.This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. 2026-01-05 7.2 CVE-2025-5965 https://github.com/centreon/centreon/releases
https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-5965-centreon-web-high-severity-5362
 
code-projects--Intern Membership Management System A vulnerability was determined in code-projects Intern Membership Management System 1.0. Affected is an unknown function of the file /intern/admin/check_admin.php. Executing a manipulation of the argument Username can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. 2026-01-08 7.3 CVE-2026-0700 VDB-339977 | code-projects Intern Membership Management System check_admin.php sql injection
VDB-339977 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #733001 | code-projects Intern Membership Management System check_admin.php 1.0 SQL injection
https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20check_admin.php%20sql%20injection.md
https://code-projects.org/
 
code-projects--Online Music Site A security vulnerability has been detected in code-projects Online Music Site 1.0. Affected by this vulnerability is an unknown functionality of the file /login.php. Such manipulation of the argument username/password leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. 2026-01-05 7.3 CVE-2026-0605 VDB-339549 | code-projects Online Music Site login.php sql injection
VDB-339549 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731695 | code-projects https://code-projects.org/online-music-site-in-php-with-source-code/ 1.0 SQL injection
https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A52.md
https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A52.md#vulnerability-details-and-poc
https://code-projects.org/
 
code-projects--Online Music Site A vulnerability was detected in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /FrontEnd/Albums.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. 2026-01-05 7.3 CVE-2026-0606 VDB-339550 | code-projects Online Music Site Albums.php sql injection
VDB-339550 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731696 | code-projects https://code-projects.org/online-music-site-in-php-with-source-code/ 1.0 SQL injection
https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A51.md
https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A51.md#vulnerability-details-and-poc
https://code-projects.org/
 
code-projects--Online Music Site A flaw has been found in code-projects Online Music Site 1.0. This affects an unknown part of the file /Administrator/PHP/AdminViewSongs.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. 2026-01-05 7.3 CVE-2026-0607 VDB-339551 | code-projects Online Music Site AdminViewSongs.php sql injection
VDB-339551 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731697 | code-projects https://code-projects.org/online-music-site-in-php-with-source-code/ 1.0 SQL injection
https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A53.md
https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A53.md#vulnerability-details-and-poc
https://code-projects.org/
 
code-projects--Online Music Site A vulnerability was identified in code-projects Online Music Site 1.0. The affected element is an unknown function of the file /Administrator/PHP/AdminAddUser.php. The manipulation of the argument txtusername leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. 2026-01-11 7.3 CVE-2026-0851 VDB-340446 | code-projects Online Music Site AdminAddUser.php sql injection
VDB-340446 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #733644 | Code-Projects Online Music Site V1.0 SQLinjection
https://github.com/tuo159515/sql-injection/issues/2
https://code-projects.org/
 
code-projects--Online Product Reservation System A security flaw has been discovered in code-projects Online Product Reservation System 1.0. This vulnerability affects unknown code of the file app/user/login.php of the component User Login. The manipulation of the argument emailadd results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. 2026-01-05 7.3 CVE-2026-0583 VDB-339475 | code-projects Online Product Reservation System User Login login.php sql injection
VDB-339475 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731093 | code-projects Online Product Reservation system V1.0 SQL Injection
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_login.php.md
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_login.php.md#poc
https://code-projects.org/
 
code-projects--Online Product Reservation System A security vulnerability has been detected in code-projects Online Product Reservation System 1.0. Impacted is an unknown function of the file /order_view.php of the component GET Parameter Handler. Such manipulation of the argument transaction_id leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. 2026-01-05 7.3 CVE-2026-0585 VDB-339477 | code-projects Online Product Reservation System GET Parameter order_view.php sql injection
VDB-339477 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731096 | code-projects Online Product Reservation system V1.0 SQL Injection
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_order_view.php.md
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_order_view.php.md#poc
https://code-projects.org/
 
code-projects--Online Product Reservation System A vulnerability was found in code-projects Online Product Reservation System 1.0. Impacted is an unknown function of the component Administration Backend. The manipulation results in improper authentication. The attack may be performed from remote. The exploit has been made public and could be used. 2026-01-05 7.3 CVE-2026-0589 VDB-339499 | code-projects Online Product Reservation System Administration Backend improper authentication
VDB-339499 | CTI Indicators (IOB, IOC)
Submit #731127 | code-projects Online Product Reservation System V1.0 Authentication Bypass Issues
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/auth_bypass_admin_panel.md
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/auth_bypass_admin_panel.md#poc
https://code-projects.org/
 
code-projects--Online Product Reservation System A security flaw has been discovered in code-projects Online Product Reservation System 1.0. This affects an unknown function of the file /handgunner-administrator/register_code.php of the component User Registration Handler. Performing a manipulation of the argument fname/lname/address/city/province/country/zip/tel_no/email/username results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. 2026-01-05 7.3 CVE-2026-0592 VDB-339502 | code-projects Online Product Reservation System User Registration register_code.php sql injection
VDB-339502 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731130 | code-projects Online Product Reservation System V1.0 SQL Injection
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_register_code.php.md
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_register_code.php.md#poc
https://code-projects.org/
 
codename065--Download Manager The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change user's passwords, except administrators, and leverage that to gain access to their account. 2026-01-06 7.3 CVE-2025-15364 https://www.wordfence.com/threat-intel/vulnerabilities/id/067031e8-6aa8-451c-a318-b1848c7a4f92?source=cve
https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.40/src/__/Crypt.php#L18
https://plugins.trac.wordpress.org/changeset/3431915/download-manager#file7
 
Codepeople--Sell Downloads Missing Authorization vulnerability in Codepeople Sell Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sell Downloads: from n/a through 1.1.12. 2026-01-05 7.5 CVE-2025-68850 https://vdp.patchstack.com/database/wordpress/plugin/sell-downloads/vulnerability/wordpress-sell-downloads-plugin-1-1-12-broken-access-control-vulnerability?_s_id=cve
 
Columbia Weather Systems--MicroServer An unused function in MicroServer can start a reverse SSH connection to a vendor registered domain, without mutual authentication. An attacker on the local network with admin access to the web server, and the ability to manipulate DNS responses, can redirect the SSH connection to an attacker controlled device. 2026-01-07 8.8 CVE-2025-61939 https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-006-01.json
 
Columbia Weather Systems--MicroServer An unused webshell in MicroServer allows unlimited login attempts, with sudo rights on certain files and directories. An attacker with admin access to MicroServer can gain limited shell access, enabling persistence through reverse shells, and the ability to modify or remove data stored in the file system. 2026-01-07 8 CVE-2025-66620 https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-006-01.json
 
Comfy-Org--ComfyUI-Manager ComfyUI-Manager is an extension designed to enhance the usability of ComfyUI. Prior to versions 3.39.2 and 4.0.5, an attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or modification of application behavior. This issue has been patched in versions 3.39.2 and 4.0.5. 2026-01-10 7.5 CVE-2026-22777 https://github.com/Comfy-Org/ComfyUI-Manager/security/advisories/GHSA-562r-8445-54r2
https://github.com/Comfy-Org/ComfyUI-Manager/commit/f4fa394e0f03b013f1068c96cff168ad10bd0410
 
coollabsio--coolify Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, the Git Repository field during project creation is vulnerable to command injection. User input is not properly sanitized, allowing attackers to inject arbitrary shell commands that execute on the underlying server during the deployment workflow. A regular member user can exploit this vulnerability. Version 4.0.0-beta.420.7 contains a patch for the issue. 2026-01-05 10 CVE-2025-59157 https://github.com/coollabsio/coolify/security/advisories/GHSA-5cg9-38qj-8mc3
 
coollabsio--coolify Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.434, low privileged users are able to see the private key of the root user on the Coolify instance. This allows them to ssh to the server and authenticate as root user, using the private key. As of time of publication, it is unclear if a patch is available. 2026-01-05 10 CVE-2025-64420 https://github.com/coollabsio/coolify/security/advisories/GHSA-qwxj-qch7-whpc
 
coollabsio--coolify Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.445, parameters coming from docker-compose.yaml are not sanitized when used in commands. If a victim user creates an application from an attacker repository (using build pack "docker compose"), the attacker can execute commands on the Coolify instance as root. Version 4.0.0-beta.445 fixes the issue. 2026-01-05 9.7 CVE-2025-64419 https://github.com/coollabsio/coolify/security/advisories/GHSA-234r-xrrg-m8f3
https://github.com/coollabsio/coolify/commit/f86ccfaa9af572a5487da8ea46b0a125a4854cf6
 
coreruleset--coreruleset The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue. 2026-01-08 9.3 CVE-2026-21876 https://github.com/coreruleset/coreruleset/security/advisories/GHSA-36fv-25j3-r2c5
https://github.com/coreruleset/coreruleset/commit/80d80473abf71bd49bf6d3c1ab221e3c74e4eb83
https://github.com/coreruleset/coreruleset/commit/9917985de09a6cf38b3261faf9105e909d67a7d6
https://github.com/coreruleset/coreruleset/releases/tag/v3.3.8
https://github.com/coreruleset/coreruleset/releases/tag/v4.22.0
 
Corourke--iPhone Webclip Manager Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Corourke iPhone Webclip Manager allows Stored XSS.This issue affects iPhone Webclip Manager: from n/a through 0.5. 2026-01-05 7.1 CVE-2024-53735 https://vdp.patchstack.com/database/wordpress/plugin/iphone-webclip-manager/vulnerability/wordpress-iphone-webclip-manager-plugin-0-5-csrf-to-stored-xss-vulnerability?_s_id=cve
 
danny-avila--LibreChat LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 is prone to a server-side request forgery (SSRF) vulnerability due to missing restrictions of the Actions feature in the default configuration. LibreChat enables users to configure agents with predefined instructions and actions that can interact with remote services via OpenAPI specifications, supporting various HTTP methods, parameters, and authentication methods including custom headers. By default, there are no restrictions on accessible services, which means agents can also access internal components like the RAG API included in the default Docker Compose setup. This issue is fixed in version 0.8.1-rc2. 2026-01-07 9.1 CVE-2025-69222 https://github.com/danny-avila/LibreChat/security/advisories/GHSA-rgjq-4q58-m3q8
https://github.com/danny-avila/LibreChat/commit/3b41e392ba5c0d603c1737d8582875e04eaa6e02
https://github.com/danny-avila/LibreChat/releases/tag/v0.8.2-rc2
 
danny-avila--LibreChat LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agents file context and file search. An authenticated attacker with access to the agent ID can change the behavior of arbitrary agents by uploading new files to the file context or file search, even if they have no permissions for this agent. This issue is fixed in version 0.8.2-rc2. 2026-01-07 7.1 CVE-2025-69220 https://github.com/danny-avila/LibreChat/security/advisories/GHSA-xcmf-rpmh-hg59
https://github.com/danny-avila/LibreChat/commit/4b9c6ab1cb9de626736de700c7981f38be08d237
https://cwe.mitre.org/data/definitions/284.html
https://cwe.mitre.org/data/definitions/862.html
https://github.com/danny-avila/LibreChat/releases/tag/v0.8.2-rc2
https://owasp.org/Top10/A01_2021-Broken_Access_Control
https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html
https://raw.githubusercontent.com/OWASP/ASVS/v5.0.0/5.0/OWASP_Application_Security_Verification_Standard_5.0.0_en.pdf
 
Dasinfomedia--WPCHURCH Incorrect Privilege Assignment vulnerability in Dasinfomedia WPCHURCH allows Privilege Escalation.This issue affects WPCHURCH: from n/a through 2.7.0. 2026-01-07 8.8 CVE-2025-31643 https://patchstack.com/database/wordpress/plugin/church-management/vulnerability/wordpress-wpchurch-2-7-0-privilege-escalation-vulnerability?_s_id=cve
 
Dasinfomedia--WPCHURCH Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dasinfomedia WPCHURCH allows Reflected XSS.This issue affects WPCHURCH: from n/a through 2.7.0. 2026-01-06 7.1 CVE-2025-31642 https://patchstack.com/database/wordpress/plugin/church-management/vulnerability/wordpress-wpchurch-plugin-2-7-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Dell--Unisphere for PowerMax Dell Unisphere for PowerMax, version(s) 9.2.4.x, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access to data and resources outside of the intended sphere of control. 2026-01-06 7.6 CVE-2025-36589 https://www.dell.com/support/kbdoc/en-us/000402262/dsa-2025-425-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-unisphere-360-dell-solutions-enabler-virtual-appliance-security-update-for-multiple-vulnerabilities
 
devolo AG--devolo dLAN Cockpit devolo dLAN Cockpit 4.3.1 contains an unquoted service path vulnerability in the 'DevoloNetworkService' that allows local non-privileged users to potentially execute arbitrary code. Attackers can exploit the insecure service path configuration by inserting malicious code in the system root path to execute with elevated privileges during application startup or system reboot. 2026-01-07 8.4 CVE-2019-25231 Zero Science Lab Vulnerability Advisory
Packet Storm Security Exploit Entry
CXSecurity Vulnerability Listing
IBM X-Force Vulnerability Exchange
Devolo Vendor Homepage
 
DevToys-app--DevToys DevToys is a desktop app for developers. In versions from 2.0.0.0 to before 2.0.9.0, a path traversal vulnerability exists in the DevToys extension installation mechanism. When processing extension packages (NUPKG archives), DevToys does not sufficiently validate file paths contained within the archive. A malicious extension package could include crafted file entries such as ../../target-file, causing the extraction process to write files outside the intended extensions directory. This flaw enables an attacker to overwrite arbitrary files on the user's system with the privileges of the DevToys process. Depending on the environment, this may lead to code execution, configuration tampering, or corruption of application or system files. This issue has been patched in version 2.0.9.0. 2026-01-10 8.8 CVE-2026-22685 https://github.com/DevToys-app/DevToys/security/advisories/GHSA-ggxr-h6fm-p2qh
https://github.com/DevToys-app/DevToys/pull/1643
https://github.com/DevToys-app/DevToys/commit/02fb7d46d9c663a4ee6ed968baa6a8810405047f
 
Digital zoom studio--DZS Video Gallery Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery allows Object Injection.This issue affects DZS Video Gallery: from n/a through 12.37. 2026-01-07 9.8 CVE-2025-47552 https://patchstack.com/database/wordpress/plugin/dzs-videogallery/vulnerability/wordpress-dzs-video-gallery-12-25-php-object-injection-vulnerability?_s_id=cve
 
Digital zoom studio--DZS Video Gallery Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery allows Object Injection.This issue affects DZS Video Gallery: from n/a through 12.25. 2026-01-06 8.8 CVE-2025-47553 https://patchstack.com/database/wordpress/plugin/dzs-videogallery/vulnerability/wordpress-dzs-video-gallery-plugin-12-25-php-object-injection-vulnerability?_s_id=cve
 
Digital zoom studio--DZS Video Gallery Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Digital zoom studio DZS Video Gallery allows Reflected XSS.This issue affects DZS Video Gallery: from n/a through 12.25. 2026-01-07 7.1 CVE-2025-32300 https://patchstack.com/database/wordpress/plugin/dzs-videogallery/vulnerability/wordpress-dzs-video-gallery-plugin-12-25-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
djanym--Optional Email The Optional Email plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in all versions up to, and including, 1.3.11. This is due to the plugin not restricting its 'random_password' filter to registration contexts, allowing the filter to affect password reset key generation. This makes it possible for unauthenticated attackers to set a known password reset key when initiating a password reset, reset the password of any user including administrators, and gain access to their accounts. 2026-01-07 9.8 CVE-2025-15018 https://www.wordfence.com/threat-intel/vulnerabilities/id/ff4243e9-cf72-40d5-bc7d-204426024a1d?source=cve
https://plugins.trac.wordpress.org/browser/optional-email/tags/1.3.11/optional-email.php?marks=44,51#L44
 
e-plugins--JobBank Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins JobBank allows Reflected XSS.This issue affects JobBank: from n/a through 1.2.2. 2026-01-06 7.1 CVE-2025-69085 https://patchstack.com/database/wordpress/plugin/jobbank/vulnerability/wordpress-jobbank-plugin-1-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
eastsidecode--WP Enable WebP The WP Enable WebP plugin for WordPress is vulnerable to arbitrary file uploads due to improper file type validation in the 'wpse_file_and_ext_webp' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. 2026-01-07 8.8 CVE-2025-15158 https://www.wordfence.com/threat-intel/vulnerabilities/id/fa53c5ee-fe7f-4fb2-baaa-2c1a151d4b2c?source=cve
https://plugins.trac.wordpress.org/browser/wp-enable-webp/trunk/wp-enable-webp.php?rev=1998897#L43
 
Elated-Themes--Frapp Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Frappé allows PHP Local File Inclusion.This issue affects Frappé: from n/a through 1.8. 2026-01-06 8.1 CVE-2025-69083 https://patchstack.com/database/wordpress/theme/frappe/vulnerability/wordpress-frappe-theme-1-8-local-file-inclusion-vulnerability?_s_id=cve
 
Extreme Networks--Aerohive HiveOS Aerohive HiveOS contains a denial of service vulnerability in the NetConfig UI that allows unauthenticated attackers to render the web interface unusable. Attackers can send a crafted HTTP request to the action.php5 script with specific parameters to trigger a 5-minute service disruption. 2026-01-06 7.5 CVE-2020-36907 ExploitDB-48441
Extreme Networks Product Homepage
HiveOS Product Announcements
Zero Science Lab Disclosure (ZSL-2020-5566)
NCSC Security Advisory
IBM X-Force Vulnerability Exchange
Packet Storm Security Exploit Entry
VulnCheck Advisory: Extreme Networks Aerohive HiveOS <=11.x 11.x Unauthenticated Remote Denial of Service
 
FIBAR GROUP S.A.--Home Center 3 FIBARO System Home Center 5.021 contains a remote file inclusion vulnerability in the undocumented proxy API that allows attackers to include arbitrary client-side scripts. Attackers can exploit the 'url' GET parameter to inject malicious JavaScript and potentially hijack user sessions or manipulate page content. 2026-01-06 7.5 CVE-2020-36905 ExploitDB-48240
Official Vendor Homepage
Zero Science Lab Disclosure (ZSL-2020-5563)
Packet Storm Security Exploit Entry
CXSecurity Vulnerability Listing
IBM X-Force Vulnerability Exchange
VulnCheck Advisory: FIBARO System Home Center 5.021 Remote File Inclusion via Proxy API
 
FlagForgeCTF--flagForge Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint (/api/user/[username]). The application constructs a regular expression dynamically using unescaped user input (the username parameter). An attacker can exploit this by sending a specially crafted username containing regex meta-characters (e.g., deeply nested groups or quantifiers), causing the MongoDB regex engine to consume excessive CPU resources. This can lead to Denial of Service for other users. The issue is fixed in version 2.3.3. To workaround this issue, implement a Web Application Firewall (WAF) rule to block requests containing regex meta-characters in the URL path. 2026-01-08 7.5 CVE-2026-21868 https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-949h-9824-xmcx
 
FLIR Systems, Inc.--FLIR Thermal Camera F/FC/PT/D FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains hard-coded SSH credentials that cannot be changed through normal camera operations. Attackers can leverage these persistent, unmodifiable credentials to gain unauthorized remote access to the thermal camera system. 2026-01-07 7.5 CVE-2017-20214 Zero Science Lab Vulnerability Advisory
Exploit Database Entry 42787
Packet Storm Security Exploit Archive
CXSecurity Vulnerability Listing
Archived FLIR Security Advisory
 
FLIR Systems, Inc.--FLIR Thermal Camera F/FC/PT/D Stream FLIR Thermal Camera F/FC/PT/D Stream firmware version 8.0.0.64 contains an unauthenticated vulnerability that allows remote attackers to access live camera streams without credentials. Attackers can exploit the vulnerability to view unauthorized thermal camera video feeds across multiple camera series without requiring any authentication. 2026-01-07 7.5 CVE-2017-20213 Zero Science Lab Vulnerability Advisory
Exploit Database Entry 42789
Packet Storm Security Exploit Archive
CXSecurity Vulnerability Listing
Archived FLIR Security Advisory
 
FLIR Systems, Inc.--FLIR Thermal Camera FC-S/PT FLIR Thermal Camera FC-S/PT firmware version 8.0.0.64 contains an authenticated OS command injection vulnerability that allows attackers to execute shell commands with root privileges. Authenticated attackers can inject arbitrary shell commands through unvalidated input parameters to gain complete control of the thermal camera system. 2026-01-07 8.8 CVE-2017-20215 Zero Science Lab Vulnerability Advisory
Exploit Database Entry 42788
Packet Storm Security Exploit Archive
CXSecurity Vulnerability Listing
Archived FLIR Security Advisory
 
FLIR Systems, Inc.--FLIR Thermal Camera PT-Series FLIR Thermal Camera PT-Series firmware version 8.0.0.64 contains multiple unauthenticated remote command injection vulnerabilities in the controllerFlirSystem.php script. Attackers can execute arbitrary system commands as root by exploiting unsanitized POST parameters in the execFlirSystem() function through shell_exec() calls. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-06 (UTC). 2026-01-07 9.8 CVE-2017-20216 Zero Science Lab Vulnerability Advisory
Exploit Database Entry 42785
Packet Storm Security Exploit Archive
CXSecurity Vulnerability Listing
Archived FLIR Security Advisory
 
frappe--frappe Frappe is a full-stack web application framework. Versions 14.99.5 and below and 15.0.0 through 15.80.1 include requests that are vulnerable to path traversal attacks. Arbitrary files from the server could be retrieved due to a lack of proper sanitization on some requests. This issue is fixed in versions 14.99.6 and 15.88.1. To workaround, changing the setup to use a reverse proxy is recommended. 2026-01-05 7.5 CVE-2025-68953 https://github.com/frappe/frappe/security/advisories/GHSA-xj39-3g4p-f46v
https://github.com/frappe/frappe/commit/3867fb112c3f7be1a863e40f19e9235719f784fb
https://github.com/frappe/frappe/commit/959efd6a498cfaeaf7d4e0ab6cca78c36192d34d
 
Frenify--Arlo Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Frenify Arlo arlo allows Reflected XSS.This issue affects Arlo: from n/a through 6.0.3. 2026-01-07 7.1 CVE-2025-69082 https://patchstack.com/database/wordpress/theme/arlo/vulnerability/wordpress-arlo-theme-6-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
fsylum--FS Registration Password The FS Registration Password plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.1. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. 2026-01-06 9.8 CVE-2025-15001 https://www.wordfence.com/threat-intel/vulnerabilities/id/22351b90-fc34-44ce-9241-4a0f01eb7b1c?source=cve
https://plugins.trac.wordpress.org/browser/registration-password/tags/1.0.1/src/WP/Auth.php
https://plugins.trac.wordpress.org/changeset/3431651/registration-password
 
G5Theme--Handmade Framework Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in G5Theme Handmade Framework allows PHP Local File Inclusion.This issue affects Handmade Framework: from n/a through 3.9. 2026-01-08 7.5 CVE-2026-22521 https://patchstack.com/database/wordpress/plugin/handmade-framework/vulnerability/wordpress-handmade-framework-plugin-3-9-local-file-inclusion-vulnerability?_s_id=cve
 
ggml-org--llama.cpp llama.cpp is an inference of several LLM models in C/C++. In commits 55d4206c8 and prior, the n_discard parameter is parsed directly from JSON input in the llama.cpp server's completion endpoints without validation to ensure it's non-negative. When a negative value is supplied and the context fills up, llama_memory_seq_rm/add receives a reversed range and negative offset, causing out-of-bounds memory writes in the token evaluation loop. This deterministic memory corruption can crash the process or enable remote code execution (RCE). There is no fix at the time of publication. 2026-01-07 8.8 CVE-2026-21869 https://github.com/ggml-org/llama.cpp/security/advisories/GHSA-8947-pfff-2f3c
 
GitLab--GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage. 2026-01-09 8 CVE-2025-13761 GitLab Issue #582237
HackerOne Bug Bounty Report #3441368
https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/
 
GitLab--GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown. 2026-01-09 8.7 CVE-2025-9222 GitLab Issue #562561
HackerOne Bug Bounty Report #3297483
https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/
 
GitLab--GitLab GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to access and utilize AI model settings from unauthorized namespaces by manipulating namespace identifiers in API requests. 2026-01-09 7.1 CVE-2025-13772 GitLab Issue #581268
https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/
 
greenshot--greenshot Greenshot is an open source Windows screenshot utility. Versions 1.3.310 and below arvulnerable to OS Command Injection through unsanitized filename processing. The FormatArguments method in ExternalCommandDestination.cs:269 uses string.Format() to insert user-controlled filenames directly into shell commands without sanitization, allowing attackers to execute arbitrary commands by crafting malicious filenames containing shell metacharacters. This issue is fixed in version 1.3.311. 2026-01-08 7.8 CVE-2026-22035 https://github.com/greenshot/greenshot/security/advisories/GHSA-7hvw-q8q5-gpmj
https://github.com/greenshot/greenshot/commit/5dedd5c9f0a9896fa0af1d4980d875a48bf432cb
https://github.com/greenshot/greenshot/releases/tag/v1.3.311
 
GT3 themes--Photo Gallery Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3 themes Photo Gallery allows Reflected XSS.This issue affects Photo Gallery: from n/a through 2.7.7.26. 2026-01-06 7.1 CVE-2025-69084 https://patchstack.com/database/wordpress/plugin/gt3-photo-video-gallery/vulnerability/wordpress-photo-gallery-plugin-2-7-7-26-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Guangzhou V--V-SOL GPON/EPON OLT Platform V-SOL GPON/EPON OLT Platform v2.03 contains an open redirect vulnerability in the script that allows attackers to manipulate the 'parent' GET parameter. Attackers can craft malicious links that redirect logged-in users to arbitrary websites by exploiting improper input validation in the redirect mechanism. 2026-01-07 9.8 CVE-2019-25282 Zero Science Lab Vulnerability Advisory
Packet Storm Security Exploit Entry
IBM X-Force Vulnerability Exchange
CXSecurity Vulnerability Database Entry
VSOL Vendor Homepage
 
Guangzhou Yeroo Tech Co., Ltd.--iDS6 DSSPro Digital Signage System iDS6 DSSPro Digital Signage System 6.2 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept authentication credentials through cleartext cookie transmission. Attackers can exploit the autoSave feature to capture user passwords during man-in-the-middle attacks on HTTP communications. 2026-01-06 7.5 CVE-2020-36917 Zero Science Lab Disclosure (ZSL-2020-5605)
Packet Storm Security Exploit Entry
IBM X-Force Vulnerability Exchange
CXSecurity Vulnerability Database Entry
Archived Yeroo Tech Vendor Homepage
VulnCheck Advisory: iDS6 DSSPro Digital Signage System 6.2 Cleartext Password Disclosure via Cookie
 
haxtheweb--issues HAX CMS helps manage microsite universe with PHP or NodeJs backends. In versions 11.0.6 to before 25.0.0, HAX CMS is vulnerable to stored XSS, which could lead to account takeover. This issue has been patched in version 25.0.0. 2026-01-10 8.1 CVE-2026-22704 https://github.com/haxtheweb/issues/security/advisories/GHSA-3fm2-xfq7-7778
https://github.com/haxtheweb/haxcms-nodejs/releases/tag/v25.0.0
 
IceWhaleTech--ZimaOS ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a known system service account. The application's login function fails to properly handle the password validation result for these users, effectively granting authenticated access to anyone who knows one of these common usernames and provides any password. As of time of publication, no known patched versions are available. 2026-01-08 9.4 CVE-2026-21891 https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-xj93-qw9p-jxq4
 
Infility--Infility Global Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infility Infility Global allows SQL Injection.This issue affects Infility Global: from n/a through 2.14.48. 2026-01-05 9.3 CVE-2025-68865 https://vdp.patchstack.com/database/wordpress/plugin/infility-global/vulnerability/wordpress-infility-global-plugin-2-14-38-sql-injection-vulnerability?_s_id=cve
 
INIM Electronics s.r.l.--SmartLiving SmartLAN/G/SI SmartLiving SmartLAN <=6.x contains an authenticated remote command injection vulnerability in the web.cgi binary through the 'par' POST parameter with the 'testemail' module. Attackers can exploit the unsanitized parameter and system() function call to execute arbitrary system commands with root privileges using default credentials. 2026-01-07 8.8 CVE-2019-25289 Zero Science Lab Vulnerability Advisory
Exploit Database Entry 47765
Packet Storm Security Exploit File
CXSecurity Vulnerability Issue
IBM X-Force Vulnerability Exchange Entry
Inim Vendor Homepage
 
INIM Electronics s.r.l.--Smartliving SmartLAN/G/SI INIM Electronics Smartliving SmartLAN/G/SI <=6.x contains hard-coded credentials in its Linux distribution image that cannot be changed through normal device operations. Attackers can exploit these persistent credentials to log in and gain unauthorized system access across multiple SmartLiving device models. 2026-01-07 7.5 CVE-2019-25291 Zero Science Lab Vulnerability Advisory
Exploit Database Entry 47763
Packet Storm Security Exploit File
IBM X-Force Vulnerability Exchange Entry
INIM Vendor Homepage
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a Use After Free vulnerability in the CIccXform::Create() function, where it deletes the hint. This issue is fixed in version 2.3.1.1. 2026-01-06 9.8 CVE-2026-21675 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-wcwx-794g-g78f
https://github.com/InternationalColorConsortium/iccDEV/issues/182
https://github.com/InternationalColorConsortium/iccDEV/commit/510baf58fa48e00ebbb5dd577f0db4af8876bb31
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are prone to have Undefined Behavior (UB) and Out of Memory errors. This issue is fixed in version 2.3.1.2. 2026-01-06 8.8 CVE-2026-21485 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-chp2-4gv5-2432
https://github.com/InternationalColorConsortium/iccDEV/issues/340
https://github.com/InternationalColorConsortium/iccDEV/commit/c136aac51d25cbb4d9db63f071edad4f088843df
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have a Heap-based Buffer Overflow in its CIccMBB::Validate function which checks tag data validity. This issue is fixed in version 2.3.1.1. 2026-01-06 8.8 CVE-2026-21676 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-j5vv-p2hv-c392
https://github.com/InternationalColorConsortium/iccDEV/issues/215
https://github.com/InternationalColorConsortium/iccDEV/commit/e4c38a67d06073b38d58580b0cfc78ca61005f84
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have Undefined Behavior in its CIccCLUT::Init function which initializes and sets the size of a CLUT. This issue is fixed in version 2.3.1.1. 2026-01-06 8.8 CVE-2026-21677 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-95w5-jvqf-3994
https://github.com/InternationalColorConsortium/iccDEV/issues/181
https://github.com/InternationalColorConsortium/iccDEV/commit/201125fbda22c8e4ea95800a6b427093fa4b8a22
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to heap-buffer-overflow in CIccLocalizedUnicode::GetText(). This issue has been patched in version 2.3.1.2. 2026-01-07 8.8 CVE-2026-21679 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-h4wg-473g-p5wc
https://github.com/InternationalColorConsortium/iccDEV/issues/328
https://github.com/InternationalColorConsortium/iccDEV/pull/329
https://github.com/InternationalColorConsortium/iccDEV/commit/2eb25ab95f0db7664ec3850390b6f89e302e7039
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow in `CIccXmlArrayType::ParseText()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. 2026-01-07 8.8 CVE-2026-21682 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-jq9m-54gr-c56c
https://github.com/InternationalColorConsortium/iccDEV/issues/178
https://github.com/InternationalColorConsortium/iccDEV/pull/229
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `icStatusCMM::CIccEvalCompare::EvaluateProfile()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. 2026-01-07 8.8 CVE-2026-21683 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-f2wp-j3fr-938w
https://github.com/InternationalColorConsortium/iccDEV/issues/183
https://github.com/InternationalColorConsortium/iccDEV/pull/228
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `SIccCalcOp::ArgsPushed()` at `IccProfLib/IccMpeCalc.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. 2026-01-07 8.8 CVE-2026-21688 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-3r2x-j7v3-pg6f
https://github.com/InternationalColorConsortium/iccDEV/issues/379
https://github.com/InternationalColorConsortium/iccDEV/pull/422
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `ToXmlCurve()` at `IccXML/IccLibXML/IccMpeXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. 2026-01-07 8.8 CVE-2026-21692 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-7662-mf46-wr88
https://github.com/InternationalColorConsortium/iccDEV/issues/388
https://github.com/InternationalColorConsortium/iccDEV/pull/432
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccSegmentedCurveXml::ToXml()` at `IccXML/IccLibXML/IccMpeXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. 2026-01-07 8.8 CVE-2026-21693 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-v3q7-7hw6-6jq8
https://github.com/InternationalColorConsortium/iccDEV/issues/389
https://github.com/InternationalColorConsortium/iccDEV/pull/432
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `CIccProfileXml::ParseBasic()` at `IccXML/IccLibXML/IccProfileXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. 2026-01-07 8.8 CVE-2026-22046 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-7v4q-mhr2-hj7r
https://github.com/InternationalColorConsortium/iccDEV/issues/448
https://github.com/InternationalColorConsortium/iccDEV/pull/451
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `SIccCalcOp::Describe()` at `IccProfLib/IccMpeCalc.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. 2026-01-07 8.8 CVE-2026-22047 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-22q7-8347-79m5
https://github.com/InternationalColorConsortium/iccDEV/issues/454
https://github.com/InternationalColorConsortium/iccDEV/pull/459
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `CIccCLUT::Init()` at `IccProfLib/IccTagLut.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. 2026-01-08 8.8 CVE-2026-22255 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-qv2w-mq3g-73gv
https://github.com/InternationalColorConsortium/iccDEV/issues/466
https://github.com/InternationalColorConsortium/iccDEV/pull/469
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below contain Use After Free, Heap-based Buffer Overflow and Integer Overflow or Wraparound and Out-of-bounds Write vulnerabilities in its CIccSparseMatrix::CIccSparseMatrix function. This issue is fixed in version 2.3.1.2. 2026-01-06 7.8 CVE-2026-21486 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-mg98-j5q2-674w
https://github.com/InternationalColorConsortium/iccDEV/commit/1ab7363f38a20089934d3410c88f714eea392bf5
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have an infinite loop in the IccProfile.cpp function, CalcProfileID. This issue is fixed in version 2.3.1.1. 2026-01-06 7.5 CVE-2026-21507 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-hgp5-r8m9-8qpj
https://github.com/InternationalColorConsortium/iccDEV/issues/244
https://github.com/InternationalColorConsortium/iccDEV/commit/3f3ce789d0d2b608c194ed172fa38943519dc198
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have overflows and underflows in CIccXmlArrayType::ParseTextCountNum(). This vulnerability affects users of the iccDEV library who process ICC color profiles. This issue is fixed in version 2.3.1.1. 2026-01-06 7.8 CVE-2026-21673 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-g66g-f82c-vgm6
https://github.com/InternationalColorConsortium/iccDEV/issues/243
https://github.com/InternationalColorConsortium/iccDEV/commit/32740802ee14418bd14c429d7e2f142d92cd5c4f
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to heap-buffer-overflow vulnerability in IccTagXml(). This issue has been patched in version 2.3.1.2. 2026-01-07 7.8 CVE-2026-21678 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-9rp2-4c6g-hppf
https://github.com/InternationalColorConsortium/iccDEV/issues/55
https://github.com/InternationalColorConsortium/iccDEV/pull/219
https://github.com/InternationalColorConsortium/iccDEV/commit/c6c0f1cf45b48db94266132ccda5280a1a33569d
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Undefined Behavior runtime error. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. 2026-01-07 7.1 CVE-2026-21681 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-v4qq-v3c3-x62x
https://github.com/InternationalColorConsortium/iccDEV/pull/269
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagSpectralViewingConditions()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. 2026-01-07 7.1 CVE-2026-21684 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-fg9m-j9x8-8279
https://github.com/InternationalColorConsortium/iccDEV/issues/216
https://github.com/InternationalColorConsortium/iccDEV/pull/225
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagLut16::Read()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. 2026-01-07 7.1 CVE-2026-21685 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-c3xr-6687-5c8p
https://github.com/InternationalColorConsortium/iccDEV/issues/213
https://github.com/InternationalColorConsortium/iccDEV/pull/223
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagLutAtoB::Validate()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. 2026-01-07 7.1 CVE-2026-21686 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-792q-cqq9-mq4x
https://github.com/InternationalColorConsortium/iccDEV/issues/214
https://github.com/InternationalColorConsortium/iccDEV/pull/222
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagCurve::CIccTagCurve()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. 2026-01-07 7.1 CVE-2026-21687 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-prmm-g479-4fv7
https://github.com/InternationalColorConsortium/iccDEV/issues/180
https://github.com/InternationalColorConsortium/iccDEV/pull/221
 
ipaymu--iPaymu Payment Gateway for WooCommerce The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origin checks. This makes it possible for unauthenticated attackers to mark WooCommerce orders as paid by sending crafted POST requests to the webhook endpoint without any payment occurring, as well as enumerate order IDs and obtain valid order keys via GET requests, exposing customer order PII including names, addresses, and purchased products. 2026-01-07 8.2 CVE-2026-0656 https://www.wordfence.com/threat-intel/vulnerabilities/id/7e639aed-ec67-4212-9051-1f7465bbfde2?source=cve
https://plugins.trac.wordpress.org/browser/ipaymu-for-woocommerce/tags/2.0.2/gateway.php?marks=316-336,370-380#L316
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429657%40ipaymu-for-woocommerce&new=3429657%40ipaymu-for-woocommerce
 
iWT Ltd.--FaceSentry Access Control System FaceSentry Access Control System 6.4.8 contains a cleartext password storage vulnerability that allows attackers to access unencrypted credentials in the device's SQLite database. Attackers can directly read sensitive login information stored in /faceGuard/database/FaceSentryWeb.sqlite without additional authentication. 2026-01-07 8.2 CVE-2019-25279 Zero Science Lab Vulnerability Advisory
IBM X-Force Exchange Vulnerability Entry
Packet Storm Security Exploit Entry
 
iWT Ltd.--FaceSentry Access Control System FaceSentry Access Control System 6.4.8 contains a cleartext transmission vulnerability that allows remote attackers to intercept authentication credentials. Attackers can perform man-in-the-middle attacks to capture HTTP cookie authentication information during network communication. 2026-01-07 7.5 CVE-2019-25278 Zero Science Lab Vulnerability Advisory
Packet Storm Security Exploit Entry
IBM X-Force Vulnerability Exchange Entry
 
JanStudio--Gecko Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JanStudio Gecko allows PHP Local File Inclusion.This issue affects Gecko: from n/a through 1.9.8. 2026-01-07 8.1 CVE-2025-69080 https://patchstack.com/database/wordpress/theme/gecko/vulnerability/wordpress-gecko-theme-1-9-8-local-file-inclusion-vulnerability?_s_id=cve
 
jwsthemes--FreeAgent Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes FreeAgent allows PHP Local File Inclusion.This issue affects FreeAgent: from n/a through 2.1.2. 2026-01-05 8.1 CVE-2025-69087 https://vdp.patchstack.com/database/wordpress/theme/freeagent/vulnerability/wordpress-freeagent-theme-2-1-2-local-file-inclusion-vulnerability?_s_id=cve
 
Jwsthemes--Issabella Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Jwsthemes Issabella allows PHP Local File Inclusion.This issue affects Issabella: from n/a through 1.1.2. 2026-01-06 8.1 CVE-2025-69086 https://patchstack.com/database/wordpress/theme/issabella/vulnerability/wordpress-issabella-theme-1-1-2-local-file-inclusion-vulnerability?_s_id=cve
 
kanboard--kanboard Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below is vulnerable to a critical authentication bypass when REVERSE_PROXY_AUTH is enabled. The application blindly trusts HTTP headers for user authentication without verifying the request originated from a trusted reverse proxy. An attacker can impersonate any user, including administrators, by simply sending a spoofed HTTP header. This issue is fixed in version 1.2.49. 2026-01-08 9.1 CVE-2026-21881 https://github.com/kanboard/kanboard/security/advisories/GHSA-wwpf-3j4p-739w
https://github.com/kanboard/kanboard/commit/7af6143e2ad25b5c15549cca8af4341c7ac4e2fc
https://github.com/kanboard/kanboard/releases/tag/v1.2.49
 
KlbTheme--Machic Core Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KlbTheme Machic Core allows DOM-Based XSS.This issue affects Machic Core: from n/a through 1.2.6. 2026-01-05 7.1 CVE-2023-49186 https://vdp.patchstack.com/database/wordpress/plugin/machic-core/vulnerability/wordpress-machic-core-plugin-1-2-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
loopus--WP Cost Estimation & Payment Forms Builder The WP Cost Estimation plugin for WordPress is vulnerable to arbitrary file uploads and deletion due to missing file type validation in the lfb_upload_form and lfb_removeFile AJAX actions in versions up to, and including, 9.642. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. Additionally, the attacker can also delete files on the server such as database configuration files, subsequently uploading their own database files. 2026-01-08 9.8 CVE-2019-25296 https://www.wordfence.com/threat-intel/vulnerabilities/id/ae50aa5d-95e3-4650-9dbf-118b4ba3abda?source=cve
https://www.wordfence.com/blog/2019/02/vulnerabilities-patched-in-wp-cost-estimation-plugin/
https://www.zdnet.com/article/another-wordpress-commercial-plugin-gets-exploited-in-the-wild/
https://wpscan.com/vulnerability/9219
https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-wp-cost-estimation-payment-forms-builder-multiple-vulnerabilities-9-642/
 
MacWarrior--clipbucket-v5 ClipBucket v5 is an open source video sharing platform. Versions 5.5.2-#187 and below allow an attacker to perform Blind SQL Injection through the add comment section within a channel. When adding a comment within a channel, there is a POST request to the /actions/ajax.php endpoint. The obj_id parameter within the POST request to /actions/ajax.php is then used within the user_exists function of the upload/includes/classes/user.class. php file as the $id parameter. It is then used within the count function of the upload/includes/classes/db.class. php file. The $id parameter is concatenated into the query without validation or sanitization, and a user-supplied input like 1' or 1=1-- - can be used to trigger the injection. This issue does not have a fix at the time of publication. 2026-01-07 9.8 CVE-2026-21875 https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-crpv-fmc4-j392
 
Marketing Fire LLC--LoginWP - Pro Missing Authorization vulnerability in Marketing Fire LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5. 2026-01-05 7.5 CVE-2025-46255 https://vdp.patchstack.com/database/wordpress/plugin/loginwp-pro/vulnerability/wordpress-loginwp-pro-plugin-4-0-8-5-settings-change-vulnerability?_s_id=cve
 
Meow Apps--Media File Renamer Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using Malicious Files.This issue affects Media File Renamer: from n/a through 5.7.7. 2026-01-05 9.1 CVE-2023-50897 https://vdp.patchstack.com/database/wordpress/plugin/media-file-renamer/vulnerability/wordpress-media-file-renamer-plugin-5-7-7-arbitrary-file-rename-lead-to-rce-vulnerability?_s_id=cve
 
Mojoomla--WPCHURCH Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mojoomla WPCHURCH allows Blind SQL Injection.This issue affects WPCHURCH: from n/a through 2.7.0. 2026-01-07 9.3 CVE-2025-32303 https://patchstack.com/database/wordpress/plugin/church-management/vulnerability/wordpress-wpchurch-2-7-0-sql-injection-vulnerability?_s_id=cve
 
Mojoomla--WPCHURCH Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mojoomla WPCHURCH allows PHP Local File Inclusion.This issue affects WPCHURCH: from n/a through 2.7.0. 2026-01-06 8.1 CVE-2025-32304 https://patchstack.com/database/wordpress/plugin/church-management/vulnerability/wordpress-wpchurch-plugin-2-7-0-local-file-inclusion-vulnerability?_s_id=cve
 
moneyspace--Money Space The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then embedding these values into the publicly accessible mspaylink page's inline JavaScript without any authentication or authorization check. This makes it possible for unauthenticated attackers who know or can guess an order_id to access the mspaylink endpoint and retrieve full credit card numbers and CVV codes directly from the HTML/JS response, constituting a severe PCI-DSS violation. 2026-01-07 8.6 CVE-2025-13371 https://www.wordfence.com/threat-intel/vulnerabilities/id/77db827d-9afd-4b59-b0ad-1ad562634c52?source=cve
https://github.com/MoneySpace-net/money-space-for-Woocommerce/blob/e79d96cfc1b12cece15c6f0b309045403cc6a9d2/view/mspaylink.php#L164
https://plugins.trac.wordpress.org/browser/money-space/trunk/view/mspaylink.php#L232
https://plugins.trac.wordpress.org/browser/money-space/tags/2.13.9/view/mspaylink.php#L232
https://github.com/MoneySpace-net/money-space-for-Woocommerce/blob/e79d96cfc1b12cece15c6f0b309045403cc6a9d2/view/mspaylink.php#L232
 
n/a--GNU Wget2 A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially allow further compromise of the user's environment. 2026-01-09 8.8 CVE-2025-69194 https://access.redhat.com/security/cve/CVE-2025-69194
RHBZ#2425773
 
n/a--GNU Wget2 A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. A remote attacker can exploit this by providing a specially crafted URL, which, upon user interaction with wget2, can lead to memory corruption. This can cause the application to crash and potentially allow for further malicious activities. 2026-01-09 7.6 CVE-2025-69195 https://access.redhat.com/security/cve/CVE-2025-69195
RHBZ#2425770
 
n8n-io--n8n n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0. 2026-01-07 10 CVE-2026-21858 https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg
 
n8n-io--n8n n8n is an open source workflow automation platform. In versions 0.121.2 and below, an authenticated attacker may be able to execute malicious code using the n8n service. This could result in full compromise and can impact both self-hosted and n8n Cloud instances. This issue is fixed in version 1.121.3. Administrators can reduce exposure by disabling the Git node and limiting access for untrusted users, but upgrading to the latest version is recommended. 2026-01-08 10 CVE-2026-21877 https://github.com/n8n-io/n8n/security/advisories/GHSA-v364-rw7m-3263
https://github.com/n8n-io/n8n/commit/f4b009d00d1f4ba9359b8e8f1c071e3d910a55f6
 
nasa--CryptoLib CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the Crypto_AOS_ProcessSecurity function reads memory without valid bounds checking when parsing AOS frame hashes. This issue has been patched in version 1.4.3. 2026-01-10 8.2 CVE-2026-21898 https://github.com/nasa/CryptoLib/security/advisories/GHSA-7ch6-2pmg-m853
https://github.com/nasa/CryptoLib/releases/tag/v1.4.3
 
nasa--CryptoLib CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the Crypto_Config_Add_Gvcid_Managed_Parameters function only checks whether gvcid_counter > GVCID_MAN_PARAM_SIZE. As a result, it allows up to the 251st entry, which causes a write past the end of the array, overwriting gvcid_counter located immediately after gvcid_managed_parameters_array[250]. This leads to an out-of-bounds write, and the overwritten gvcid_counter may become an arbitrary value, potentially affecting the parameter lookup/registration logic that relies on it. This issue has been patched in version 1.4.3. 2026-01-10 7.3 CVE-2026-21897 https://github.com/nasa/CryptoLib/security/advisories/GHSA-9x7j-gx23-7m5r
https://github.com/nasa/CryptoLib/releases/tag/v1.4.3
 
nasa--CryptoLib CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, CryptoLib's KMC crypto service integration is vulnerable to a heap buffer overflow when decoding Base64-encoded ciphertext/cleartext fields returned by the KMC service. The decode destination buffer is sized using an expected output length (len_data_out), but the Base64 decoder writes output based on the actual Base64 input length and does not enforce any destination size limit. An oversized Base64 string in the KMC JSON response can cause out-of-bounds writes on the heap, resulting in process crash and potentially code execution under certain conditions. This issue has been patched in version 1.4.3. 2026-01-10 7.5 CVE-2026-22697 https://github.com/nasa/CryptoLib/security/advisories/GHSA-qjx3-83jh-2jc4
https://github.com/nasa/CryptoLib/releases/tag/v1.4.3
 
neeraj_slit--Brevo for WooCommerce The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'user_connection_id' parameter in all versions up to, and including, 4.0.49 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-08 7.2 CVE-2025-14436 https://www.wordfence.com/threat-intel/vulnerabilities/id/670f4e26-75c9-40cd-8088-2fa4c40f6feb?source=cve
https://plugins.trac.wordpress.org/browser/woocommerce-sendinblue-newsletter-subscription/trunk/woocommerce-sendinblue.php#L164
https://plugins.trac.wordpress.org/browser/woocommerce-sendinblue-newsletter-subscription/trunk/woocommerce-sendinblue.php#L171
https://plugins.trac.wordpress.org/browser/woocommerce-sendinblue-newsletter-subscription/trunk/woocommerce-sendinblue.php#L188
https://plugins.trac.wordpress.org/browser/woocommerce-sendinblue-newsletter-subscription/trunk/src/managers/admin-manager.php#L59
https://plugins.trac.wordpress.org/browser/woocommerce-sendinblue-newsletter-subscription/trunk/src/views/admin_menus.php#L728
https://plugins.trac.wordpress.org/changeset/3434903/woocommerce-sendinblue-newsletter-subscription
 
NREL--BEopt NREL BEopt 2.8.0.0 contains a DLL hijacking vulnerability that allows attackers to load arbitrary libraries by tricking users into opening application files from remote shares. Attackers can exploit insecure library loading of sdl2.dll and libegl.dll by placing malicious libraries on WebDAV or SMB shares to execute unauthorized code. 2026-01-07 9.8 CVE-2019-25268 Zero Science Lab Vulnerability Advisory
Packet Storm Security Exploit Entry
CXSecurity Vulnerability Listing
IBM X-Force Vulnerability Exchange
BEopt Product Homepage
 
opajaap--WP Photo Album Plus The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to, and including, 9.1.05.008 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2026-01-07 7.1 CVE-2025-14835 https://www.wordfence.com/threat-intel/vulnerabilities/id/0903521d-3b07-4539-97c9-15e6bbe2cc2e?source=cve
https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-ajax.php#L43
https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-ajax.php#L1130
https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-filter.php#L125
https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-functions.php#L5617
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3427638%40wp-photo-album-plus%2Ftrunk&old=3426267%40wp-photo-album-plus%2Ftrunk&sfp_email=&sfph_mail=
 
OpenCTI-Platform--opencti OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.1, the GraphQL mutation "WorkspacePopoverDeletionMutation" allows users to delete workspace-related objects such as dashboards and investigation cases. However, the mutation lacks proper authorization checks to verify ownership of the targeted resources. An attacker can exploit this by supplying an active UUID of another user. Since the API does not validate whether the requester owns the resource, the mutation executes successfully, resulting in unauthorized deletion of the entire workspace. Version 6.8.1 fixes the issue. 2026-01-05 7.1 CVE-2025-61781 https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-pr6m-q4g7-342c
 
OPEXUS--eCASE Audit OPEXUS eCASE Audit allows an authenticated attacker to modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator. Fixed in eCASE Platform 11.14.1.0. 2026-01-08 7.6 CVE-2026-22230 url
url
url
 
OPEXUS--eCase Portal OPEXUS eCasePortal before version 9.0.45.0 allows an unauthenticated attacker to navigate to the 'Attachments.aspx' endpoint, iterate through predictable values of 'formid', and download or delete all user-uploaded files, or upload new files. 2026-01-08 9.8 CVE-2026-22234 url
url
 
OPEXUS--eComplaint OPEXUS eComplaint before version 9.0.45.0 allows an attacker to visit the the 'DocumentOpen.aspx' endpoint, iterate through predictable values of 'chargeNumber', and download any uploaded files. 2026-01-08 7.5 CVE-2026-22235 url
url
 
opf--openproject OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file (disguised as a PNG) as a work package attachment, an attacker can exploit the backend image processing engine (ImageMagick). When the work package is exported to PDF, the backend attempts to resize the image, triggering the ImageMagick text: coder. This allows an attacker to read arbitrary local files that the application user has permissions to access (e.g., /etc/passwd, all project configuration files, private project data, etc.). The attack requires permissions to upload attachments to a container that can be exported to PDF, such as a work package. The issue has been patched in version 16.6.4. Those who are unable to upgrade may apply the patch manually. 2026-01-10 9.1 CVE-2026-22600 https://github.com/opf/openproject/security/advisories/GHSA-m8f2-cwpq-vvhh
https://github.com/opf/openproject/releases/tag/v16.6.4
 
Plexus--Plexus anblick Digital Signage Management Plexus anblick Digital Signage Management 3.1.13 contains an open redirect vulnerability in the 'PantallaLogin' script that allows attackers to manipulate the 'pagina' GET parameter. Attackers can craft malicious links that redirect users to arbitrary websites by exploiting improper input validation in the parameter. 2026-01-06 9.8 CVE-2020-36912 Zero Science Lab Disclosure (ZSL-2020-5573)
Packet Storm Security Exploit Entry
IBM X-Force Vulnerability Exchange Entry
Plexus Vendor Homepage
VulnCheck Advisory: Plexus anblick Digital Signage Management 3.1.13 Open Redirect via Pagina Parameter
 
pnpm--pnpm pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval. This issue is fixed in version 10.26.0. 2026-01-07 8.8 CVE-2025-69264 https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj
https://github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5
 
pnpm--pnpm pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0. 2026-01-07 7.6 CVE-2025-69262 https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx
https://github.com/pnpm/pnpm/releases/tag/v10.27.0
 
pnpm--pnpm pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. The attack requires the victim to install a package that has an HTTP/git tarball in its dependency tree. The victim's lockfile provides no protection. This issue is fixed in version 10.26.0. 2026-01-07 7.5 CVE-2025-69263 https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw
https://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85
 
Pro-Bravia--Sony BRAVIA Digital Signage Sony BRAVIA Digital Signage 1.7.8 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive system details through API endpoints. Attackers can retrieve network interface information, server configurations, and system metadata by sending requests to the exposed system API. 2026-01-06 7.5 CVE-2020-36922 ExploitDB-49187
Sony BRAVIA Digital Signage Official Homepage
BRAVIA Signage Software Resources
Sony Professional Display Software Product Page
Zero Science Lab Disclosure (ZSL-2020-5610)
Packet Storm Security Exploit Entry
CXSecurity Vulnerability Database
IBM X-Force Vulnerability Exchange
VulnCheck Advisory: Sony BRAVIA Digital Signage 1.7.8 Unauthenticated System API Information Disclosure
 
Pro-Bravia--Sony BRAVIA Digital Signage Sony BRAVIA Digital Signage 1.7.8 contains a remote file inclusion vulnerability that allows attackers to inject arbitrary client-side scripts through the content material URL parameter. Attackers can exploit this vulnerability to hijack user sessions, execute cross-site scripting code, and modify display content by manipulating the input material type. 2026-01-06 7.5 CVE-2020-36924 ExploitDB-49186
Sony BRAVIA Digital Signage Product Homepage
BRAVIA Signage Software Resources
Sony Professional Display Software Product Page
Zero Science Lab Disclosure (ZSL-2020-5612)
Packet Storm Security Exploit Archive
IBM X-Force Exchange Vulnerability Entry
CXSecurity Vulnerability Listing
VulnCheck Advisory: Sony BRAVIA Digital Signage 1.7.8 Unauthenticated Remote File Inclusion
 
projectworlds--House Rental and Property Listing A flaw has been found in projectworlds House Rental and Property Listing 1.0. Impacted is an unknown function of the file /app/register.php?action=reg of the component Signup. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used. 2026-01-06 7.3 CVE-2026-0643 VDB-339686 | projectworlds House Rental and Property Listing Signup register.php unrestricted upload
VDB-339686 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #732563 | projectworlds.com rental And Property Listing Project V1.0 File unrestricted upload
https://github.com/1uzpk/cve/issues/4
 
Qualcomm, Inc.--Snapdragon Cryptographic issue may occur while encrypting license data. 2026-01-06 8.4 CVE-2025-47345 https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory corruption while deinitializing a HDCP session. 2026-01-06 7.8 CVE-2025-47339 https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory corruption while processing a video session to set video parameters. 2026-01-06 7.8 CVE-2025-47343 https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory corruption while processing a secure logging command in the trusted application. 2026-01-06 7.8 CVE-2025-47346 https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory corruption while processing identity credential operations in the trusted application. 2026-01-06 7.8 CVE-2025-47348 https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory Corruption when multiple threads concurrently access and modify shared resources. 2026-01-06 7.8 CVE-2025-47356 https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory corruption while preprocessing IOCTLs in sensors. 2026-01-06 7.8 CVE-2025-47380 https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory corruption while passing pages to DSP with an unaligned starting address. 2026-01-06 7.8 CVE-2025-47388 https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory corruption when accessing resources in kernel driver. 2026-01-06 7.8 CVE-2025-47393 https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory corruption when copying overlapping buffers during memory operations due to incorrect offset calculations. 2026-01-06 7.8 CVE-2025-47394 https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory corruption occurs when a secure application is launched on a device with insufficient memory. 2026-01-06 7.8 CVE-2025-47396 https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html
 
Quanta Computer--QOCA aim AI Medical Cloud Platform QOCA aim AI Medical Cloud Platform developed by Quanta Computer has an Arbitrary File Upload vulnerability, allowing authenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. 2026-01-05 8.8 CVE-2025-15240 https://www.twcert.org.tw/tw/cp-132-10615-157a3-1.html
https://www.twcert.org.tw/en/cp-139-10616-cd942-2.html
 
quickjs-ng--quickjs A vulnerability was determined in quickjs-ng quickjs up to 0.11.0. This vulnerability affects the function js_typed_array_constructor of the file quickjs.c. Executing a manipulation can lead to heap-based buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This patch is called c5d80831e51e48a83eab16ea867be87f091783c5. A patch should be applied to remediate this issue. 2026-01-10 7.3 CVE-2026-0821 VDB-340355 | quickjs-ng quickjs quickjs.c js_typed_array_constructor heap-based overflow
VDB-340355 | CTI Indicators (IOB, IOC, IOA)
Submit #731780 | quickjs-ng quickjs v0.11.0 Heap-based Buffer Overflow
https://github.com/quickjs-ng/quickjs/issues/1296
https://github.com/quickjs-ng/quickjs/pull/1299
https://github.com/quickjs-ng/quickjs/issues/1296#issue-3780003395
https://github.com/quickjs-ng/quickjs/commit/c5d80831e51e48a83eab16ea867be87f091783c5
 
Red Hat--Red Hat Ansible Automation Platform 2.5 for RHEL 8 A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API Tokens in AAP, are enforced at the Gateway level for Gateway-specific operations. However, this vulnerability allows read-only tokens to perform write operations on backend services (e.g., Controller, Hub, EDA). If this flaw were exploited, an attacker's capabilities would only be limited by role based access controls (RBAC). 2026-01-08 8.5 CVE-2025-14025 https://access.redhat.com/articles/7136004
RHSA-2026:0360
RHSA-2026:0361
RHSA-2026:0408
RHSA-2026:0409
https://access.redhat.com/security/cve/CVE-2025-14025
RHBZ#2418785
 
Red Hat--Red Hat Enterprise Linux 10 A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in incorrect memory allocation on the stack, followed by unsafe memory copying. As a result, applications using libsoup may crash unexpectedly, creating a denial-of-service risk. 2026-01-08 7.5 CVE-2026-0719 https://access.redhat.com/security/cve/CVE-2026-0719
RHBZ#2427906
https://gitlab.gnome.org/GNOME/libsoup/-/issues/477
 
Red Hat--Red Hat JBoss Enterprise Application Platform 8.1 A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions. 2026-01-07 9.6 CVE-2025-12543 RHSA-2026:0383
RHSA-2026:0384
RHSA-2026:0386
https://access.redhat.com/security/cve/CVE-2025-12543
RHBZ#2408784
 
RED--RED-V Super Digital Signage System RXV-A740R RED-V Super Digital Signage System 5.1.1 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive webserver log files. Attackers can visit multiple endpoints to retrieve system resources and debug log information without authentication. 2026-01-06 7.5 CVE-2020-36921 Zero Science Lab Disclosure (ZSL-2020-5609)
Packet Storm Security Exploit Entry
IBM X-Force Vulnerability Exchange
CXSecurity Vulnerability Database
RED-V Vendor Homepage
VulnCheck Advisory: RED-V Super Digital Signage System 5.1.1 Log Information Disclosure Vulnerability
 
remix-run--react-router React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2. 2026-01-10 9.1 CVE-2025-61686 https://github.com/remix-run/react-router/security/advisories/GHSA-9583-h5hc-x8cw
 
remix-run--react-router React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0. 2026-01-10 8.2 CVE-2026-21884 https://github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7
 
remix-run--react-router React Router is a router for React. In @remix-run/router version prior to 1.23.2. and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0. 2026-01-10 8 CVE-2026-22029 https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx
 
remix-run--react-router React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-router versions 7.0.0 through 7.8.2, a XSS vulnerability exists in in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0. 2026-01-10 7.6 CVE-2025-59057 https://github.com/remix-run/react-router/security/advisories/GHSA-3cgp-3xvw-98x8
 
Rustaurius--Five Star Restaurant Reservations Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Five Star Restaurant Reservations: from n/a through 2.7.8. 2026-01-05 8.6 CVE-2025-68044 https://vdp.patchstack.com/database/wordpress/plugin/restaurant-reservations/vulnerability/wordpress-five-star-restaurant-reservations-plugin-2-7-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
RustCrypto--elliptic-curves RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a denial-of-service vulnerability exists in the SM2 PKE decryption path where an invalid elliptic-curve point (C1) is decoded and the resulting value is unwrapped without checking. Specifically, AffinePoint::from_encoded_point(&encoded_c1) may return a None/CtOption::None when the supplied coordinates are syntactically valid but do not lie on the SM2 curve. The calling code previously used .unwrap(), causing a panic when presented with such input. This issue has been patched via commit 085b7be. 2026-01-10 7.5 CVE-2026-22699 https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-78p6-6878-8mj6
https://github.com/RustCrypto/elliptic-curves/pull/1602
https://github.com/RustCrypto/elliptic-curves/commit/085b7bee647029bd189e1375203418205006bcab
 
RustCrypto--elliptic-curves RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a denial-of-service vulnerability exists in the SM2 public-key encryption (PKE) implementation: the decrypt() path performs unchecked slice::split_at operations on input buffers derived from untrusted ciphertext. An attacker can submit short/undersized ciphertext or carefully-crafted DER-encoded structures to trigger bounds-check panics (Rust unwinding) which crash the calling thread or process. This issue has been patched via commit e60e991. 2026-01-10 7.5 CVE-2026-22700 https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-j9xq-69pf-pcm8
https://github.com/RustCrypto/elliptic-curves/pull/1603
https://github.com/RustCrypto/elliptic-curves/commit/e60e99167a9a2b187ebe80c994c5204b0fdaf4ab
 
SaasProject--Booking Package Improper Validation of Specified Quantity in Input vulnerability in SaasProject Booking Package allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Booking Package: from n/a through 1.6.27. 2026-01-05 7.5 CVE-2024-30516 https://vdp.patchstack.com/database/wordpress/plugin/booking-package/vulnerability/wordpress-booking-package-plugin-1-6-27-price-manipulation-vulnerability?_s_id=cve
 
salvo-rs--salvo Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generate an file view of a folder which include a render of the current path, in which its inserted in the HTML without proper sanitation, this leads to reflected XSS using the fact that request path is decoded and normalized in the matching stage but not is inserted raw in the html view (current.path), the only constraint here is for the root path (eg. /files in the PoC example) to have a sub directory (e.g common ones styles/scripts/etc) so that the matching return the list HTML page instead of the Not Found page. This issue has been patched in version 0.88.1. 2026-01-08 8.8 CVE-2026-22256 https://github.com/salvo-rs/salvo/security/advisories/GHSA-rjf8-2wcw-f6mp
https://github.com/salvo-rs/salvo/blob/16efeba312a274739606ce76366d921768628654/crates/serve-static/src/dir.rs#L593
 
salvo-rs--salvo Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder without sanitizing the files or folders names, this may potentially lead to XSS in cases where a website allow the access to public files using this feature and anyone can upload a file. This issue has been patched in version 0.88.1. 2026-01-08 8.8 CVE-2026-22257 https://github.com/salvo-rs/salvo/security/advisories/GHSA-54m3-5fxr-2f3j
https://github.com/salvo-rs/salvo/blob/16efeba312a274739606ce76366d921768628654/crates/serve-static/src/dir.rs#L581
 
Sangfor--Operation and Maintenance Management System A vulnerability was found in Sangfor Operation and Maintenance Management System up to 3.0.8. This issue affects some unknown processing of the file /isomp-protocol/protocol/getHis of the component HTTP POST Request Handler. The manipulation of the argument sessionPath results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-09 9.8 CVE-2025-15500 VDB-340345 | Sangfor Operation and Maintenance Management System HTTP POST Request getHis os command injection
VDB-340345 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #727208 | Sangfor Operation and Maintenance Management System (OSM / 运维安全管理系统) 3.0.8 OS Command Injection
https://github.com/master-abc/cve/issues/11
https://github.com/master-abc/cve/issues/11#issue-3770602189
 
Sangfor--Operation and Maintenance Management System A vulnerability was determined in Sangfor Operation and Maintenance Management System up to 3.0.8. Impacted is the function WriterHandle.getCmd of the file /isomp-protocol/protocol/getCmd. This manipulation of the argument sessionPath causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-09 9.8 CVE-2025-15501 VDB-340346 | Sangfor Operation and Maintenance Management System getCmd WriterHandle.getCmd os command injection
VDB-340346 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #727214 | Sangfor Operation and Maintenance Management System (OSM / 运维安全管理系统) 3.0.8 OS Command Injection
https://github.com/master-abc/cve/issues/12
https://github.com/master-abc/cve/issues/12#issue-3770615262
 
Sangfor--Operation and Maintenance Management System A vulnerability has been found in Sangfor Operation and Maintenance Management System up to 3.0.8. This vulnerability affects the function uploadCN of the file VersionController.java. The manipulation of the argument filename leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-09 8.8 CVE-2025-15499 VDB-340344 | Sangfor Operation and Maintenance Management System VersionController.java uploadCN os command injection
VDB-340344 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #727207 | Sangfor Operation and Maintenance Management System (运维安全管理系统 / OSM) 3.0.8 Command Injection
https://github.com/master-abc/cve/issues/10
https://github.com/master-abc/cve/issues/10#issue-3770540830
 
Sangfor--Operation and Maintenance Management System A vulnerability was identified in Sangfor Operation and Maintenance Management System up to 3.0.8. The affected element is the function SessionController of the file /isomp-protocol/protocol/session. Such manipulation of the argument Hostname leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-10 7.3 CVE-2025-15502 VDB-340347 | Sangfor Operation and Maintenance Management System session SessionController os command injection
VDB-340347 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #727217 | Sangfor Operation and Maintenance Management System (OSM / 运维安全管理系统) 3.0.8 OS Command Injection
https://github.com/master-abc/cve/issues/14
https://github.com/master-abc/cve/issues/14#issue-3770634476
 
Sangfor--Operation and Maintenance Management System A security flaw has been discovered in Sangfor Operation and Maintenance Management System up to 3.0.8. The impacted element is an unknown function of the file /fort/trust/version/common/common.jsp. Performing a manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-10 7.3 CVE-2025-15503 VDB-340348 | Sangfor Operation and Maintenance Management System common.jsp unrestricted upload
VDB-340348 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #727253 | Sangfor Operation and Maintenance Management System (OSM / 运维安全管理系统) 3.0.8 Unrestricted Upload
https://github.com/master-abc/cve/issues/13
https://github.com/master-abc/cve/issues/13#issue-3770623333
 
Sfwebservice--InWave Jobs Missing Authorization vulnerability in Sfwebservice InWave Jobs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InWave Jobs: from n/a through 3.5.8. 2026-01-06 9.8 CVE-2025-39477 https://patchstack.com/database/wordpress/plugin/iwjob/vulnerability/wordpress-inwave-jobs-plugin-3-5-8-broken-access-control-vulnerability?_s_id=cve
 
shabti--Frontend Admin by DynamiApps The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.25. This is due to insufficient validation of user-supplied role values in the 'validate_value', 'pre_update_value', and 'get_fields_display' functions. This makes it possible for unauthenticated attackers to register as administrators and gain complete control of the site, granted they can access a user registration form containing a Role field. 2026-01-09 9.8 CVE-2025-14736 https://www.wordfence.com/threat-intel/vulnerabilities/id/07eb71fc-6588-490d-8947-3077ec4a9045?source=cve
https://plugins.trac.wordpress.org/changeset/3427243/acf-frontend-form-element/trunk/main/frontend/fields/user/class-role.php
 
shabti--Frontend Admin by DynamiApps The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts. 2026-01-09 9.1 CVE-2025-14741 https://www.wordfence.com/threat-intel/vulnerabilities/id/53adbab6-953a-4a6f-bbfc-89efdbdd28e0?source=cve
https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.26/main/frontend/fields/general/class-delete-object.php?marks=106,119,132,142#L106
 
shabti--Frontend Admin by DynamiApps The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-09 7.2 CVE-2025-14937 https://www.wordfence.com/threat-intel/vulnerabilities/id/46c988ff-9cc5-4f2b-a3dd-06eaef5a7919?source=cve
https://plugins.trac.wordpress.org/changeset/3427236/acf-frontend-form-element
 
Shazdeh--Header Image Slider Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Shazdeh Header Image Slider header-image-slider allows DOM-Based XSS.This issue affects Header Image Slider: from n/a through 0.3. 2026-01-06 7.1 CVE-2024-30547 https://patchstack.com/database/wordpress/plugin/header-image-slider/vulnerability/wordpress-header-image-slider-plugin-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Shenzhen Xingmeng Qihang Media Co., Ltd.--QiHang Media Web (QH.aspx) Digital Signage QiHang Media Web Digital Signage 3.0.9 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept user authentication credentials through cleartext cookie transmission. Attackers can perform man-in-the-middle attacks to capture and potentially misuse stored authentication credentials transmitted in an insecure manner. 2026-01-06 7.5 CVE-2020-36914 Zero Science Lab Disclosure (ZSL-2020-5578)
Packet Storm Security Exploit Entry
IBM X-Force Vulnerability Exchange
CXSecurity Vulnerability Database Entry
HowFor Vendor Homepage
VulnCheck Advisory: QiHang Media Web Digital Signage 3.0.9 Cookie Authentication Credentials Disclosure
 
solwininfotech--User Activity Log The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for unauthenticated attackers to push select site options from 0 to a non-zero value, allowing them to reopen registration or corrupt options like 'wp_user_roles', breaking wp-admin access. 2026-01-07 7.5 CVE-2025-11877 https://www.wordfence.com/threat-intel/vulnerabilities/id/24225f47-cec2-4270-88f0-8696ebfb7168?source=cve
https://plugins.trac.wordpress.org/browser/user-activity-log/trunk/user-functions.php
 
Sony Electronics Inc.--Sony BRAVIA Digital Signage Sony BRAVIA Digital Signage 1.7.8 contains an insecure direct object reference vulnerability that allows attackers to bypass authorization controls. Attackers can access hidden system resources like '/#/content-creation' by manipulating client-side access restrictions. 2026-01-06 9.8 CVE-2020-36923 Zero Science Lab Disclosure (ZSL-2020-5611)
IBM X-Force Exchange Vulnerability Entry
CXSecurity Vulnerability Listing
Packet Storm Security Exploit Archive
Sony Professional Display Software Product Page
BRAVIA Signage Software Resources
Sony BRAVIA Digital Signage Official Homepage
VulnCheck Advisory: Sony BRAVIA Digital Signage 1.7.8 Client-Side Protection Bypass via IDOR
 
spinnaker--spinnaker Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. The primary impact is allowing users to fetch data from a remote URL. This data can be then injected into spinnaker pipelines via helm or other methods to extract things LIKE idmsv1 authentication data. This also includes calling internal spinnaker API's via a get and similar endpoints. Further, depending upon the artifact in question, auth data may be exposed to arbitrary endpoints (e.g. GitHub auth headers) leading to credentials exposure. To trigger this, a spinnaker installation MUST have two things. The first is an artifact enabled that allows user input. This includes GitHub file artifacts, BitBucket, GitLab, HTTP artifacts and similar artifact providers. JUST enabling the http artifact provider will add a "no-auth" http provider that could be used to extract link local data (e.g. AWS Metadata information). The second is a system that can consume the output of these artifacts. e.g. Rosco helm can use this to fetch values data. K8s account manifests if the API returns JSON can be used to inject that data into the pipeline itself though the pipeline would fail. This vulnerability is fixed in versions 2025.1.6, 2025.2.3, and 2025.3.0. As a workaround, disable HTTP account types that allow user input of a given URL. This is probably not feasible in most cases. Git, Docker and other artifact account types with explicit URL configurations bypass this limitation and should be safe as they limit artifact URL loading. Alternatively, use one of the various vendors which provide OPA policies to restrict pipelines from accessing or saving a pipeline with invalid URLs. 2026-01-05 7.9 CVE-2025-61916 https://github.com/spinnaker/spinnaker/security/advisories/GHSA-vrjc-q2fh-6x9h
 
spree--spree Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5. 2026-01-10 7.5 CVE-2026-22589 https://github.com/spree/spree/security/advisories/GHSA-3ghg-3787-w2xr
https://github.com/spree/spree/commit/16067def6de8e0742d55313e83b0fbab6d2fd795
https://github.com/spree/spree/commit/4c2bd62326fba0d846fd9e4bad2c62433829b3ad
https://github.com/spree/spree/commit/d051925778f24436b62fa8e4a6b842c72ca80a67
https://github.com/spree/spree/commit/e1cff4605eb15472904602aebaf8f2d04852d6ad
 
staniel359--muffon muffon is a cross-platform music streaming client for desktop. Versions prior to 2.3.0 have a one-click Remote Code Execution (RCE) vulnerability in. An attacker can exploit this issue by embedding a specially crafted `muffon://` link on any website they control. When a victim visits the site or clicks the link, the browser triggers Muffon's custom URL handler, causing the application to launch and process the URL. This leads to RCE on the victim's machine without further interaction. Version 2.3.0 patches the issue. 2026-01-05 8.8 CVE-2025-55204 https://github.com/staniel359/muffon/security/advisories/GHSA-gc3f-gqph-522q
https://drive.google.com/file/d/1eCPCQ6leuVM_vecfofFv04c0t9isCBqR/view?usp=sharing
https://github.com/staniel359/muffon/releases/tag/v2.3.0
 
SUSE--harvester Projects using the SUSE Virtualization (Harvester) environment may expose the OS default ssh login password  if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster. The environment is not affected if the PXE boot mechanism is utilized along with the Harvester configuration setup. 2026-01-08 9.8 CVE-2025-62877 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62877
https://github.com/harvester/harvester/security/advisories/GHSA-6g8q-hp2j-gvwv
 
SUSE--neuvector NeuVector supports login authentication through OpenID Connect. However, the TLS verification (which verifies the remote server's authenticity and integrity) for OpenID Connect is not enforced by default. As a result this may expose the system to man-in-the-middle (MITM) attacks. 2026-01-08 8.8 CVE-2025-66001 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-66001
https://github.com/neuvector/neuvector/security/advisories/GHSA-4jj9-cgqc-x9h5
 
Tdmsignage--TDM Digital Signage PC Player TDM Digital Signage PC Player 4.1.0.4 contains an elevation of privileges vulnerability that allows authenticated users to modify executable files. Attackers can leverage the 'Modify' permissions for authenticated users to replace executable files with malicious binaries and gain elevated system access. 2026-01-06 8.8 CVE-2020-36916 ExploitDB-48953
TDM Digital Signage Official Website
Sony Professional Display Software Product Page
Zero Science Lab Disclosure (ZSL-2020-5604)
Packet Storm Security Exploit Entry
IBM X-Force Vulnerability Exchange
VulnCheck Advisory: TDM Digital Signage PC Player 4.1.0.4 Privilege Escalation via Insecure Permissions
 
Tencent--WeKnora WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, there is a command injection vulnerability that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values. This issue has been patched in version 0.2.5. 2026-01-10 10 CVE-2026-22688 https://github.com/Tencent/WeKnora/security/advisories/GHSA-78h3-63c4-5fqc
https://github.com/Tencent/WeKnora/commit/f7900a5e9a18c99d25cec9589ead9e4e59ce04bb
 
Tencent--WeKnora WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, after WeKnora enables the Agent service, it allows users to call the database query tool. Due to insufficient backend validation, an attacker can use prompt based bypass techniques to evade query restrictions and obtain sensitive information from the target server and database. This issue has been patched in version 0.2.5. 2026-01-10 8.1 CVE-2026-22687 https://github.com/Tencent/WeKnora/security/advisories/GHSA-pcwc-3fw3-8cqv
https://github.com/Tencent/WeKnora/commit/da55707022c252dd2c20f8e18145b2d899ee06a1
 
Tenda--AC23 A weakness has been identified in Tenda AC23 16.03.07.52. This affects the function sscanf of the file /goform/PowerSaveSet. Executing a manipulation of the argument Time can lead to buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. 2026-01-06 8.8 CVE-2026-0640 VDB-339683 | Tenda AC23 PowerSaveSet sscanf buffer overflow
VDB-339683 | CTI Indicators (IOB, IOC, IOA)
Submit #731772 | Tenda AC23 V16.03.07.52 Buffer Overflow
https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC23_Buffer_Overflow/Tenda%20AC23_Buffer_Overflow.md
https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC23_Buffer_Overflow/Tenda%20AC23_Buffer_Overflow.md#poc
https://www.tenda.com.cn/
 
the-hideout--tarkov-data-manager The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, an authentication bypass vulnerability in the login endpoint allows any unauthenticated user to gain full admin access to the Tarkov Data Manager admin panel by exploiting a JavaScript prototype property access vulnerability, combined with loose equality type coercion. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities. 2026-01-07 9.8 CVE-2026-21854 https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-r8w6-9xwg-6h73
https://github.com/the-hideout/tarkov-data-manager/commit/f188f0abf766cefe3f1b7b4fc6fe9dad3736174a
 
the-hideout--tarkov-data-manager The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, a reflected Cross Site Scripting (XSS) vulnerability in the toast notification system allows any attacker to execute arbitrary JavaScript in the context of a victim's browser session by crafting a malicious URL. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities. 2026-01-07 9.3 CVE-2026-21855 https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-9c23-rrg9-jc89
 
the-hideout--tarkov-data-manager The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8, a time based blind SQL injection vulnerability in the webhook edit and scanner api endpoints that allow an authenticated attacker to execute arbitrary SQL queries against the MySQL database. Commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8 contains a patch. 2026-01-07 7.2 CVE-2026-21856 https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-4gcx-ghwc-rc78
https://github.com/the-hideout/tarkov-data-manager/commit/9bdb3a75a98a7047b6d70144eb1da1655d6992a8
 
ThemeREX Group--Hope Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Group Hope charity-is-hope allows PHP Local File Inclusion.This issue affects Hope: from n/a through 3.0.0. 2026-01-07 8.1 CVE-2025-69081 https://patchstack.com/database/wordpress/theme/charity-is-hope/vulnerability/wordpress-hope-theme-3-0-0-local-file-inclusion-vulnerability?_s_id=cve
 
Themesgrove--WidgetKit Pro Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themesgrove WidgetKit Pro allows Reflected XSS.This issue affects WidgetKit Pro: from n/a through 1.13.1. 2026-01-07 7.1 CVE-2025-46494 https://patchstack.com/database/wordpress/plugin/widgetkit-pro/vulnerability/wordpress-widgetkit-pro-plugin-1-13-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Themify--Shopo Unrestricted Upload of File with Dangerous Type vulnerability in Themify Shopo allows Upload a Web Shell to a Web Server.This issue affects Shopo: from n/a through 1.1.4. 2026-01-05 9.9 CVE-2025-31048 https://vdp.patchstack.com/database/wordpress/theme/shopo/vulnerability/wordpress-shopo-1-1-4-arbitrary-file-upload-vulnerability?_s_id=cve
 
Themify--Themify Edmin Deserialization of Untrusted Data vulnerability in Themify Themify Edmin allows Object Injection.This issue affects Themify Edmin: from n/a through 2.0.0. 2026-01-05 8.8 CVE-2025-31047 https://vdp.patchstack.com/database/wordpress/theme/edmin/vulnerability/wordpress-themify-edmin-2-0-0-php-object-injection-vulnerability?_s_id=cve
 
Themify--Themify Sidepane WordPress Theme Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Sidepane WordPress Theme, Themify Themify Newsy, Themify Themify Folo, Themify Themify Edmin, Themify Bloggie, Themify Photobox, Themify Wigi, Themify Rezo, Themify Slide allows Upload a Web Shell to a Web Server.This issue affects Themify Sidepane WordPress Theme: from n/a through 1.9.8; Themify Newsy: from n/a through 1.9.9; Themify Folo: from n/a through 1.9.6; Themify Edmin: from n/a through 2.0.0; Bloggie: from n/a through 2.0.8; Photobox: from n/a through 2.0.1; Wigi: from n/a through 2.0.1; Rezo: from n/a through 1.9.7; Slide: from n/a through 1.7.5. 2026-01-06 9.9 CVE-2025-30996 https://patchstack.com/database/wordpress/theme/sidepane/vulnerability/wordpress-themify-sidepane-wordpress-theme-1-9-8-arbitrary-file-upload-vulnerability?_s_id=cve
https://patchstack.com/database/wordpress/theme/newsy/vulnerability/wordpress-themify-newsy-1-9-9-arbitrary-file-upload-vulnerability?_s_id=cve
https://patchstack.com/database/wordpress/theme/folo/vulnerability/wordpress-themify-folo-1-9-6-arbitrary-file-upload-vulnerability?_s_id=cve
https://patchstack.com/database/wordpress/theme/edmin/vulnerability/wordpress-themify-edmin-2-0-0-arbitrary-file-upload-vulnerability?_s_id=cve
https://patchstack.com/database/wordpress/theme/bloggie/vulnerability/wordpress-bloggie-2-0-8-arbitrary-file-upload-vulnerability?_s_id=cve
https://patchstack.com/database/wordpress/theme/photobox/vulnerability/wordpress-photobox-2-0-1-arbitrary-file-upload-vulnerability?_s_id=cve
https://patchstack.com/database/wordpress/theme/wigi/vulnerability/wordpress-wigi-2-0-1-arbitrary-file-upload-vulnerability?_s_id=cve
https://patchstack.com/database/wordpress/theme/rezo/vulnerability/wordpress-rezo-1-9-7-arbitrary-file-upload-vulnerability?_s_id=cve
https://patchstack.com/database/wordpress/theme/slide/vulnerability/wordpress-slide-1-7-5-arbitrary-file-upload-vulnerability?_s_id=cve
 
Trend Micro, Inc.--Trend Micro Apex Central A LoadLibraryEX vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to load an attacker-controlled DLL into a key executable, leading to execution of attacker-supplied code under the context of SYSTEM on affected installations. 2026-01-08 9.8 CVE-2025-69258 https://success.trendmicro.com/en-US/solution/KA-0022071
https://success.trendmicro.com/ja-JP/solution/KA-0022081
https://www.tenable.com/security/research/tra-2026-01
 
Trend Micro, Inc.--Trend Micro Apex Central A message unchecked NULL return value vulnerability in Trend Micro Apex Central could allow a remote attacker to create a denial-of-service condition on affected installations. Please note: authentication is not required in order to exploit this vulnerability.. 2026-01-08 7.5 CVE-2025-69259 https://success.trendmicro.com/en-US/solution/KA-0022071
https://success.trendmicro.com/ja-JP/solution/KA-0022081
https://www.tenable.com/security/research/tra-2026-01
 
Trend Micro, Inc.--Trend Micro Apex Central A message out-of-bounds read vulnerability in Trend Micro Apex Central could allow a remote attacker to create a denial-of-service condition on affected installations. Please note: authentication is not required in order to exploit this vulnerability. 2026-01-08 7.5 CVE-2025-69260 https://success.trendmicro.com/en-US/solution/KA-0022071
https://success.trendmicro.com/ja-JP/solution/KA-0022081
https://www.tenable.com/security/research/tra-2026-01
 
TRENDnet--TEW-713RE A vulnerability was detected in TRENDnet TEW-713RE 1.02. The impacted element is an unknown function of the file /goformX/formFSrvX. The manipulation of the argument SZCMD results in os command injection. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-06 9.8 CVE-2025-15471 VDB-339721 | TRENDnet TEW-713RE formFSrvX os command injection
VDB-339721 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721441 | TRENDnet TEW-713RE 1.02 OS Command Injection
https://pentagonal-time-3a7.notion.site/Command-Injection-Vulnerability-in-formFSrvX-of-Trendnet-TEW-713RE-2d1e5dd4c5a5801481abe7a944763d39
 
TRENDnet--TEW-811DRU A flaw has been found in TRENDnet TEW-811DRU 1.0.2.0. This affects the function setDeviceURL  of the file uapply.cgi of the component httpd . This manipulation of the argument DeviceURL causes os command injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-06 7.2 CVE-2025-15472 VDB-339722 | TRENDnet TEW-811DRU httpd  uapply.cgi setDeviceURL  os command injection
VDB-339722 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721874 | TRENDnet TEW-811DRU 1.0.4.0 OS Command Injection
https://pentagonal-time-3a7.notion.site/TrendNet-TEW-811DRU-2d2e5dd4c5a58016a612e99853b835f8
 
TryGhost--Ghost Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0. 2026-01-10 8.1 CVE-2026-22594 https://github.com/TryGhost/Ghost/security/advisories/GHSA-5fp7-g646-ccf4
https://github.com/TryGhost/Ghost/commit/b59f707f670e6f175b669977724ccf16c718430b
https://github.com/TryGhost/Ghost/commit/fc7bc2fb0888513498154ec5cb4b21eccb88de07
 
TryGhost--Ghost Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be accessible via Staff Session authentication. External systems that have been authenticated via Staff Tokens for Admin/Owner-role users would have had access to these endpoints. This issue has been patched in versions 5.130.6 and 6.11.0. 2026-01-10 8.1 CVE-2026-22595 https://github.com/TryGhost/Ghost/security/advisories/GHSA-9xg7-mwmp-xmjx
https://github.com/TryGhost/Ghost/commit/9513d2a35c21067127ce8192443d8919ddcefcc8
https://github.com/TryGhost/Ghost/commit/c3017f81a5387b253a7b8c1ba1959d430ee536a3
 
Tumult Inc--Tumult Hype Animations Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tumult Inc Tumult Hype Animations allows DOM-Based XSS.This issue affects Tumult Hype Animations: from n/a through 1.9.11. 2026-01-05 7.1 CVE-2024-30461 https://vdp.patchstack.com/database/wordpress/plugin/tumult-hype-animations/vulnerability/wordpress-tumult-hype-animations-plugin-1-9-11-csrf-to-xss-vulnerability?_s_id=cve
 
Ubiquiti Inc--UBB-XG A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product. Affected Products: UBB-XG (Version 1.2.2 and earlier) UDB-Pro/UDB-Pro-Sector (Version 1.4.1 and earlier) UBB (Version 3.1.5 and earlier) Mitigation: Update your UBB-XG to Version 1.2.3 or later. Update your UDB-Pro/UDB-Pro-Sector to Version 1.4.2 or later. Update your UBB to Version 3.1.7 or later. 2026-01-08 8.8 CVE-2026-21638 https://community.ui.com/releases/Security-Advisory-Bulletin-060-060/cde18da7-2bc4-41bb-a9cc-48a4a4c479c1
 
Ubiquiti Inc--UCRM Argentina AFIP invoices Plugin A Cross-Site Scripting (XSS) vulnerability in the UCRM Argentina AFIP invoices Plugin (v1.2.0 and earlier) could allow privilege escalation if an Administrator is tricked into visiting a crafted malicious page. This plugin is disabled by default. Affected Products: UCRM Argentina AFIP invoices Plugin (Version 1.2.0 and earlier) Mitigation: Update UCRM Argentina AFIP invoices Plugin to Version 1.3.0 or later. 2026-01-05 7.5 CVE-2025-59467 https://community.ui.com/releases/Security-Advisory-Bulletin-057/6d3f2a51-22b8-47a1-9296-1e9dcd64e073
 
Ubiquiti Inc--UniFi Protect Application A malicious actor with access to the adjacent network could obtain unauthorized access to a UniFi Protect Camera by exploiting a discovery protocol vulnerability in the Unifi Protect Application (Version 6.1.79 and earlier). Affected Products: UniFi Protect Application (Version 6.1.79 and earlier). Mitigation: Update your UniFi Protect Application to Version 6.2.72 or later. 2026-01-05 8.8 CVE-2026-21633 https://community.ui.com/releases/Security-Advisory-Bulletin-058-058/6922ff20-8cd7-4724-8d8c-676458a2d0f9
 
UTT-- 520W A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formUser. Such manipulation of the argument passwd1 leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-05 8.8 CVE-2025-15459 VDB-339495 | UTT 进取 520W formUser strcpy buffer overflow
VDB-339495 | CTI Indicators (IOB, IOC, IOA)
Submit #725816 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow
https://github.com/cymiao1978/cve/blob/main/new/22.md
https://github.com/cymiao1978/cve/blob/main/new/22.md#poc
 
UTT-- 520W A vulnerability was detected in UTT 进取 520W 1.7.7-180627. This affects the function strcpy of the file /goform/formPptpClientConfig. Performing a manipulation of the argument EncryptionMode results in buffer overflow. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-05 8.8 CVE-2025-15460 VDB-339496 | UTT 进取 520W formPptpClientConfig strcpy buffer overflow
VDB-339496 | CTI Indicators (IOB, IOC, IOA)
Submit #725817 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow
https://github.com/cymiao1978/cve/blob/main/new/23.md
https://github.com/cymiao1978/cve/blob/main/new/23.md#poc
 
UTT-- 520W A flaw has been found in UTT 进取 520W 1.7.7-180627. This vulnerability affects the function strcpy of the file /goform/formTaskEdit. Executing a manipulation of the argument selDateType can lead to buffer overflow. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-05 8.8 CVE-2025-15461 VDB-339497 | UTT 进取 520W formTaskEdit strcpy buffer overflow
VDB-339497 | CTI Indicators (IOB, IOC, IOA)
Submit #725818 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow
https://github.com/cymiao1978/cve/blob/main/new/24.md
https://github.com/cymiao1978/cve/blob/main/new/24.md#poc
 
UTT-- 520W A vulnerability has been found in UTT 进取 520W 1.7.7-180627. This issue affects the function strcpy of the file /goform/ConfigAdvideo. The manipulation of the argument timestart leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-05 8.8 CVE-2025-15462 VDB-339498 | UTT 进取 520W ConfigAdvideo strcpy buffer overflow
VDB-339498 | CTI Indicators (IOB, IOC, IOA)
Submit #725819 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow
https://github.com/cymiao1978/cve/blob/main/new/25.md
https://github.com/cymiao1978/cve/blob/main/new/25.md#poc
 
UTT-- 520W A vulnerability was determined in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formConfigFastDirectionW. This manipulation of the argument ssid causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-11 8.8 CVE-2026-0836 VDB-340436 | UTT 进取 520W formConfigFastDirectionW strcpy buffer overflow
VDB-340436 | CTI Indicators (IOB, IOC, IOA)
Submit #729018 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow
https://github.com/Lena-lyy/cve/blob/main/1223/26.md
 
UTT-- 520W A vulnerability was identified in UTT 进取 520W 1.7.7-180627. This affects the function strcpy of the file /goform/formFireWall. Such manipulation of the argument GroupName leads to buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-11 8.8 CVE-2026-0837 VDB-340437 | UTT 进取 520W formFireWall strcpy buffer overflow
VDB-340437 | CTI Indicators (IOB, IOC, IOA)
Submit #729019 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow
https://github.com/Lena-lyy/cve/blob/main/1223/27.md
 
UTT-- 520W A security flaw has been discovered in UTT 进取 520W 1.7.7-180627. This impacts the function strcpy of the file /goform/ConfigWirelessBase. Performing a manipulation of the argument ssid results in buffer overflow. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-11 8.8 CVE-2026-0838 VDB-340438 | UTT 进取 520W ConfigWirelessBase strcpy buffer overflow
VDB-340438 | CTI Indicators (IOB, IOC, IOA)
Submit #729020 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow
https://github.com/Lena-lyy/cve/blob/main/1223/28.md
 
UTT-- 520W A weakness has been identified in UTT 进取 520W 1.7.7-180627. Affected is the function strcpy of the file /goform/APSecurity. Executing a manipulation of the argument wepkey1 can lead to buffer overflow. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-11 8.8 CVE-2026-0839 VDB-340439 | UTT 进取 520W APSecurity strcpy buffer overflow
VDB-340439 | CTI Indicators (IOB, IOC, IOA)
Submit #729028 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow
https://github.com/GUOTINGTING2297/cve/blob/main/1234/29.md
 
UTT-- 520W A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. Affected by this vulnerability is the function strcpy of the file /goform/formConfigNoticeConfig. The manipulation of the argument timestart leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-11 8.8 CVE-2026-0840 VDB-340440 | UTT 进取 520W formConfigNoticeConfig strcpy buffer overflow
VDB-340440 | CTI Indicators (IOB, IOC, IOA)
Submit #729029 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow
https://github.com/GUOTINGTING2297/cve/blob/main/1234/30.md
 
UTT-- 520W A vulnerability was detected in UTT 进取 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formPictureUrl. The manipulation of the argument importpictureurl results in buffer overflow. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-11 8.8 CVE-2026-0841 VDB-340441 | UTT 进取 520W formPictureUrl strcpy buffer overflow
VDB-340441 | CTI Indicators (IOB, IOC, IOA)
Submit #729030 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow
https://github.com/GUOTINGTING2297/cve/blob/main/1234/31.md
 
Veeam--Backup And Recovery This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as root by creating a malicious backup configuration file. 2026-01-08 7.8 CVE-2025-55125 https://www.veeam.com/kb4792
 
Veeam--Backup and Recovery This vulnerability allows a Backup Administrator to perform remote code execution (RCE) as the postgres user by sending a malicious password parameter. 2026-01-08 9 CVE-2025-59468 https://www.veeam.com/kb4792
 
Veeam--Backup and Recovery This vulnerability allows a Backup or Tape Operator to write files as root. 2026-01-08 9 CVE-2025-59469 https://www.veeam.com/kb4792
 
Veeam--Backup and Recovery This vulnerability allows a Backup Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter. 2026-01-08 9 CVE-2025-59470 https://www.veeam.com/kb4792
 
vega--vega Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3, applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. First, they use `vega` in an application that attaches both `vega` library and a `vega.View` instance similar to the Vega Editor to the global `window`, or has any other satisfactory function gadgets in the global scope. Second, they allow user-defined Vega `JSON` definitions (vs JSON that was is only provided through source code). This vulnerability allows for DOM XSS, potentially stored, potentially reflected, depending on how the library is being used. The vulnerability requires user interaction with the page to trigger. An attacker can exploit this issue by tricking a user into opening a malicious Vega specification. Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the application's domain. This can lead to theft of sensitive information such as authentication tokens, manipulation of data displayed to the user, or execution of unauthorized actions on behalf of the victim. This exploit compromises confidentiality and integrity of impacted applications.Patched versions are available in `vega-selections@6.1.2` (requires ESM) for Vega v6 and `vega-selections@5.6.3` (no ESM needed) for Vega v5. As a workaround, do not attach `vega` or `vega.View` instances to global variables or the window as the editor used to do. This is a development-only debugging practice that should not be used in any situation where Vega/Vega-lite definitions can come from untrusted parties. 2026-01-05 8.1 CVE-2025-65110 https://github.com/vega/vega/security/advisories/GHSA-829q-m3qg-ph8r
 
vega--vega vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). This issue is fixed in vega-functions `6.1.1`. There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in CSP safe mode does not prevent this issue. 2026-01-05 7.2 CVE-2025-66648 https://github.com/vega/vega/security/advisories/GHSA-m9rg-mr6g-75gm
 
veronalabs--SlimStat Analytics The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the Recent Custom Events report. 2026-01-09 7.2 CVE-2025-15055 https://www.wordfence.com/threat-intel/vulnerabilities/id/afbfabfc-b923-4fe9-9e8f-0cf159f488db?source=cve
https://plugins.trac.wordpress.org/changeset/3429990/wp-slimstat
 
veronalabs--SlimStat Analytics The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient input sanitization and output escaping on the fingerprint value stored in the database. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the Real-time Access Log report. 2026-01-09 7.2 CVE-2025-15057 https://www.wordfence.com/threat-intel/vulnerabilities/id/90920df9-1362-466b-b14b-4714087f556b?source=cve
https://plugins.trac.wordpress.org/changeset/3428488/wp-slimstat
 
Waituk--Entrada Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Waituk Entrada allows SQL Injection.This issue affects Entrada: from n/a through 5.7.7. 2026-01-05 9.3 CVE-2025-39484 https://vdp.patchstack.com/database/wordpress/theme/entrada/vulnerability/wordpress-entrada-theme-5-7-7-sql-injection-vulnerability?_s_id=cve
 
webrndexperts--Latest Registered Users The Latest Registered Users plugin for WordPress is vulnerable to unauthorized user data export in all versions up to, and including, 1.4. This is due to missing authorization and nonce validation in the rnd_handle_form_submit function hooked to both admin_post_my_simple_form and admin_post_nopriv_my_simple_form actions. This makes it possible for unauthenticated attackers to export complete user details (excluding passwords and sensitive tokens) in CSV format via the 'action' parameter. 2026-01-07 7.5 CVE-2025-13493 https://www.wordfence.com/threat-intel/vulnerabilities/id/e6139543-81e3-480a-93a4-1d87b3f3f51e?source=cve
https://plugins.trac.wordpress.org/browser/latest-registered-users/trunk/latest-registered-users.php#L246
https://plugins.trac.wordpress.org/browser/latest-registered-users/tags/1.4/latest-registered-users.php#L246
https://plugins.trac.wordpress.org/browser/latest-registered-users/trunk/latest-registered-users.php#L66
 
WHILL--Model C2 Electric Wheelchair WHILL Model C2 Electric Wheelchairs and Model F Power Chairs do not enforce authentication for Bluetooth connections. An attacker within range can pair with the device and issue movement commands, override speed restrictions, and manipulate configuration profiles without any credentials or user interaction. 2026-01-05 9.8 CVE-2025-14346 https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-364-01
 
woocommerce--WooCommerce Square The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Square "ccof" (credit card on file) values and leverage this value to potentially make fraudulent charges on the target site. 2026-01-10 7.5 CVE-2025-13457 https://www.wordfence.com/threat-intel/vulnerabilities/id/c7f4f726-7e53-4397-8d8b-7a574326adc6?source=cve
https://plugins.trac.wordpress.org/changeset/3415850/woocommerce-square
 
WPweb--Follow My Blog Post Missing Authorization vulnerability in WPweb Follow My Blog Post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Follow My Blog Post: from n/a through 2.4.0. 2026-01-05 7.5 CVE-2025-68547 https://vdp.patchstack.com/database/wordpress/plugin/follow-my-blog-post/vulnerability/wordpress-follow-my-blog-post-plugin-2-4-0-arbitrary-content-deletion-vulnerability?_s_id=cve
 
xfinitysoft--Reviewify Review Discounts & Photo/Video Reviews for WooCommerce The Reviewify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'send_test_email' AJAX action in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to create arbitrary WooCommerce discount coupons, potentially causing financial loss to the store. 2026-01-07 7.5 CVE-2025-14070 https://www.wordfence.com/threat-intel/vulnerabilities/id/9db8756a-a177-4d39-b169-dc874cac2b3b?source=cve
https://cwe.mitre.org/data/definitions/862.html
https://plugins.trac.wordpress.org/browser/review-for-discount/trunk/admin/class-xswcrd-review-discounts-admin.php#L425
https://plugins.trac.wordpress.org/browser/review-for-discount/tags/1.0.6/admin/class-xswcrd-review-discounts-admin.php#L425
 
xwiki-contrib--macro-fullcalendar XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5. 2026-01-10 10 CVE-2025-65091 https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-2g22-wg49-fgv5
https://github.com/xwiki-contrib/macro-fullcalendar/commit/5fdcf06a05015786492fda69b4d9dea5460cc994
 
Yerootech--iDS6 DSSPro Digital Signage System iDS6 DSSPro Digital Signage System 6.2 contains an improper access control vulnerability that allows authenticated users to elevate privileges through console JavaScript functions. Attackers can create users, modify roles and permissions, and potentially achieve full application takeover by exploiting insecure direct object references. 2026-01-06 8.8 CVE-2020-36920 ExploitDB-48992
Archived Yeroo Tech Vendor Homepage
Zero Science Lab Disclosure (ZSL-2020-5608)
Packet Storm Security Exploit Entry
CXSecurity Vulnerability Database Entry
IBM X-Force Vulnerability Exchange
VulnCheck Advisory: iDS6 DSSPro Digital Signage System 6.2 Privilege Escalation via Access Control
 
yocoadmin--Yoco Payments The Yoco Payments plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.8.8 via the file parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. 2026-01-07 7.5 CVE-2025-13801 https://www.wordfence.com/threat-intel/vulnerabilities/id/ad74d5d0-270e-41d3-9596-2f71b05af276?source=cve
https://plugins.trac.wordpress.org/browser/yoco-payment-gateway/tags/3.8.8/src/Helpers/Logs.php#L25
https://plugins.trac.wordpress.org/browser/yoco-payment-gateway/tags/3.8.8/src/Helpers/Logs.php#L59
 
zauberzeug--nicegui NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been patched in version 3.5.0. 2026-01-08 7.2 CVE-2026-21873 https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mhpg-c27v-6mxr
https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0
 
Zenitel--ICX500 Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device. 2026-01-09 10 CVE-2025-64093 Zenitel Security Advisory
 
Zenitel--ICX500 This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database. 2026-01-09 7.5 CVE-2025-64092 Zenitel Security Advisory
 
Zenitel--TCIS-3+ This vulnerability allows authenticated attackers to execute commands via the hostname of the device. 2026-01-09 10 CVE-2025-64090 Zenitel Security Advisory
 
Zenitel--TCIS-3+ This vulnerability allows authenticated attackers to execute commands via the NTP-configuration of the device. 2026-01-09 8.6 CVE-2025-64091 Zenitel Security Advisory
 
Zimbra--Collaboration Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message. 2026-01-05 7.2 CVE-2025-66376 https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
https://wiki.zimbra.com/wiki/Security_Center
https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13#Security_Fixes
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18#Security_Fixes
 

Back to top

Medium Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
aaextensions--AA Block country The AA Block Country plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.0.1. This is due to the plugin trusting user-supplied headers such as HTTP_X_FORWARDED_FOR to determine the client's IP address without proper validation or considering if the server is behind a trusted proxy. This makes it possible for unauthenticated attackers to bypass IP-based access restrictions by spoofing their IP address via the X-Forwarded-For header. 2026-01-07 5.3 CVE-2025-13694 https://www.wordfence.com/threat-intel/vulnerabilities/id/037ac32a-dc2e-4e9f-9318-65dfee1c80e9?source=cve
https://plugins.trac.wordpress.org/browser/aa-block-country/trunk/aablockcountry.php#L26
https://plugins.trac.wordpress.org/browser/aa-block-country/tags/1.0.1/aablockcountry.php#L26
 
ABB--WebPro SNMP Card PowerValue Improper Check for Unusual or Exceptional Conditions vulnerability in ABB WebPro SNMP Card PowerValue, ABB WebPro SNMP Card PowerValue UL.This issue affects WebPro SNMP Card PowerValue: through 1.1.8.K; WebPro SNMP Card PowerValue UL: through 1.1.8.K. 2026-01-07 6.5 CVE-2025-4675 https://search.abb.com/library/Download.aspx?DocumentID=2CRT000009&LanguageCode=en&DocumentPartId=&Action=Launch
 
ABB--WebPro SNMP Card PowerValue Insufficient Session Expiration vulnerability in ABB WebPro SNMP Card PowerValue, ABB WebPro SNMP Card PowerValue UL.This issue affects WebPro SNMP Card PowerValue: through 1.1.8.K; WebPro SNMP Card PowerValue UL: through 1.1.8.K. 2026-01-07 6.5 CVE-2025-4677 https://search.abb.com/library/Download.aspx?DocumentID=2CRT000009&LanguageCode=en&DocumentPartId=&Action=Launch
 
aharonyan--Guest posting / Frontend Posting / Front Editor WP Front User Submit The Guest posting / Frontend Posting / Front Editor - WP Front User Submit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bfe/v1/revert' REST API endpoint in all versions up to, and including, 5.0.0. This makes it possible for unauthenticated attackers to delete arbitrary media attachments. 2026-01-07 5.3 CVE-2025-13419 https://www.wordfence.com/threat-intel/vulnerabilities/id/874b3448-df4c-49c4-bf4f-435cf48f6305?source=cve
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3432207%40front-editor&new=3432207%40front-editor&sfp_email=&sfph_mail=
 
ahecht--AH Shortcodes The AH Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column' shortcode attribute in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-14109 https://www.wordfence.com/threat-intel/vulnerabilities/id/0b77243f-f48b-4a94-9d60-bf96dc26fe77?source=cve
https://plugins.trac.wordpress.org/browser/ah-shortcodes/trunk/includes/shortcodes.php#L28
https://plugins.trac.wordpress.org/browser/ah-shortcodes/tags/1.0.2/includes/shortcodes.php#L28
 
airesvsg--ACF to REST API The ACF to REST API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.4. This is due to insufficient capability checks in the update_item_permissions_check() method, which only verifies that the current user has the edit_posts capability without checking object-specific permissions (e.g., edit_post($id), edit_user($id), manage_options). This makes it possible for authenticated attackers, with Contributor-level access and above, to modify ACF fields on posts they do not own, any user account, comments, taxonomy terms, and even the global options page via the /wp-json/acf/v3/{type}/{id} endpoints, granted they can authenticate to the site. 2026-01-07 4.3 CVE-2025-12030 https://www.wordfence.com/threat-intel/vulnerabilities/id/5ab508fa-298c-48c1-8510-f2e0a881675a?source=cve
https://plugins.trac.wordpress.org/browser/acf-to-rest-api/tags/3.3.4/v3/lib/endpoints/class-acf-to-rest-api-controller.php#L108
https://plugins.trac.wordpress.org/browser/acf-to-rest-api/tags/3.3.4/v3/lib/endpoints/class-acf-to-rest-api-controller.php#L120
 
All-Dynamics Software--enlogic:show Digital Signage System All-Dynamics Software enlogic:show 2.0.2 contains a session fixation vulnerability that allows attackers to set a predefined PHP session identifier during the login process. Attackers can forge HTTP GET requests to welcome.php with a manipulated session token to bypass authentication and potentially execute cross-site request forgery attacks. 2026-01-06 5.3 CVE-2020-36913 Zero Science Lab Disclosure (ZSL-2020-5577)
Vendor Changelog for Version 2.0.3
Packet Storm Security Exploit Entry
IBM X-Force Vulnerability Database Entry
VulnCheck Advisory: All-Dynamics Software enlogic:show 2.0.2 Session Fixation Authentication Bypass
 
alobaidi--The Tooltip The The Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'the_tooltip' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-09 6.4 CVE-2025-13908 https://www.wordfence.com/threat-intel/vulnerabilities/id/d2bac05e-ecd0-427b-90a0-6cf78175cd19?source=cve
https://plugins.trac.wordpress.org/browser/the-tooltip/trunk/the-tooltip.php#L92
https://plugins.trac.wordpress.org/browser/the-tooltip/tags/1.0.2/the-tooltip.php#L92
 
Altera--Quartus Prime Pro Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Pro Installer (SFX) on Windows allows Search Order Hijacking.This issue affects Quartus Prime Pro: from 24.1 through 24.3.1. 2026-01-06 6.7 CVE-2025-14596 https://www.altera.com/security/security-advisory/asa-0004
 
Altera--Quartus Prime Pro Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Pro on Windows (System Console modules) allows Search Order Hijacking.This issue affects Quartus Prime Pro: from 17.0 through 25.1.1. 2026-01-06 6.7 CVE-2025-14605 https://www.altera.com/security/security-advisory/asa-0004
 
Altera--Quartus Prime Pro Insecure Temporary File vulnerability in Altera Quartus Prime Pro  Installer (SFX) on Windows allows : Use of Predictable File Names.This issue affects Quartus Prime Pro: from 24.1 through 25.1.1. 2026-01-06 6.7 CVE-2025-14612 https://www.altera.com/security/security-advisory/asa-0004
 
Altera--Quartus Prime Standard Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Standard Installer (SFX) on Windows, Altera Quartus Prime Lite  Installer (SFX) on Windows allows Search Order Hijacking.This issue affects Quartus Prime Standard: from 23.1 through 24.1; Quartus Prime Lite: from 23.1 through 24.1. 2026-01-06 6.7 CVE-2025-14599 https://www.altera.com/security/security-advisory/asa-0005
 
Altera--Quartus Prime Standard Insecure Temporary File vulnerability in Altera Quartus Prime Standard  Installer (SFX) on Windows, Altera Quartus Prime Lite  Installer (SFX) on Windows allows Explore for Predictable Temporary File Names.This issue affects Quartus Prime Standard: from 23.1 through 24.1; Quartus Prime Lite: from 23.1 through 24.1. 2026-01-06 6.7 CVE-2025-14614 https://www.altera.com/security/security-advisory/asa-0005
 
Altera--Quartus Prime Standard Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Standard on Windows (Nios II Command Shell modules), Altera Quartus Prime Lite on Windows (Nios II Command Shell modules) allows Search Order Hijacking.This issue affects Quartus Prime Standard: from 19.1 through 24.1; Quartus Prime Lite: from 19.1 through 24.1. 2026-01-06 6.7 CVE-2025-14625 https://www.altera.com/security/security-advisory/asa-0005
 
ameliabooking--Booking for Appointments and Events Calendar Amelia The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. This makes it possible for unauthenticated attackers to mark payments as refunded, trigger sending of queued notifications (emails/SMS/WhatsApp), and access debug information among other things. 2026-01-09 5.3 CVE-2025-14720 https://www.wordfence.com/threat-intel/vulnerabilities/id/771ed385-587c-400f-89c6-1a827c3e2c79?source=cve
https://plugins.trac.wordpress.org/changeset/3429650/ameliabooking/trunk/src/Application/Commands/Square/SquareRefundWebhookCommandHandler.php
 
amirshk--Autogen Headers Menu The Autogen Headers Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head_class' parameter of the 'autogen_menu' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-09 6.4 CVE-2025-13704 https://www.wordfence.com/threat-intel/vulnerabilities/id/a63bf106-78cf-441b-a1b3-77ec1cf6c22b?source=cve
https://plugins.trac.wordpress.org/browser/autogen-headers-menu/trunk/index.php#L115
https://plugins.trac.wordpress.org/browser/autogen-headers-menu/tags/1.0.1/index.php#L115
https://plugins.trac.wordpress.org/browser/autogen-headers-menu/trunk/index.php#L53
https://plugins.trac.wordpress.org/browser/autogen-headers-menu/tags/1.0.1/index.php#L53
 
amu02aftab--Client Testimonial Slider The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aft_testimonial_meta_name' custom field in the Client Information metabox in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected administrative page. 2026-01-09 6.4 CVE-2025-13897 https://www.wordfence.com/threat-intel/vulnerabilities/id/5bf12608-4e02-4b3a-9363-991dca5ee11b?source=cve
https://plugins.trac.wordpress.org/browser/wp-client-testimonial/trunk/wp-client-testimonial.php#L117
https://plugins.trac.wordpress.org/browser/wp-client-testimonial/tags/2.0/wp-client-testimonial.php#L117
 
anand_kumar--Header and Footer Scripts The Header and Footer Scripts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _inpost_head_script parameter in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-09 6.4 CVE-2025-11453 https://www.wordfence.com/threat-intel/vulnerabilities/id/d658e087-8cc7-4653-af3c-407b6f73fb7b?source=cve
https://plugins.trac.wordpress.org/browser/header-and-footer-scripts/tags/2.2.2/shfs.php#L119
 
anilankola--Newsletter Email Subscribe The Newsletter Email Subscribe plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4. This is due to incorrect nonce validation on the nels_settings_page function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-07 4.3 CVE-2025-14904 https://www.wordfence.com/threat-intel/vulnerabilities/id/00dd9a3c-a9f9-4fd2-9c93-0def42cec496?source=cve
https://plugins.trac.wordpress.org/browser/newsletter-email-subscribe/tags/2.4/newsletter-email-subscribe.php#L109
 
anjan011--Simple User Meta Editor The Simple User Meta Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user meta value field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-01-07 4.4 CVE-2025-14888 https://www.wordfence.com/threat-intel/vulnerabilities/id/37342a62-97cd-43ef-af27-33092e840e67?source=cve
https://plugins.trac.wordpress.org/browser/simple-user-meta-editor/tags/1.0.0/includes/templates/editor/index.php#L57
 
anwerashif--xShare The xShare plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'xshare_plugin_reset()' function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-07 4.3 CVE-2025-13527 https://www.wordfence.com/threat-intel/vulnerabilities/id/d6006ffe-e2db-477f-8a9f-c0cf0434086b?source=cve
https://plugins.trac.wordpress.org/browser/xshare/trunk/index.php#L50
https://plugins.trac.wordpress.org/browser/xshare/tags/1.0.1/index.php#L50
 
anybodesign--AD Sliding FAQ The AD Sliding FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliding_faq' shortcode in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-14122 https://www.wordfence.com/threat-intel/vulnerabilities/id/d6c277f4-28e0-4159-a524-6576d72d2059?source=cve
https://plugins.trac.wordpress.org/browser/ad-sliding-faq/trunk/any-sliding-faq.php#L205
https://plugins.trac.wordpress.org/browser/ad-sliding-faq/tags/2.4/any-sliding-faq.php#L205
 
Arista Networks--EOS On affected platforms running Arista EOS with MACsec configuration, a specially crafted packet can cause the MACsec process to terminate unexpectedly. Continuous receipt of these packets with certain MACsec configurations can cause longer term disruption of dataplane traffic. 2026-01-06 4.3 CVE-2025-7048 https://www.arista.com/en/support/advisories-notices/security-advisory/23120-security-advisory-0132
 
arraytics--Appointment Booking Calendar WP Timetics Booking Plugin The Appointment Booking and Scheduling Calendar Plugin - WP Timetics plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the update and register_routes functions in all versions up to, and including, 1.0.36. This makes it possible for unauthenticated attackers to view and modify booking details. 2026-01-06 6.5 CVE-2025-5919 https://www.wordfence.com/threat-intel/vulnerabilities/id/d8d50b65-7479-4140-9231-c06c18d8be8f?source=cve
https://plugins.trac.wordpress.org/browser/timetics/tags/1.0.36/core/bookings/api-booking.php#L56
https://plugins.trac.wordpress.org/browser/timetics/tags/1.0.36/core/bookings/booking.php#L592
 
ashishajani--Contact Form vCard Generator The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive Contact Form 7 submission data via the 'wp-gvc-cf-download-id' parameter, including names, phone numbers, email addresses, and messages. 2026-01-09 5.3 CVE-2025-13717 https://www.wordfence.com/threat-intel/vulnerabilities/id/bdde4399-af90-4528-92a4-5176dfa5e453?source=cve
https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/trunk/includes/wp-gvc-cf-settings.php#L13
https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/tags/2.4/includes/wp-gvc-cf-settings.php#L13
https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/trunk/includes/wp-gvc-cf-settings.php#L105
https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/tags/2.4/includes/wp-gvc-cf-settings.php#L105
 
audrasjb--Key Figures The Key Figures plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kf_field_figure_default_color_render function in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-01-07 4.4 CVE-2025-14792 https://www.wordfence.com/threat-intel/vulnerabilities/id/f4943899-a25a-4e50-b33e-139ed5e8f748?source=cve
http://plugins.trac.wordpress.org/browser/key-figures/tags/1.1/admin/kf-admin.php#L201
 
authlib--authlib Authlib is a Python library which builds OAuth and OpenID Connect servers. In version 1.6.5 and prior, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under _state_{app}_{state}, and get_state_data ignores the caller's session altogether. This issue has been patched in version 1.6.6. 2026-01-08 5.7 CVE-2025-68158 https://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523
https://github.com/authlib/authlib/commit/2808378611dd6fb2532b189a9087877d8f0c0489
https://github.com/authlib/authlib/commit/7974f45e4d7492ab5f527577677f2770ce423228
 
Automattic--WP Job Manager Cross-Site Request Forgery (CSRF) vulnerability in Automattic WP Job Manager allows Cross Site Request Forgery.This issue affects WP Job Manager: from n/a through 2.0.0. 2026-01-05 5.4 CVE-2023-52212 https://vdp.patchstack.com/database/wordpress/plugin/wp-job-manager/vulnerability/wordpress-wp-job-manager-plugin-2-0-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
averta--Depicter Popup & Slider Builder The Popup and Slider Builder by Depicter - Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'store' function of the RulesAjaxController class in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to update pop-up display settings. 2026-01-06 5.3 CVE-2025-11370 https://www.wordfence.com/threat-intel/vulnerabilities/id/d35faf39-4882-4393-9b77-57dc45ac9d04?source=cve
https://github.com/nguy3nB4oo11/depicter-vuln-repro/blob/main/RulesAjaxController.php
https://github.com/nguy3nB4oo11/depicter-vuln-repro/blob/main/ajax.php
https://plugins.trac.wordpress.org/changeset/3428118/depicter/trunk/app/routes/ajax.php
 
averta--Phlox The Phlox theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption` HTML attribute in all versions up to, and including, 2.17.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-06 6.4 CVE-2025-4776 https://www.wordfence.com/threat-intel/vulnerabilities/id/a49f8150-a27d-4801-8923-31af335c3cbd?source=cve
https://themes.trac.wordpress.org/changeset/300858/
 
averta--Shortcodes and extra features for Phlox theme The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a combination of the 'tag' and 'title_tag' parameters in all versions up to, and including, 2.17.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-10 6.4 CVE-2025-12379 https://www.wordfence.com/threat-intel/vulnerabilities/id/1144e0d9-692e-45a5-ac63-bcdd64a8bd8a?source=cve
https://plugins.trac.wordpress.org/browser/auxin-elements/tags/2.17.12/includes/elementor/widgets/heading-modern.php#L1194
https://plugins.trac.wordpress.org/changeset/3429103/auxin-elements/trunk/includes/elementor/widgets/heading-modern.php
 
averta--Shortcodes and extra features for Phlox theme The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.17.13 via the auxels_ajax_search due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract titles of draft posts that they should not have access to. 2026-01-06 5.3 CVE-2025-13215 https://www.wordfence.com/threat-intel/vulnerabilities/id/7f47ab91-7d91-4231-91ef-66c556ad8496?source=cve
https://plugins.trac.wordpress.org/browser/auxin-elements/tags/2.17.12/public/includes/frontend-ajax.php#L348
 
Awethemes--AweBooking Insertion of Sensitive Information Into Sent Data vulnerability in Awethemes AweBooking allows Retrieve Embedded Sensitive Data.This issue affects AweBooking: from n/a through 3.2.26. 2026-01-05 6.5 CVE-2025-68014 https://vdp.patchstack.com/database/wordpress/plugin/awebooking/vulnerability/wordpress-awebooking-plugin-3-2-26-sensitive-data-exposure-vulnerability?_s_id=cve
 
axllent--mailpit Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time. This issue has been patched in version 1.28.2. 2026-01-10 6.5 CVE-2026-22689 https://github.com/axllent/mailpit/security/advisories/GHSA-524m-q5m7-79mm
https://github.com/axllent/mailpit/commit/6f1f4f34c98989fd873261018fb73830b30aec3f
 
axllent--mailpit Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it does not block internal IP addresses, enabling attackers to access internal services and APIs. This vulnerability is limited to HTTP GET requests with minimal headers. The issue is fixed in version 1.28.1. 2026-01-07 5.8 CVE-2026-21859 https://github.com/axllent/mailpit/security/advisories/GHSA-8v65-47jx-7mfr
https://github.com/axllent/mailpit/commit/3b9b470c093b3d20b7d751722c1c24f3eed2e19d
 
baqend--Speed Kit Missing Authorization vulnerability in baqend Speed Kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Speed Kit: from n/a through 2.0.2. 2026-01-08 4.3 CVE-2026-22487 https://patchstack.com/database/wordpress/plugin/baqend/vulnerability/wordpress-speed-kit-plugin-2-0-2-broken-access-control-vulnerability?_s_id=cve
 
beshkin--Shabat Keeper The Shabat Keeper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 0.4.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2026-01-09 6.1 CVE-2025-13701 https://www.wordfence.com/threat-intel/vulnerabilities/id/3aa73be6-0836-4540-8a80-e1da34c0ee0d?source=cve
https://plugins.trac.wordpress.org/browser/shabat-keeper/trunk/shabat-keeper.php#L148
https://plugins.trac.wordpress.org/browser/shabat-keeper/tags/0.4.4/shabat-keeper.php#L148
 
bg5sbk--MiniCMS A flaw has been found in bg5sbk MiniCMS up to 1.8. Impacted is the function delete_page of the file /minicms/mc-admin/page.php of the component File Recovery Request Handler. This manipulation causes improper authentication. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-05 6.5 CVE-2025-15455 VDB-339488 | bg5sbk MiniCMS File Recovery Request page.php delete_page improper authentication
VDB-339488 | CTI Indicators (IOB, IOC, IOA)
Submit #725137 | MiniCMS https://github.com/bg5sbk/MiniCMS V1.8 Unauthorized page deletion
https://github.com/ueh1013/VULN/issues/14
 
BiggiDroid--Simple PHP CMS A vulnerability was found in BiggiDroid Simple PHP CMS 1.0. This impacts an unknown function of the file /admin/editsite.php. The manipulation of the argument image results in unrestricted upload. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-09 4.7 CVE-2025-15495 VDB-340273 | BiggiDroid Simple PHP CMS editsite.php unrestricted upload
VDB-340273 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #725890 | BiggiDroid Simple PHP CMS 1.0 Unrestricted Upload
Submit #726040 | BiggiDroid Simple PHP CMS 1.0 Unrestricted Upload (Duplicate)
https://gitee.com/hdert/ck/issues/IDGO28
https://github.com/Asim-QAZi/RCE-Simplephpblog-biggiedroid
 
bitpressadmin--Bit Form Custom Contact Form, Multi Step, Conversational Form & Payment Form builder The Bit Form - Contact Form Plugin plugin for WordPress is vulnerable to unauthorized workflow execution due to missing authorization in the triggerWorkFlow function in all versions up to, and including, 2.21.6. This is due to a logic flaw in the nonce verification where the security check only blocks requests when both the nonce verification fails and the user is logged in. This makes it possible for unauthenticated attackers to replay form workflow executions and trigger all configured integrations including webhooks, email notifications, CRM integrations, and automation platforms via the bitforms_trigger_workflow AJAX action granted they can obtain the entry ID and log IDs from a legitimate form submission response. 2026-01-07 6.5 CVE-2025-14901 https://www.wordfence.com/threat-intel/vulnerabilities/id/0402e4a6-73ba-49e6-bf80-997ac83b4cfe?source=cve
https://plugins.trac.wordpress.org/browser/bit-form/tags/2.21.6/includes/Frontend/Ajax/FrontendAjax.php#L146
https://plugins.trac.wordpress.org/browser/bit-form/tags/2.21.6/includes/Frontend/Ajax/FrontendAjax.php#L30
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3429172%40bit-form%2Ftrunk&old=3420966%40bit-form%2Ftrunk&sfp_email=&sfph_mail=#file827
 
bluelabsio--records-mover A weakness has been identified in bluelabsio records-mover up to 1.5.4. The affected element is an unknown function of the component Table Object Handler. This manipulation causes sql injection. The attack needs to be launched locally. Upgrading to version 1.6.0 is sufficient to fix this issue. Patch name: 3f8383aa89f45d861ca081e3e9fd2cc9d0b5dfaa. You should upgrade the affected component. 2026-01-07 5.3 CVE-2023-7333 VDB-339566 | bluelabsio records-mover Table Object sql injection
VDB-339566 | CTI Indicators (IOB, IOC, TTP)
https://github.com/bluelabsio/records-mover/pull/254
https://github.com/bluelabsio/records-mover/commit/3f8383aa89f45d861ca081e3e9fd2cc9d0b5dfaa
https://github.com/bluelabsio/records-mover/releases/tag/v1.6.0
 
bruterdregz--Contact Us Simple Form The Contact Us Simple Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 4.4 CVE-2025-14028 https://www.wordfence.com/threat-intel/vulnerabilities/id/2c78ab13-22ed-4f00-b132-c9ff99c51273?source=cve
https://plugins.trac.wordpress.org/browser/contact-us-simple-form/trunk/contact-us-simple-form.php#L223
https://plugins.trac.wordpress.org/browser/contact-us-simple-form/tags/1.0/contact-us-simple-form.php#L223
https://plugins.trac.wordpress.org/browser/contact-us-simple-form/trunk/contact-us-simple-form.php#L239
https://plugins.trac.wordpress.org/browser/contact-us-simple-form/tags/1.0/contact-us-simple-form.php#L239
 
BuddyDev--MediaPress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev MediaPress allows Stored XSS.This issue affects MediaPress: from n/a through 1.6.2. 2026-01-08 6.5 CVE-2026-22519 https://patchstack.com/database/wordpress/plugin/mediapress/vulnerability/wordpress-mediapress-plugin-1-6-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
buddydev--MediaPress The MediaPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mpp-uploader shortcode in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-06 6.4 CVE-2025-14552 https://www.wordfence.com/threat-intel/vulnerabilities/id/82b5ade8-582e-4440-b043-d30e757c9467?source=cve
https://plugins.trac.wordpress.org/browser/mediapress/tags/1.6.1/core/gallery/mpp-gallery-template-tags.php#L665
 
burtrw--Lesson Plan Book The Lesson Plan Book plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2026-01-09 6.1 CVE-2025-13893 https://www.wordfence.com/threat-intel/vulnerabilities/id/18696937-5cc5-4e14-940d-fc25468377a3?source=cve
https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L719
https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L1776
https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L1910
 
bww--URL Image Importer The URL Image Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.7 due to insufficient sanitization of SVG files. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. 2026-01-06 6.4 CVE-2025-14120 https://www.wordfence.com/threat-intel/vulnerabilities/id/8704320e-9624-4924-92e8-adb61356aecb?source=cve
https://plugins.trac.wordpress.org/browser/url-image-importer/trunk/url-image-importer.php#L176
https://plugins.trac.wordpress.org/browser/url-image-importer/tags/1.0.7/url-image-importer.php#L176
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429292%40url-image-importer&new=3429292%40url-image-importer&sfp_email=&sfph_mail=
 
callumalden--Starred Review The Starred Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the PHP_SELF variable in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2026-01-07 6.1 CVE-2025-14118 https://www.wordfence.com/threat-intel/vulnerabilities/id/2eb65c25-9400-4c5a-a4b2-b72628725500?source=cve
https://plugins.trac.wordpress.org/browser/starred-review/trunk/starred-review.php#L29
https://plugins.trac.wordpress.org/browser/starred-review/tags/1.4.2/starred-review.php#L29
 
Campcodes--Supplier Management System A flaw has been found in Campcodes Supplier Management System 1.0. Affected by this issue is some unknown functionality of the file /retailer/edit_profile.php. This manipulation of the argument txtRetailerAddress causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. 2026-01-05 6.3 CVE-2026-0597 VDB-339506 | Campcodes Supplier Management System edit_profile.php sql injection
VDB-339506 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731433 | campcodes Supplier Management System 1.0 SQL Injection
https://github.com/dhy-spec/cve/issues/1
https://www.campcodes.com/
 
carboneio--carbone A weakness has been identified in carboneio carbone up to fbcd349077ad0e8748be73eab2a82ea92b6f8a7e. This impacts an unknown function of the file lib/input.js of the component Formatter Handler. Executing a manipulation can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is said to be difficult. Upgrading to version 3.5.6 will fix this issue. This patch is called 04f9feb24bfca23567706392f9ad2c53bbe4134e. You should upgrade the affected component. A successful exploitation can "only occur if the parent NodeJS application has the same security issue". 2026-01-07 5 CVE-2024-14020 VDB-339503 | carboneio carbone Formatter input.js prototype pollution
VDB-339503 | CTI Indicators (IOB, IOC, TTP, IOA)
https://github.com/carboneio/carbone/commit/04f9feb24bfca23567706392f9ad2c53bbe4134e
https://github.com/carboneio/carbone/releases/tag/3.5.6
 
cbutlerjr--WP-Members Membership Plugin The WP-Members Membership Plugin for WordPress is vulnerable to unauthorized file access in versions up to, and including, 3.5.4.4. This is due to storing user-uploaded files in predictable directories (wp-content/uploads/wpmembers/user_files/<user_id>/) without implementing proper access controls beyond basic directory listing protection (.htaccess with Options -Indexes). This makes it possible for unauthenticated attackers to directly access and download sensitive documents uploaded by site users via direct URL access, granted they can guess or enumerate user IDs and filenames. 2026-01-07 5.3 CVE-2025-12648 https://www.wordfence.com/threat-intel/vulnerabilities/id/9d0154fd-0cab-4445-a92e-c44ae9931479?source=cve
https://plugins.trac.wordpress.org/browser/wp-members/trunk/includes/class-wp-members-forms.php#L604
https://plugins.trac.wordpress.org/browser/wp-members/trunk/includes/admin/class-wp-members-admin-api.php#L707
https://plugins.trac.wordpress.org/changeset/3427043/wp-members/trunk/includes/class-wp-members-forms.php
 
Centreon--Infra Monitoring Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (DSM extenstio configuration modules) allows Stored XSS to user with elevated privileges. This issue affects Infra Monitoring: from 25.10.0 before 25.10.1, from 24.10.0 before 24.10.4, from 24.04.0 before 24.04.8. 2026-01-05 6.8 CVE-2025-12511 https://github.com/centreon/centreon/releases
https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12511-centreon-dsm-medium-severity-5361
 
Centreon--Infra Monitoring Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Hosts configuration form modules) allows Stored XSS to users with high privileges. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. 2026-01-05 6.8 CVE-2025-12513 https://github.com/centreon/centreon/releases
https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12513-centreon-web-medium-severity-5360
 
Centreon--Infra Monitoring Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Administration ACL menu configuration modules) allows Stored XSS to users with high privileges. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. 2026-01-05 6.8 CVE-2025-13056 https://github.com/centreon/centreon/releases
https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-13056-centreon-web-medium-severity-5358
 
Centreon--Infra Monitoring Missing Authorization vulnerability in Centreon Infra Monitoring (Administration parameters API endpoint modules) allows Accessing Functionality Not Properly Constrained by ACLs, resulting in Information Disclosure like downtime or acknowledgement configurations. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. 2026-01-05 5.3 CVE-2025-12519 https://github.com/centreon/centreon/releases
https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12519-centreon-web-medium-severity-5359
 
charmbracelet--soft-serve Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path processes force deletions before retrieving user context, bypassing ownership validation entirely. This issue has been patched in version 0.11.2. 2026-01-08 5.4 CVE-2026-22253 https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-6jm8-x3g6-r33j
https://github.com/charmbracelet/soft-serve/commit/000ab5164f0be68cf1ea6b6e7227f11c0e388a42
 
chrisblackwell--1180px Shortcodes The 1180px Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-14114 https://www.wordfence.com/threat-intel/vulnerabilities/id/ddf2ca43-a1d5-4809-b8ad-916b23f71a7d?source=cve
https://plugins.trac.wordpress.org/browser/1180px-shortcodes/trunk/1180px.php#L115
https://plugins.trac.wordpress.org/browser/1180px-shortcodes/tags/1.1.1/1180px.php#L115
 
Cisco--Cisco Identity Services Engine Software A vulnerability in the licensing features of&nbsp;Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker with administrative privileges to gain access to sensitive information.&nbsp; This vulnerability is due to improper parsing of XML that is processed by the web-based management interface of Cisco ISE and Cisco ISE-PIC. An attacker could exploit this vulnerability by uploading a malicious file to the application. A successful exploit could allow the attacker to read arbitrary files from the underlying operating system that could include sensitive data that should otherwise be inaccessible even to administrators. To exploit this vulnerability, the attacker must have valid administrative credentials. 2026-01-07 4.9 CVE-2026-20029 cisco-sa-ise-xxe-jWSbSDKt
 
Cisco--Cisco Secure Firewall Threat Defense (FTD) Software Multiple&nbsp;Cisco products are affected by a vulnerability in the processing of DCE/RPC requests that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to leak sensitive information or to restart, resulting in an interruption of packet inspection. This vulnerability is due to an error in buffer handling logic when processing DCE/RPC requests, which can result in a buffer use-after-free read. An attacker could exploit this vulnerability by sending a large number of DCE/RPC requests through an established connection that is inspected by Snort 3. A successful exploit could allow the attacker to unexpectedly restart the Snort 3 Detection Engine, which could cause a denial of service (DoS). 2026-01-07 5.8 CVE-2026-20026 cisco-sa-snort3-dcerpc-vulns-J9HNF4tH
 
Cisco--Cisco Secure Firewall Threat Defense (FTD) Software Multiple Cisco products are affected by a vulnerability in the processing of DCE/RPC requests that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to leak sensitive information or to restart, resulting in an interruption of packet inspection. This vulnerability is due to an error in buffer handling logic when processing DCE/RPC requests, which can result in a buffer out-of-bounds read. An attacker could exploit this vulnerability by sending a large number of DCE/RPC requests through an established connection that is inspected by Snort 3. A successful exploit could allow the attacker to obtain sensitive information in the Snort 3 data stream. 2026-01-07 5.3 CVE-2026-20027 cisco-sa-snort3-dcerpc-vulns-J9HNF4tH
 
cld378632668--JavaMall A vulnerability was found in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. This impacts the function Upload of the file src/main/java/com/macro/mall/controller/MinioController.java. The manipulation results in unrestricted upload. It is possible to launch the attack remotely. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-05 6.3 CVE-2025-15448 VDB-339481 | cld378632668 JavaMall MinioController.java upload unrestricted upload
VDB-339481 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721997 | https://github.com/cld378632668/JavaMall JavaMall 1.0 Upload any file
https://github.com/zyhzheng500-maker/cve/blob/main/javamall%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.md
 
cld378632668--JavaMall A vulnerability was determined in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. Affected is the function delete of the file src/main/java/com/macro/mall/controller/MinioController.java. This manipulation of the argument objectName causes path traversal. The attack can be initiated remotely. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-05 5.4 CVE-2025-15449 VDB-339482 | cld378632668 JavaMall MinioController.java delete path traversal
VDB-339482 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #722000 | https://github.com/cld378632668/JavaMall JavaMall 1.0 Delete any file
https://github.com/zyhzheng500-maker/cve/blob/main/JavaMall%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E5%88%A0%E9%99%A4.md
 
clevelandwebdeveloper--Smart App Banners The Smart App Banners plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'size' and 'verticalalign' parameters of the 'app-store-download' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-13841 https://www.wordfence.com/threat-intel/vulnerabilities/id/add85b9b-3a4d-4c46-a90f-10c9645e249d?source=cve
https://plugins.trac.wordpress.org/browser/smart-app-banners/trunk/index.php#L321
https://plugins.trac.wordpress.org/browser/smart-app-banners/tags/1.2/index.php#L321
 
code-projects--Intern Membership Management System A flaw has been found in code-projects Intern Membership Management System 1.0. The impacted element is an unknown function of the file /intern/admin/edit_admin.php. This manipulation of the argument admin_id causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. 2026-01-08 4.7 CVE-2026-0697 VDB-339974 | code-projects Intern Membership Management System edit_admin.php sql injection
VDB-339974 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #732998 | code-projects Intern Membership Management System 1.0 SQL injection
https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20admin.php%20sql%20injection1.md
https://code-projects.org/
 
code-projects--Intern Membership Management System A vulnerability has been found in code-projects Intern Membership Management System 1.0. This affects an unknown function of the file /intern/admin/edit_students.php. Such manipulation of the argument admin_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. 2026-01-08 4.7 CVE-2026-0698 VDB-339975 | code-projects Intern Membership Management System edit_students.php sql injection
VDB-339975 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #732999 | code-projects Intern Membership Management System 1.0 SQL injection
https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20students_details.php%20sql%20injection.md
https://code-projects.org/
 
code-projects--Intern Membership Management System A vulnerability was found in code-projects Intern Membership Management System 1.0. This impacts an unknown function of the file /intern/admin/edit_activity.php. Performing a manipulation of the argument activity_id results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. 2026-01-08 4.7 CVE-2026-0699 VDB-339976 | code-projects Intern Membership Management System edit_activity.php sql injection
VDB-339976 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #733000 | code-projects Intern Membership Management System activity.php 1.0 SQL injection
https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20activity.php%20sql%20injection.md
https://code-projects.org/
 
code-projects--Intern Membership Management System A vulnerability was identified in code-projects Intern Membership Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /intern/admin/add_admin.php. The manipulation of the argument Username leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. 2026-01-08 4.7 CVE-2026-0701 VDB-339978 | code-projects Intern Membership Management System add_admin.php sql injection
VDB-339978 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #733002 | code-projects Intern Membership Management System add_admin.php v1.0 sql injection
https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20add_admin.php%20sql%20injection.md
https://code-projects.org/
 
code-projects--Intern Membership Management System A security vulnerability has been detected in code-projects Intern Membership Management System 1.0. This issue affects some unknown processing of the file /intern/admin/delete_admin.php. Such manipulation of the argument admin_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. 2026-01-08 4.7 CVE-2026-0728 VDB-340125 | code-projects Intern Membership Management System delete_admin.php sql injection
VDB-340125 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #733003 | code-projects Intern Membership Management System delete_admin.php v1.0 SQL injection
https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20delete_admin.php%20sql%20injection.md
https://code-projects.org/
 
code-projects--Intern Membership Management System A vulnerability was detected in code-projects Intern Membership Management System 1.0. Impacted is an unknown function of the file /intern/admin/add_activity.php. Performing a manipulation of the argument Title results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. 2026-01-08 4.7 CVE-2026-0729 VDB-340126 | code-projects Intern Membership Management System add_activity.php sql injection
VDB-340126 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #733004 | code-projects Intern Membership Management System add_activity.php v1.0 SQL injection
https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20add_activity.php%20sql%20injection.md
https://code-projects.org/
 
code-projects--Intern Membership Management System A vulnerability was determined in code-projects Intern Membership Management System 1.0. Impacted is an unknown function of the file /admin/delete_activity.php. Executing a manipulation of the argument activity_id can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. 2026-01-11 4.7 CVE-2026-0850 VDB-340445 | code-projects Intern Membership Management System delete_activity.php sql injection
VDB-340445 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #733486 | code-projects Intern Membership Management System delete_activity.php v1.0 SQL injection
https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20delete_activity.php%20sql%20injection.md
https://code-projects.org/
 
code-projects--Online Product Reservation System A weakness has been identified in code-projects Online Product Reservation System 1.0. This issue affects some unknown processing of the file app/products/left_cart.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. 2026-01-05 6.3 CVE-2026-0584 VDB-339476 | code-projects Online Product Reservation System left_cart.php sql injection
VDB-339476 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731095 | code-projects Online Product Reservation system in PHP with source code V1.0 SQL Injection
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_left_cart.php.md
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_left_cart.php.md#poc
https://code-projects.org/
 
code-projects--Online Product Reservation System A vulnerability was determined in code-projects Online Product Reservation System 1.0. The affected element is an unknown function of the file /app/checkout/delete.php of the component POST Parameter Handler. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. 2026-01-05 6.3 CVE-2026-0590 VDB-339500 | code-projects Online Product Reservation System POST Parameter delete.php sql injection
VDB-339500 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731128 | code-projects Online Product Reservation System V1.0 SQL Injection
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_checkout_delete.php.md
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_checkout_delete.php.md#poc
https://code-projects.org/
 
code-projects--Online Product Reservation System A vulnerability was identified in code-projects Online Product Reservation System 1.0. The impacted element is an unknown function of the file /app/checkout/update.php of the component Cart Update Handler. Such manipulation of the argument id/qty leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. 2026-01-05 6.3 CVE-2026-0591 VDB-339501 | code-projects Online Product Reservation System Cart Update update.php sql injection
VDB-339501 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731129 | code-projects Online Product Reservation System V1.0 SQL Injection
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_checkout_update.php.md
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_checkout_update.php.md#poc
https://code-projects.org/
 
code-projects--Online Product Reservation System A vulnerability was detected in code-projects Online Product Reservation System 1.0. The affected element is an unknown function of the file handgunner-administrator/prod.php. Performing a manipulation of the argument cat results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used. 2026-01-05 4.3 CVE-2026-0586 VDB-339478 | code-projects Online Product Reservation System prod.php cross site scripting
VDB-339478 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731098 | code-projects Online Product Reservation system in PHP with source code V1.0 Improper Neutralization of Alternate XSS Syntax
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/xss_prod.php.md
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/xss_prod.php.md#poc
https://code-projects.org/
 
codeclouds--Unify The Unify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'init' action in all versions up to, and including, 3.4.9. This makes it possible for unauthenticated attackers to delete specific plugin options via the 'unify_plugin_downgrade' parameter. 2026-01-07 5.3 CVE-2025-13529 https://www.wordfence.com/threat-intel/vulnerabilities/id/b5fd4a47-0549-4d03-b81a-ad97d3d5d390?source=cve
https://plugins.trac.wordpress.org/browser/unify/trunk/Services/Hooks.php#L154
https://plugins.trac.wordpress.org/browser/unify/tags/3.4.9/Services/Hooks.php#L154
 
Columbia Weather Systems--MicroServer MicroServer copies parts of the system firmware to an unencrypted external SD card on boot, which contains user and vendor secrets. An attacker can utilize these plaintext secrets to modify the vendor firmware, or gain admin access to the web portal. 2026-01-07 6.5 CVE-2025-64305 https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-006-01.json
 
coreshop--CoreShop CoreShop is a Pimcore enhanced eCommerce solution. Prior to version 4.1.8, a blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based or time-based techniques. The database account used by the application is read-only and non-DBA, limiting impact to confidential data disclosure only. No data modification or service disruption is possible. This issue has been patched in version 4.1.8. 2026-01-08 4.9 CVE-2026-22242 https://github.com/coreshop/CoreShop/security/advisories/GHSA-ch7p-mpv4-4vg4
https://github.com/coreshop/CoreShop/commit/59e84fec59d113952b6d28a9b30c6317f9e6e5dd
 
corsonr--Easy GitHub Gist Shortcodes The Easy GitHub Gist Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the gist shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-14147 https://www.wordfence.com/threat-intel/vulnerabilities/id/b117d77b-2c11-451c-b236-b55e8af68a9a?source=cve
https://plugins.trac.wordpress.org/browser/easy-github-gist-shortcodes/trunk/easy-github-gist-shortcodes.php#L24
https://plugins.trac.wordpress.org/browser/easy-github-gist-shortcodes/tags/1.0/easy-github-gist-shortcodes.php#L24
 
creativemotion--Clearfy Cache WordPress optimization plugin, Minify HTML, CSS & JS, Defer The Clearfy Cache - WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is due to missing nonce validation on the "wbcr_upm_change_flag" function. This makes it possible for unauthenticated attackers to disable plugin/theme update notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-09 4.3 CVE-2025-13749 https://www.wordfence.com/threat-intel/vulnerabilities/id/55750dcf-c6ec-4be6-967f-60bf940fa30e?source=cve
https://research.cleantalk.org/cve-2025-13749/
https://plugins.trac.wordpress.org/changeset/3421009/clearfy
 
Crocoblock--JetEngine Missing Authorization vulnerability in Crocoblock JetEngine allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetEngine: from n/a through 3.8.1.1. 2026-01-07 4.3 CVE-2025-69333 https://patchstack.com/database/wordpress/plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-8-1-1-broken-access-control-vulnerability?_s_id=cve
 
croixhaug--Appointment Booking Calendar Simply Schedule Appointments Booking Plugin The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.5 via the hash() function due to use of a hardcoded fall-back salt. This makes it possible for unauthenticated attackers to generate a valid token across sites running the plugin that have not manually set a salt in the wp-config.php file and access booking information that will allow them to make modifications. 2026-01-06 6.5 CVE-2025-11723 https://www.wordfence.com/threat-intel/vulnerabilities/id/a5f3fbd2-6152-4a89-8fe9-982120d1a640?source=cve
https://plugins.trac.wordpress.org/changeset/3393919/
 
ctietze--PullQuote The PullQuote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pullquote' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-09 6.4 CVE-2025-13903 https://www.wordfence.com/threat-intel/vulnerabilities/id/0a0ee752-7fc4-46d3-9e0f-8b9317b0ea72?source=cve
https://plugins.trac.wordpress.org/browser/pullquote/trunk/includes/core.php#L12
https://plugins.trac.wordpress.org/browser/pullquote/tags/1.0/includes/core.php#L12
 
cuvixsystem--Post Like Dislike The Post Like Dislike plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2026-01-07 6.1 CVE-2025-14130 https://www.wordfence.com/threat-intel/vulnerabilities/id/598529d2-16c7-4bbd-9321-aa338c94eb36?source=cve
https://plugins.trac.wordpress.org/browser/post-like-dislike/trunk/post-like-dislike.php#L106
https://plugins.trac.wordpress.org/browser/post-like-dislike/tags/1.0/post-like-dislike.php#L106
 
cyberlord92--miniOrange OTP Verification and SMS Notification for WooCommerce The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `enable_wc_sms_notification` AJAX action in all versions up to, and including, 4.3.8. This makes it possible for unauthenticated attackers to enable or disable SMS notification settings for WooCommerce orders. 2026-01-10 5.3 CVE-2025-14948 https://www.wordfence.com/threat-intel/vulnerabilities/id/f84ddc83-2079-45b9-8354-51094581b1f8?source=cve
https://plugins.trac.wordpress.org/browser/miniorange-sms-order-notification-otp-verification/tags/4.3.8/notifications/wcsmsnotification/handler/class-woocommercenotifications.php#L138
https://plugins.trac.wordpress.org/browser/miniorange-sms-order-notification-otp-verification?rev=3423647
 
D-Link--DI-8200G A vulnerability was found in D-Link DI-8200G 17.12.20A1. This affects an unknown function of the file /upgrade_filter.asp. The manipulation of the argument path results in command injection. The attack may be performed from remote. The exploit has been made public and could be used. 2026-01-08 6.3 CVE-2026-0732 VDB-340129 | D-Link DI-8200G upgrade_filter.asp command injection
VDB-340129 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #733275 | D-Link DI_8200G Router V17.12.20A1 Command Execution
https://github.com/DavCloudz/cve/blob/main/D-link/DI_8200G/DI_8200G%20V17.12.20A1%20Command%20Execution%20Vulnerability/readme.md
https://github.com/DavCloudz/cve/blob/main/D-link/DI_8200G/DI_8200G%20V17.12.20A1%20Command%20Execution%20Vulnerability/readme.md#poc
https://www.dlink.com/
 
damienoh--WP Widget Changer The WP Widget Changer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2026-01-07 6.1 CVE-2025-14131 https://www.wordfence.com/threat-intel/vulnerabilities/id/699392b4-8270-47b5-90c1-5280d1389586?source=cve
https://wordpress.org/plugins/wp-widget-changer/
https://plugins.trac.wordpress.org/browser/wp-widget-changer/trunk/widget_changer.php#L162
https://plugins.trac.wordpress.org/browser/wp-widget-changer/tags/1.2.5/widget_changer.php#L162
 
danny-avila--LibreChat LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control when querying agent permissions. An authenticated attacker can read the permissions of arbitrary agents, even if they have no permissions for this agent. LibreChat allows the configuration of agents that have a predefined set of instructions and context. Private agents are not visible to other users. However, if an attacker knows the agent ID, they can read the permissions of the agent including the permissions individually assigned to other users. This issue is fixed in version 0.8.2-rc2. 2026-01-07 4.3 CVE-2025-69221 https://github.com/danny-avila/LibreChat/security/advisories/GHSA-5ccx-4r3h-9qc7
https://github.com/danny-avila/LibreChat/commit/06ba025bd95574c815ac6968454be7d3b024391c
https://github.com/danny-avila/LibreChat/releases/tag/v0.8.2-rc2
 
davidangel--PhotoFade The PhotoFade plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'time' parameter in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-13847 https://www.wordfence.com/threat-intel/vulnerabilities/id/00145a6b-26fd-4cba-a446-8236438075d8?source=cve
https://plugins.trac.wordpress.org/browser/photofade/trunk/photo-fade.php#L96
https://plugins.trac.wordpress.org/browser/photofade/tags/0.2.1/photo-fade.php#L96
 
debtcom--Debt.com Business in a Box The Debt.com Business in a Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'configuration' parameter of the lead_form shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-09 6.4 CVE-2025-13852 https://www.wordfence.com/threat-intel/vulnerabilities/id/1bb58556-29be-4272-85fc-bb2b7c72abf4?source=cve
https://plugins.trac.wordpress.org/browser/debtcom-business-in-a-box/trunk/inc/bib_form.php#L256
https://plugins.trac.wordpress.org/browser/debtcom-business-in-a-box/tags/4.1.0/inc/bib_form.php#L256
 
Dell--PowerProtect Data Domain with Data Domain Operating System (DD OS) Feature Release Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS2023 release versions 7.10.1.0 through 7.10.1.70, contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution. 2026-01-09 6 CVE-2025-46644 https://www.dell.com/support/kbdoc/en-us/000405813/dsa-2025-415-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities
 
Dell--PowerProtect Data Domain with Data Domain Operating System (DD OS) Feature Release Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS 2023 release versions 7.10.1.0 through 7.10.1.70, contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Command execution. 2026-01-09 6.5 CVE-2025-46645 https://www.dell.com/support/kbdoc/en-us/000405813/dsa-2025-415-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities
 
Dell--Secure Connect Gateway (SCG) Appliance Dell Secure Connect Gateway (SCG) 5.0 Appliance and Application, version(s) versions 5.26 to 5.30, contain(s) an Execution with Unnecessary Privileges vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. 2026-01-06 6.4 CVE-2025-46696 https://www.dell.com/support/kbdoc/en-us/000385230/dsa-2025-390-dell-secure-connect-gateway-security-update-for-multiple-vulnerabilities
 
directus--directus Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.14.0, an open redirect vulnerability exists in the Directus SAML authentication callback endpoint. During SAML authentication, the `RelayState` parameter is intended to preserve the user's original destination. However, while the login initiation flow validates redirect targets against allowed domains, this validation is not applied to the callback endpoint. This allows an attacker to craft a malicious authentication request that redirects users to an arbitrary external URL upon completion. The vulnerability is present in both the success and error handling paths of the callback. This vulnerability can be exploited without authentication. Version 11.14.0 contains a patch. 2026-01-08 4.3 CVE-2026-22032 https://github.com/directus/directus/security/advisories/GHSA-3573-4c68-g8cc
https://github.com/directus/directus/commit/dad9576ea9362905cc4de8028d3877caff36dc23
 
djrowling--Niche Hero | Beautifully-designed blocks in seconds The Niche Hero | Beautifully-designed blocks in seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spacing' parameter of the nh_row shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-14145 https://www.wordfence.com/threat-intel/vulnerabilities/id/52368b7d-5fe2-444c-bd7f-e4385dffa8a9?source=cve
https://plugins.trac.wordpress.org/browser/niche-hero/trunk/niche-hero.php#L302
https://plugins.trac.wordpress.org/browser/niche-hero/tags/1.0.5/niche-hero.php#L302
 
Dokan--Dokan Pro Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dokan Dokan Pro allows Stored XSS.This issue affects Dokan Pro: from n/a through 3.14.5. 2026-01-05 6.5 CVE-2025-39497 https://vdp.patchstack.com/database/wordpress/plugin/dokan-pro/vulnerability/wordpress-dokan-pro-plugin-3-14-5-cross-site-scripting-xss-vulnerability?_s_id=cve
 
enartia--Piraeus Bank WooCommerce Payment Gateway The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the payment gateway. This makes it possible for unauthenticated attackers to change any order's status to 'failed' via the publicly accessible WooCommerce API endpoint by providing only the order ID (MerchantReference parameter), which can be easily enumerated as order IDs are sequential integers. This can cause significant business disruption including canceled shipments, inventory issues, and loss of revenue. 2026-01-07 5.3 CVE-2025-14460 https://www.wordfence.com/threat-intel/vulnerabilities/id/d7b15198-8f44-4390-862b-35d41eb8a854?source=cve
https://plugins.trac.wordpress.org/browser/woo-payment-gateway-for-piraeus-bank/trunk/classes/WC_Piraeusbank_Gateway.php#L821
https://plugins.trac.wordpress.org/browser/woo-payment-gateway-for-piraeus-bank/tags/3.1.4/classes/WC_Piraeusbank_Gateway.php#L821
 
EngoTheme--Plant - Gardening & Houseplants WordPress Theme Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in EngoTheme Plant - Gardening & Houseplants WordPress Theme allows Retrieve Embedded Sensitive Data.This issue affects Plant - Gardening & Houseplants WordPress Theme: from n/a through 1.0.0. 2026-01-06 5.3 CVE-2025-31051 https://patchstack.com/database/wordpress/theme/plant/vulnerability/wordpress-plant-gardening-houseplants-wordpress-theme-1-0-0-sensitive-data-exposure-vulnerability?_s_id=cve
 
expresstech--Quiz and Survey Master (QSM) Easy Quiz and Survey Maker The Quiz and Survey Master (QSM) - Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based SQL Injection via the 'is_linking' parameter in all versions up to, and including, 10.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-01-06 6.5 CVE-2025-9318 https://www.wordfence.com/threat-intel/vulnerabilities/id/e6524e66-5bd1-4616-8185-c0501a09893e?source=cve
https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/rest-api.php#L533
 
expresstech--Quiz and Survey Master (QSM) Easy Quiz and Survey Maker The Quiz and Survey Master (QSM) - Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability and status checks on multiple functions in all versions up to, and including, 10.3.1. This makes it possible for unauthenticated attackers to view the details of unpublished, private, or password-protected quizzes, as well as submit file responses to questions from those quizzes, which allow file upload. 2026-01-06 6.5 CVE-2025-9637 https://www.wordfence.com/threat-intel/vulnerabilities/id/88a9abf4-62a9-4695-87e7-18ff0b0075e9?source=cve
https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/classes/class-qmn-quiz-manager.php#L281
https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/classes/class-qmn-quiz-manager.php#L1987
https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/rest-api.php
 
expresstech--Quiz and Survey Master (QSM) Easy Quiz and Survey Maker The Quiz and Survey Master (QSM) - Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the qsm_dashboard_delete_result function in all versions up to, and including, 10.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete quiz results. 2026-01-06 4.3 CVE-2025-9294 https://www.wordfence.com/threat-intel/vulnerabilities/id/55895508-d0ef-4855-8d15-b8a45ba0dcb2?source=cve
https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/admin/options-page-questions-tab.php#L1116
 
FLIR Systems, Inc.--FLIR Thermal Camera F/FC/PT/D FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains an information disclosure vulnerability that allows unauthenticated attackers to read arbitrary files through unverified input parameters. Attackers can exploit the /var/www/data/controllers/api/xml.php readFile() function to access local system files without authentication. 2026-01-07 6.2 CVE-2017-20212 Zero Science Lab Vulnerability Advisory
Exploit Database Entry 42786
Packet Storm Security Exploit Archive
CXSecurity Vulnerability Listing
Archived FLIR Security Advisory
 
Flycatcher Toys--smART Sketcher A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. This affects an unknown part of the component Bluetooth Low Energy Interface. This manipulation causes missing authentication. The attack can only be done within the local network. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-11 6.3 CVE-2026-0842 VDB-340442 | Flycatcher Toys smART Sketcher Bluetooth Low Energy missing authentication
VDB-340442 | CTI Indicators (IOB, IOC)
Submit #729134 | Flycatcher Toys smART Sketcher 2.0 0/1/2 Missing Authentication for Critical Function
https://github.com/davidrxchester/smart-sketcher-upload/blob/main/smartsketch-upload.py
 
fpcorso--Testimonial Master The Testimonial Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2026-01-07 6.1 CVE-2025-14127 https://www.wordfence.com/threat-intel/vulnerabilities/id/15e65a86-db8e-4a4a-b9c6-c688021a514f?source=cve
https://wordpress.org/plugins/testimonial-master/
https://plugins.trac.wordpress.org/browser/testimonial-master/trunk/php/tm_help_page.php#L190
https://plugins.trac.wordpress.org/browser/testimonial-master/tags/0.2.1/php/tm_help_page.php#L190
 
fulippo--WP Status Notifier The WP Status Notifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-07 4.3 CVE-2025-13521 https://www.wordfence.com/threat-intel/vulnerabilities/id/fbffc404-9ea9-4025-8241-2c374b760ca3?source=cve
https://plugins.trac.wordpress.org/browser/wp-change-status-notifier/trunk/options-page.php#L2
https://plugins.trac.wordpress.org/browser/wp-change-status-notifier/tags/1.0/options-page.php#L2
 
furqan-khanzada--Menu Card The Menu Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `category` parameter in all versions up to, and including, 0.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-09 6.4 CVE-2025-13862 https://www.wordfence.com/threat-intel/vulnerabilities/id/cec428cd-0fa1-4bc4-b7f6-faf90c31f306?source=cve
https://plugins.trac.wordpress.org/browser/menu-card/trunk/menu-card.php#L102
https://plugins.trac.wordpress.org/browser/menu-card/tags/0.8.0/menu-card.php#L102
 
galdub--Folders Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager The Folders - Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Replacement in all versions up to, and including, 3.1.5. This is due to missing object-level authorization checks in the handle_folders_file_upload() function. This makes it possible for authenticated attackers, with Author-level access and above, to replace arbitrary media files from the WordPress Media Library. 2026-01-08 4.3 CVE-2025-12640 https://www.wordfence.com/threat-intel/vulnerabilities/id/ac6432a4-6597-4d1e-b63d-c007a301d1b2?source=cve
https://plugins.trac.wordpress.org/changeset/3402986/folders/tags/3.1.6/includes/media.replace.php
 
ghera74--ilGhera Support System for WooCommerce The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'delete_single_ticket_callback' and 'change_ticket_status_callback' functions in all versions up to, and including, 1.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary support tickets and modify their status. 2026-01-06 5.3 CVE-2025-14034 https://www.wordfence.com/threat-intel/vulnerabilities/id/e74fb552-3ef4-47cd-8fe6-8cc1e74b8377?source=cve
https://plugins.trac.wordpress.org/browser/wc-support-system/trunk/includes/class-wc-support-system.php#L1331
https://plugins.trac.wordpress.org/browser/wc-support-system/tags/1.2.6/includes/class-wc-support-system.php#L1331
https://plugins.trac.wordpress.org/browser/wc-support-system/trunk/includes/class-wc-support-system.php#L865
https://plugins.trac.wordpress.org/browser/wc-support-system/tags/1.2.6/includes/class-wc-support-system.php#L865
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3426161%40wc-support-system&new=3426161%40wc-support-system&sfp_email=&sfph_mail=
 
GitLab--GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to create a denial of service condition by providing crafted responses to external API calls. 2026-01-09 6.5 CVE-2025-10569 GitLab Issue #570528
HackerOne Bug Bounty Report #3284689
https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/
 
GitLab--GitLab GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to modify instance-wide AI feature provider settings by exploiting missing authorization checks in GraphQL mutations. 2026-01-09 6.5 CVE-2025-13781 GitLab Issue #578756
HackerOne Bug Bounty Report #3400940
https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/
 
GitLab--GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating GraphQL runner associations. 2026-01-09 5.4 CVE-2025-11246 GitLab Issue #573728
HackerOne Bug Bounty Report #3292475
https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/
 
glenwpcoder--Drag and Drop Multiple File Upload for Contact Form 7 The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. This is due to the plugin not blocking .phar and .svg files. This makes it possible for unauthenticated attackers to upload arbitrary .phar or .svg files containing malicious PHP or JavaScript code. Malicious PHP code can be used to achieve remote code execution on the server via direct file access, if the server is configured to execute .phar files as PHP. The upload of .svg files allows for Stored Cross-Site Scripting under certain circumstances. 2026-01-07 6.1 CVE-2025-14842 https://www.wordfence.com/threat-intel/vulnerabilities/id/c78a0325-5bbf-4550-8477-94247f085e40?source=cve
https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/trunk/inc/dnd-upload-cf7.php#L1116
https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/trunk/inc/dnd-upload-cf7.php#L108
https://plugins.trac.wordpress.org/browser/contact-form-7/trunk/includes/formatting.php#L310
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3428236%40drag-and-drop-multiple-file-upload-contact-form-7%2Ftrunk&old=3415946%40drag-and-drop-multiple-file-upload-contact-form-7%2Ftrunk&sfp_email=&sfph_mail=
 
greenshady--Entry Views The Entry Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'entry-views' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-09 6.4 CVE-2025-13729 https://www.wordfence.com/threat-intel/vulnerabilities/id/0e7e9fcc-804a-46a8-95cd-b358ba7681ec?source=cve
https://plugins.trac.wordpress.org/browser/entry-views/tags/1.0.0/inc/shortcodes.php#L25
https://plugins.trac.wordpress.org/browser/entry-views/tags/1.0.0/inc/shortcodes.php#L36
https://plugins.trac.wordpress.org/browser/entry-views/tags/1.0.0/inc/template.php#L35
 
Guangzhou V--V-SOL GPON/EPON OLT Platform V-SOL GPON/EPON OLT Platform v2.03 contains multiple reflected cross-site scripting vulnerabilities due to improper input sanitization in various script parameters. Attackers can exploit these vulnerabilities by injecting malicious HTML and script code to execute arbitrary scripts in a victim's browser session. 2026-01-07 6.1 CVE-2019-25284 Zero Science Lab Vulnerability Advisory
Packet Storm Security Exploit Entry
IBM X-Force Vulnerability Exchange
CXSecurity Vulnerability Database
VSOL Vendor Homepage
 
guchengwuyue--yshopmall A vulnerability was determined in guchengwuyue yshopmall up to 1.9.1. Affected is the function getPage of the file /api/jobs. This manipulation of the argument sort causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. 2026-01-09 6.3 CVE-2025-15496 VDB-340274 | guchengwuyue yshopmall jobs getPage sql injection
VDB-340274 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #726464 | https://github.com/guchengwuyue/yshopmall yshopmall V1.9.1 SQL Injection
https://github.com/guchengwuyue/yshopmall/issues/39
https://github.com/guchengwuyue/yshopmall/issues/39#issue-3769727898
 
Hakob--Re Gallery & Responsive Photo Gallery Plugin Missing Authorization vulnerability in Hakob Re Gallery & Responsive Photo Gallery Plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Re Gallery & Responsive Photo Gallery Plugin: from n/a through 1.17.18. 2026-01-08 5.3 CVE-2026-22486 https://patchstack.com/database/wordpress/plugin/regallery/vulnerability/wordpress-re-gallery-responsive-photo-gallery-plugin-plugin-1-17-17-broken-access-control-vulnerability?_s_id=cve
 
harfbuzz--harfbuzz HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0. 2026-01-10 5.3 CVE-2026-22693 https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww
https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae
 
hayyatapps--Stylish Order Form Builder The Stylish Order Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'product_name' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-13531 https://www.wordfence.com/threat-intel/vulnerabilities/id/2d9c4d9d-5d4c-4ea9-bf8d-0ee634f9ca7c?source=cve
https://plugins.trac.wordpress.org/browser/stylish-order-form-builder/trunk/functions-admin.php#L74
https://plugins.trac.wordpress.org/browser/stylish-order-form-builder/tags/1.0/functions-admin.php#L74
https://plugins.trac.wordpress.org/browser/stylish-order-form-builder/trunk/Pages/manage-forms/includes/all-products.php#L9
https://plugins.trac.wordpress.org/browser/stylish-order-form-builder/tags/1.0/Pages/manage-forms/includes/all-products.php#L9
 
hblpay--HBLPAY Payment Gateway for WooCommerce The HBLPAY Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'cusdata' parameter in all versions up to, and including, 5.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2026-01-07 6.1 CVE-2025-14875 https://www.wordfence.com/threat-intel/vulnerabilities/id/06362518-f2ee-485f-9e0e-1b1ada9c72db?source=cve
https://plugins.trac.wordpress.org/browser/hblpay-payment-gateway-for-woocommerce/trunk/hblpay-paymentgateway-woocommerce.php#L248
 
HCLSoftware--DevOps Deploy In HCL DevOps Deploy 8.1.2.0 through 8.1.2.3, a user with LLM configuration privileges may be able to recover a credential previously saved for performing authenticated LLM Queries. 2026-01-07 4.9 CVE-2025-62327 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127336
 
helpdeskcom--HelpDesk contact form plugin The HelpDesk contact form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing or incorrect nonce validation on the handle_query_args() function. This makes it possible for unauthenticated attackers to update the plugin's license ID and contact form ID settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-07 4.3 CVE-2025-13657 https://www.wordfence.com/threat-intel/vulnerabilities/id/342ece60-faf1-4fee-bf1e-6f6107f32861?source=cve
https://plugins.trac.wordpress.org/browser/helpdesk-contact-form/trunk/includes/class-admin-page.php#L63
https://plugins.trac.wordpress.org/browser/helpdesk-contact-form/tags/1.1.5/includes/class-admin-page.php#L63
 
IdeaBox Creations--Dashboard Welcome for Beaver Builder Missing Authorization vulnerability in IdeaBox Creations Dashboard Welcome for Beaver Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Dashboard Welcome for Beaver Builder: from n/a through 1.0.8. 2026-01-08 5.3 CVE-2026-22488 https://patchstack.com/database/wordpress/plugin/dashboard-welcome-for-beaver-builder/vulnerability/wordpress-dashboard-welcome-for-beaver-builder-plugin-1-0-8-broken-access-control-vulnerability?_s_id=cve
 
Ideagen--DevonWay Ideagen DevonWay contains a stored cross site scripting vulnerability. A remote, authenticated attacker could craft a payload in the 'Reports' page that executes when another user views the report. Fixed in 2.62.4 and 2.62 LTS. 2026-01-08 5.5 CVE-2026-22587 url
url
 
imtiazrayhan--ConvertForce Popup Builder The ConvertForce Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gutenberg block's `entrance_animation` attribute in all versions up to, and including, 0.0.7. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-10 6.4 CVE-2025-14506 https://www.wordfence.com/threat-intel/vulnerabilities/id/c57b9a78-53f4-40bb-ae6a-c5242b41329f?source=cve
https://plugins.trac.wordpress.org/browser/convertforce-popup-builder/trunk/inc/Blocks/Conversion.php#L47
https://plugins.trac.wordpress.org/browser/convertforce-popup-builder/trunk/inc/Blocks/Conversion.php#L66
https://plugins.trac.wordpress.org/changeset/3419678/
 
indieweb--IndieWeb The IndieWeb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Telephone' parameter in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-09 6.4 CVE-2025-14893 https://www.wordfence.com/threat-intel/vulnerabilities/id/b29f0fea-a2db-4b2e-b7b8-d15b2395e9e6?source=cve
https://plugins.trac.wordpress.org/changeset/3423983/
 
infosatech--WP Page Permalink Extension The WP Page Permalink Extension plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.4. This is due to missing authorization checks on the `cwpp_trigger_flush_rewrite_rules` function hooked to `wp_ajax_cwpp_trigger_flush_rewrite_rules`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to flush the site's rewrite rules via the `action` parameter. 2026-01-09 6.5 CVE-2025-14172 https://www.wordfence.com/threat-intel/vulnerabilities/id/c5ba37d7-8fde-4ee3-93db-d2459da34bc4?source=cve
https://plugins.trac.wordpress.org/browser/change-wp-page-permalinks/trunk/change-wp-page-permalinks.php#L188
https://plugins.trac.wordpress.org/browser/change-wp-page-permalinks/tags/1.5.4/change-wp-page-permalinks.php#L188
 
INIM Electronics s.r.l.--Smartliving SmartLAN/G/SI Smartliving SmartLAN/G/SI <=6.x contains an unauthenticated server-side request forgery vulnerability in the GetImage functionality through the 'host' parameter. Attackers can exploit the onvif.cgi endpoint by specifying external domains to bypass firewalls and perform network enumeration through arbitrary HTTP requests. 2026-01-07 5.3 CVE-2019-25290 Zero Science Lab Vulnerability Advisory
Exploit Database Entry 47764
Packet Storm Security Exploit File
IBM X-Force Vulnerability Exchange Entry
INIM Vendor Homepage
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below have an Out-of-bounds Read, Use of Out-of-range Pointer Offset and have Improper Input Validation in its CIccProfile::LoadTag function. This issue is fixed in version 2.3.1.2. 2026-01-06 6.1 CVE-2026-21487 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-xq7x-9524-f7cp
https://github.com/InternationalColorConsortium/iccDEV/issues/340
https://github.com/InternationalColorConsortium/iccDEV/commit/1516e2cafc253bb06fd3700d589a4ed0f09f7bd6
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Out-of-bounds Read, Heap-based Buffer Overflow and Improper Null Termination through its CIccTagText::Read function. This issue is fixed in version 2.3.1.2. 2026-01-06 6.1 CVE-2026-21488 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-4j2g-rvv4-86vg
https://github.com/InternationalColorConsortium/iccDEV/commit/9daaccceb231c43db8cab312ee5bbe9d2aa6b153
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below have Out-of-bounds Read and Integer Underflow (Wrap or Wraparound) vulnerabilities in its CIccCalculatorFunc::SequenceNeedTempReset function. This issue is fixed in version 2.3.1.2. 2026-01-06 6.1 CVE-2026-21489 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-ph89-6q5h-wfw5
https://github.com/InternationalColorConsortium/iccDEV/commit/cfabfe52c9c7eb0481b62c8aad56580bb11efdad
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in heap buffer overflow in `CIccTagLut16::Validate()`. Version 2.3.1.2 contains a patch. No known workarounds are available. 2026-01-06 6.1 CVE-2026-21490 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-9q9c-699q-xr2q
https://github.com/InternationalColorConsortium/iccDEV/issues/397
https://github.com/InternationalColorConsortium/iccDEV/commit/7c2cb719a9de1c00844e457e070d657314383ee3
https://github.com/InternationalColorConsortium/iccDEV/commit/e91fe722ac54ce497d410153e7405090e0565d7b
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in unicode buffer overflow in `CIccTagTextDescription`. Version 2.3.1.2 contains a patch. No known workarounds are available. 2026-01-06 6.1 CVE-2026-21491 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-4pv4-4x2x-6j88
https://github.com/InternationalColorConsortium/iccDEV/issues/396
https://github.com/InternationalColorConsortium/iccDEV/commit/7c2cb719a9de1c00844e457e070d657314383ee3
https://github.com/InternationalColorConsortium/iccDEV/commit/e91fe722ac54ce497d410153e7405090e0565d7b
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Type Confusion in its CIccSingleSampledeCurveXml class during XML Curve Serialization. This issue is fixed in version 2.3.1.2. 2026-01-06 6.6 CVE-2026-21493 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-p85g-f9q7-jmjx
https://github.com/InternationalColorConsortium/iccDEV/issues/358
https://github.com/InternationalColorConsortium/iccDEV/commit/7ff76d1471077172f9659de8d9536443eac7c48f
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in heap buffer overflow in `CIccTagLut8::Validate()`. Version 2.3.1.2 contains a patch. No known workarounds are available. 2026-01-06 6.1 CVE-2026-21494 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-hjxv-xr7w-84fc
https://github.com/InternationalColorConsortium/iccDEV/issues/398
https://github.com/InternationalColorConsortium/iccDEV/commit/7c2cb719a9de1c00844e457e070d657314383ee3
https://github.com/InternationalColorConsortium/iccDEV/commit/e91fe722ac54ce497d410153e7405090e0565d7b
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV has undefined behavior due to a null pointer passed to memcpy() in CIccTagSparseMatrixArray. This issue has been patched in version 2.3.1.2. 2026-01-07 6.1 CVE-2026-21503 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-h554-qrfh-53gx
https://github.com/InternationalColorConsortium/iccDEV/issues/367
https://github.com/InternationalColorConsortium/iccDEV/pull/417
https://github.com/InternationalColorConsortium/iccDEV/commit/55259a6395c4f6124b5d0e38469c77412926bd3d
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to heap buffer overflow in the ToneMap parser. This issue has been patched in version 2.3.1.2. 2026-01-07 6.6 CVE-2026-21504 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-rqp9-r53c-3m9h
https://github.com/InternationalColorConsortium/iccDEV/issues/366
https://github.com/InternationalColorConsortium/iccDEV/pull/415
https://github.com/InternationalColorConsortium/iccDEV/commit/14fe3785e6b1f9992375b2a24617a0d7f6a70f95
https://github.com/InternationalColorConsortium/iccDEV/commit/23a38f83f2a5874a1c4427df59ec342af3277cad
https://github.com/InternationalColorConsortium/iccDEV/blob/798be59011649a26a529600cc3cd56437634d3d0/IccProfLib/IccMpeBasic.cpp#L4557
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a NULL pointer dereference vulnerability. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. 2026-01-07 6.5 CVE-2026-21680 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-mgp7-w4w3-mhx4
https://github.com/InternationalColorConsortium/iccDEV/issues/322
https://github.com/InternationalColorConsortium/iccDEV/pull/325
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccProfileXml::ParseBasic()` at `IccXML/IccLibXML/IccProfileXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. 2026-01-07 6.5 CVE-2026-21689 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-5rqc-w93q-589m
https://github.com/InternationalColorConsortium/iccDEV/issues/382
https://github.com/InternationalColorConsortium/iccDEV/pull/423
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccTagXmlTagData::ToXml()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. 2026-01-07 6.3 CVE-2026-21690 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-2f26-vh48-38g6
https://github.com/InternationalColorConsortium/iccDEV/issues/393
https://github.com/InternationalColorConsortium/iccDEV/pull/426
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a NULL pointer member call vulnerability. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. 2026-01-06 5.5 CVE-2026-21492 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-xpq3-v3jj-mgvx
https://github.com/InternationalColorConsortium/iccDEV/issues/394
https://github.com/InternationalColorConsortium/iccDEV/pull/401
https://github.com/InternationalColorConsortium/iccDEV/commit/b200a629ada310137d6ae5c53fc9e6d91a4b0dae
https://github.com/InternationalColorConsortium/iccDEV/commit/e72361d215351cbac0002466c4f936e94d6a99e7
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to division by zero in the TIFF Image Reader. This issue has been patched in version 2.3.1.2. 2026-01-07 5.5 CVE-2026-21495 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-xhrm-79rg-5784
https://github.com/InternationalColorConsortium/iccDEV/commit/10c34179a0332a869c2b46e305a9cd23a6311dfe
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the signature parser. This issue has been patched in version 2.3.1.2. 2026-01-07 5.5 CVE-2026-21496 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-wj8m-6w77-r4rw
https://github.com/InternationalColorConsortium/iccDEV/issues/381
https://github.com/InternationalColorConsortium/iccDEV/pull/405
https://github.com/InternationalColorConsortium/iccDEV/commit/0e51ceb427925b7e22f0465547df7506d35cda1c
https://github.com/InternationalColorConsortium/iccDEV/commit/b5ad23aceece3789bdf1c47bae1ecf9d7bfcd26d
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via an unknown tag parser. This issue has been patched in version 2.3.1.2. 2026-01-07 5.5 CVE-2026-21497 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-7gv7-cmrv-4j85
https://github.com/InternationalColorConsortium/iccDEV/issues/374
https://github.com/InternationalColorConsortium/iccDEV/pull/403
https://github.com/InternationalColorConsortium/iccDEV/commit/9419cac7f084197941994b8b9d17def204008385
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the XML calculator parser. This issue has been patched in version 2.3.1.2. 2026-01-07 5.5 CVE-2026-21498 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-6822-qvxq-m736
https://github.com/InternationalColorConsortium/iccDEV/issues/375
https://github.com/InternationalColorConsortium/iccDEV/pull/404
https://github.com/InternationalColorConsortium/iccDEV/commit/75f124f40ba45491211cb4b67f0e05b7c7d59553
https://github.com/InternationalColorConsortium/iccDEV/commit/bdfa31940726aaabb0a6f19194d9062ba0598959
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the XML parser. This issue has been patched in version 2.3.1.2. 2026-01-07 5.5 CVE-2026-21499 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-c3pv-2cpf-7v2p
https://github.com/InternationalColorConsortium/iccDEV/issues/372
https://github.com/InternationalColorConsortium/iccDEV/pull/412
https://github.com/InternationalColorConsortium/iccDEV/commit/00c03013e11b35ddbd7caae4368d1add185849d9
https://github.com/InternationalColorConsortium/iccDEV/commit/af299895bbcbecca6f67d6dc3d8e1dc92f1fc3fa
https://github.com/InternationalColorConsortium/iccDEV/blob/8e71f0a701abcbd554725ba7b70258203e682a61/IccXML/IccLibXML/IccProfileXml.cpp#L477
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to stack overflow in the XML calculator macro expansion. This issue has been patched in version 2.3.1.2. 2026-01-07 5.5 CVE-2026-21500 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-4h4j-mm9w-2cp4
https://github.com/InternationalColorConsortium/iccDEV/issues/384
https://github.com/InternationalColorConsortium/iccDEV/pull/406
https://github.com/InternationalColorConsortium/iccDEV/commit/cce5f9b68a6c067b7ef898ccd5b000770745fb14
https://github.com/InternationalColorConsortium/iccDEV/commit/f295826a6f15add90490030f23b2ddd8593bff5b
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to stack overflow in the calculator parser. This issue has been patched in version 2.3.1.2. 2026-01-07 5.5 CVE-2026-21501 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-x7hw-h22p-2x4w
https://github.com/InternationalColorConsortium/iccDEV/issues/365
https://github.com/InternationalColorConsortium/iccDEV/pull/413
https://github.com/InternationalColorConsortium/iccDEV/commit/798be59011649a26a529600cc3cd56437634d3d0
https://github.com/InternationalColorConsortium/iccDEV/commit/f3056ed99935d479091470127ad16f8be1912bb7
https://github.com/InternationalColorConsortium/iccDEV/blob/8e71f0a701abcbd554725ba7b70258203e682a61/IccProfLib/IccMpeCalc.cpp#L4588
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the XML tag parser. This issue has been patched in version 2.3.1.2. 2026-01-07 5.5 CVE-2026-21502 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-67r8-q3mh-42j6
https://github.com/InternationalColorConsortium/iccDEV/issues/368
https://github.com/InternationalColorConsortium/iccDEV/pull/407
https://github.com/InternationalColorConsortium/iccDEV/commit/d04c236775e89a029f93efcc242fdb1fbc245a1c
https://github.com/InternationalColorConsortium/iccDEV/commit/d9e42a1fb2606e25e498eb94f34f6da89f522e35
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV has undefined behavior due to an invalid enum value. This issue has been patched in version 2.3.1.2. 2026-01-07 5.5 CVE-2026-21505 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-j577-8285-qrf9
https://github.com/InternationalColorConsortium/iccDEV/issues/361
https://github.com/InternationalColorConsortium/iccDEV/pull/419
https://github.com/InternationalColorConsortium/iccDEV/commit/3bbe2088b2796cf0aa4f7fa19f7ccd9ad1c7aba5
https://github.com/InternationalColorConsortium/iccDEV/commit/b1bb72fc3e9442ee1355aabae7314bb7d3fc9d41
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to Null pointer dereference in CIccProfileXml::ParseBasic(), leading to denial of service. This issue has been patched in version 2.3.1.2. 2026-01-07 5.5 CVE-2026-21506 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-wfm7-m548-x4vp
https://github.com/InternationalColorConsortium/iccDEV/issues/371
https://github.com/InternationalColorConsortium/iccDEV/pull/418
https://github.com/InternationalColorConsortium/iccDEV/commit/f2ea32372ad3ebbd29147940229cb9c5548fe033
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccTag:IsTypeCompressed()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. 2026-01-07 5.4 CVE-2026-21691 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-c9q5-x498-jv92
https://github.com/InternationalColorConsortium/iccDEV/issues/392
https://github.com/InternationalColorConsortium/iccDEV/pull/426
 
INTINITUM FORM--Geo Controller Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in INTINITUM FORM Geo Controller allows DOM-Based XSS.This issue affects Geo Controller: from n/a through 8.5.2. 2026-01-05 6.5 CVE-2023-51513 https://vdp.patchstack.com/database/wordpress/plugin/cf-geoplugin/vulnerability/wordpress-geo-controller-plugin-8-5-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
itsourcecode--Society Management System A vulnerability was identified in itsourcecode Society Management System 1.0. This affects an unknown part of the file /admin/edit_activity_query.php. The manipulation of the argument Title leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used. 2026-01-05 6.3 CVE-2026-0582 VDB-339474 | itsourcecode Society Management System edit_activity_query.php sql injection
VDB-339474 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731207 | itsourcecode Society Management System V1.0 SQL Injection
https://github.com/xiaotsai/tttt/issues/2
https://itsourcecode.com/
 
ivole--Customer Reviews for WooCommerce The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'displayName' parameter in all versions up to, and including, 5.93.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with customer-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. While it is possible to invoke the AJAX action without authentication, the attacker would need to know a valid form ID, which requires them to place an order. This vulnerability can be exploited by unauthenticated attackers if guest checkout is enabled. However, the form ID still needs to be obtained through placing an order. 2026-01-07 6.4 CVE-2025-14891 https://www.wordfence.com/threat-intel/vulnerabilities/id/88e4eec2-2861-4d1d-97eb-67887f59c745?source=cve
https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/trunk/includes/reminders/class-cr-local-forms-ajax.php#L76
https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/trunk/templates/form-customer.php#L19
https://plugins.trac.wordpress.org/changeset/3424980/customer-reviews-woocommerce
 
iWT Ltd.--FaceSentry Access Control System FaceSentry Access Control System 6.4.8 contains a cross-site scripting vulnerability in the 'msg' parameter of pluginInstall.php that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated input to execute arbitrary JavaScript in victim browsers, potentially stealing authentication credentials and conducting phishing attacks. 2026-01-07 6.1 CVE-2019-25277 Zero Science Lab Vulnerability Advisory
Packet Storm Security Exploit Entry
CXSecurity Vulnerability Listing
IBM X-Force Vulnerability Exchange
 
jegstudio--Gutenverse Form Contact Form Builder, Booking, Reservation, Subscribe for Block Editor The Gutenverse Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file upload in all versions up to, and including, 2.3.2. This is due to the plugin's framework component adding SVG to the allowed MIME types via the upload_mimes filter without implementing any sanitization of SVG file contents. This makes it possible for authenticated attackers, with Author-level access and above, to upload SVG files containing malicious JavaScript that executes when the file is viewed, leading to arbitrary JavaScript execution in victims' browsers. 2026-01-08 6.4 CVE-2025-14984 https://www.wordfence.com/threat-intel/vulnerabilities/id/792fa6cb-e55a-4f68-b8a8-9039fb1ff694?source=cve
https://plugins.trac.wordpress.org/browser/gutenverse-form/tags/2.3.2/lib/framework/includes/class-init.php#L837
https://plugins.trac.wordpress.org/browser/gutenverse-form/tags/2.3.2/lib/framework/includes/class-init.php#L169
https://plugins.trac.wordpress.org/changeset/3427504/gutenverse-form/trunk/lib/framework/includes/class-init.php?old=3395520&old_path=gutenverse-form%2Ftrunk%2Flib%2Fframework%2Fincludes%2Fclass-init.php
 
jegtheme--Jeg Kit for Elementor Powerful Addons for Elementor, Widgets & Templates for WordPress The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.0.1 due to insufficient input sanitization in the countdown widget's redirect functionality. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary JavaScript that will execute when an administrator or other user views the page containing the malicious countdown element. 2026-01-08 6.4 CVE-2025-14275 https://www.wordfence.com/threat-intel/vulnerabilities/id/8fcb4047-5173-4d10-a4bb-72f1919b9203?source=cve
https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/tags/3.0.1/assets/js/elements/countdown.js#L1
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3432624%40jeg-elementor-kit%2Ftrunk&old=3379532%40jeg-elementor-kit%2Ftrunk&sfp_email=&sfph_mail=
 
jiujiujia--jjjfood A vulnerability has been found in jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food up to 20260103. This vulnerability affects unknown code of the file /index.php/api/product.category/index. Such manipulation of the argument latitude leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product is distributed under multiple different names. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-11 6.3 CVE-2026-0843 VDB-340443 | jiujiujia/victor123/wxw850227 jjjfood/jjjshop_food index sql injection
VDB-340443 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731001 | https://www.jiujiujia.net/ PHP-based Three-Dot Ordering System Vulnerable to SQL Injection lasest SQL Injection
http://101.200.76.102:38765/qwertyuiop/qwsdfvbnm/1/vuldb/JJJshop/EnglishVers%E4%B8%89%E5%8B%BE%E7%82%B9%E9%A4%90%E7%B3%BB%E7%BB%9FPHP%E7%89%88%E5%AD%98%E5%9C%A8product.category.indexSQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.pdf
 
jonua--Table Field Add-on for ACF and SCF The Table Field Add-on for ACF and SCF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table Cell Content in all versions up to, and including, 1.3.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-06 6.4 CVE-2025-12067 https://www.wordfence.com/threat-intel/vulnerabilities/id/93f80716-a95b-49fc-805f-446d4723ca77?source=cve
https://plugins.trac.wordpress.org/changeset/3386339/
 
jseto--Travel Bucket List Wish To Go The Wish To Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-14053 https://www.wordfence.com/threat-intel/vulnerabilities/id/02b9450e-422f-45f1-a55b-cf401e39247c?source=cve
https://plugins.trac.wordpress.org/browser/wish-to-go/trunk/wish-to-go.php#L124
https://plugins.trac.wordpress.org/browser/wish-to-go/tags/0.5.2/wish-to-go.php#L124
 
kanboard--kanboard Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below have an LDAP Injection vulnerability in the LDAP authentication mechanism. User-supplied input is directly substituted into LDAP search filters without proper sanitization, allowing attackers to enumerate all LDAP users, discover sensitive user attributes, and perform targeted attacks against specific accounts. This issue is fixed in version 1.2.49. 2026-01-08 5.3 CVE-2026-21880 https://github.com/kanboard/kanboard/security/advisories/GHSA-v66r-m28r-wmq7
https://github.com/kanboard/kanboard/commit/dd374079f7c2d1dab74c1680960e684ff8668586
https://github.com/kanboard/kanboard/releases/tag/v1.2.49
 
kanboard--kanboard Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below are vulnerable to an Open Redirect attack that allows malicious actors to redirect authenticated users to attacker-controlled websites. By crafting URLs such as //evil.com, attackers can bypass the filter_var($url, FILTER_VALIDATE_URL) validation check. This vulnerability could be exploited to conduct phishing attacks, steal user credentials, or distribute malware. The issue is fixed in version 1.2.49. 2026-01-08 4.7 CVE-2026-21879 https://github.com/kanboard/kanboard/security/advisories/GHSA-mhv9-7m9w-7hcq
https://github.com/kanboard/kanboard/commit/93bcae03301a6d34185a8dba977417e6b3de519f
https://github.com/kanboard/kanboard/releases/tag/v1.2.49
 
kentothemes--Latest Tabs The Latest Tabs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the settings update handler in admin-page.php. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-07 4.3 CVE-2025-14999 https://www.wordfence.com/threat-intel/vulnerabilities/id/837f49e6-dcba-4451-bbbe-14890ab87207?source=cve
https://plugins.trac.wordpress.org/browser/kento-latest-tabs/trunk/admin-page.php#L7
 
kodezen--aBlocks WordPress Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & GSAP Animation Builder The aBlocks - WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJAX actions in all versions up to, and including, 2.4.0. This makes it possible for authenticated attackers, with subscriber level access and above, to read plugin settings including block visibility, maintenance mode configuration, and third-party email marketing API keys, as well as read sensitive configuration data including API keys for email marketing services. 2026-01-07 5.4 CVE-2025-12449 https://www.wordfence.com/threat-intel/vulnerabilities/id/c10600ae-1ff0-4f12-ae53-39d9342640f4?source=cve
https://plugins.trac.wordpress.org/browser/ablocks/tags/2.4.0/includes/ajax/settings.php#L16
https://plugins.trac.wordpress.org/browser/ablocks/tags/2.4.0/includes/classes/abstract-request-handler.php#L486
https://plugins.trac.wordpress.org/browser/ablocks/tags/2.4.0/includes/assets.php#L353
 
kromitgmbh--titra Titra is open source project time tracking software. Versions 0.99.49 and below have Improper Access Control, allowing users to view and edit other users' time entries in private projects they have not been granted access to. This issue is fixed in version 0.99.50. 2026-01-07 6.8 CVE-2026-21694 https://github.com/kromitgmbh/titra/security/advisories/GHSA-mr2r-wjf8-cj3c
https://github.com/kromitgmbh/titra/commit/29e6b88eca005107729e45a6f1731cf0fa5f8938
 
kromitgmbh--titra Titra is open source project time tracking software. In versions 0.99.49 and below, an API has a Mass Assignment vulnerability which allows authenticated users to inject arbitrary fields into time entries, bypassing business logic controls via the customfields parameter. The affected endpoint uses the JavaScript spread operator (...customfields) to merge user-controlled input directly into the database document. While customfields is validated as an Object type, there is no validation of which keys are permitted inside that object. This allows attackers to overwrite protected fields such as userId, hours, and state. The issue is fixed in version 0.99.50. 2026-01-07 4.3 CVE-2026-21695 https://github.com/kromitgmbh/titra/security/advisories/GHSA-gc65-vr47-jppq
https://github.com/kromitgmbh/titra/commit/29e6b88eca005107729e45a6f1731cf0fa5f8938
 
Leica Geosystems AG--Leica Geosystems GR10/GR25/GR30/GR50 GNSS Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can trick logged-in users into executing unauthorized actions by crafting malicious web pages that submit requests to the application. 2026-01-07 5.3 CVE-2019-25259 Zero Science Lab Vulnerability Advisory
Exploit Database Entry 46090
Packet Storm Security Exploit File
IBM X-Force Vulnerability Exchange Entry
Leica Geosystems Vendor Homepage
 
liangshao--Flashcard Plugin for WordPress The Flashcard plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.9 via the 'source' attribute of the 'flashcard' shortcode. This makes it possible for authenticated attackers, with contributor level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. 2026-01-07 6.5 CVE-2025-14867 https://www.wordfence.com/threat-intel/vulnerabilities/id/f4fcc6e5-1f90-41e7-8d5a-2bfe8cbf46fa?source=cve
https://plugins.trac.wordpress.org/browser/flashcard/tags/0.9/flashcard.php?marks=73,109#L73
 
lnbadmin1--Nearby Now Reviews The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data_tech' parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-09 6.4 CVE-2025-13853 https://www.wordfence.com/threat-intel/vulnerabilities/id/8dc991ea-0d00-4734-9b9a-5af759e83540?source=cve
https://plugins.trac.wordpress.org/browser/nearby-now-reviews/trunk/nn-reviews.php#L160
https://plugins.trac.wordpress.org/browser/nearby-now-reviews/tags/5.2/nn-reviews.php#L160
 
loopus--WP Cost Estimation & Payment Forms Builder The WP Cost Estimation plugin for WordPress is vulnerable to Upload Directory Traversal in versions before 9.660 via the uploadFormFiles function. This allows attackers to overwrite any file with a whitelisted type on an affected site. 2026-01-08 6.5 CVE-2019-25295 https://www.wordfence.com/threat-intel/vulnerabilities/id/65a9e877-e870-4e36-985d-c0629abe3f78?source=cve
https://www.wordfence.com/blog/2019/02/vulnerabilities-patched-in-wp-cost-estimation-plugin/
https://codecanyon.net/item/wp-cost-estimation-payment-forms-builder/7818230
 
mamurjor--Mamurjor Employee Info The Mamurjor Employee Info plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to create, update, or delete employee records, departments, designations, salary grades, education records, and salary payments via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-07 4.3 CVE-2025-13990 https://www.wordfence.com/threat-intel/vulnerabilities/id/8e323b87-7b2e-4e5c-94a4-a4a0712f50ba?source=cve
https://plugins.trac.wordpress.org/browser/mamurjor-employee-info/trunk/admin/admin.php#L10
https://plugins.trac.wordpress.org/browser/mamurjor-employee-info/trunk/admin/admin.php#L30
https://plugins.trac.wordpress.org/browser/mamurjor-employee-info/trunk/admin/admin.php#L47
https://plugins.trac.wordpress.org/browser/mamurjor-employee-info/tags/1.0.0/admin/admin.php#L10
https://plugins.trac.wordpress.org/browser/mamurjor-employee-info/tags/1.0.0/admin/admin.php#L30
https://plugins.trac.wordpress.org/browser/mamurjor-employee-info/tags/1.0.0/admin/admin.php#L47
 
manchumahara--CBX Bookmark & Favorite The CBX Bookmark & Favorite plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-01-06 6.5 CVE-2025-13652 https://www.wordfence.com/threat-intel/vulnerabilities/id/a8839665-8f98-4c81-b234-9201236e0194?source=cve
https://plugins.trac.wordpress.org/changeset/3413499/
 
marceljm--Featured Image from URL (FIFU) The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() function in the Elementor widget integration. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via the fifu_input_url parameter in the FIFU Elementor widget granted they have permissions to use Elementor. 2026-01-10 4.3 CVE-2025-13393 https://www.wordfence.com/threat-intel/vulnerabilities/id/b7115070-b84d-4d69-993a-f512b9f9c081?source=cve
https://plugins.trac.wordpress.org/browser/featured-image-from-url/trunk/elementor/widgets/widget.php#L94
https://plugins.trac.wordpress.org/browser/featured-image-from-url/trunk/elementor/widgets/widget.php#L121
https://research.cleantalk.org/cve-2025-13393/
https://plugins.trac.wordpress.org/changeset/3428744/
 
Marketing Fire, LLC--LoginWP - Pro Missing Authorization vulnerability in Marketing Fire, LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5. 2026-01-05 6.5 CVE-2025-39561 https://vdp.patchstack.com/database/wordpress/plugin/loginwp-pro/vulnerability/wordpress-loginwp-pro-plugin-4-0-8-5-broken-access-control-vulnerability?_s_id=cve
 
mastodon--mastodon Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code allowing users to download lists of severed relationships for a particular event fails to check the owner of the list before returning the lost relationships. Any registered local user can access the list of lost followers and followed users caused by any severance event, and go through all severance events this way. The leaked information does not include the name of the account which has lost follows and followers. This has been fixed in Mastodon v4.3.17, v4.4.11 and v4.5.4. 2026-01-08 6.5 CVE-2026-22246 https://github.com/mastodon/mastodon/security/advisories/GHSA-ww85-x9cp-5v24
https://github.com/mastodon/mastodon/commit/68e30985ca7afdb89af1b2e9dc962e1993dc8076
https://github.com/mastodon/mastodon/commit/b2bcd34486fd6681cc0f30028086ef0f47282adf
https://github.com/mastodon/mastodon/commit/c1fb6893c5175d74c074f6f786d504c8bc610d57
 
matiasanca--Cool YT Player The Cool YT Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'videoid' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-13849 https://www.wordfence.com/threat-intel/vulnerabilities/id/590bdf82-8006-4729-96e5-42b0d1552d19?source=cve
https://plugins.trac.wordpress.org/browser/cool-yt-player/trunk/includes/youtube_video_wrapper.php#L58
https://plugins.trac.wordpress.org/browser/cool-yt-player/tags/1.0/includes/youtube_video_wrapper.php#L58
 
mattiaspkallio--Snillrik Restaurant The Snillrik Restaurant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'menu_style' shortcode attribute in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-14112 https://www.wordfence.com/threat-intel/vulnerabilities/id/5fb52c19-6816-423d-ab3a-6b5b2ff21e03?source=cve
https://plugins.trac.wordpress.org/browser/snillrik-restaurant-menu/trunk/classes/shortcodes.php#L42
https://plugins.trac.wordpress.org/browser/snillrik-restaurant-menu/tags/2.2.1/classes/shortcodes.php#L42
 
metodiew--Quote Comments The Quote Comments plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.0.0. This is due to missing authorization checks in the quotecomments_add_admin function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin options via the 'action' parameter. 2026-01-07 5.3 CVE-2025-14370 https://www.wordfence.com/threat-intel/vulnerabilities/id/1ebe0767-db22-4995-bdf1-5ebb48f960e9?source=cve
https://plugins.trac.wordpress.org/browser/quote-comments/tags/3.0.0/quote-comments.php#L309
 
Microsoft--Microsoft Edge for Android User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an authorized attacker to perform spoofing over a network. 2026-01-07 5.5 CVE-2025-62224 Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability
 
miniflux--v2 Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting `/proxy/...` URL makes Miniflux fetch and return the internal response. Version 2.2.16 fixes the issue. 2026-01-08 6.5 CVE-2026-21885 https://github.com/miniflux/v2/security/advisories/GHSA-xwh2-742g-w3wp
 
minnur--External Media Server-Side Request Forgery (SSRF) vulnerability in minnur External Media allows Server Side Request Forgery.This issue affects External Media: from n/a through 1.0.36. 2026-01-07 4.9 CVE-2025-49335 https://patchstack.com/database/wordpress/plugin/external-media/vulnerability/wordpress-external-media-plugin-1-0-36-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
 
mitchoyoshitaka--Stumble! for WordPress The Stumble! for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2026-01-07 6.1 CVE-2025-14128 https://www.wordfence.com/threat-intel/vulnerabilities/id/19e1421d-8cb4-44b6-a982-769539b19582?source=cve
https://wordpress.org/plugins/stumble-for-wordpress/
https://plugins.trac.wordpress.org/browser/stumble-for-wordpress/trunk/stumble.php#L143
https://plugins.trac.wordpress.org/browser/stumble-for-wordpress/tags/1.1.1/stumble.php#L143
 
mohammed_kaludi--AMP for WP Accelerated Mobile Pages The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file. 2026-01-09 6.4 CVE-2026-0627 https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed23318-3b47-4336-a3aa-6b09f3911926?source=cve
https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/trunk/templates/features.php#L10373
https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.1.10/templates/features.php#L10373
https://plugins.trac.wordpress.org/changeset/3434946/accelerated-mobile-pages/trunk/templates/features.php?old=3426181&old_path=accelerated-mobile-pages%2Ftrunk%2Ftemplates%2Ffeatures.php
 
mohammed_kaludi--AMP for WP Accelerated Mobile Pages The AMP for WP - Accelerated Mobile Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to inverted nonce verification logic in the amp_theme_ajaxcomments AJAX handler, which rejects requests with VALID nonces and accepts requests with MISSING or INVALID nonces. This makes it possible for unauthenticated attackers to submit comments on behalf of logged-in users via a forged request granted they can trick a user into performing an action such as clicking on a link, and the plugin's template mode is enabled. 2026-01-07 4.3 CVE-2025-14468 https://www.wordfence.com/threat-intel/vulnerabilities/id/0d195034-4617-474d-a4b1-b299c1607f89?source=cve
https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.1.9/templates/template-mode/template-mode.php#L119
https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.1.9/templates/template-mode/template-mode.php#L50
https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.1.9/templates/template-mode/template-mode.php#L698
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3426181%40accelerated-mobile-pages%2Ftrunk&old=3402644%40accelerated-mobile-pages%2Ftrunk&sfp_email=&sfph_mail=#file4
 
moosend--Moosend Landing Pages The Moosend Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the moosend_landings_auth_get function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the 'moosend_landing_api_key' option value. 2026-01-07 5.3 CVE-2025-13496 https://www.wordfence.com/threat-intel/vulnerabilities/id/eeb4b3b1-47ae-4314-a386-832949456f81?source=cve
https://plugins.trac.wordpress.org/browser/moosend-landing-pages/trunk/forms/auth-request.php#L7
https://plugins.trac.wordpress.org/browser/moosend-landing-pages/tags/1.1.6/forms/auth-request.php#L7
 
mountaingrafix--MG AdvancedOptions The MG AdvancedOptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2026-01-09 6.1 CVE-2025-13892 https://www.wordfence.com/threat-intel/vulnerabilities/id/86358a01-bf69-4a7f-8b78-a0d42d362d96?source=cve
https://plugins.trac.wordpress.org/browser/mg-advancedoptions/trunk/mg-advancedoptions/MG_AdvancedOptions.php#L96
https://plugins.trac.wordpress.org/browser/mg-advancedoptions/trunk/mg-advancedoptions/MG_AdvancedOptions.php#L58
 
mstoic--Mstoic Shortcodes The Mstoic Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'start' parameter of the ms_youtube_embeds shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-14144 https://www.wordfence.com/threat-intel/vulnerabilities/id/6e83c039-9b15-4e0c-8b07-3b906938c138?source=cve
https://plugins.trac.wordpress.org/browser/mstoic-shortcodes/trunk/functions/shortcodes/youtube_embeds.php#L117
https://plugins.trac.wordpress.org/browser/mstoic-shortcodes/tags/2.0/functions/shortcodes/youtube_embeds.php#L117
 
mtcaptcha--MTCaptcha WordPress Plugin The MTCaptcha WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin settings, including sensitive values like the private key, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-07 4.3 CVE-2025-13520 https://www.wordfence.com/threat-intel/vulnerabilities/id/e8c1e568-7170-40d6-b522-2c89725e0501?source=cve
https://plugins.trac.wordpress.org/browser/mtcaptcha/trunk/mt-captcha.php#L410
https://plugins.trac.wordpress.org/browser/mtcaptcha/tags/2.7.2/mt-captcha.php#L410
 
Munir Kamal--Block Slider Missing Authorization vulnerability in Munir Kamal Block Slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Block Slider: from n/a through 2.2.3. 2026-01-08 6.5 CVE-2026-22522 https://patchstack.com/database/wordpress/plugin/block-slider/vulnerability/wordpress-block-slider-plugin-2-2-3-broken-access-control-vulnerability?_s_id=cve
 
N/A--Elliptic The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. This happens, because the byte-length of 'k' is incorrectly computed, resulting in its getting truncated during the computation. Legitimate transactions or communications will be broken as a result. Furthermore, due to the nature of the fault, attackers could-under certain conditions-derive the secret key, if they could get their hands on both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs. This issue affects all known versions of Elliptic (at the time of writing, versions less than or equal to 6.6.1). 2026-01-08 5.6 CVE-2025-14505 https://www.herodevs.com/vulnerability-directory/cve-2025-14505
https://github.com/indutny/elliptic/issues/321
 
n/a--invoiceninja A security vulnerability has been detected in invoiceninja up to 5.12.38. The affected element is the function copy of the file /app/Jobs/Util/Import.php of the component Migration Import. The manipulation of the argument company_logo leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-07 4.7 CVE-2026-0649 VDB-339720 | invoiceninja Migration Import Import.php copy server-side request forgery
VDB-339720 | CTI Indicators (IOB, IOC, IOA)
Submit #721323 | invoiceninja <= 5.12.38. ssrf
https://note-hxlab.wetolink.com/share/fWqEpn5fX4rH
 
n/a--milvus A security vulnerability has been detected in milvus up to 2.6.7. This vulnerability affects the function expr.Exec of the file pkg/util/expr/expr.go of the component HTTP Endpoint. The manipulation of the argument code leads to deserialization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. A fix is planned for the next release 2.6.8. 2026-01-05 6.3 CVE-2025-15453 VDB-339486 | milvus HTTP Endpoint expr.go expr.Exec deserialization
VDB-339486 | CTI Indicators (IOB, IOC, IOA)
Submit #719061 | milvus-io milvus latest Not Safe Remote Expression Execution
https://github.com/milvus-io/milvus/issues/46442
https://github.com/milvus-io/milvus/issues/46442#issuecomment-3672197450
https://github.com/milvus-io/milvus/issues/46442#issue-3743414836
https://github.com/milvus-io/milvus/milestone/139
 
n8n-io--n8n n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stripe webhook signing secret when registering the webhook endpoint, but incoming webhook requests were not verified against this secret. As a result, any HTTP client that knows the webhook URL could send a POST request containing a matching event type, causing the workflow to execute as if a legitimate Stripe event had been received. This issue affects n8n users who have active workflows using the Stripe Trigger node. An attacker could potentially fake payment or subscription events and influence downstream workflow behavior. The practical risk is reduced by the fact that the webhook URL contains a high-entropy UUID; however, authenticated n8n users with access to the workflow can view this webhook ID. This issue has been patched in version 2.2.2. A temporary workaround for this issue involves users deactivating affected workflows or restricting access to workflows containing Stripe Trigger nodes to trusted users only. 2026-01-08 6.5 CVE-2026-21894 https://github.com/n8n-io/n8n/security/advisories/GHSA-jf52-3f2h-h9j5
https://github.com/n8n-io/n8n/pull/22764
https://github.com/n8n-io/n8n/commit/a61a5991093c41863506888336e808ac1eff8d59
 
nahian91--Awesome Hotel Booking The Awesome Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to incorrect authorization in the room-single.php shortcode handler in all versions up to, and including, 1.0. This is due to the plugin relying solely on nonce verification without capability checks. This makes it possible for unauthenticated attackers to modify arbitrary booking records by obtaining a nonce from the public booking form. 2026-01-07 5.3 CVE-2025-14352 https://www.wordfence.com/threat-intel/vulnerabilities/id/4fe0a08e-eee2-4d48-bb38-dd58bff79118?source=cve
https://plugins.trac.wordpress.org/browser/awesome-hotel-booking/trunk/admin/admin-shortcodes/inc/room-single.php#L67
https://plugins.trac.wordpress.org/browser/awesome-hotel-booking/tags/1.0/admin/admin-shortcodes/inc/room-single.php#L67
 
nasa--CryptoLib CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, in base64urlDecode, padding-stripping dereferences input[inputLen - 1] before checking that inputLen > 0 or that input != NULL. For inputLen == 0, this becomes an OOB read at input[-1], potentially crashing the process. If input == NULL and inputLen == 0, it dereferences NULL - 1. This issue has been patched in version 1.4.3. 2026-01-10 4.7 CVE-2026-21899 https://github.com/nasa/CryptoLib/security/advisories/GHSA-wc29-5hw7-mpj8
https://github.com/nasa/CryptoLib/releases/tag/v1.4.3
 
Nawawi Jamili--Docket Cache Missing Authorization vulnerability in Nawawi Jamili Docket Cache allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Docket Cache: from n/a through 24.07.04. 2026-01-08 4.3 CVE-2026-22492 https://patchstack.com/database/wordpress/plugin/docket-cache/vulnerability/wordpress-docket-cache-plugin-24-07-04-broken-access-control-vulnerability?_s_id=cve
 
niklaslindemann--Bulk Landing Page Creator for WordPress LPagery Missing Authorization vulnerability in niklaslindemann Bulk Landing Page Creator for WordPress LPagery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bulk Landing Page Creator for WordPress LPagery: from n/a through 2.4.9. 2026-01-08 5.4 CVE-2026-22490 https://patchstack.com/database/wordpress/plugin/lpagery/vulnerability/wordpress-bulk-landing-page-creator-for-wordpress-lpagery-plugin-2-4-4-broken-access-control-vulnerability?_s_id=cve
 
ninjateam--FastDup Fastest WordPress Migration & Duplicator The FastDup - Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7 via the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary directories on the server, which can contain sensitive information. 2026-01-06 6.5 CVE-2026-0604 https://www.wordfence.com/threat-intel/vulnerabilities/id/ac97c729-4c75-429b-bbf2-27ca322be1cf?source=cve
https://plugins.trac.wordpress.org/browser/fastdup/trunk/includes/Endpoint/TemplateApi.php#L219
https://plugins.trac.wordpress.org/browser/fastdup/tags/2.7/includes/Endpoint/TemplateApi.php#L219
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3432226%40fastdup&new=3432226%40fastdup&sfp_email=&sfph_mail=#file3
 
nsthemes--NS Ie Compatibility Fixer The NS IE Compatibility Fixer plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 2.1.5. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick an administrator into performing an action such as clicking on a link. 2026-01-07 4.3 CVE-2025-14845 https://www.wordfence.com/threat-intel/vulnerabilities/id/3c25b462-cb9e-4250-bb17-9f2a0bd7665e?source=cve
https://plugins.trac.wordpress.org/browser/ns-ie-compatibility-fixer/tags/2.1.5/ns-admin-options/ns_admin_option_dashboard.php#L29
https://plugins.trac.wordpress.org/browser/ns-ie-compatibility-fixer/tags/2.1.5/ns-admin-options/ns_admin_option_dashboard.php#L30
https://plugins.trac.wordpress.org/browser/ns-ie-compatibility-fixer/tags/2.1.5/ns-admin-options/ns_settings_custom.php#L8
https://developer.wordpress.org/plugins/security/nonces/
https://developer.wordpress.org/reference/functions/wp_verify_nonce/
https://developer.wordpress.org/reference/functions/check_admin_referer/
 
octobercms--october October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Global Editor Settings permission could inject malicious HTML/JS into the stylesheet input at Markup Styles. A specially crafted input could break out of the intended <style> context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12. 2026-01-10 6.1 CVE-2025-61674 https://github.com/octobercms/october/security/advisories/GHSA-gxxc-m74c-f48x
 
octobercms--october October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerabilities was identified in October CMS backend configuration forms. A user with the Customize Backend Styles permission could inject malicious HTML/JS into the stylesheet input at Styles from Branding & Appearance settings. A specially crafted input could break out of the intended <style> context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12. 2026-01-10 6.1 CVE-2025-61676 https://github.com/octobercms/october/security/advisories/GHSA-wvpq-h33f-8rp6
 
openchamp--Simcast The Simcast plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the settingsPage function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-07 4.3 CVE-2025-14077 https://www.wordfence.com/threat-intel/vulnerabilities/id/e3917e1a-c230-46ad-9889-6ab233ecc4d0?source=cve
https://plugins.trac.wordpress.org/browser/simcast/trunk/Simcast_OptionsManager.php#L257
https://plugins.trac.wordpress.org/browser/simcast/tags/1.0.0/Simcast_OptionsManager.php#L257
 
OpenCTI-Platform--opencti OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.3, an open redirect vulnerability exists in the OpenCTI platform's SAML authentication endpoint (/auth/saml/callback). By manipulating the RelayState parameter, an attacker can force the server to issue a 302 redirect to any external URL, enabling phishing, credential theft, and arbitrary site redirection. This issue has been patched in version 6.8.3. 2026-01-07 5.4 CVE-2025-61782 https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-jc3f-c62g-v7qw
https://github.com/OpenCTI-Platform/opencti/commit/f755165a26888925c4a58018f7238ff92a0bd378
https://github.com/OpenCTI-Platform/opencti/releases/tag/6.8.3
 
OPEXUS--eCASE Audit OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the Document Check Out functionality. The JavaScript is executed whenever another user views the Action History Log. Fixed in OPEXUS eCASE Platform 11.14.1.0. 2026-01-08 5.5 CVE-2026-22231 url
url
url
 
OPEXUS--eCASE Audit OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the "A or SIC Number" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0. 2026-01-08 5.5 CVE-2026-22232 url
url
url
 
OPEXUS--eCASE Audit OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the "Estimated Staff Hours" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCASE Audit 11.14.2.0. 2026-01-08 5.5 CVE-2026-22233 url
url
url
 
opf--openproject OpenProject is an open-source, web-based project management software. OpenProject versions prior to version 16.6.3, allowed users with the View Meetings permission on any project, to access meeting details of meetings that belonged to projects, the user does not have access to. This issue has been patched in version 16.6.3. 2026-01-10 4.3 CVE-2026-22605 https://github.com/opf/openproject/security/advisories/GHSA-fq4m-pxvm-8x2j
https://github.com/opf/openproject/releases/tag/v16.6.3
 
P5--FNIP-8x16A P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to add new admin users, change passwords, and modify system configurations by tricking authenticated users into loading a specially crafted form. 2026-01-06 4.3 CVE-2020-36906 ExploitDB-48362
Official Product Homepage
Zero Science Lab Disclosure (ZSL-2020-5564)
Packet Storm Security Exploit Entry
IBM X-Force Vulnerability Exchange 1
IBM X-Force Vulnerability Exchange 2
VulnCheck Advisory: P5 FNIP-8x16A FNIP-4xSH 1.0.20 Cross-Site Request Forgery via User Management
 
pagup--Bulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO) The BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bialty_cs_alt' post meta in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the post editor. 2026-01-09 6.4 CVE-2025-15019 https://www.wordfence.com/threat-intel/vulnerabilities/id/0af219a7-6596-47b2-ab8e-a71f20218759?source=cve
https://plugins.trac.wordpress.org/changeset/3431985/bulk-image-alt-text-with-yoast/trunk/admin/views/metabox.view.php
 
pagup--WP Google Street View (with 360 virtual tour) & Google maps + Local SEO The WP Google Street View (with 360° virtual tour) & Google maps + Local SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpgsv_map' shortcode in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-09 6.4 CVE-2026-0563 https://www.wordfence.com/threat-intel/vulnerabilities/id/2bc8a3fb-176e-4bf0-b96e-6ccb9688254b?source=cve
https://plugins.trac.wordpress.org/changeset/3432185/wp-google-street-view/trunk/includes/shortcode.php
 
Parsl--parsl Parsl is a Python parallel scripting library. A SQL Injection vulnerability exists in the parsl-visualize component of versions prior to 2026.01.05. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL routes. This allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL commands, potentially leading to data exfiltration or denial of service against the monitoring database. Version 2026.01.05 fixes the issue. 2026-01-08 5.3 CVE-2026-21892 https://github.com/Parsl/parsl/security/advisories/GHSA-f2mf-q878-gh58
https://github.com/Parsl/parsl/commit/013a928461e70f38a33258bd525a351ed828e974
 
Passionate Brains--GA4WP: Google Analytics for WordPress Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GA4WP: Google Analytics for WordPress: from n/a through 2.10.0. 2026-01-08 5.4 CVE-2026-22517 https://patchstack.com/database/wordpress/plugin/ga-for-wp/vulnerability/wordpress-ga4wp-google-analytics-for-wordpress-plugin-2-10-0-broken-access-control-vulnerability?_s_id=cve
 
pencilwp--X Addons for Elementor Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pencilwp X Addons for Elementor allows DOM-Based XSS.This issue affects X Addons for Elementor: from n/a through 1.0.23. 2026-01-08 6.5 CVE-2026-22518 https://patchstack.com/database/wordpress/plugin/x-addons-elementor/vulnerability/wordpress-x-addons-for-elementor-plugin-1-0-23-cross-site-scripting-xss-vulnerability?_s_id=cve
 
PHPGurukul--Online Course Registration System A vulnerability was determined in PHPGurukul Online Course Registration System up to 3.1. This impacts an unknown function of the file /onlinecourse/admin/manage-students.php. This manipulation of the argument id/cid causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. 2026-01-08 6.3 CVE-2026-0733 VDB-340130 | PHPGurukul Online Course Registration System manage-students.php sql injection
VDB-340130 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #733328 | PHPGurukul Online Course Registration System ≤ 3.1 SQL Injection Vulnerability
Submit #733331 | PHPGurukul Online Course Registration System ≤ 3.1 SQL Injection (Duplicate)
https://note-hxlab.wetolink.com/share/cU33RBoPPAF0
https://note-hxlab.wetolink.com/share/Tma34bofeB2L
https://phpgurukul.com/
 
PHPGurukul--Online Course Registration System A vulnerability was found in PHPGurukul Online Course Registration System up to 3.1. This affects an unknown part of the file /enroll.php. The manipulation of the argument studentregno/Pincode/session/department/level/course/sem results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used. 2026-01-09 6.3 CVE-2026-0803 VDB-340255 | PHPGurukul Online Course Registration System enroll.php sql injection
VDB-340255 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #733344 | PHPGurukul Online Course Registration System ≤ 3.1 SQL Injection
https://note-hxlab.wetolink.com/share/qX132pk8Wofk
https://phpgurukul.com/
 
pichel--WP Js List Pages Shortcodes The WP Js List Pages Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to, and including, 1.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-14110 https://www.wordfence.com/threat-intel/vulnerabilities/id/3f8dced7-cbe1-4d50-9fa0-1cf441dddefa?source=cve
https://plugins.trac.wordpress.org/browser/wp-js-list-pages-shortcodes/tags/1.21/js-list-pages-shortcodes.php#L58
https://plugins.trac.wordpress.org/browser/wp-js-list-pages-shortcodes/trunk/js-list-pages-shortcodes.php#L47
https://plugins.trac.wordpress.org/browser/wp-js-list-pages-shortcodes/trunk/js-list-pages-shortcodes.php#L50
https://plugins.trac.wordpress.org/browser/wp-js-list-pages-shortcodes/trunk/js-list-pages-shortcodes.php#L58
 
POSIMYTH Innovation--The Plus Addons for Elementor Pro Missing Authorization vulnerability in POSIMYTH Innovation The Plus Addons for Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Plus Addons for Elementor Pro: from n/a before 6.3.7. 2026-01-07 6.5 CVE-2025-46434 https://patchstack.com/database/wordpress/plugin/theplus_elementor_addon/vulnerability/wordpress-the-plus-addons-for-elementor-pro-plugin-6-3-7-broken-access-control-vulnerability?_s_id=cve
 
POSIMYTH--The Plus Addons for Elementor Page Builder Lite Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite allows DOM-Based XSS.This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through 5.3.3. 2026-01-05 6.5 CVE-2024-23511 https://vdp.patchstack.com/database/wordpress/plugin/the-plus-addons-for-elementor-page-builder/vulnerability/wordpress-the-plus-addons-for-elementor-plugin-5-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
pr-gateway--Blog2Social: Social Media Auto Post & Scheduler The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. This is due to a misconfigured authorization check on the 'getShipItemFullText' function which only verifies that a user has the 'read' capability (Subscriber-level) and a valid nonce, but fails to verify whether the user has permission to access the specific post being requested. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract data from password-protected, private, or draft posts. 2026-01-10 4.3 CVE-2025-14943 https://www.wordfence.com/threat-intel/vulnerabilities/id/7374db91-4e7d-4db2-9c58-bb9bdda5c85d?source=cve
https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Get.php#L243
https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Get.php?rev=3423620#L252
 
praveentamil--Sticky Action Buttons The Sticky Action Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the sabs_options_page_form_submit() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-07 4.3 CVE-2025-14465 https://www.wordfence.com/threat-intel/vulnerabilities/id/82b243c7-5b58-4765-9083-4660c0b479cc?source=cve
https://plugins.trac.wordpress.org/browser/sticky-action-buttons/tags/1.0/sticky-action-buttons.php#L105
 
premmerce--Premmerce WooCommerce Customers Manager The Premmerce WooCommerce Customers Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'money_spent_from', 'money_spent_to', 'registered_from', and 'registered_to' parameters in all versions up to, and including, 1.1.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link. 2026-01-07 6.1 CVE-2025-13369 https://www.wordfence.com/threat-intel/vulnerabilities/id/9980ec20-60ae-42eb-a2cd-146e57435398?source=cve
https://plugins.trac.wordpress.org/browser/woo-customers-manager/trunk/src/Admin/Admin.php#L135
https://plugins.trac.wordpress.org/browser/woo-customers-manager/tags/1.1.14/src/Admin/Admin.php#L135
https://plugins.trac.wordpress.org/browser/woo-customers-manager/trunk/views/admin/filter.php#L43
https://plugins.trac.wordpress.org/browser/woo-customers-manager/tags/1.1.14/views/admin/filter.php#L43
 
Project-MONAI--MONAI MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.1, a Path Traversal (Zip Slip) vulnerability exists in MONAI's `_download_from_ngc_private()` function. The function uses `zipfile.ZipFile.extractall()` without path validation, while other similar download functions in the same codebase properly use the existing `safe_extract_member()` function. Commit 4014c8475626f20f158921ae0cf98ed259ae4d59 fixes this issue. 2026-01-07 5.3 CVE-2026-21851 https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-9rg3-9pvr-6p27
https://github.com/Project-MONAI/MONAI/commit/4014c8475626f20f158921ae0cf98ed259ae4d59
 
pterodactyl--panel Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used in the system. This allows an attacker who intercepts that token to use it in addition to a known username/password during the 60-second token validity window. The attacker must have intercepted a valid 2FA token (for example, during a screen share). This issue is fixed in version 1.12.0. 2026-01-06 6.5 CVE-2025-69197 https://github.com/pterodactyl/panel/security/advisories/GHSA-rgmp-4873-r683
https://github.com/pterodactyl/panel/commit/032bf076d92bb2f929fa69c1bac1b89f26b8badf
https://github.com/pterodactyl/panel/releases/tag/v1.12.0
 
publishpress--Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Contributor-level access and above, to create, update, delete, and publish malicious workflows that may automatically delete any post upon publication or update, including posts created by administrators. 2026-01-09 5.4 CVE-2025-14718 https://www.wordfence.com/threat-intel/vulnerabilities/id/8198d81a-40c0-49c1-8c38-f5ef6fb911ad?source=cve
https://plugins.trac.wordpress.org/changeset?old_path=/post-expirator/tags/4.9.3/src/Modules/Workflows/Rest/RestApiV1.php&new_path=/post-expirator/tags/4.9.4/src/Modules/Workflows/Rest/RestApiV1.php
 
pypa--virtualenv virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1. 2026-01-10 4.5 CVE-2026-22702 https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986
https://github.com/pypa/virtualenv/pull/3013
https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661cebc
 
Qualcomm, Inc.--Snapdragon Information disclosure while processing a firmware event. 2026-01-06 6.1 CVE-2025-47331 https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory corruption while processing a config call from userspace. 2026-01-06 6.7 CVE-2025-47332 https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory corruption while handling buffer mapping operations in the cryptographic driver. 2026-01-06 6.6 CVE-2025-47333 https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory corruption while processing shared command buffer packet between camera userspace and kernel. 2026-01-06 6.7 CVE-2025-47334 https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory corruption while parsing clock configuration data for a specific hardware type. 2026-01-06 6.7 CVE-2025-47335 https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory corruption while performing sensor register read operations. 2026-01-06 6.7 CVE-2025-47336 https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory corruption while accessing a synchronization object during concurrent operations. 2026-01-06 6.7 CVE-2025-47337 https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Memory corruption while handling sensor utility operations. 2026-01-06 6.7 CVE-2025-47344 https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Transient DOS while parsing a WLAN management frame with a Vendor Specific Information Element. 2026-01-06 6.5 CVE-2025-47395 https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Transient DOS while parsing video packets received from the video firmware. 2026-01-06 5.5 CVE-2025-47330 https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html
 
Qualcomm, Inc.--Snapdragon Information disclosure when a weak hashed value is returned to userland code in response to a IOCTL call to obtain a session ID. 2026-01-06 5.5 CVE-2025-47369 https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html
 
Quanta Computer--QOCA aim AI Medical Cloud Platform QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Missing Authorization vulnerability, allowing authenticated remote attackers to modify specific network packet parameters, enabling certain system functions to access other users' files. 2026-01-05 6.5 CVE-2025-15235 https://www.twcert.org.tw/tw/cp-132-10615-157a3-1.html
https://www.twcert.org.tw/en/cp-139-10616-cd942-2.html
 
Quanta Computer--QOCA aim AI Medical Cloud Platform QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. 2026-01-05 6.5 CVE-2025-15238 https://www.twcert.org.tw/tw/cp-132-10615-157a3-1.html
https://www.twcert.org.tw/en/cp-139-10616-cd942-2.html
 
Quanta Computer--QOCA aim AI Medical Cloud Platform QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. 2026-01-05 6.5 CVE-2025-15239 https://www.twcert.org.tw/tw/cp-132-10615-157a3-1.html
https://www.twcert.org.tw/en/cp-139-10616-cd942-2.html
 
Quanta Computer--QOCA aim AI Medical Cloud Platform QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Path Traversal vulnerability, allowing authenticated remote attackers to read folder names under the specified path by exploiting an Absolute Path Traversal vulnerability. 2026-01-05 4.3 CVE-2025-15236 https://www.twcert.org.tw/tw/cp-132-10615-157a3-1.html
https://www.twcert.org.tw/en/cp-139-10616-cd942-2.html
 
Quanta Computer--QOCA aim AI Medical Cloud Platform QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Path Traversal vulnerability, allowing authenticated remote attackers to read folder names under the specified path by exploiting an Absolute Path Traversal vulnerability. 2026-01-05 4.3 CVE-2025-15237 https://www.twcert.org.tw/tw/cp-132-10615-157a3-1.html
https://www.twcert.org.tw/en/cp-139-10616-cd942-2.html
 
quarkusio--quarkus Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and 3.20.5, a vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits for previously written response chunks to be fully transmitted before proceeding. If the client connection is dropped during this waiting period, the associated worker thread is never released and becomes permanently blocked. Under sustained or repeated occurrences, this can exhaust the available worker threads, leading to degraded performance, or complete unavailability of the application. This issue has been patched in versions 3.31.0, 3.27.2, and 3.20.5. A workaround involves implementing a health check that monitors the status and saturation of the worker thread pool to detect abnormal thread retention early. 2026-01-07 5.9 CVE-2025-66560 https://github.com/quarkusio/quarkus/security/advisories/GHSA-5rfx-cp42-p624
 
quickjs-ng--quickjs A vulnerability was identified in quickjs-ng quickjs up to 0.11.0. This issue affects the function js_typed_array_sort of the file quickjs.c. The manipulation leads to heap-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 53eefbcd695165a3bd8c584813b472cb4a69fbf5. To fix this issue, it is recommended to deploy a patch. 2026-01-10 6.3 CVE-2026-0822 VDB-340356 | quickjs-ng quickjs quickjs.c js_typed_array_sort heap-based overflow
VDB-340356 | CTI Indicators (IOB, IOC, IOA)
Submit #731783 | quickjs-ng quickjs v0.11.0 Heap-based Buffer Overflow
https://github.com/quickjs-ng/quickjs/issues/1297
https://github.com/quickjs-ng/quickjs/pull/1298
https://github.com/quickjs-ng/quickjs/issues/1297#issue-3780006202
https://github.com/quickjs-ng/quickjs/commit/53eefbcd695165a3bd8c584813b472cb4a69fbf5
 
RainyGao--DocSys A vulnerability was detected in RainyGao DocSys up to 2.02.36. The affected element is an unknown function of the file src/com/DocSystem/mapping/GroupMemberMapper.xml. Performing a manipulation of the argument searchWord results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-09 6.3 CVE-2025-15492 VDB-340270 | RainyGao DocSys GroupMemberMapper.xml sql injection
VDB-340270 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #725373 | https://github.com/RainyGao-GitHub/DocSys/releases/tag/DocSys_V2 RainyGao-GitHub 2.02.36 SQL injection
https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/SQL%E6%B3%A8%E5%85%A53.md
https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/SQL%E6%B3%A8%E5%85%A53.md#vulnerability-analysis-and-reproduction%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E5%A4%8D%E7%8E%B0
 
RainyGao--DocSys A flaw has been found in RainyGao DocSys up to 2.02.36. The impacted element is an unknown function of the file src/com/DocSystem/mapping/ReposAuthMapper.xml. Executing a manipulation of the argument searchWord can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-09 6.3 CVE-2025-15493 VDB-340271 | RainyGao DocSys ReposAuthMapper.xml sql injection
VDB-340271 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #725374 | https://github.com/RainyGao-GitHub/DocSys/releases/tag/DocSys_V2 RainyGao-GitHub 2.02.36 SQL injection
https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/sql%E6%B3%A8%E5%85%A52.md
https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/sql%E6%B3%A8%E5%85%A52.md#vulnerability-analysis-and-reproduction%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E5%A4%8D%E7%8E%B0
 
RainyGao--DocSys A vulnerability has been found in RainyGao DocSys up to 2.02.37. This affects an unknown function of the file com/DocSystem/mapping/UserMapper.xml. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-09 6.3 CVE-2025-15494 VDB-340272 | RainyGao DocSys UserMapper.xml sql injection
VDB-340272 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #725407 | https://github.com/RainyGao-GitHub/DocSys/releases/tag/DocSys_V2 RainyGao-GitHub 2.02.37 SQL injection
https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/SQL%E6%B3%A8%E5%85%A52.02.37.md
https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/SQL%E6%B3%A8%E5%85%A52.02.37.md#vulnerability-analysis-and-reproduction%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E5%A4%8D%E7%8E%B0
 
Red Hat--Red Hat Build of Keycloak A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications. 2026-01-08 5.3 CVE-2026-0707 https://access.redhat.com/security/cve/CVE-2026-0707
RHBZ#2427768
 
remix-run--react-router React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6. 2026-01-10 6.5 CVE-2025-68470 https://github.com/remix-run/react-router/security/advisories/GHSA-9jcx-v3wj-wh4m
 
remix-run--react-router React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0. 2026-01-10 6.5 CVE-2026-22030 https://github.com/remix-run/react-router/security/advisories/GHSA-h5cw-625j-3rxh
 
roxnor--EmailKit Email Customizer for WooCommerce & WP The EmailKit plugin for WordPress is vulnerable to Arbitrary File Read via Path Traversal in all versions up to, and including, 1.6.1. This is due to missing path validation in the create_template REST API endpoint where user-controlled input from the emailkit-editor-template parameter is passed directly to file_get_contents() without sanitization. This makes it possible for authenticated attackers with Author-level permissions or higher to read arbitrary files on the server, including sensitive configuration files like /etc/passwd and wp-config.php, via the REST API. The file contents are stored in post meta and can be exfiltrated through MetForm's email confirmation feature. 2026-01-07 6.5 CVE-2025-14059 https://www.wordfence.com/threat-intel/vulnerabilities/id/91ebe8cb-99ec-4380-a77e-17e17144a17e?source=cve
https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/Api/CheckForm.php#L163
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3419280%40emailkit%2Ftrunk&old=3373383%40emailkit%2Ftrunk&sfp_email=&sfph_mail=#file1
 
roxnor--Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE `/subscribers` REST API endpoint in all versions up to, and including, 2.2.0. This is due to the `permission_callback` only validating wp_rest nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary subscriber records. 2026-01-06 5.3 CVE-2025-14441 https://www.wordfence.com/threat-intel/vulnerabilities/id/48f5a44d-d01f-4c41-98da-7c1f6c65c254?source=cve
https://plugins.trac.wordpress.org/browser/popup-builder-block/trunk/includes/Routes/Subscribers.php#L77
https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Subscribers.php#L77
https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Subscribers.php#L64
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3421671%40popup-builder-block&new=3421671%40popup-builder-block&sfp_email=&sfph_mail=
 
rubengc--GamiPress Gamification plugin to reward points, achievements, badges & ranks in WordPress The GamiPress - Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the gamipress_ajax_get_posts and gamipress_ajax_get_users functions in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate users, including their email addresses and to retrieve titles of private posts. 2026-01-06 4.3 CVE-2025-13812 https://www.wordfence.com/threat-intel/vulnerabilities/id/acfdd579-0be9-476b-90cd-07f417712691?source=cve
https://plugins.trac.wordpress.org/changeset/3430697/
 
ruhul080--My Album Gallery The My Album Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style_css' shortcode attribute in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-14453 https://www.wordfence.com/threat-intel/vulnerabilities/id/64399c1c-ea82-483b-b320-3c6f2cb010b3?source=cve
https://plugins.trac.wordpress.org/browser/my-album-gallery/trunk/controllers/public/class-mygallery-shortcode.php#L121
https://plugins.trac.wordpress.org/browser/my-album-gallery/tags/1.0.4/controllers/public/class-mygallery-shortcode.php#L121
 
ruhul080--My Album Gallery The My Album Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image titles in all versions up to, and including, 1.0.4. This is due to insufficient input sanitization and output escaping on the 'attachment->title' attribute. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-14796 https://www.wordfence.com/threat-intel/vulnerabilities/id/1dd0bb5b-2eb5-46f0-8942-2885b1138b70?source=cve
https://plugins.trac.wordpress.org/browser/my-album-gallery/tags/1.0.4/mygallery-single.php#L92
https://plugins.trac.wordpress.org/browser/my-album-gallery/tags/1.0.4/controllers/public/class-mygallery-shortcode.php#L143
 
RustCrypto--signatures RustCrypto: Signatures offers support for digital signatures, which provide authentication of data using public-key cryptography. Prior to version 0.1.0-rc.2, a timing side-channel was discovered in the Decompose algorithm which is used during ML-DSA signing to generate hints for the signature. This issue has been patched in version 0.1.0-rc.2. 2026-01-10 6.4 CVE-2026-22705 https://github.com/RustCrypto/signatures/security/advisories/GHSA-hcp2-x6j4-29j7
https://github.com/RustCrypto/signatures/pull/1144
https://github.com/RustCrypto/signatures/commit/035d9eef98486ecd00a8bf418c7817eb14dd6558
 
samikeijonen--EDD Download Info The EDD Download Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'edd_download_info_link' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-14121 https://www.wordfence.com/threat-intel/vulnerabilities/id/c0290595-d74d-404e-9d28-75abc9055031?source=cve
https://plugins.trac.wordpress.org/browser/edd-download-info/trunk/includes/shortcodes.php#L43
https://plugins.trac.wordpress.org/browser/edd-download-info/tags/1.1/includes/shortcodes.php#L43
 
Samsung Mobile--Samsung Mobile Devices Out-of-bounds read in libimagecodec.quram.so prior to SMR Jan-2026 Release 1 allows remote attacker to access out-of-bounds memory. 2026-01-09 5.3 CVE-2026-20973 https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=01
 
Secure Computing--SnapGear Management Console SG560 SnapGear Management Console SG560 3.1.5 contains a file manipulation vulnerability that allows authenticated users to read, write, and delete files using the edit_config_files CGI script. Attackers can manipulate POST request parameters in /cgi-bin/cgix/edit_config_files to access and modify files outside the intended /etc/config/ directory. 2026-01-06 6.5 CVE-2020-36909 ExploitDB-48556
Zero Science Lab Disclosure (ZSL-2020-5568)
Packet Storm Security Exploit Entry
IBM X-Force Vulnerability Exchange
VulnCheck Advisory: Secure Computing SnapGear Management Console SG560 3.1.5 Arbitrary File Read/Write
 
Secure Computing--SnapGear Management Console SG560 SnapGear Management Console SG560 version 3.1.5 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft a malicious web page that automatically submits a form to create a new super user account with full administrative privileges when a logged-in user visits the page. 2026-01-06 5.3 CVE-2020-36908 ExploitDB-48554
Zero Science Lab Disclosure (ZSL-2020-5567)
Packet Storm Security Exploit Entry
IBM X-Force Vulnerability Exchange
VulnCheck Advisory: Secure Computing SnapGear Management Console SG560 3.1.5 Cross-Site Request Forgery via Admin Users
 
sergiotoca--STM Gallery 1.9 The STM Gallery 1.9 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'composicion' parameter in all versions up to, and including, 0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-13848 https://www.wordfence.com/threat-intel/vulnerabilities/id/393d6e4a-af05-48ac-8921-f298932245a4?source=cve
https://plugins.trac.wordpress.org/browser/stm-gallery/trunk/stmgallery_v.0.9.php#L121
https://plugins.trac.wordpress.org/browser/stm-gallery/tags/0.9/stmgallery_v.0.9.php#L121
 
sfturing--hosp_order A vulnerability was identified in sfturing hosp_order up to 627f426331da8086ce8fff2017d65b1ddef384f8. Affected by this vulnerability is the function findOrderHosNum of the file /ssm_pro/orderHos/. Such manipulation of the argument hospitalAddress/hospitalName leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-05 6.3 CVE-2025-15450 VDB-339483 | sfturing hosp_order orderHos findOrderHosNum sql injection
VDB-339483 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #722925 | https://github.com/sfturing/hosp_order hosp_order latest SQL Injection
https://github.com/sfturing/hosp_order/issues/111
https://github.com/sfturing/hosp_order/issues/111#issue-3760306826
 
sharethis--ShareThis Dashboard for Google Analytics The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.4. This is due to the Google Analytics client_ID and client_secret being stored in plaintext in the publicly visible plugin source. This can allow unauthenticated attackers to craft a link to the sharethis.com server, which will share an authorization token for Google Analytics with a malicious website, if the attacker can trick an administrator logged into the website and Google Analytics to click the link. 2026-01-07 4.7 CVE-2025-12540 https://www.wordfence.com/threat-intel/vulnerabilities/id/6781dcc5-db95-43ca-9042-a3c05414b7e6?source=cve
https://plugins.trac.wordpress.org/browser/googleanalytics/trunk/credentials.json?rev=3364575
 
shoheitanaka--Japanized for WooCommerce The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `order` REST API endpoint in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processed/completed. 2026-01-09 5.3 CVE-2025-14886 https://www.wordfence.com/threat-intel/vulnerabilities/id/4bf3248a-f235-472c-b751-96ac9838b27f?source=cve
https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/tags/2.7.17/includes/gateways/paidy/class-wc-paidy-endpoint.php#L51
 
SigmaPlugin--Advanced Database Cleaner PRO Path Traversal: '.../...//' vulnerability in SigmaPlugin Advanced Database Cleaner PRO allows Path Traversal.This issue affects Advanced Database Cleaner PRO: from n/a through 3.2.10. 2026-01-07 6.4 CVE-2025-46256 https://patchstack.com/database/wordpress/plugin/advanced-database-cleaner-pro/vulnerability/wordpress-advanced-database-cleaner-pro-plugin-3-2-10-limited-txt-path-traversal-vulnerability?_s_id=cve
 
sigstore--cosign Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor entry, Cosign verifies the Rekor entry signature, and also compares the artifact's digest, the user's public key from either a Fulcio certificate or provided by the user, and the artifact signature to the Rekor entry contents. Without these comparisons, Cosign would accept any response from Rekor as valid. A malicious actor that has compromised a user's identity or signing key could construct a valid Cosign bundle by including any arbitrary Rekor entry, thus preventing the user from being able to audit the signing event. This issue has been patched in versions 2.6.2 and 3.0.4. 2026-01-10 5.5 CVE-2026-22703 https://github.com/sigstore/cosign/security/advisories/GHSA-whqx-f9j3-ch6m
https://github.com/sigstore/cosign/pull/4623
https://github.com/sigstore/cosign/commit/6832fba4928c1ad69400235bbc41212de5006176
 
smjrifle--SVG Map Plugin The SVG Map Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on multiple AJAX actions including 'save_data', 'delete_data', and 'add_popup'. This makes it possible for unauthenticated attackers to update the plugin's settings, delete map data, and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-07 6.1 CVE-2025-13519 https://www.wordfence.com/threat-intel/vulnerabilities/id/5aaa97cc-4deb-43b6-957d-587834eca125?source=cve
https://plugins.trac.wordpress.org/browser/svg-map-by-saedi/trunk/svg-map-by-saedi.php#L90
https://plugins.trac.wordpress.org/browser/svg-map-by-saedi/tags/1.0.0/svg-map-by-saedi.php#L90
 
SOCA Technology Co., Ltd--SOCA Access Control System SOCA Access Control System 180612 contains a cross-site scripting vulnerability in the 'senddata' POST parameter of logged_page.php that allows attackers to inject malicious scripts. Attackers can exploit this weakness by sending crafted POST requests to execute arbitrary HTML and script code in a victim's browser session. 2026-01-07 6.1 CVE-2019-25270 Zero Science Lab Vulnerability Entry
Packet Storm Security Exploit Entry
CXSecurity Vulnerability Listing
IBM X-Force Vulnerability Exchange
SOCA Vendor Homepage
 
soniz--Curved Text The Curved Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'radius' parameter of the arctext shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-09 6.4 CVE-2025-13854 https://www.wordfence.com/threat-intel/vulnerabilities/id/48514fdb-20c6-4a7f-8f60-e532ddd8853e?source=cve
https://plugins.trac.wordpress.org/browser/curved-text/trunk/curved-text.php#L32
https://plugins.trac.wordpress.org/browser/curved-text/tags/0.1/curved-text.php#L32
 
spree--spree Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users' address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request, the backend server accepts and processes references to addresses belonging to other users, subsequently associating those addresses with the attacker's order and returning them in the response. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5. 2026-01-08 6.5 CVE-2026-22588 https://github.com/spree/spree/security/advisories/GHSA-g268-72p7-9j6j
https://github.com/spree/spree/commit/02acabdce2c5f14fd687335b068d901a957a7e72
https://github.com/spree/spree/commit/17e78a91b736b49dbea8d1bb1223c284383ee5f3
https://github.com/spree/spree/commit/b409c0fd327e7ce37f63238894670d07079eefe8
https://github.com/spree/spree/commit/d3f961c442e0015661535cbd6eb22475f76d2dc7
 
spwebguy--Responsive Pricing Table The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'plan_icons' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-13418 https://www.wordfence.com/threat-intel/vulnerabilities/id/5d28fd23-fa86-4353-b1b4-af61192f8482?source=cve
https://wordpress.org/plugins/dk-pricr-responsive-pricing-table/
 
spwebguy--Responsive Pricing Table The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'table_currency' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-15058 https://www.wordfence.com/threat-intel/vulnerabilities/id/e20a34e5-6c1c-4f12-b1d8-aa4b40a5dd00?source=cve
https://wordpress.org/plugins/dk-pricr-responsive-pricing-table/
 
stevejburge--TaxoPress: Tag, Category, and Taxonomy Manager AI Autotagger The Tag, Category, and Taxonomy Manager - AI Autotagger with OpenAI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the taxopress_ai_add_post_term function in all versions up to, and including, 3.41.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to add or remove taxonomy terms (tags, categories) on any post, including ones they do not own. 2026-01-06 4.3 CVE-2025-14371 https://www.wordfence.com/threat-intel/vulnerabilities/id/1ef51ffb-df1e-442d-abc8-3a0308099a0b?source=cve
https://plugins.trac.wordpress.org/browser/simple-tags/tags/3.40.1/modules/taxopress-ai/classes/TaxoPressAiAjax.php#L681
 
stylemix--MasterStudy LMS WordPress Plugin for Online Courses and Education The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates 2026-01-06 5.4 CVE-2025-13766 https://www.wordfence.com/threat-intel/vulnerabilities/id/2719739a-90dc-470b-9270-8578e0cead59?source=cve
https://plugins.trac.wordpress.org/changeset/3422825/
 
techjewel--Fluent Forms Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder The Fluent Forms - Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.7. This is due to missing capability checks on the `fluentform_ai_create_form` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary forms via the publicly exposed AI builder. 2026-01-07 5.3 CVE-2025-13722 https://www.wordfence.com/threat-intel/vulnerabilities/id/f7dbf179-7099-4dfb-8dad-780f996a7005?source=cve
https://plugins.trac.wordpress.org/changeset/3406804/fluentform/tags/6.1.8/app/Modules/Ai/AiFormBuilder.php
 
Tenda--AC1206 A vulnerability was determined in Tenda AC1206 15.03.06.23. Affected by this issue is the function formBehaviorManager of the file /goform/BehaviorManager of the component httpd. Executing a manipulation of the argument modulename/option/data/switch can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. 2026-01-05 6.3 CVE-2026-0581 VDB-339473 | Tenda AC1206 httpd BehaviorManager formBehaviorManager command injection
VDB-339473 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731193 | Tenda AC1206 AC1206V1.0RTL_V15.03.06.23 Command Injection
https://github.com/ccc-iotsec/cve-/blob/Tenda/Tenda%20AC1206%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
https://www.tenda.com.cn/
 
tfrommen--Page Keys The Page Keys plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_key' parameter in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-01-07 4.4 CVE-2025-15000 https://www.wordfence.com/threat-intel/vulnerabilities/id/2d3863ec-0cc7-4128-a19e-fc1e2c31195e?source=cve
https://plugins.trac.wordpress.org/browser/page-keys/tags/1.3.3/inc/ListTable.php#L260
 
themehigh--Email Customizer for WooCommerce | Drag and Drop Email Templates Builder The Email Customizer for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email template content in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in email templates that will execute when customers view transactional emails. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-01-07 4.4 CVE-2025-13974 https://www.wordfence.com/threat-intel/vulnerabilities/id/c6927b4f-f47e-47fc-a5bf-b7fa42c31412?source=cve
https://plugins.trac.wordpress.org/browser/email-customizer-for-woocommerce/tags/2.6.7/classes/inc/class-wecmf-general-template.php#L213
https://plugins.trac.wordpress.org/browser/email-customizer-for-woocommerce/trunk/classes/inc/class-wecmf-general-template.php#L213
 
ThemeHunk--Oneline Lite Missing Authorization vulnerability in ThemeHunk Oneline Lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Oneline Lite: from n/a through 6.6. 2026-01-07 4.3 CVE-2025-69344 https://patchstack.com/database/wordpress/theme/oneline-lite/vulnerability/wordpress-oneline-lite-theme-6-6-broken-access-control-vulnerability?_s_id=cve
 
themelocation--WP Popup Magic The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the [wppum_end] shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-09 6.4 CVE-2025-13900 https://www.wordfence.com/threat-intel/vulnerabilities/id/c11a5f07-de89-47ec-a92e-2adc75965648?source=cve
https://plugins.trac.wordpress.org/browser/wppopupmagic/trunk/class-wppum-frontend.php#L622
https://plugins.trac.wordpress.org/browser/wppopupmagic/tags/1.0.0/class-wppum-frontend.php#L622
 
themeum--Tutor LMS eLearning and online course solution The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate order IDs and exfiltrate sensitive data (PII), such as student name, email address, phone number, and billing address. 2026-01-08 6.5 CVE-2025-13679 https://www.wordfence.com/threat-intel/vulnerabilities/id/0830d0c3-99c0-423e-99ab-f0c1cbec52d9?source=cve
https://plugins.trac.wordpress.org/changeset/3422766/tutor/tags/3.9.4/ecommerce/OrderController.php
 
themeum--Tutor LMS eLearning and online course solution The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons. 2026-01-09 4.3 CVE-2025-13628 https://www.wordfence.com/threat-intel/vulnerabilities/id/46f71f7b-7326-47b6-a23a-68a40f5bb56b?source=cve
https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/ecommerce/CouponController.php
 
themeum--Tutor LMS eLearning and online course solution The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_enrollment()` AJAX handler. This makes it possible for authenticated attackers, with subscriber level access and above, to enroll themselves in any course without going through the proper purchase flow. 2026-01-09 4.3 CVE-2025-13934 https://www.wordfence.com/threat-intel/vulnerabilities/id/5de212c9-5c2e-4713-b1ce-022dd84520c3?source=cve
https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/classes/Course.php
 
themeum--Tutor LMS eLearning and online course solution The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_complete' function. This makes it possible for authenticated attackers, with subscriber level access and above, to mark any course as completed. 2026-01-09 4.3 CVE-2025-13935 https://www.wordfence.com/threat-intel/vulnerabilities/id/7b8b111a-9626-41f4-8a13-51f576af0257?source=cve
https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/classes/Course.php
 
thimpress--LearnPress WordPress LMS Plugin The LearnPress - WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the catch_lp_ajax function in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to modify course contents by adding/removing/updating/re-ordering sections or modifying section items. 2026-01-06 5.3 CVE-2025-13964 https://www.wordfence.com/threat-intel/vulnerabilities/id/ae363511-8a1f-476a-9851-61f7763428c2?source=cve
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.1/inc/Ajax/EditCurriculumAjax.php#L52
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.1/inc/Ajax/AbstractAjax.php#L18
 
thimpress--LearnPress WordPress LMS Plugin The LearnPress - WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the endpoint uses file_id from the URL path but the permission callback validates item_id from the request body. This makes it possible for authenticated attackers, with teacher-level access, to delete arbitrary lesson material files uploaded by other teachers via sending a DELETE request with their own item_id (to pass authorization) while targeting another teacher's file_id. 2026-01-07 5.4 CVE-2025-14802 https://www.wordfence.com/threat-intel/vulnerabilities/id/884c4508-1ee1-4384-9fc2-29e2c9042426?source=cve
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L527
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L405
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L77
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.3/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L403
 
ThimPress--Thim Core Cross-Site Request Forgery (CSRF) vulnerability in ThimPress Thim Core allows Cross Site Request Forgery.This issue affects Thim Core: from n/a through 2.3.3. 2026-01-05 4.3 CVE-2025-53344 https://vdp.patchstack.com/database/wordpress/plugin/thim-core/vulnerability/wordpress-thim-core-plugin-plugin-2-3-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
tomiup--WP Recipe Manager The WP Recipe Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Skill Level' input field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-13667 https://www.wordfence.com/threat-intel/vulnerabilities/id/12b14418-28f0-4786-b8f8-a637fe007b6c?source=cve
https://plugins.trac.wordpress.org/browser/wp-recipe-manager/trunk/inc/libs/class.metaboxes.php#L203
https://plugins.trac.wordpress.org/browser/wp-recipe-manager/tags/1.0.0/inc/libs/class.metaboxes.php#L203
 
top-position--Top Position Google Finance The Top Position Google Finance plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 2026-01-09 6.1 CVE-2025-13895 https://www.wordfence.com/threat-intel/vulnerabilities/id/fcbf81f8-8b33-4b83-91fb-626b7b5f3bb2?source=cve
https://plugins.trac.wordpress.org/browser/top-position-google-finance/trunk/top-position-google-finance.php#L78
https://plugins.trac.wordpress.org/browser/top-position-google-finance/trunk/top-position-google-finance.php#L56
 
TOTOLINK--WA1200 A vulnerability has been found in TOTOLINK WA1200 5.9c.2914. The impacted element is an unknown function of the file cstecgi.cgi of the component HTTP Request Handler. The manipulation leads to null pointer dereference. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. 2026-01-08 5.3 CVE-2026-0731 VDB-340128 | TOTOLINK WA1200 HTTP Request cstecgi.cgi null pointer dereference
VDB-340128 | CTI Indicators (IOB, IOC, IOA)
Submit #733249 | TOTOLINK WA1200 V5.9c.2914 NULL Pointer Dereference
https://github.com/JackWesleyy/CVE/blob/main/WA1200/TOTOLINK%20WA1200%20NULL%20Pointer%20Dereference%20Vulnerability.md
https://github.com/JackWesleyy/CVE/blob/main/WA1200/TOTOLINK%20WA1200%20NULL%20Pointer%20Dereference%20Vulnerability.md#poc
https://www.totolink.net/
 
TOTOLINK--WA300 A security vulnerability has been detected in TOTOLINK WA300 5.2cu.7112_B20190227. This vulnerability affects the function sub_401510 of the file cstecgi.cgi. The manipulation of the argument UPLOAD_FILENAME leads to command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. 2026-01-06 6.3 CVE-2026-0641 VDB-339684 | TOTOLINK WA300 cstecgi.cgi sub_401510 command injection
VDB-339684 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #732234 | TOTOLINK WA300 V5.2cu.7112_B20190227 Command Injection
https://github.com/JackWesleyy/CVE/blob/main/WA300/TOTOLINK_WA300_RCE.md
https://github.com/JackWesleyy/CVE/blob/main/WA300/TOTOLINK_WA300_RCE.md#poc
https://www.totolink.net/
 
tox-dev--filelock filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly. The vulnerability occurs in the _acquire() method between raise_on_not_writable_file() (permission check) and os.open() (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service. This issue has been patched in version 3.20.3. 2026-01-10 5.3 CVE-2026-22701 https://github.com/tox-dev/filelock/security/advisories/GHSA-qmgc-5h2g-mvrw
https://github.com/tox-dev/filelock/commit/255ed068bc85d1ef406e50a135e1459170dd1bf0
https://github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5
 
TryGhost--Ghost Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in versions 5.130.6 and 6.11.0. 2026-01-10 6.7 CVE-2026-22596 https://github.com/TryGhost/Ghost/security/advisories/GHSA-gjrp-xgmh-x9qq
https://github.com/TryGhost/Ghost/commit/cda236e455a7a30e828b6cba3c430e5796ded955
https://github.com/TryGhost/Ghost/commit/f2165f968bcdaae0e35590b38fa280ab03239391
 
tugbucket--Multi-column Tag Map The Multi-column Tag Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 17.0.39 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-01-07 4.4 CVE-2025-14057 https://www.wordfence.com/threat-intel/vulnerabilities/id/f151cb44-499e-4b08-80fb-0a573594d624?source=cve
https://plugins.trac.wordpress.org/browser/multi-column-tag-map/trunk/mctagmap_functions.php#L1845
https://plugins.trac.wordpress.org/browser/multi-column-tag-map/tags/17.0.39/mctagmap_functions.php#L1845
https://plugins.trac.wordpress.org/browser/multi-column-tag-map/tags/17.0.39/mctagmap-options.php#L65
 
Ubiquiti Inc--UniFi Connect EV Station Lite An Improper Access Control could allow a malicious actor in Wi-Fi range to the EV Station Lite (v1.5.2 and earlier) to use WiFi AutoLink feature on a device that was only adopted via Ethernet. 2026-01-05 5.3 CVE-2026-21635 https://community.ui.com/releases/Security-Advisory-Bulletin-059/0c0b7f7a-68b7-41b9-987e-554f4b40e0e6
 
Ubiquiti Inc--UniFi Protect Application A malicious actor with access to the adjacent network could overflow the UniFi Protect Application (Version 6.1.79 and earlier) discovery protocol causing it to restart. Affected Products: UniFi Protect Application (Version 6.1.79 and earlier). Mitigation: Update your UniFi Protect Application to Version 6.2.72 or later. 2026-01-05 6.5 CVE-2026-21634 https://community.ui.com/releases/Security-Advisory-Bulletin-058-058/6922ff20-8cd7-4724-8d8c-676458a2d0f9
 
ultimatemember--ForumWP Forum & Discussion Board The ForumWP - Forum & Discussion Board plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User's Display Name in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-06 6.4 CVE-2025-13746 https://www.wordfence.com/threat-intel/vulnerabilities/id/f0eb6dc5-98e2-4d88-98f8-8a63c939b047?source=cve
https://plugins.trac.wordpress.org/browser/forumwp/tags/2.1.5/assets/front/js/tooltip.js#L25
https://plugins.trac.wordpress.org/browser/forumwp/tags/2.1.5/includes/common/class-user.php#L906
https://plugins.trac.wordpress.org/browser/forumwp/tags/2.1.5/templates/user-card.php#L57
 
viitorcloudvc--Viitor Button Shortcodes The Viitor Button Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' shortcode attribute in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-14113 https://www.wordfence.com/threat-intel/vulnerabilities/id/61488a15-b49f-4381-9a35-746c39f25967?source=cve
https://plugins.trac.wordpress.org/browser/viitor-shortcodes/trunk/includes/class-ww-vcsc-shortcodes.php#L51
https://plugins.trac.wordpress.org/browser/viitor-shortcodes/tags/3.0.0/includes/class-ww-vcsc-shortcodes.php#L51
 
vikasratudi--Page Expire Popup/Redirection for WordPress The Page Expire Popup/Redirection for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' shortcode attribute in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-01-06 6.5 CVE-2025-14153 https://www.wordfence.com/threat-intel/vulnerabilities/id/b0c232b2-f7c8-4a8d-b282-72f61ecfc5da?source=cve
https://plugins.trac.wordpress.org/browser/page-expire-popup/trunk/inc/vfpageexpirepopupstructure.php#L8
https://plugins.trac.wordpress.org/browser/page-expire-popup/tags/1.0/inc/vfpageexpirepopupstructure.php#L8
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3427583%40page-expire-popup&new=3427583%40page-expire-popup&sfp_email=&sfph_mail=
 
vllm-project--vllm vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination. This issue has been patched in version 0.12.0. 2026-01-10 6.5 CVE-2026-22773 https://github.com/vllm-project/vllm/security/advisories/GHSA-grg2-63fw-f2qr
 
wedevs--weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including third party services API keys. 2026-01-09 5.3 CVE-2025-14574 https://www.wordfence.com/threat-intel/vulnerabilities/id/cbca3d1e-0985-43d3-855e-eee07715f670?source=cve
https://plugins.trac.wordpress.org/changeset?old_path=/wedocs/tags/2.1.15&new_path=/wedocs/tags/2.1.16#file12
 
wisdmlabs--AI BotKit AI Chatbot & Live Support for WordPress (No-Code) The AI BotKit - AI Chatbot & Live Support for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in the `ai_botkit_widget` shortcode in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-13887 https://www.wordfence.com/threat-intel/vulnerabilities/id/5659af1d-f248-46ff-b282-ef5397222d8d?source=cve
https://plugins.trac.wordpress.org/browser/ai-botkit-for-lead-generation/trunk/includes/public/class-shortcode-handler.php#L42
https://plugins.trac.wordpress.org/browser/ai-botkit-for-lead-generation/tags/1.1.7/includes/public/class-shortcode-handler.php#L42
 
woodpeckerleadform--Woodpecker for WordPress The Woodpecker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_name' parameter of the [woodpecker-connector] shortcode in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-09 6.4 CVE-2025-13967 https://www.wordfence.com/threat-intel/vulnerabilities/id/1d99c8a8-daeb-402b-990d-6bacf6e9a780?source=cve
https://plugins.trac.wordpress.org/browser/woodpecker/trunk/public/class-wfw-public.php#L109
https://plugins.trac.wordpress.org/browser/woodpecker/tags/3.0.4/public/class-wfw-public.php#L109
https://plugins.trac.wordpress.org/browser/woodpecker/trunk/public/partials/wfw-public-shortcode.php#L39
https://plugins.trac.wordpress.org/browser/woodpecker/tags/3.0.4/public/partials/wfw-public-shortcode.php#L39
 
WP Swings--Wallet System for WooCommerce Insertion of Sensitive Information Into Sent Data vulnerability in WP Swings Wallet System for WooCommerce allows Retrieve Embedded Sensitive Data.This issue affects Wallet System for WooCommerce: from n/a through 2.7.2. 2026-01-05 6.3 CVE-2025-68029 https://vdp.patchstack.com/database/wordpress/plugin/wallet-system-for-woocommerce/vulnerability/wordpress-wallet-system-for-woocommerce-plugin-2-7-1-sensitive-data-exposure-vulnerability?_s_id=cve
 
wpcommerz--twinklesmtp Email Service Provider For WordPress The twinklesmtp - Email Service Provider For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's sender settings in all versions up to, and including, 1.03 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-01-07 4.4 CVE-2025-14887 https://www.wordfence.com/threat-intel/vulnerabilities/id/223d62cc-61ee-4818-9521-a772c1d57d59?source=cve
https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L32
https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L46
https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L50
https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L84
https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L88
https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L36
 
wpdevart--Countdown Timer Widget Countdown The Countdown Timer - Widget Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdevart_countdown' shortcode in all versions up to, and including, 2.7.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-10 6.4 CVE-2025-14555 https://www.wordfence.com/threat-intel/vulnerabilities/id/ee84c720-7997-4c09-a2f9-5e1a28bd1100?source=cve
https://plugins.trac.wordpress.org/browser/widget-countdown/trunk/includes/front_end.php#L167
https://plugins.trac.wordpress.org/browser/widget-countdown/trunk/includes/front_end.php#L48
https://plugins.trac.wordpress.org/browser/widget-countdown/trunk/includes/front_end.php#L30
https://plugins.trac.wordpress.org/changeset/3425959/
 
wpdevelop--Booking Calendar The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the nonce verification being conditionally disabled by default (`booking_is_nonce_at_front_end` option is `'Off'` by default). When the `booking_is_show_popover_in_timeline_front_end` option is enabled (which is the default in demo installations and can be enabled by administrators), it is possible for unauthenticated attackers to extract sensitive booking data including customer names, email addresses, phone numbers, and booking details. 2026-01-09 5.3 CVE-2025-14146 https://www.wordfence.com/threat-intel/vulnerabilities/id/281a1c0e-bbd8-4cf6-94ca-b888c7d7e3af?source=cve
https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/core/lib/wpbc-ajax.php#L29
https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/includes/_functions/nonce_func.php#L33
https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/core/wpbc-activation.php#L572
https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/core/timeline/v2/wpbc-class-timeline_v2.php#L3187
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3434934%40booking%2Ftrunk&old=3432649%40booking%2Ftrunk&sfp_email=&sfph_mail=#file2
 
wpdevteam--BetterDocs Knowledge Base Documentation & FAQ Solution for Elementor & Block Editor The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive data including the OpenAI API key stored in plugin settings. 2026-01-09 6.5 CVE-2025-14980 https://www.wordfence.com/threat-intel/vulnerabilities/id/1595f231-d300-484a-a0e1-1e2bc7b82ed3?source=cve
https://research.cleantalk.org/cve-2025-14980/
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3430424%40betterdocs%2Ftags%2F4.3.4&old=3422660%40betterdocs%2Ftrunk
 
wpdevteam--Templately Elementor & Gutenberg Template Library: 6500+ Free & Pro Ready Templates And Cloud! The Templately plugin for WordPress is vulnerable to Arbitrary File Write in all versions up to, and including, 3.4.8. This is due to inadequate input validation in the `save_template_to_file()` function where user-controlled parameters like `session_id`, `content_id`, and `ai_page_ids` are used to construct file paths without proper sanitization. This makes it possible for unauthenticated attackers to write arbitrary `.ai.json` files to locations within the uploads directory. 2026-01-10 5.3 CVE-2026-0831 https://www.wordfence.com/threat-intel/vulnerabilities/id/778242f4-5dfa-4d72-a032-8b5521c5b8ce?source=cve
https://plugins.trac.wordpress.org/browser/templately/tags/3.4.5/includes/Core/Importer/Utils/AIUtils.php#L414
https://plugins.trac.wordpress.org/browser/templately/tags/3.4.5/includes/API/AIContent.php#L38
https://plugins.trac.wordpress.org/changeset/3426051/
 
wpeverest--User Registration & Membership Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin The User Registration & Membership - Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. This is due to missing or incorrect nonce validation on the 'process_row_actions' function with the 'delete' action. This makes it possible for unauthenticated attackers to delete arbitrary post via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-01-10 5.4 CVE-2025-14976 https://www.wordfence.com/threat-intel/vulnerabilities/id/e5495b4c-a1ac-4860-83a7-686d9436d983?source=cve
https://plugins.trac.wordpress.org/browser/user-registration/tags/4.4.8/includes/abstracts/abstract-ur-list-table.php#L290
https://plugins.trac.wordpress.org/changeset/3435099/user-registration
 
wpmudev--Forminator Forms Contact Form, Payment Form & Custom Form Builder The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_export' function. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with access to the Forminator dashboard, to export sensitive form submission data including personally identifiable information. 2026-01-09 5.3 CVE-2025-14782 https://www.wordfence.com/threat-intel/vulnerabilities/id/2b28ddeb-44f5-4d19-b866-94fc2088ee6d?source=cve
https://plugins.trac.wordpress.org/changeset/3423003/forminator/trunk/library/class-export.php
 
WPShop.ru--AdsPlace'r Ad Manager, Inserter, AdSense Ads Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPShop.Ru AdsPlace'r - Ad Manager, Inserter, AdSense Ads allows DOM-Based XSS.This issue affects AdsPlace'r - Ad Manager, Inserter, AdSense Ads: from n/a through 1.1.5. 2026-01-06 6.5 CVE-2024-31088 https://patchstack.com/database/wordpress/plugin/adsplacer/vulnerability/wordpress-adsplace-r-ad-manager-inserter-adsense-ads-plugin-1-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve
 
wptb--WP Table Builder Drag & Drop Table Builder The WP Table Builder - Drag & Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the save_table() function in all versions up to, and including, 2.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new wptb-table posts. 2026-01-09 4.3 CVE-2025-13753 https://www.wordfence.com/threat-intel/vulnerabilities/id/95f49080-2263-4f6d-9372-30137efd8e10?source=cve
https://plugins.trac.wordpress.org/changeset/3432381/wp-table-builder
 
Wptexture--Image Slider Slideshow Authorization Bypass Through User-Controlled Key vulnerability in Wptexture Image Slider Slideshow allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Slider Slideshow: from n/a through 1.8. 2026-01-08 4.3 CVE-2026-22489 https://patchstack.com/database/wordpress/plugin/image-slider-slideshow/vulnerability/wordpress-image-slider-slideshow-plugin-1-8-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
WPvibes--AnyWhere Elementor Pro Missing Authorization vulnerability in WPvibes AnyWhere Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AnyWhere Elementor Pro: from n/a through 2.29. 2026-01-05 4.3 CVE-2025-31046 https://vdp.patchstack.com/database/wordpress/theme/anywhere-elementor-pro/vulnerability/wordpress-anywhere-elementor-pro-2-29-broken-access-control-vulnerability?_s_id=cve
 
wpvibes--Form Vibes Database Manager for Forms The Form Vibes - Database Manager for Forms plugin for WordPress is vulnerable to SQL Injection via the 'params' parameter in all versions up to, and including, 1.4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-01-06 4.9 CVE-2025-13409 https://www.wordfence.com/threat-intel/vulnerabilities/id/28eb6998-be54-4cf9-8bb1-454c07151748?source=cve
https://plugins.trac.wordpress.org/browser/form-vibes/tags/1.4.13/inc/modules/analytics/module.php#L62
https://plugins.trac.wordpress.org/browser/form-vibes/tags/1.4.13/inc/modules/analytics/module.php#L51
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3425061%40form-vibes&new=3425061%40form-vibes&sfp_email=&sfph_mail=
 
www15to--QR Code for WooCommerce order emails, PDF invoices, packing slips The QR Code for WooCommerce order emails, PDF invoices, packing slips plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 1.9.42 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-14626 https://www.wordfence.com/threat-intel/vulnerabilities/id/5b2e599c-48de-4d3a-94a3-b98badfb7a98?source=cve
https://plugins.trac.wordpress.org/browser/qr-code-tag-for-wc-from-goaskle-com/tags/1.9.42/lib/qrct/QrctWp.php#L1661
https://plugins.trac.wordpress.org/browser/qr-code-tag-for-wc-from-goaskle-com/trunk/lib/qrct/QrctWp.php#L1661
 
xagio--Xagio SEO AI Powered SEO The Xagio SEO - AI Powered SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.1.0.30 via the 'pixabayDownloadImage' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. 2026-01-06 6.4 CVE-2025-14438 https://www.wordfence.com/threat-intel/vulnerabilities/id/72779dd2-04eb-445d-88a0-28a9c4d2369b?source=cve
https://plugins.trac.wordpress.org/browser/xagio-seo/tags/7.1.0.29/inc/xagio_core.php#L236
https://plugins.trac.wordpress.org/browser/xagio-seo/tags/7.1.0.29/modules/seo/models/xagio_tinymce.php#L91
https://plugins.trac.wordpress.org/browser/xagio-seo/tags/7.1.0.29/modules/seo/models/xagio_tinymce.php#L135
https://plugins.trac.wordpress.org/changeset/3426300/xagio-seo#file374
 
xwiki-contrib--macro-fullcalendar XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6. 2026-01-10 5.3 CVE-2025-65090 https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-637h-ch24-xp9m
https://github.com/xwiki-contrib/macro-fullcalendar/commit/25bc14c181c9a92f493b20ac264388c7ba171884
https://jira.xwiki.org/browse/FULLCAL-82
 
Yahei.Net--Yahei-PHP Prober Yahei-PHP Prober 0.4.7 contains a remote HTML injection vulnerability that allows attackers to execute arbitrary HTML code through the 'speed' GET parameter. Attackers can inject malicious HTML code in the 'speed' parameter of prober.php to trigger cross-site scripting in user browser sessions. 2026-01-07 6.1 CVE-2019-25280 Zero Science Lab Vulnerability Advisory
Packet Storm Security Exploit Entry
CXSecurity Vulnerability Listing
IBM X-Force Vulnerability Exchange
Archived Yahei-PHP Product Homepage
 
Yerootech--iDS6 DSSPro Digital Signage System iDS6 DSSPro Digital Signage System 6.2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can craft malicious web pages to trick logged-in administrators into adding unauthorized users by exploiting the lack of CSRF protections. 2026-01-06 4.3 CVE-2020-36918 ExploitDB-48990
Zero Science Lab Disclosure (ZSL-2020-5606)
Archived Yeroo Tech Vendor Homepage
Packet Storm Security Exploit Entry
IBM X-Force Vulnerability Exchange
CXSecurity Vulnerability Database Entry
VulnCheck Advisory: iDS6 DSSPro Digital Signage System 6.2 Cross-Site Request Forgery via User Management
 
zanderz--Recras The Recras WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'recrasname' shortcode attribute in all versions up to, and including, 6.4.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-01-07 6.4 CVE-2025-13497 https://www.wordfence.com/threat-intel/vulnerabilities/id/ef93491a-5965-4289-b72c-d1568ff4e6e8?source=cve
https://plugins.trac.wordpress.org/browser/recras/trunk/src/OnlineBooking.php#L144
https://plugins.trac.wordpress.org/browser/recras/tags/6.4.1/src/OnlineBooking.php#L144
https://plugins.trac.wordpress.org/changeset/3432851/
 
zauberzeug--nicegui NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is a XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim's browser. Applications that do not pass untrusted input into ui.navigate.history.push/replace are not affected. This issue has been patched in version 3.5.0. 2026-01-08 6.1 CVE-2026-21871 https://github.com/zauberzeug/nicegui/security/advisories/GHSA-7grm-h62g-5m97
https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0
 
zauberzeug--nicegui NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0. 2026-01-08 6.1 CVE-2026-21872 https://github.com/zauberzeug/nicegui/security/advisories/GHSA-m7j5-rq9j-6jj9
https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0
 
zauberzeug--nicegui NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting new connections - errors are logged but the app stays up with broken storage functionality. This issue has been patched in version 3.5.0. 2026-01-08 5.3 CVE-2026-21874 https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mp55-g7pj-rvm2
https://github.com/zauberzeug/nicegui/commit/6c52eb2c90c4b67387c025b29646b4bc1578eb83
https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0
 
ZTE--MF258K There is a configuration defect vulnerability in the version server of ZTE MF258K Pro products. Due to improper directory permission settings, an attacker can execute write permissions in a specific directory. 2026-01-09 4.3 CVE-2025-66315 https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/4891644183717871638
 

Back to top

Low Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
AcademySoftwareFoundation--OpenColorIO A vulnerability was found in AcademySoftwareFoundation OpenColorIO up to 2.5.0. This issue affects the function ConvertToRegularExpression of the file src/OpenColorIO/FileRules.cpp. Performing a manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is named ebdbb75123c9d5f4643e041314e2bc988a13f20d. To fix this issue, it is recommended to deploy a patch. The fix was added to the 2.5.1 milestone. 2026-01-11 3.3 CVE-2025-15506 VDB-340444 | AcademySoftwareFoundation OpenColorIO FileRules.cpp ConvertToRegularExpression out-of-bounds
VDB-340444 | CTI Indicators (IOB, IOC, IOA)
Submit #733332 | AcademySoftwareFoundation OpenColorIO 1d77ecd Out-of-Bounds Read
https://github.com/AcademySoftwareFoundation/OpenColorIO/issues/2228
https://github.com/AcademySoftwareFoundation/OpenColorIO/pull/2231
https://github.com/oneafter/1225/blob/main/uaf
https://github.com/cozdas/OpenColorIO/commit/ebdbb75123c9d5f4643e041314e2bc988a13f20d
https://github.com/AcademySoftwareFoundation/OpenColorIO/milestone/11
 
aws--aws-sdk-net AWS SDK for .NET works with Amazon Web Services to help build scalable solutions with Amazon S3, Amazon DynamoDB, Amazon Glacier, and more. From versions 4.0.0 to before 4.0.3.3, Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. This issue has been patched in version 4.0.3.3. 2026-01-10 3.7 CVE-2026-22611 https://github.com/aws/aws-sdk-net/security/advisories/GHSA-9cvc-h2w8-phrp
 
Dell--PowerProtect Data Domain with Data Domain Operating System (DD OS) Feature Release Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS 2023 release versions 7.10.1.0 through 7.10.1.70, contain a Heap-based Buffer Overflow vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Denial of service. 2026-01-09 2.3 CVE-2025-46643 https://www.dell.com/support/kbdoc/en-us/000405813/dsa-2025-415-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities
 
Dell--PowerProtect Data Domain with Data Domain Operating System (DD OS) Feature Release Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS 2023 release versions 7.10.1.0 through 7.10.1.70, contain an Exposure of Sensitive Information to an Unauthorized Actor vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. 2026-01-09 2.7 CVE-2025-46676 https://www.dell.com/support/kbdoc/en-us/000405813/dsa-2025-415-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities
 
GitLab--GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection. 2026-01-09 3.5 CVE-2025-3950 GitLab Issue #537697
HackerOne Bug Bounty Report #3106477
https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/
 
HCLSoftware--BigFix IVR Insufficient session expiration in the Web UI authentication component in HCL BigFix IVR version 4.2 allows an authenticated attacker to gain prolonged unauthorized access to protected API endpoints due to excessive expiration periods. 2026-01-07 2 CVE-2025-31962 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127753
 
HCLSoftware--BigFix IVR Improper authentication and missing CSRF protection in the local setup interface component in HCL BigFix IVR version 4.2 allows a local attacker to perform unauthorized configuration changes via unauthenticated administrative configuration requests. 2026-01-07 2.9 CVE-2025-31963 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127753
 
HCLSoftware--BigFix IVR Improper service binding configuration in internal service components in HCL BigFix IVR version 4.2 allows a privileged attacker to impact service availability via exposure of administrative services bound to external network interfaces instead of the local authentication interface. 2026-01-07 2.2 CVE-2025-31964 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127753
 
InternationalColorConsortium--iccDEV iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a memory leak vulnerability in its XML MPE Parsing Path (iccFromXml). This issue is fixed in version 2.3.1.1. 2026-01-06 3.3 CVE-2026-21674 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-xww6-v3vg-4qc7
https://github.com/InternationalColorConsortium/iccDEV/issues/241
https://github.com/InternationalColorConsortium/iccDEV/commit/d7028d8f558bb681efe2b85f02eb4ca374502cbb
 
lief-project--LIEF A security flaw has been discovered in lief-project LIEF up to 0.17.1. Affected by this issue is the function Parser::parse_binary of the file src/ELF/Parser.tcc of the component ELF Binary Parser. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. Upgrading to version 0.17.2 can resolve this issue. The patch is identified as 81bd5d7ea0c390563f1c4c017c9019d154802978. It is recommended to upgrade the affected component. 2026-01-10 3.3 CVE-2025-15504 VDB-340375 | lief-project LIEF ELF Binary Parser.tcc parse_binary null pointer dereference
VDB-340375 | CTI Indicators (IOB, IOC, IOA)
Submit #733329 | lief-project LIEF 9698ea6 Memory Corruption
https://github.com/lief-project/LIEF/issues/1277
https://github.com/lief-project/LIEF/issues/1277#issuecomment-3693859001
https://github.com/oneafter/1210/blob/main/segv1
https://github.com/lief-project/LIEF/commit/81bd5d7ea0c390563f1c4c017c9019d154802978
https://github.com/lief-project/LIEF/releases/tag/0.17.2
 
Luxul--XWR-600 A vulnerability was found in Luxul XWR-600 up to 4.0.1. The affected element is an unknown function of the component Web Administration Interface. The manipulation of the argument Guest Network/Wireless Profile SSID results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond with a technical statement. 2026-01-11 2.4 CVE-2025-15505 VDB-340435 | Luxul XWR-600 Web Administration cross site scripting
VDB-340435 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #727924 | Luxul XWR-600 Router Firmware Ver: 4.0.1 Cross Site Scripting
https://docs.google.com/document/d/1S2f5lT0b-KE9m6xq8BY6eSixv6SgsGL1e8QQzeOkq5c/
 
opf--openproject OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users' full names by iterating through these URLs. The same behavior can also be reproduced via the OpenProject API, allowing automated retrieval of full names through the API as well. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually. 2026-01-10 3.5 CVE-2026-22602 https://github.com/opf/openproject/security/advisories/GHSA-7fvx-9h6h-g82j
https://github.com/opf/openproject/pull/21281
https://github.com/opf/openproject/commit/fb39a779f521d9b08f1e0c9e8aff2b6d4643ea37
https://github.com/opf/openproject/releases/tag/v16.6.2
 
Palantir--com.palantir.acme:gotham-default-apps-bundle ### Details On October 1, 2025, Palantir discovered that images uploaded through the Dossier front-end app were not being marked correctly with the proper security levels. The regression was traced back to a change in May 2025, which was meant to allow file uploads to be shared among different artifacts (e.g. other dossiers and presentations). On deployments configured with CBAC, the front-end would present a security picker dialog to set the security level on the uploads, thereby mitigating the issue. On deployments without a CBAC configuration, no security picker dialog appears, leading to a security level of CUSTOM with no markings or datasets selected. The resulting markings and groups for the file uploads thus will be only those added by the "Default authorization rules" defined in the Auth Chooser configuration. On most environments, it is expected that the "Default authorization rules" only add the Everyone group. 2026-01-09 3.5 CVE-2025-62487 https://palantir.safebase.us/?tcuUid=c91a1b4f-72e7-4959-9e2d-3a341e5c7a1f
 
PHPGurukul--Staff Leave Management System A flaw has been found in PHPGurukul Staff Leave Management System 1.0. The affected element is the function ADD_STAFF/UPDATE_STAFF of the file /staffleave/slms/slms/adminviews.py of the component SVG File Handler. Executing a manipulation of the argument profile_pic can lead to cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. 2026-01-08 2.4 CVE-2026-0730 VDB-340127 | PHPGurukul Staff Leave Management System SVG File adminviews.py UPDATE_STAFF cross site scripting
VDB-340127 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #733160 | PHPGurukul Staff Leave Management System v1.0 Cross Site Scripting
https://github.com/rsecroot/Staff-Leave-Management-System/blob/main/Cross%20Site%20Scripting.md
https://phpgurukul.com/
 
Progress--MOVEit Transfer Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules).This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, from 2022.0.0 before 2022.0.10. 2026-01-06 3.7 CVE-2025-11235 https://docs.progress.com/bundle/moveit-transfer-release-notes-2023_1/page/Fixed-Issues-in-2023.1.3.html
 
projectworlds--House Rental and Property Listing A vulnerability was detected in projectworlds House Rental and Property Listing 1.0. This issue affects some unknown processing of the file /app/complaint.php. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. 2026-01-06 2.4 CVE-2026-0642 VDB-339685 | projectworlds House Rental and Property Listing complaint.php cross site scripting
VDB-339685 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #732369 | projectworlds.com House rental And Property Listing 1.0 Cross Site Scripting
https://github.com/Pick-program/CVE/issues/4
 
questdb--ui A security flaw has been discovered in questdb ui up to 1.11.9. Impacted is an unknown function of the component Web Console. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 1.1.10 is recommended to address this issue. The patch is identified as b42fd9f18476d844ae181a10a249e003dafb823d. You should upgrade the affected component. The vendor confirmed early that the fix "is going to be released as a part of QuestDB 9.3.0" as well. 2026-01-10 3.5 CVE-2026-0824 VDB-340357 | questdb ui Web Console cross site scripting
VDB-340357 | CTI Indicators (IOB, IOC, TTP)
Submit #733253 | questdb V9.2.3(latest) xss
https://github.com/59lab/dbdb/blob/main/There%20is%20a%20cross-site%20scripting(XSS)%20vulnerability%20in%20the%20QuestDB%20database.md
https://github.com/questdb/questdb/releases/tag/9.3.0
https://github.com/questdb/ui/pull/519#issue-3790862030
https://github.com/questdb/ui/commit/b42fd9f18476d844ae181a10a249e003dafb823d
https://github.com/questdb/ui/pull/518
 
rankology--Rankology SEO and Analytics Tool The Rankology SEO and Analytics Tool plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect capability check on the 'rankology_code_block' page in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Editor-level access and above, to add header and footer code blocks. 2026-01-07 2.7 CVE-2025-12958 https://www.wordfence.com/threat-intel/vulnerabilities/id/c97a341c-23f5-49a9-ad05-1fb387047e3b?source=cve
https://wordpress.org/plugins/rankology-seo-and-analytics-tool/
 
SourceCodester--API Key Manager App A vulnerability was found in SourceCodester API Key Manager App 1.0. Affected by this vulnerability is an unknown functionality of the component Import Key Handler. Performing a manipulation results in cross site scripting. The attack can be initiated remotely. 2026-01-05 3.5 CVE-2026-0580 VDB-339472 | SourceCodester API Key Manager App Import Key cross site scripting
VDB-339472 | CTI Indicators (IOB, IOC, TTP)
Submit #731146 | SourceCodester API Key Manager App Using HTML, CSS and JavaScript with Source Code 0 Cross Site Scripting
Submit #731290 | SourceCodester API Key Manager App Using HTML, CSS and JavaScript with Source Code 0 Basic Cross Site Scripting (Duplicate)
https://www.sourcecodester.com/
 
Xinhu--Rainrock RockOA A security flaw has been discovered in Xinhu Rainrock RockOA up to 2.7.1. Affected is an unknown function of the file rock_page_gong.php of the component Cover Image Handler. The manipulation of the argument fengmian results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-05 3.5 CVE-2026-0587 VDB-339493 | Xinhu Rainrock RockOA Cover Image rock_page_gong.php cross site scripting
VDB-339493 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #725384 | Xinhu Xinhu OA V2.7.1 (earlier versions may also be affected) Stored Cross-Site Scripting (XSS)
 
Xinhu--Rainrock RockOA A weakness has been identified in Xinhu Rainrock RockOA up to 2.7.1. Affected by this vulnerability is an unknown functionality of the file rockfun.php of the component API. This manipulation of the argument callback causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-05 3.5 CVE-2026-0588 VDB-339494 | Xinhu Rainrock RockOA API rockfun.php cross site scripting
VDB-339494 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #725397 | Xinhu Xinhu OA V2.7.1 JSONP Injection
 
xnx3--wangmarket A security flaw has been discovered in xnx3 wangmarket up to 4.9. Affected by this issue is some unknown functionality of the file /admin/system/variableSave.do of the component System Variables Page. Performing a manipulation of the argument Description results in cross site scripting. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-05 2.4 CVE-2025-15451 VDB-339484 | xnx3 wangmarket System Variables variableSave.do cross site scripting
VDB-339484 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #724838 | https://github.com/xnx3/wangmarket wangmarket 4.9 Improper Neutralization of Alternate XSS Syntax
https://www.yuque.com/cocount-eveo/lu0220/eg6s9gropfwtoz9w?singleDoc
 
xnx3--wangmarket A weakness has been identified in xnx3 wangmarket up to 4.9. This affects the function variableList of the file /admin/system/variableList.do of the component Backend Variable Search. Executing a manipulation of the argument Description can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-05 2.4 CVE-2025-15452 VDB-339485 | xnx3 wangmarket Backend Variable Search variableList.do variableList cross site scripting
VDB-339485 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #724840 | https://github.com/xnx3/wangmarket wangmarket 4.9 Improper Neutralization of Alternate XSS Syntax
https://www.yuque.com/cocount-eveo/lu0220/flbu025pfmwgudmg?singleDoc
 
zhanglun--lettura A vulnerability was detected in zhanglun lettura up to 0.1.22. This issue affects some unknown processing of the file src/components/ArticleView/ContentRender.tsx of the component RSS Handler. The manipulation results in cross site scripting. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit is now public and may be used. The patch is identified as 67213093db9923e828a6e3fd8696a998c85da2d4. It is best practice to apply a patch to resolve this issue. 2026-01-05 3.1 CVE-2025-15454 VDB-339487 | zhanglun lettura RSS ContentRender.tsx cross site scripting
VDB-339487 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #725038 | lettura v0.1.22 XSS
https://gist.github.com/youremailaddress/cba7c19a4eafcb326d0e912adf132be3
https://gist.github.com/youremailaddress/cba7c19a4eafcb326d0e912adf132be3#proof-of-concept
https://github.com/zhanglun/lettura/commit/67213093db9923e828a6e3fd8696a998c85da2d4
 

Back to top

Severity Not Yet Assigned

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
_nK--nK Themes Helper Server-Side Request Forgery (SSRF) vulnerability in _nK nK Themes Helper nk-themes-helper allows Server Side Request Forgery.This issue affects nK Themes Helper: from n/a through <= 1.7.9. 2026-01-08 not yet calculated CVE-2025-22726 https://vdp.patchstack.com/database/Wordpress/Plugin/nk-themes-helper/vulnerability/wordpress-nk-themes-helper-plugin-1-7-9-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
 
ACCESSALLY, INC.--AccessAlly AccessAlly WordPress plugin versions prior to 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget. The plugin processes the login_error parameter as PHP code, allowing an attacker to supply and execute arbitrary PHP in the context of the WordPress web server process, resulting in remote code execution. 2026-01-09 not yet calculated CVE-2020-36875 https://accessally.com/software-release/accessally-3-3-2/
https://wpscan.com/vulnerability/c644de6d-098d-4889-b75d-53fd2b89ff4d/
https://www.vulncheck.com/advisories/accessally-unauthenticated-arbitrary-php-code-execution
 
aio-libs--aiohttp AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. This issue is fixed in version 3.13.3. 2026-01-05 not yet calculated CVE-2025-69224 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-69f9-5gxw-wvc2
https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0
 
aio-libs--aiohttp AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability. This issue is fixed in version 3.13.3. 2026-01-05 not yet calculated CVE-2025-69225 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-mqqc-3gqh-h2x8
https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96
 
aio-libs--aiohttp AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. This issue is fixed in version 3.13.3. 2026-01-05 not yet calculated CVE-2025-69226 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-54jq-c3m8-4m76
https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e
 
aio-libs--aiohttp AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message. This issue is fixed in version 3.13.3. 2026-01-05 not yet calculated CVE-2025-69227 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jj3x-wxrx-4x23
https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259
 
aio-libs--aiohttp AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory. This issue is fixed in version 3.13.3. 2026-01-05 not yet calculated CVE-2025-69228 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6jhg-hg63-jvvf
https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60
 
aio-libs--aiohttp AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time. This issue is fixed in version 3.13.3. 2026-01-05 not yet calculated CVE-2025-69229 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq
https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229
https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712
 
aio-libs--aiohttp AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header. This issue is fixed in 3.13.3. 2026-01-05 not yet calculated CVE-2025-69230 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-fh55-r93g-j68g
https://github.com/aio-libs/aiohttp/commit/64629a0834f94e46d9881f4e99c41a137e1f3326
 
AirVPN--Eddie AirVPN Eddie on MacOS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root.This issue affects Eddie: 2.24.6. 2026-01-06 not yet calculated CVE-2025-14979 https://fluidattacks.com/advisories/blink182
https://eddie.website/
https://github.com/AirVPN/Eddie
 
AITpro--BulletProof Security Insertion of Sensitive Information Into Sent Data vulnerability in AITpro BulletProof Security bulletproof-security allows Retrieve Embedded Sensitive Data.This issue affects BulletProof Security: from n/a through <= 6.9. 2026-01-08 not yet calculated CVE-2025-67931 https://vdp.patchstack.com/database/Wordpress/Plugin/bulletproof-security/vulnerability/wordpress-bulletproof-security-plugin-6-9-sensitive-data-exposure-vulnerability?_s_id=cve
 
AmentoTech--Workreap (theme's plugin) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AmentoTech Workreap (theme's plugin) workreap allows SQL Injection.This issue affects Workreap (theme's plugin): from n/a through <= 3.3.6. 2026-01-08 not yet calculated CVE-2025-22728 https://vdp.patchstack.com/database/Wordpress/Plugin/workreap/vulnerability/wordpress-workreap-theme-s-plugin-plugin-3-3-6-sql-injection-vulnerability?_s_id=cve
 
angular--angular Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular's internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0. 2026-01-10 not yet calculated CVE-2026-22610 https://github.com/angular/angular/security/advisories/GHSA-jrmj-c5cx-3cw6
https://github.com/angular/angular/pull/66318
https://github.com/angular/angular/commit/91dc91bae4a1bbefc58bef6ef739d0e02ab44d56
 
anibalwainstein--Effect Maker Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anibalwainstein Effect Maker effect-maker allows DOM-Based XSS.This issue affects Effect Maker: from n/a through <= 1.2.1. 2026-01-08 not yet calculated CVE-2025-68867 https://vdp.patchstack.com/database/Wordpress/Plugin/effect-maker/vulnerability/wordpress-effect-maker-plugin-1-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Anthropic--MCP TypeScript SDK Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service. 2026-01-05 not yet calculated CVE-2026-0621 https://github.com/modelcontextprotocol/typescript-sdk/issues/965
https://www.vulncheck.com/advisories/mcp-typescript-sdk-uritemplate-exploded-array-pattern-redos
 
Apache Software Foundation--Apache Kyuubi Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-side config kyuubi.session.local.dir.allow.list and use local files which are not listed in the config. This issue affects Apache Kyuubi: from 1.6.0 through 1.10.2. Users are recommended to upgrade to version 1.10.3 or upper, which fixes the issue. 2026-01-05 not yet calculated CVE-2025-66518 https://lists.apache.org/thread/xp460bwbyzdhho34ljd4nchyt2fmhodl
 
Apache Software Foundation--Apache Mynewt NimBLE J2EE Misconfiguration: Data Transmission Without Encryption vulnerability in Apache NimBLE. Improper handling of Pause Encryption procedure on Link Layer results in a previously encrypted connection being left in un-encrypted state allowing an eavesdropper to observe the remainder of the exchange. This issue affects Apache NimBLE: through <= 1.8.0. Users are recommended to upgrade to version 1.9.0, which fixes the issue. 2026-01-10 not yet calculated CVE-2025-52435 https://github.com/apache/mynewt-nimble/commit/164f1c23c18a290908df76ed83fe848bfe4a4903
https://github.com/apache/mynewt-nimble/commit/ec3d75e909fa6dcadf1836fefc4432794a673d18
https://lists.apache.org/thread/ow8dzpsqfh9llfclh5fzh6z237brzc0s
 
Apache Software Foundation--Apache Mynewt NimBLE Out-of-bounds Read vulnerability in Apache NimBLE HCI H4 driver. Specially crafted HCI event could lead to invalid memory read in H4 driver. This issue affects Apache NimBLE: through 1.8.  This issue requires a broken or bogus Bluetooth controller and thus severity is considered low. Users are recommended to upgrade to version 1.9, which fixes the issue. 2026-01-10 not yet calculated CVE-2025-53470 https://github.com/apache/mynewt-nimble/commit/b973df0c6cf7b30efbf8eb2cafdc1ee843464b76
https://lists.apache.org/thread/32sm0944dyod4sdql77stgyw9xb2msc0
 
Apache Software Foundation--Apache Mynewt NimBLE NULL Pointer Dereference vulnerability in Apache Nimble. Missing validation of HCI connection complete or HCI command TX buffer could lead to NULL pointer dereference. This issue requires disabled asserts and broken or bogus Bluetooth controller and thus severity is considered low. This issue affects Apache NimBLE: through 1.8.0. Users are recommended to upgrade to version 1.9.0, which fixes the issue. 2026-01-10 not yet calculated CVE-2025-53477 https://github.com/apache/mynewt-nimble/commit/0caf9baeb271ede85fcc5237ab87ddbf938600da
https://github.com/apache/mynewt-nimble/commit/3160b8c4c7ff8db4e0f9badcdf7df684b151e077
https://lists.apache.org/thread/1dxthc132hwm2tzvjblrtnschcsbw2vo
 
Apache Software Foundation--Apache Mynewt NimBLE Authentication Bypass by Spoofing vulnerability in Apache NimBLE. Receiving specially crafted Security Request could lead to removal of original bond and re-bond with impostor. This issue affects Apache NimBLE: through 1.8.0. Users are recommended to upgrade to version 1.9.0, which fixes the issue. 2026-01-10 not yet calculated CVE-2025-62235 https://github.com/apache/mynewt-nimble/commit/41f67e391e788c5feef9030026cc5cbc5431838a
https://lists.apache.org/thread/rw2mrpfwb9d9wmq4h4b6ctcd6gpkk2ho
 
Apache Software Foundation--Apache SIS Improper Restriction of XML External Entity Reference vulnerability in Apache SIS. It is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server running Apache SIS. This vulnerability impacts the following SIS services: * Reading of GeoTIFF files having the GEO_METADATA tag defined by the Defense Geospatial Information Working Group (DGIWG). * Parsing of ISO 19115 metadata in XML format. * Parsing of Coordinate Reference Systems defined in the GML format. * Parsing of files in GPS Exchange Format (GPX). This issue affects Apache SIS from versions 0.4 through 1.5 inclusive. Users are recommended to upgrade to version 1.6, which will fix the issue. In the meantime, the security vulnerability can be avoided by launching Java with the javax.xml.accessExternalDTD system property sets to a comma-separated list of authorized protocols. For example: java -Djavax.xml.accessExternalDTD="" ... 2026-01-05 not yet calculated CVE-2025-68280 https://lists.apache.org/thread/s4ggy3zbtrrn93glgo2vn52lgcxk4bp4
 
Apache Software Foundation--Apache Struts Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue. 2026-01-11 not yet calculated CVE-2025-68493 https://cwiki.apache.org/confluence/display/WW/S2-069
 
Apache Software Foundation--Apache Uniffle The Uniffle HTTP client is configured to trust all SSL certificates and disables hostname verification by default. This insecure configuration exposes all REST API communication between the Uniffle CLI/client and the Uniffle Coordinator service to potential Man-in-the-Middle (MITM) attacks. This issue affects all versions from before 0.10.0. Users are recommended to upgrade to version 0.10.0, which fixes the issue. 2026-01-07 not yet calculated CVE-2025-68637 https://lists.apache.org/thread/trvdd11hmpbjno3t8rc9okr4t036ox2v
 
Apple--iOS and iPadOS A logic issue was addressed with improved validation. This issue is fixed in iOS 26.2 and iPadOS 26.2. Restoring from a backup may prevent passcode from being required immediately after Face ID enrollment. 2026-01-09 not yet calculated CVE-2025-46286 https://support.apple.com/en-us/125884
 
Apple--macOS A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.2. An app may be able to access protected files within an App Sandbox container. 2026-01-09 not yet calculated CVE-2025-46297 https://support.apple.com/en-us/125886
 
Apple--tvOS The issue was addressed with improved memory handling. This issue is fixed in tvOS 26.2, Safari 26.2, watchOS 26.2, visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. Processing maliciously crafted web content may lead to an unexpected process crash. 2026-01-09 not yet calculated CVE-2025-46298 https://support.apple.com/en-us/125889
https://support.apple.com/en-us/125892
https://support.apple.com/en-us/125884
https://support.apple.com/en-us/125891
https://support.apple.com/en-us/125886
https://support.apple.com/en-us/125890
 
Apple--tvOS A memory initialization issue was addressed with improved memory handling. This issue is fixed in tvOS 26.2, Safari 26.2, watchOS 26.2, visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. Processing maliciously crafted web content may disclose internal states of the app. 2026-01-09 not yet calculated CVE-2025-46299 https://support.apple.com/en-us/125889
https://support.apple.com/en-us/125892
https://support.apple.com/en-us/125884
https://support.apple.com/en-us/125891
https://support.apple.com/en-us/125886
https://support.apple.com/en-us/125890
 
armurox--loggingredactor Logging Redactor is a Python library designed to redact sensitive data in logs based on regex patterns and / or dictionary keys. Prior to version 0.0.6, non-string types are converted into string types, leading to type errors in %d conversions. The problem has been patched in version 0.0.6. No known workarounds are available. 2026-01-08 not yet calculated CVE-2026-22041 https://github.com/armurox/loggingredactor/security/advisories/GHSA-rvjx-cfjh-5mc9
https://github.com/armurox/loggingredactor/issues/7
https://github.com/armurox/loggingredactor/releases/tag/0.0.6
 
Arraytics--Timetics Authentication Bypass Using an Alternate Path or Channel vulnerability in Arraytics Timetics timetics allows Authentication Abuse.This issue affects Timetics: from n/a through <= 1.0.46. 2026-01-08 not yet calculated CVE-2025-67915 https://vdp.patchstack.com/database/Wordpress/Plugin/timetics/vulnerability/wordpress-timetics-plugin-1-0-46-broken-authentication-vulnerability?_s_id=cve
 
Aruba.it Dev--Aruba HiSpeed Cache Missing Authorization vulnerability in Aruba.it Dev Aruba HiSpeed Cache aruba-hispeed-cache allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Aruba HiSpeed Cache: from n/a through < 3.0.3. 2026-01-08 not yet calculated CVE-2025-67913 https://vdp.patchstack.com/database/Wordpress/Plugin/aruba-hispeed-cache/vulnerability/wordpress-aruba-hispeed-cache-plugin-3-0-3-broken-access-control-vulnerability?_s_id=cve
 
Asseco--AMDX Asseco ADMX system is used for processing medical records. It allows logged in users to access medical files belonging to other users through manipulation of GET arguments containing document IDs. This issue has been fixed in 6.09.01.62 version of ADMX. 2026-01-08 not yet calculated CVE-2025-4596 https://cert.pl/en/posts/2026/01/CVE-2025-4596
 
Asseco--InfoMedica Plus Asseco InfoMedica is a comprehensive solution used to manage both administrative and medical tasks in the healthcare sector. A low privileged user is able to obtain encoded passwords of all other accounts (including main administrator) due to lack of granularity in access control.  Chained exploitation of this vulnerability and CVE-2025-8307 allows an attacker to escalate privileges. This vulnerability has been fixed in versions 4.50.1 and 5.38.0 2026-01-08 not yet calculated CVE-2025-8306 https://cert.pl/en/posts/2026/01/CVE-2025-8306/
 
Asseco--InfoMedica Plus Asseco InfoMedica is a comprehensive solution used to manage both administrative and medical tasks in the healthcare sector. Passwords of all users are stored in a database in an encoded format. An attacker in possession of these encoded passwords is able to decode them by using an algorithm embedded in the client-side part of the software.  This vulnerability has been fixed in versions 4.50.1 and 5.38.0 2026-01-08 not yet calculated CVE-2025-8307 https://cert.pl/en/posts/2026/01/CVE-2025-8306/
 
Astoundify--Jobify Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Astoundify Jobify jobify allows Reflected XSS.This issue affects Jobify: from n/a through <= 4.3.0. 2026-01-08 not yet calculated CVE-2025-67916 https://vdp.patchstack.com/database/Wordpress/Theme/jobify/vulnerability/wordpress-jobify-theme-4-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
ASUS--ASCI An uncontrolled DLL loading path vulnerability exists in AsusSoftwareManagerAgent. A local attacker may influence the application to load a DLL from an attacker-controlled location, potentially resulting in arbitrary code execution. Refer to the ' Security Update for MyASUS' section on the ASUS Security Advisory for more information. 2026-01-06 not yet calculated CVE-2025-12793 https://www.asus.com/security-advisory
 
AuntyFey--AuntyFey Smart Combination Lock AuntyFey Smart Combination Lock firmware versions as of 2025-12-24 contain a vulnerability that allows an unauthenticated attacker within Bluetooth Low Energy (BLE) range to cause a denial of service by repeatedly initiating BLE connections. Sustained connection attempts interrupt keypad authentication input and repeatedly force the device into lockout states, preventing legitimate users from unlocking the device. 2026-01-07 not yet calculated CVE-2025-15474 https://github.com/nsm-barii/ble-smartlock-dos
https://www.amazon.com/dp/B0F9L1M4XG
https://www.vulncheck.com/advisories/auntyfey-smart-combination-lock-ble-connection-flood-dos
 
badkeys--badkeys badkeys is a tool and library for checking cryptographic public keys for known vulnerabilities. In versions 0.0.15 and below, an attacker may inject content with ASCII control characters like vertical tabs, ANSI escape sequences, etc., that can create misleading output of the badkeys command-line tool. This impacts scanning DKIM keys (both --dkim and --dkim-dns), SSH keys (--ssh-lines mode), and filenames in various modes. This issue is fixed in version 0.0.16. 2026-01-05 not yet calculated CVE-2026-21439 https://github.com/badkeys/badkeys/security/advisories/GHSA-wjpc-4f29-83h3
https://github.com/badkeys/badkeys/issues/40
https://github.com/badkeys/badkeys/commit/635a2f3b1b50a895d8b09ec8629efc06189f349a
https://github.com/badkeys/badkeys/commit/de631f69f040974bb5fb442cdab9a1d904c64087
 
BBR Plugins--Better Business Reviews Missing Authorization vulnerability in BBR Plugins Better Business Reviews better-business-reviews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Better Business Reviews: from n/a through <= 0.1.1. 2026-01-06 not yet calculated CVE-2025-69354 https://vdp.patchstack.com/database/Wordpress/Plugin/better-business-reviews/vulnerability/wordpress-better-business-reviews-plugin-0-1-1-broken-access-control-vulnerability?_s_id=cve
 
bdthemes--Ultimate Store Kit Elementor Addons Missing Authorization vulnerability in bdthemes Ultimate Store Kit Elementor Addons ultimate-store-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Store Kit Elementor Addons: from n/a through <= 2.9.4. 2026-01-06 not yet calculated CVE-2025-69336 https://vdp.patchstack.com/database/Wordpress/Plugin/ultimate-store-kit/vulnerability/wordpress-ultimate-store-kit-elementor-addons-plugin-2-9-4-broken-access-control-vulnerability?_s_id=cve
 
BeeS Software Solutions--BET ePortal BeeS Software Solutions BET Portal contains an SQL injection vulnerability in the login functionality of affected sites. The vulnerability enables arbitrary SQL commands to be executed on the backend database. 2026-01-09 not yet calculated CVE-2025-14598 https://cloudilyaerp.com/
https://afnaan.me/cve/cve-2025-14598
https://github.com/Afnaan-Ahmed/CVE-2025-14598
 
beeteam368--VidMov Path Traversal: '.../...//' vulnerability in beeteam368 VidMov vidmov allows Path Traversal.This issue affects VidMov: from n/a through <= 2.3.8. 2026-01-08 not yet calculated CVE-2025-67914 https://vdp.patchstack.com/database/Wordpress/Theme/vidmov/vulnerability/wordpress-vidmov-theme-2-3-8-path-traversal-vulnerability?_s_id=cve
 
bokeh--bokeh Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com (or use a subdomain if applicable) and lure a victim to visit it. The malicious site can then initiate a WebSocket connection to the vulnerable Bokeh server. Since the Origin header (e.g., http://dashboard.corp.attacker.com/) matches the allowlist according to the flawed logic, the connection is accepted. Once connected, the attacker can interact with the Bokeh server on behalf of the victim, potentially accessing sensitive data, or modifying visualizations. This issue is fixed in version 3.8.2. 2026-01-08 not yet calculated CVE-2026-21883 https://github.com/bokeh/bokeh/security/advisories/GHSA-793v-589g-574v
https://github.com/bokeh/bokeh/commit/cedd113b0e271b439dce768671685cf5f861812e
 
BoldGrid--Post and Page Builder by BoldGrid Missing Authorization vulnerability in BoldGrid Post and Page Builder by BoldGrid post-and-page-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post and Page Builder by BoldGrid: from n/a through <= 1.27.9. 2026-01-06 not yet calculated CVE-2025-69345 https://vdp.patchstack.com/database/Wordpress/Plugin/post-and-page-builder/vulnerability/wordpress-post-and-page-builder-by-boldgrid-plugin-1-27-9-broken-access-control-vulnerability?_s_id=cve
 
brandexponents--Oshine Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in brandexponents Oshine oshin allows PHP Local File Inclusion.This issue affects Oshine: from n/a through <= 7.2.7. 2026-01-08 not yet calculated CVE-2025-14359 https://vdp.patchstack.com/database/Wordpress/Theme/oshin/vulnerability/wordpress-oshine-theme-7-2-7-local-file-inclusion-vulnerability?_s_id=cve
 
BuddhaThemes--WeDesignTech Ultimate Booking Addon Missing Authorization vulnerability in BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.3. 2026-01-06 not yet calculated CVE-2025-69341 https://vdp.patchstack.com/database/Wordpress/Plugin/wedesigntech-ultimate-booking-addon/vulnerability/wordpress-wedesigntech-ultimate-booking-addon-plugin-1-0-3-broken-access-control-vulnerability?_s_id=cve
 
Campaign Monitor--Campaign Monitor for WordPress Missing Authorization vulnerability in Campaign Monitor Campaign Monitor for WordPress forms-for-campaign-monitor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Campaign Monitor for WordPress: from n/a through <= 2.9.0. 2026-01-08 not yet calculated CVE-2026-0674 https://vdp.patchstack.com/database/Wordpress/Plugin/forms-for-campaign-monitor/vulnerability/wordpress-campaign-monitor-for-wordpress-plugin-2-9-0-broken-access-control-vulnerability?_s_id=cve
 
chlodigital--PRIMER by chlodigital Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in chloédigital PRIMER by chloédigital primer-by-chloedigital allows Reflected XSS.This issue affects PRIMER by chloédigital: from n/a through <= 1.0.25. 2026-01-08 not yet calculated CVE-2025-68873 https://vdp.patchstack.com/database/Wordpress/Plugin/primer-by-chloedigital/vulnerability/wordpress-primer-by-chloedigital-plugin-1-0-25-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Cloudways--Breeze Missing Authorization vulnerability in Cloudways Breeze breeze allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Breeze: from n/a through <= 2.2.21. 2026-01-06 not yet calculated CVE-2025-69364 https://vdp.patchstack.com/database/Wordpress/Plugin/breeze/vulnerability/wordpress-breeze-plugin-2-2-21-broken-access-control-vulnerability?_s_id=cve
 
CMSJunkie - WordPress Business Directory Plugins--WP-BusinessDirectory Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory wp-businessdirectory allows Reflected XSS.This issue affects WP-BusinessDirectory: from n/a through <= 3.1.5. 2026-01-08 not yet calculated CVE-2025-68887 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-businessdirectory/vulnerability/wordpress-wp-businessdirectory-plugin-3-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
CodexThemes--TheGem Theme Elements (for Elementor) Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows PHP Local File Inclusion.This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.11.0. 2026-01-06 not yet calculated CVE-2025-69356 https://vdp.patchstack.com/database/Wordpress/Plugin/thegem-elements-elementor/vulnerability/wordpress-thegem-theme-elements-for-elementor-plugin-5-11-0-local-file-inclusion-vulnerability?_s_id=cve
 
CodexThemes--TheGem Theme Elements (for Elementor) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows Stored XSS.This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.11.0. 2026-01-06 not yet calculated CVE-2025-69357 https://vdp.patchstack.com/database/Wordpress/Plugin/thegem-elements-elementor/vulnerability/wordpress-thegem-theme-elements-for-elementor-plugin-5-11-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
CodexThemes--TheGem Theme Elements (for WPBakery) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for WPBakery) thegem-elements allows DOM-Based XSS.This issue affects TheGem Theme Elements (for WPBakery): from n/a through <= 5.11.0. 2026-01-06 not yet calculated CVE-2025-69360 https://vdp.patchstack.com/database/Wordpress/Plugin/thegem-elements/vulnerability/wordpress-thegem-theme-elements-for-wpbakery-plugin-5-11-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Commvault--WebConsole The Report Builder component of the application stores user input directly in a web page and displays it to other users, which raised concerns about a possible Cross-Site Scripting (XSS) attack. Proper management of this functionality helps ensure a secure and seamless user experience.  Although the user input is not validated in the report creation, these scripts are not executed when the report is run by end users. The script is executed when the report is modified through the report builder by a user with edit permissions. The Report Builder is part of the WebConsole.  The WebConsole package is currently end of life, and is no longer maintained. We strongly recommend against installing or using it in any production environment. However, if you choose to install it, for example, to access functionality like the Report Builder, it must be deployed within a fully isolated network that has no access to sensitive data or internet connectivity. This is a critical security precaution, as the retired package may contain unpatched vulnerabilities and is no longer supported with updates or fixes. 2026-01-07 not yet calculated CVE-2025-12776 https://documentation.commvault.com/securityadvisories/CV_2025_06_3.html
 
contentstudio--Contentstudio Unrestricted Upload of File with Dangerous Type vulnerability in contentstudio Contentstudio contentstudio allows Upload a Web Shell to a Web Server.This issue affects Contentstudio: from n/a through <= 1.3.7. 2026-01-08 not yet calculated CVE-2025-67910 https://vdp.patchstack.com/database/Wordpress/Plugin/contentstudio/vulnerability/wordpress-contentstudio-plugin-1-3-7-arbitrary-file-upload-vulnerability?_s_id=cve
 
CoolHappy--The Events Calendar Countdown Addon Missing Authorization vulnerability in CoolHappy The Events Calendar Countdown Addon countdown-for-the-events-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Events Calendar Countdown Addon: from n/a through <= 1.4.15. 2026-01-06 not yet calculated CVE-2025-69348 https://vdp.patchstack.com/database/Wordpress/Plugin/countdown-for-the-events-calendar/vulnerability/wordpress-the-events-calendar-countdown-addon-plugin-1-4-15-broken-access-control-vulnerability?_s_id=cve
 
coollabsio--coolify Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, a Remote Code Execution (RCE)*vulnerability exists in Coolify's application deployment workflow. This flaw allows a low-privileged member to inject arbitrary Docker Compose directives during project creation or updates. By defining a malicious service that mounts the host filesystem, an attacker can achieve root-level command execution on the host OS, completely bypassing container isolation. Version 4.0.0-beta.420.7 contains a patch for the issue. 2026-01-05 not yet calculated CVE-2025-59156 https://github.com/coollabsio/coolify/security/advisories/GHSA-h5xw-7xvp-xrxr
 
coollabsio--coolify Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges (e.g., member role) can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator later attempts to delete the project or its associated resource, the payload automatically executes in the admin's browser context. Version 4.0.0-beta.420.7 contains a patch for the issue. 2026-01-05 not yet calculated CVE-2025-59158 https://github.com/coollabsio/coolify/security/advisories/GHSA-h52r-jxv9-9vhf
 
coollabsio--coolify Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the `/api/v1/teams/{team_id}/members` and `/api/v1/teams/current/members` API endpoints allows authenticated team members to access a highly sensitive `email_change_code` from other users on the same team. This code is intended for a single-use email change verification and should be kept secret. Its exposure could enable a malicious actor to perform an unauthorized email address change on behalf of the victim. As of time of publication, no known patched versions exist. 2026-01-05 not yet calculated CVE-2025-59955 https://github.com/coollabsio/coolify/security/advisories/GHSA-927g-56xp-6427
 
coollabsio--coolify Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can invite a high privileged user. At first, the application will throw an error, but if the attacker clicks the invite button a second time, it actually works. This way, a low privileged user can invite themselves as an administrator to the Coolify instance. After the high privileged user is invited, the attacker can initiate a password reset and log in with the new admin. As of time of publication, it is unclear if a patch is available. 2026-01-05 not yet calculated CVE-2025-64421 https://github.com/coollabsio/coolify/security/advisories/GHSA-4p6r-m39m-9cm9
https://drive.google.com/file/d/1YZHFgiZv_k9p9909A63DAErsTsh8K1rc/view?usp=drive_link
 
coollabsio--coolify Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify vstarting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. This enables unlimited credential stuffing and brute-force attempts against user and admin accounts. As of time of publication, it is unclear if a patch is available. 2026-01-05 not yet calculated CVE-2025-64422 https://github.com/coollabsio/coolify/security/advisories/GHSA-688j-rm43-5r8x
 
coollabsio--coolify Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can see and use invitation links sent to an administrator. When they use the link before the legitimate recipient does, they are able to log in as an administrator, meaning they have successfully escalated their privileges. As of time of publication, it is unclear if a patch is available. 2026-01-05 not yet calculated CVE-2025-64423 https://github.com/coollabsio/coolify/security/advisories/GHSA-4fqm-797g-7m6j
 
coollabsio--coolify Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a command injection vulnerability exists in the git source input fields of a resource, allowing a low privileged user (member) to execute system commands as root on the Coolify instance. As of time of publication, it is unclear if a patch is available. 2026-01-05 not yet calculated CVE-2025-64424 https://github.com/coollabsio/coolify/security/advisories/GHSA-qx24-jhwj-8w6x
https://drive.google.com/file/d/1rk7AYxNDkJUwo8uWbzX62PpBxpDYeyrZ/view?usp=drive_link
 
coollabsio--coolify Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim, and modify the host header of the request to a malicious value. The victim will receive a password reset email, with a link to the malicious host. If the victim clicks this link, their reset token is sent to the attacker's server, allowing the attacker to use it to change the victim's password and takeover their account. As of time of publication, it is unclear if a patch is available. 2026-01-05 not yet calculated CVE-2025-64425 https://github.com/coollabsio/coolify/security/advisories/GHSA-f737-2p93-g2cw
https://drive.google.com/file/d/1I5sJHcpetJbKlwVS2usAD7qmgH37Y4rw/view?usp=drive_link
 
coredns--coredns CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections, streams, or sending oversized request bodies. The issue is similar in nature to CVE-2025-47950 (QUIC DoS) but affects additional server types that do not enforce connection limits, stream limits, or message size constraints. Version 1.14.0 contains a patch. 2026-01-08 not yet calculated CVE-2025-68151 https://github.com/coredns/coredns/security/advisories/GHSA-527x-5wrf-22m2
https://github.com/coredns/coredns/pull/7490
https://github.com/coredns/coredns/commit/0d8cbb1a6bcb6bc9c1a489865278b8725fa20812
 
craftcms--cms Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. 2026-01-05 not yet calculated CVE-2025-68436 https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9
https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9
 
craftcms--cms Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue. 2026-01-05 not yet calculated CVE-2025-68437 https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc
https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
 
craftcms--cms Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. 2026-01-05 not yet calculated CVE-2025-68454 https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383
https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
 
craftcms--cms Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. 2026-01-05 not yet calculated CVE-2025-68455 https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5
https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7
https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef
https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
 
craftcms--cms Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes. 2026-01-05 not yet calculated CVE-2025-68456 https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr
https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
 
curl--curl When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification. 2026-01-08 not yet calculated CVE-2025-13034 json
www
 
curl--curl When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well. 2026-01-08 not yet calculated CVE-2025-14017 json
www
 
curl--curl When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host. 2026-01-08 not yet calculated CVE-2025-14524 json
www
issue
 
curl--curl When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not. 2026-01-08 not yet calculated CVE-2025-14819 json
www
 
curl--curl When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file. 2026-01-08 not yet calculated CVE-2025-15079 json
www
issue
 
curl--curl When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent. 2026-01-08 not yet calculated CVE-2025-15224 json
www
issue
 
CyberChimps--Responsive Addons for Elementor Missing Authorization vulnerability in CyberChimps Responsive Addons for Elementor responsive-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Responsive Addons for Elementor: from n/a through <= 2.0.8. 2026-01-06 not yet calculated CVE-2025-69363 https://vdp.patchstack.com/database/Wordpress/Plugin/responsive-addons-for-elementor/vulnerability/wordpress-responsive-addons-for-elementor-plugin-2-0-8-broken-access-control-vulnerability?_s_id=cve
 
D-Link--DSL-2640B Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly requesting this endpoint, an attacker can modify the device's DNS settings without valid credentials, enabling DNS hijacking ("DNSChanger") attacks that redirect user traffic to attacker-controlled infrastructure. In 2019, D-Link reported that this behavior was leveraged by the "GhostDNS" malware ecosystem targeting consumer and carrier routers. All impacted products were subsequently designated end-of-life/end-of-service, and no longer receive security updates. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC). 2026-01-05 not yet calculated CVE-2026-0625 https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10488
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10068
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10118
https://www.vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configuration-endpoint
 
Data Illusion Zumbrunn--NGSurvey Stored cross-site scripting (XSS, CWE-79) in the survey content and administration functionality in Data Illusion Zumbrunn NGSurvey Enterprise Edition 3.6.4 on all supported platforms ( on Windows and Linux servers ) allows authenticated remote users with survey creation or edit privileges to execute arbitrary JavaScript in other users' browsers, steal session information and perform unauthorized actions on their behalf via crafted survey content that is rendered without proper output encoding. 2026-01-07 not yet calculated CVE-2025-15479 https://docs.ngsurvey.com/installation-setup/change-log#id-3.6.17-2025-05-28
https://cds.thalesgroup.com/en/tcs-cert/CVE-2025-15479
 
Devolutions--PowerShell Universal Cross-site Scripting vulnerability in Devolutions PowerShell Universal.This issue affects Powershell Universal: before 4.5.6, before 5.6.13. 2026-01-07 not yet calculated CVE-2026-0618 https://devolutions.net/security/advisories/DEVO-2026-0001/
 
Devolutions--Remote Desktop Manager Exposure of sensitive information in the TeamViewer entry dashboard component in Devolutions Remote Desktop Manager 2025.3.24.0 through 2025.3.28.0 on Windows allows an external observer to view a password on screen via a defective masking feature, for example during physical observation or screen sharing. 2026-01-08 not yet calculated CVE-2026-0747 https://devolutions.net/security/advisories/DEVO-2026-0002/
 
e-plugins--ListingHub Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins ListingHub listinghub allows Reflected XSS.This issue affects ListingHub: from n/a through 1.2.6. 2026-01-08 not yet calculated CVE-2025-12551 https://vdp.patchstack.com/database/Wordpress/Plugin/listinghub/vulnerability/wordpress-listinghub-plugin-1-2-6-cross-site-scripting-xss-vulnerability?_s_id=cve
 
e-plugins--Real Estate Pro Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Real Estate Pro real-estate-pro allows Reflected XSS.This issue affects Real Estate Pro: from n/a through <= 2.1.4. 2026-01-08 not yet calculated CVE-2025-13504 https://vdp.patchstack.com/database/Wordpress/Plugin/real-estate-pro/vulnerability/wordpress-real-estate-pro-plugin-2-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
EFACEC--QC 60/90/120 An attacker with the ability to interact through the network and with access credentials, could, thanks to the unsecured (unencrypted) MQTT communications protocol, write on the server topics of the board that controls the MQTT communications 2026-01-07 not yet calculated CVE-2026-22535 https://cds.thalesgroup.com/en
 
EFACEC--QC 60/90/120 The absence of permissions control for the user XXX allows the current configuration in the sudoers file to escalate privileges without any restrictions 2026-01-07 not yet calculated CVE-2026-22536 https://cds.thalesgroup.com/en
 
EFACEC--QC 60/90/120 The lack of hardening of the system allows the user used to manage and maintain the charger to consult different files containing clear-text credentials or valuable information for an attacker. 2026-01-07 not yet calculated CVE-2026-22537 https://cds.thalesgroup.com/en
 
EFACEC--QC 60/90/120 As the service interaction is performed without authentication, an attacker with some knowledge of the protocol could obtain information about the charger via OCPP v1.6. 2026-01-07 not yet calculated CVE-2026-22539 https://cds.thalesgroup.com/en
 
EFACEC--QC 60/90/120 The massive sending of ICMP requests causes a denial of service on one of the boards from the EVCharger that allows control the EV interfaces. Since the board must be operating correctly for the charger to also function correctly. 2026-01-07 not yet calculated CVE-2026-22541 https://cds.thalesgroup.com/en
 
EFACEC--QC 60/90/120 An attacker with access to the system's internal network can cause a denial of service on the system by making two concurrent connections through the Telnet service. 2026-01-07 not yet calculated CVE-2026-22542 https://cds.thalesgroup.com/en
 
EFACEC--QC 60/90/120 The credentials required to access the device's web server are sent in base64 within the HTTP headers. Since base64 is not considered a strong cipher, an attacker could intercept the web request handling the login and obtain the credentials 2026-01-07 not yet calculated CVE-2026-22543 https://cds.thalesgroup.com/en
 
EFACEC--QC 60/90/120 An attacker with a network connection could detect credentials in clear text. 2026-01-07 not yet calculated CVE-2026-22544 https://cds.thalesgroup.com/en
 
EFACEC--QC60/90/120 The massive sending of ARP requests causes a denial of service on one board of the charger that allows control of the EV interfaces. Since the board must be operating correctly for the charger to also function correctly. 2026-01-07 not yet calculated CVE-2026-22540 https://cds.thalesgroup.com/en
 
Elated-Themes--Neo Ocular Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Neo Ocular neoocular allows PHP Local File Inclusion.This issue affects Neo Ocular: from n/a through < 1.2. 2026-01-08 not yet calculated CVE-2025-67920 https://vdp.patchstack.com/database/Wordpress/Theme/neoocular/vulnerability/wordpress-neo-ocular-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve
 
Fahad Mahmood--RSS Feed Widget Missing Authorization vulnerability in Fahad Mahmood RSS Feed Widget rss-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RSS Feed Widget: from n/a through <= 3.0.2. 2026-01-06 not yet calculated CVE-2025-69349 https://vdp.patchstack.com/database/Wordpress/Plugin/rss-feed-widget/vulnerability/wordpress-rss-feed-widget-plugin-3-0-2-broken-access-control-vulnerability?_s_id=cve
 
Forcepoint--Forcepoint One Endpoint (F1E) Forcepoint One DLP Client, version 23.04.5642 (and possibly newer versions), includes a restricted version of Python 2.5.4 that prevents use of the ctypes library. ctypes is a foreign function interface (FFI) for Python, enabling calls to DLLs/shared libraries, memory allocation, and direct code execution. It was demonstrated that these restrictions could be bypassed. 2026-01-06 not yet calculated CVE-2025-14026 https://support.forcepoint.com/s/article/000042256
https://kb.cert.org/vuls/id/420440
 
Fujitsu Client Computing Limited--Fujitsu Security Solution AuthConductor Client Basic V2 Origin validation error issue exists in Fujitsu Security Solution AuthConductor Client Basic V2 2.0.25.0 and earlier. If this vulnerability is exploited, an attacker who can log in to the Windows system where the affected product is installed may execute arbitrary code with SYSTEM privilege and/or modify the registry value. 2026-01-07 not yet calculated CVE-2026-20893 https://www.fmworld.net/biz/common/info/202601acc/
https://jvn.jp/en/jp/JVN24626628/
 
G5Theme--Zorka Missing Authorization vulnerability in G5Theme Zorka zorka allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Zorka: from n/a through <= 1.5.7. 2026-01-08 not yet calculated CVE-2026-0676 https://vdp.patchstack.com/database/Wordpress/Theme/zorka/vulnerability/wordpress-zorka-theme-1-5-7-broken-access-control-vulnerability?_s_id=cve
 
GestSup--GestSup GestSup versions up to and including 3.2.56 contain a cross-site request forgery (CSRF) vulnerability where the application does not verify the authenticity of client requests. An attacker can induce a logged-in user to submit crafted requests that perform actions with the victim's privileges. This can be exploited to create privileged accounts by targeting the administrative user creation endpoint. 2026-01-09 not yet calculated CVE-2026-22194 https://gestsup.fr/index.php?page=changelog
https://www.vulncheck.com/advisories/gestsup-csrf-allows-privileged-actions
 
GestSup--GestSup GestSup versions up to and including 3.2.56 contain a SQL injection vulnerability in the search bar functionality. User-controlled search input is incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges. 2026-01-09 not yet calculated CVE-2026-22195 https://gestsup.fr/index.php?page=changelog
https://www.vulncheck.com/advisories/gestsup-sqli-in-search-bar
 
GestSup--GestSup GestSup versions up to and including 3.2.56 contain a SQL injection vulnerability in ticket creation functionality. User-controlled input provided during ticket creation is incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges. 2026-01-09 not yet calculated CVE-2026-22196 https://gestsup.fr/index.php?page=changelog
https://www.vulncheck.com/advisories/gestsup-sqli-in-ticket-creation
 
GestSup--GestSup GestSup versions up to and including 3.2.56 contain multiple SQL injection vulnerabilities in the asset list functionality. Multiple request parameters used to filter, search, or sort assets are incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges. 2026-01-09 not yet calculated CVE-2026-22197 https://gestsup.fr/index.php?page=changelog
https://www.vulncheck.com/advisories/gestsup-multiple-sqli-in-asset-list
 
GestSup--GestSup GestSup versions up to and including 3.2.56 contain a pre-authentication stored cross-site scripting (XSS) vulnerability in the API error logging functionality. By sending an API request with a crafted X-API-KEY header value (for example, to /api/v1/ticket.php), an unauthenticated attacker can cause attacker-controlled HTML/JavaScript to be written to log entries. When an administrator later views the affected logs in the web interface, the injected content is rendered without proper output encoding, resulting in arbitrary script execution in the administrator's browser session. 2026-01-09 not yet calculated CVE-2026-22198 https://gestsup.fr/index.php?page=changelog
https://www.vulncheck.com/advisories/gestsup-stored-xss-in-api-error-logs
 
getkirby--kirby Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific role(s) from performing write actions, specifically by disabling the update permission with the intent to prevent modifications to site content. This vulnerability does not affect those who have not altered the deviated from default user permissions. This issue has been patched in version 5.2.2. 2026-01-08 not yet calculated CVE-2026-21896 https://github.com/getkirby/kirby/security/advisories/GHSA-4j78-4xrm-cr2f
https://github.com/getkirby/kirby/commit/f5ce1347b427b819bf193acf11fd0da232f7af47
https://github.com/getkirby/kirby/releases/tag/5.2.2
 
GitHub--Enterprise Server An Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed attacker controlled HTML to be rendered by the Filter component (search) across GitHub that could be used to exfiltrate sensitive information. An attacker would require permissions to create or modify the names of milestones, issues, pull requests, or similar entities that are rendered in the vulnerable filter/search components. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.1, and 3.18.2, 3.17.8, 3.16.11, 3.15.15, and 3.14.20. This vulnerability was reported via the GitHub Bug Bounty program. 2026-01-06 not yet calculated CVE-2025-13744 https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.20
https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.15
https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.11
https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.8
https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.2
https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.1
 
GnuTLS--libtasn1 Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string. 2026-01-07 not yet calculated CVE-2025-13151 Source Code Respoitory
Proposed Pull Request
 
Google--Chrome Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High) 2026-01-06 not yet calculated CVE-2026-0628  
gopiplus@hotmail.com--Scroll rss excerpt Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gopiplus@hotmail.com Scroll rss excerpt scroll-rss-excerpt allows Reflected XSS.This issue affects Scroll rss excerpt: from n/a through <= 5.0. 2026-01-08 not yet calculated CVE-2025-68892 https://vdp.patchstack.com/database/Wordpress/Plugin/scroll-rss-excerpt/vulnerability/wordpress-scroll-rss-excerpt-plugin-5-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
gunet--openeclass The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an arbitrary file upload vulnerability in the theme import functionality enables an attacker with administrative privileges to upload arbitrary files on the server's file system. The main cause of the issue is that no validation or sanitization of the file's present inside the zip archive. This leads to remote code execution on the web server. Version 4.2 patches the issue. 2026-01-08 not yet calculated CVE-2026-22241 https://github.com/gunet/openeclass/security/advisories/GHSA-rf6j-xgqp-wjxg
https://github.com/gunet/openeclass/commit/3f9d267b79812a4dd708bb1302339e6a5abe67d9
 
hands01--e-shops Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hands01 e-shops e-shops-cart2 allows DOM-Based XSS.This issue affects e-shops: from n/a through <= 1.0.4. 2026-01-08 not yet calculated CVE-2025-68890 https://vdp.patchstack.com/database/Wordpress/Plugin/e-shops-cart2/vulnerability/wordpress-e-shops-plugin-1-0-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
https://github.com/FoobarOy/--Foomuuri A Improper Authorization vulnerability in Foomuuri llows arbitrary users to influence the firewall configuration.This issue affects Foomuuri: from ? before 0.31. 2026-01-08 not yet calculated CVE-2025-67603 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-67603
https://security.opensuse.org/2026/01/07/foomuuri-lack-of-dbus-authorization.html
 
https://github.com/FoobarOy/--Foomuuri A Improper Neutralization of Argument Delimiters vulnerability in Foomuuri can lead to integrity loss of the firewall configuration or further unspecified impact by manipulating the JSON configuration passed to `nft`. This issue affects Foomuuri: from ? before 0.31. 2026-01-08 not yet calculated CVE-2025-67858 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-67858
https://security.opensuse.org/2026/01/07/foomuuri-lack-of-dbus-authorization.html
 
https://github.com/KDE/--smb4k An Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability allows local users ton perform arbitrary unmounts via smb4k mount helper 2026-01-08 not yet calculated CVE-2025-66002 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-66002
https://security.opensuse.org/2025/12/10/smb4k-major-issues-in-kauth-helper.html
 
https://github.com/KDE/--smb4k An External Control of File Name or Path vulnerability in smb4k allowsl ocal users to perform a local root exploit via smb4k mounthelper if they can access and control the contents of a Samba shareThis issue affects smb4k: from ? before 4.0.5. 2026-01-08 not yet calculated CVE-2025-66003 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-66003
https://security.opensuse.org/2025/12/10/smb4k-major-issues-in-kauth-helper.html
 
IAMB--Crypt::Sodium::XS Crypt::Sodium::XS module versions prior to 0.000042, for Perl, include a vulnerable version of libsodium libsodium <= 1.0.20 or a version of libsodium released before December 30, 2025 contains a vulnerability documented as CVE-2025-69277  https://www.cve.org/CVERecord?id=CVE-2025-69277 . The libsodium vulnerability states: In atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group. 0.000042 includes a version of libsodium updated to 1.0.20-stable, released January 3, 2026, which includes a fix for the vulnerability. 2026-01-06 not yet calculated CVE-2025-15444 https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae
https://00f.net/2025/12/30/libsodium-vulnerability/
https://metacpan.org/dist/Crypt-Sodium-XS/changes
 
jcaruso001--Flaming Password Reset Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jcaruso001 Flaming Password Reset flaming-password-reset allows Stored XSS.This issue affects Flaming Password Reset: from n/a through <= 1.0.3. 2026-01-08 not yet calculated CVE-2025-68875 https://vdp.patchstack.com/database/Wordpress/Plugin/flaming-password-reset/vulnerability/wordpress-flaming-password-reset-plugin-1-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Jeroen Schmit--Theater for WordPress Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Theater for WordPress: from n/a through <= 0.19. 2026-01-06 not yet calculated CVE-2025-69331 https://vdp.patchstack.com/database/Wordpress/Plugin/theatre/vulnerability/wordpress-theater-for-wordpress-plugin-0-19-broken-access-control-vulnerability?_s_id=cve
 
Joomla! Project--Joomla! CMS Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags. 2026-01-06 not yet calculated CVE-2025-63082 https://developer.joomla.org/security-centre/1016-20260101-core-inadequate-content-filtering-for-data-urls.html
 
Joomla! Project--Joomla! CMS Lack of output escaping leads to a XSS vector in the pagebreak plugin. 2026-01-06 not yet calculated CVE-2025-63083 https://developer.joomla.org/security-centre/1017-20260102-core-xss-vector-in-the-pagebreak-plugin.html
 
jvoisin--snuffleupagus Snuffleupagus is a module that raises the cost of attacks against website by killing bug classes and providing a virtual patching system. On deployments of Snuffleupagus prior to version 0.13.0 with the non-default upload validation feature enabled and configured to use one of the upstream validation scripts based on Vulcan Logic Disassembler (VLD) while the VLD extension is not available to the CLI SAPI, all files from multipart POST requests are evaluated as PHP code. The issue was fixed in version 0.13.0. 2026-01-08 not yet calculated CVE-2026-22034 https://github.com/jvoisin/snuffleupagus/security/advisories/GHSA-c4ch-xw5p-2mvc
https://github.com/jvoisin/snuffleupagus/commit/9278dc77bab2a219e770a1b31dd6797bc9070e37
https://github.com/jvoisin/snuffleupagus/blob/9278dc77bab2a219e770a1b31dd6797bc9070e37/src/sp_upload_validation.c#L92-L100
https://github.com/jvoisin/snuffleupagus/blob/v0.12.0/scripts/upload_validation.php
https://github.com/jvoisin/snuffleupagus/blob/v0.12.0/scripts/upload_validation.py
https://github.com/php/php-src/blob/e4098da58a9eaee759d728d98a27d809cde37671/ext/standard/dl.c#L165-L166
https://github.com/php/php-src/blob/e4098da58a9eaee759d728d98a27d809cde37671/main/rfc1867.c#L1269-L1274
https://snuffleupagus.readthedocs.io/config.html#upload-validation
 
jwsthemes--OchaHouse Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes OchaHouse ochahouse allows PHP Local File Inclusion.This issue affects OchaHouse: from n/a through <= 2.2.8. 2026-01-08 not yet calculated CVE-2025-12550 https://vdp.patchstack.com/database/Wordpress/Theme/ochahouse/vulnerability/wordpress-ochahouse-theme-2-2-8-local-file-inclusion-vulnerability?_s_id=cve
 
Kaira--Blockons Missing Authorization vulnerability in Kaira Blockons blockons allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Blockons: from n/a through <= 1.2.15. 2026-01-08 not yet calculated CVE-2025-14360 https://vdp.patchstack.com/database/Wordpress/Plugin/blockons/vulnerability/wordpress-blockons-plugin-1-2-15-broken-access-control-vulnerability?_s_id=cve
 
KAON--CG3000T The firmware in KAON CG3000TC and CG3000T routers contains hard-coded credentials in clear text (shared across all routers of this model) that an unauthenticated remote attacker could use to execute commands with root privileges. This vulnerability has been fixed in firmware version: 1.00.67 for CG3000TC and 1.00.27 for CG3000T. 2026-01-09 not yet calculated CVE-2025-7072 https://cert.pl/posts/2026/01/CVE-2025-7072/
 
Kentico--Kentico Xperience Kentico Xperience 13 is vulnerable to a stored cross-site scripting attack via a form component, allowing an attacker to hijack a victim user's session and perform actions in their security context. 2026-01-05 not yet calculated CVE-2025-5591 https://www.themissinglink.com.au/security-advisories/cve-2025-5591
 
Kieback&Peter--Neutrino-GLT Kieback&Peter Neutrino-GLT product is used for building management. It's web component "SM70 PHWEB" is vulnerable to shell command injection via login form. The injected commands would execute with low privileges. The vulnerability has been fixed in version 9.40.02 2026-01-07 not yet calculated CVE-2025-6225 https://cert.pl/en/posts/2026/01/CVE-2025-6225/
 
KnowageLabs--Knowage-Server Knowage is an open source analytics and business intelligence suite. Prior to version 8.1.37, there is a blind server-side request forgery vulnerability. The vulnerability allows attackers to send requests to arbitrary hosts/paths. Since the attacker is not able to read the response, the impact of this vulnerability is limited. However, an attacker should be able to leverage this vulnerability to scan the internal network. This issue has been patched in version 8.1.37. 2026-01-07 not yet calculated CVE-2025-58441 https://github.com/KnowageLabs/Knowage-Server/security/advisories/GHSA-m6x8-wh9v-6jxp
 
LambertGroup--CountDown With Image or Video Background Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup CountDown With Image or Video Background countdown-with-background allows Reflected XSS.This issue affects CountDown With Image or Video Background: from n/a through <= 1.5. 2026-01-08 not yet calculated CVE-2025-27002 https://vdp.patchstack.com/database/Wordpress/Plugin/countdown-with-background/vulnerability/wordpress-countdown-with-image-or-video-background-plugin-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
LambertGroup--Famous - Responsive Image And Video Grid Gallery WordPress Plugin Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Famous - Responsive Image And Video Grid Gallery WordPress Plugin famous_grid_image_and_video_gallery allows Reflected XSS.This issue affects Famous - Responsive Image And Video Grid Gallery WordPress Plugin: from n/a through <= 1.4. 2026-01-08 not yet calculated CVE-2025-27004 https://vdp.patchstack.com/database/Wordpress/Plugin/famous_grid_image_and_video_gallery/vulnerability/wordpress-famous-responsive-image-and-video-grid-gallery-wordpress-plugin-plugin-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
langgenius--dify Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This can lead to unauthorized access to third-party services, potentially consuming limited quotas. Version 1.11.0 fixes the issue. 2026-01-05 not yet calculated CVE-2025-67732 https://github.com/langgenius/dify/security/advisories/GHSA-phpv-94hg-fv9g
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: s390/fpu: Fix false-positive kmsan report in fpu_vstl() A false-positive kmsan report is detected when running ping command. An inline assembly instruction 'vstl' can write varied amount of bytes depending on value of 'index' argument. If 'index' > 0, 'vstl' writes at least 2 bytes. clang generates kmsan write helper call depending on inline assembly constraints. Constraints are evaluated compile-time, but value of 'index' argument is known only at runtime. clang currently generates call to __msan_instrument_asm_store with 1 byte as size. Manually call kmsan function to indicate correct amount of bytes written and fix false-positive report. This change fixes following kmsan reports: [ 36.563119] ===================================================== [ 36.563594] BUG: KMSAN: uninit-value in virtqueue_add+0x35c6/0x7c70 [ 36.563852] virtqueue_add+0x35c6/0x7c70 [ 36.564016] virtqueue_add_outbuf+0xa0/0xb0 [ 36.564266] start_xmit+0x288c/0x4a20 [ 36.564460] dev_hard_start_xmit+0x302/0x900 [ 36.564649] sch_direct_xmit+0x340/0xea0 [ 36.564894] __dev_queue_xmit+0x2e94/0x59b0 [ 36.565058] neigh_resolve_output+0x936/0xb40 [ 36.565278] __neigh_update+0x2f66/0x3a60 [ 36.565499] neigh_update+0x52/0x60 [ 36.565683] arp_process+0x1588/0x2de0 [ 36.565916] NF_HOOK+0x1da/0x240 [ 36.566087] arp_rcv+0x3e4/0x6e0 [ 36.566306] __netif_receive_skb_list_core+0x1374/0x15a0 [ 36.566527] netif_receive_skb_list_internal+0x1116/0x17d0 [ 36.566710] napi_complete_done+0x376/0x740 [ 36.566918] virtnet_poll+0x1bae/0x2910 [ 36.567130] __napi_poll+0xf4/0x830 [ 36.567294] net_rx_action+0x97c/0x1ed0 [ 36.567556] handle_softirqs+0x306/0xe10 [ 36.567731] irq_exit_rcu+0x14c/0x2e0 [ 36.567910] do_io_irq+0xd4/0x120 [ 36.568139] io_int_handler+0xc2/0xe8 [ 36.568299] arch_cpu_idle+0xb0/0xc0 [ 36.568540] arch_cpu_idle+0x76/0xc0 [ 36.568726] default_idle_call+0x40/0x70 [ 36.568953] do_idle+0x1d6/0x390 [ 36.569486] cpu_startup_entry+0x9a/0xb0 [ 36.569745] rest_init+0x1ea/0x290 [ 36.570029] start_kernel+0x95e/0xb90 [ 36.570348] startup_continue+0x2e/0x40 [ 36.570703] [ 36.570798] Uninit was created at: [ 36.571002] kmem_cache_alloc_node_noprof+0x9e8/0x10e0 [ 36.571261] kmalloc_reserve+0x12a/0x470 [ 36.571553] __alloc_skb+0x310/0x860 [ 36.571844] __ip_append_data+0x483e/0x6a30 [ 36.572170] ip_append_data+0x11c/0x1e0 [ 36.572477] raw_sendmsg+0x1c8c/0x2180 [ 36.572818] inet_sendmsg+0xe6/0x190 [ 36.573142] __sys_sendto+0x55e/0x8e0 [ 36.573392] __s390x_sys_socketcall+0x19ae/0x2ba0 [ 36.573571] __do_syscall+0x12e/0x240 [ 36.573823] system_call+0x6e/0x90 [ 36.573976] [ 36.574017] Byte 35 of 98 is uninitialized [ 36.574082] Memory access of size 98 starts at 0000000007aa0012 [ 36.574218] [ 36.574325] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.17.0-dirty #16 NONE [ 36.574541] Tainted: [B]=BAD_PAGE, [N]=TEST [ 36.574617] Hardware name: IBM 3931 A01 703 (KVM/Linux) [ 36.574755] ===================================================== [ 63.532541] ===================================================== [ 63.533639] BUG: KMSAN: uninit-value in virtqueue_add+0x35c6/0x7c70 [ 63.533989] virtqueue_add+0x35c6/0x7c70 [ 63.534940] virtqueue_add_outbuf+0xa0/0xb0 [ 63.535861] start_xmit+0x288c/0x4a20 [ 63.536708] dev_hard_start_xmit+0x302/0x900 [ 63.537020] sch_direct_xmit+0x340/0xea0 [ 63.537997] __dev_queue_xmit+0x2e94/0x59b0 [ 63.538819] neigh_resolve_output+0x936/0xb40 [ 63.539793] ip_finish_output2+0x1ee2/0x2200 [ 63.540784] __ip_finish_output+0x272/0x7a0 [ 63.541765] ip_finish_output+0x4e/0x5e0 [ 63.542791] ip_output+0x166/0x410 [ 63.543771] ip_push_pending_frames+0x1a2/0x470 [ 63.544753] raw_sendmsg+0x1f06/0x2180 [ 63.545033] inet_sendmsg+0xe6/0x190 [ 63.546006] __sys_sendto+0x55e/0x8e0 ---truncated--- 2026-01-05 not yet calculated CVE-2025-68751 https://git.kernel.org/stable/c/946357a538bb47740635c25520924351d2d91544
https://git.kernel.org/stable/c/13dcd6308cb8f67134ee5d5d762b2a66363c695b
https://git.kernel.org/stable/c/14e4e4175b64dd9216b522f6ece8af6997d063b2
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: iavf: Implement settime64 with -EOPNOTSUPP ptp_clock_settime() assumes every ptp_clock has implemented settime64(). Stub it with -EOPNOTSUPP to prevent a NULL dereference. The fix is similar to commit 329d050bbe63 ("gve: Implement settime64 with -EOPNOTSUPP"). 2026-01-05 not yet calculated CVE-2025-68752 https://git.kernel.org/stable/c/9e3dbc3bb2e2aa728b49422b2e5344488f93f690
https://git.kernel.org/stable/c/6d080f810ffd6b8e002ce5bee8b9c551ca2535c2
https://git.kernel.org/stable/c/1e43ebcd5152b3e681a334cc6542fb21770c3a2e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: firewire-motu: add bounds check in put_user loop for DSP events In the DSP event handling code, a put_user() loop copies event data. When the user buffer size is not aligned to 4 bytes, it could overwrite beyond the buffer boundary. Fix by adding a bounds check before put_user(). 2026-01-05 not yet calculated CVE-2025-68753 https://git.kernel.org/stable/c/ea2c921d9de6e32ca50cb817b9d57bb881be70de
https://git.kernel.org/stable/c/6d4f17782ce4facf3197e79707df411ee3d7b30a
https://git.kernel.org/stable/c/0d71b3c2ed742f1ccb3b0b7a61afb90c0251093f
https://git.kernel.org/stable/c/df692cf2b601a54b34edfdb9e683d67483aa8ce1
https://git.kernel.org/stable/c/8f9e51cf2a2a43d0cd72d3dc0b5ccea3f639c187
https://git.kernel.org/stable/c/298e753880b6ea99ac30df34959a7a03b0878eed
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: rtc: amlogic-a4: fix double free caused by devm The clock obtained via devm_clk_get_enabled() is automatically managed by devres and will be disabled and freed on driver detach. Manually calling clk_disable_unprepare() in error path and remove function causes double free. Remove the redundant clk_disable_unprepare() calls from the probe error path and aml_rtc_remove(), allowing the devm framework to automatically manage the clock lifecycle. 2026-01-05 not yet calculated CVE-2025-68754 https://git.kernel.org/stable/c/9fed02c16488050cd4e33e045506336b216d7301
https://git.kernel.org/stable/c/2e1c79299036614ac32b251d145fad5391f4bcab
https://git.kernel.org/stable/c/384150d7a5b60c1086790a8ee07b0629f906cca2
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: staging: most: remove broken i2c driver The MOST I2C driver has been completely broken for five years without anyone noticing so remove the driver from staging. Specifically, commit 723de0f9171e ("staging: most: remove device from interface structure") started requiring drivers to set the interface device pointer before registration, but the I2C driver was never updated which results in a NULL pointer dereference if anyone ever tries to probe it. 2026-01-05 not yet calculated CVE-2025-68755 https://git.kernel.org/stable/c/6cbba922934805f86eece6ba7010b7201962695d
https://git.kernel.org/stable/c/6059a66dba7f26b21852831432e17075f1a1c783
https://git.kernel.org/stable/c/e463548fd80e779efea1cb2d3049b8a7231e6925
https://git.kernel.org/stable/c/495df2da6944477d282d5cc0c13174d06e25b310
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: block: Use RCU in blk_mq_[un]quiesce_tagset() instead of set->tag_list_lock blk_mq_{add,del}_queue_tag_set() functions add and remove queues from tagset, the functions make sure that tagset and queues are marked as shared when two or more queues are attached to the same tagset. Initially a tagset starts as unshared and when the number of added queues reaches two, blk_mq_add_queue_tag_set() marks it as shared along with all the queues attached to it. When the number of attached queues drops to 1 blk_mq_del_queue_tag_set() need to mark both the tagset and the remaining queues as unshared. Both functions need to freeze current queues in tagset before setting on unsetting BLK_MQ_F_TAG_QUEUE_SHARED flag. While doing so, both functions hold set->tag_list_lock mutex, which makes sense as we do not want queues to be added or deleted in the process. This used to work fine until commit 98d81f0df70c ("nvme: use blk_mq_[un]quiesce_tagset") made the nvme driver quiesce tagset instead of quiscing individual queues. blk_mq_quiesce_tagset() does the job and quiesce the queues in set->tag_list while holding set->tag_list_lock also. This results in deadlock between two threads with these stacktraces: __schedule+0x47c/0xbb0 ? timerqueue_add+0x66/0xb0 schedule+0x1c/0xa0 schedule_preempt_disabled+0xa/0x10 __mutex_lock.constprop.0+0x271/0x600 blk_mq_quiesce_tagset+0x25/0xc0 nvme_dev_disable+0x9c/0x250 nvme_timeout+0x1fc/0x520 blk_mq_handle_expired+0x5c/0x90 bt_iter+0x7e/0x90 blk_mq_queue_tag_busy_iter+0x27e/0x550 ? __blk_mq_complete_request_remote+0x10/0x10 ? __blk_mq_complete_request_remote+0x10/0x10 ? __call_rcu_common.constprop.0+0x1c0/0x210 blk_mq_timeout_work+0x12d/0x170 process_one_work+0x12e/0x2d0 worker_thread+0x288/0x3a0 ? rescuer_thread+0x480/0x480 kthread+0xb8/0xe0 ? kthread_park+0x80/0x80 ret_from_fork+0x2d/0x50 ? kthread_park+0x80/0x80 ret_from_fork_asm+0x11/0x20 __schedule+0x47c/0xbb0 ? xas_find+0x161/0x1a0 schedule+0x1c/0xa0 blk_mq_freeze_queue_wait+0x3d/0x70 ? destroy_sched_domains_rcu+0x30/0x30 blk_mq_update_tag_set_shared+0x44/0x80 blk_mq_exit_queue+0x141/0x150 del_gendisk+0x25a/0x2d0 nvme_ns_remove+0xc9/0x170 nvme_remove_namespaces+0xc7/0x100 nvme_remove+0x62/0x150 pci_device_remove+0x23/0x60 device_release_driver_internal+0x159/0x200 unbind_store+0x99/0xa0 kernfs_fop_write_iter+0x112/0x1e0 vfs_write+0x2b1/0x3d0 ksys_write+0x4e/0xb0 do_syscall_64+0x5b/0x160 entry_SYSCALL_64_after_hwframe+0x4b/0x53 The top stacktrace is showing nvme_timeout() called to handle nvme command timeout. timeout handler is trying to disable the controller and as a first step, it needs to blk_mq_quiesce_tagset() to tell blk-mq not to call queue callback handlers. The thread is stuck waiting for set->tag_list_lock as it tries to walk the queues in set->tag_list. The lock is held by the second thread in the bottom stack which is waiting for one of queues to be frozen. The queue usage counter will drop to zero after nvme_timeout() finishes, and this will not happen because the thread will wait for this mutex forever. Given that [un]quiescing queue is an operation that does not need to sleep, update blk_mq_[un]quiesce_tagset() to use RCU instead of taking set->tag_list_lock, update blk_mq_{add,del}_queue_tag_set() to use RCU safe list operations. Also, delete INIT_LIST_HEAD(&q->tag_set_list) in blk_mq_del_queue_tag_set() because we can not re-initialize it while the list is being traversed under RCU. The deleted queue will not be added/deleted to/from a tagset and it will be freed in blk_free_queue() after the end of RCU grace period. 2026-01-05 not yet calculated CVE-2025-68756 https://git.kernel.org/stable/c/ca8764c0ea1fb825f17f19704af55e9e02c9f768
https://git.kernel.org/stable/c/3baeec23a82e7ee9691f434c6ab0ab1387326108
https://git.kernel.org/stable/c/6e8d363786765a81e35083e0909e076796468edf
https://git.kernel.org/stable/c/ef0cd7b694928573f6569e61c14f5f059253162e
https://git.kernel.org/stable/c/59e25ef2b413c72da6686d431e7759302cfccafa
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/vgem-fence: Fix potential deadlock on release A timer that expires a vgem fence automatically in 10 seconds is now released with timer_delete_sync() from fence->ops.release() called on last dma_fence_put(). In some scenarios, it can run in IRQ context, which is not safe unless TIMER_IRQSAFE is used. One potentially risky scenario was demonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while working on new IGT subtests syncobj_timeline@stress-* as user space replacements of some problematic test cases of a dma-fence-chain selftest [1]. [117.004338] ================================ [117.004340] WARNING: inconsistent lock state [117.004342] 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 Tainted: G S U [117.004346] -------------------------------- [117.004347] inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage. [117.004349] swapper/0/0 [HC1[1]:SC1[1]:HE0:SE0] takes: [117.004352] ffff888138f86aa8 ((&fence->timer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190 [117.004361] {HARDIRQ-ON-W} state was registered at: [117.004363] lock_acquire+0xc4/0x2e0 [117.004366] call_timer_fn+0x80/0x2a0 [117.004368] __run_timers+0x231/0x310 [117.004370] run_timer_softirq+0x76/0xe0 [117.004372] handle_softirqs+0xd4/0x4d0 [117.004375] __irq_exit_rcu+0x13f/0x160 [117.004377] irq_exit_rcu+0xe/0x20 [117.004379] sysvec_apic_timer_interrupt+0xa0/0xc0 [117.004382] asm_sysvec_apic_timer_interrupt+0x1b/0x20 [117.004385] cpuidle_enter_state+0x12b/0x8a0 [117.004388] cpuidle_enter+0x2e/0x50 [117.004393] call_cpuidle+0x22/0x60 [117.004395] do_idle+0x1fd/0x260 [117.004398] cpu_startup_entry+0x29/0x30 [117.004401] start_secondary+0x12d/0x160 [117.004404] common_startup_64+0x13e/0x141 [117.004407] irq event stamp: 2282669 [117.004409] hardirqs last enabled at (2282668): [<ffffffff8289db71>] _raw_spin_unlock_irqrestore+0x51/0x80 [117.004414] hardirqs last disabled at (2282669): [<ffffffff82882021>] sysvec_irq_work+0x11/0xc0 [117.004419] softirqs last enabled at (2254702): [<ffffffff8289fd00>] __do_softirq+0x10/0x18 [117.004423] softirqs last disabled at (2254725): [<ffffffff813d4ddf>] __irq_exit_rcu+0x13f/0x160 [117.004426] other info that might help us debug this: [117.004429] Possible unsafe locking scenario: [117.004432] CPU0 [117.004433] ---- [117.004434] lock((&fence->timer)); [117.004436] <Interrupt> [117.004438] lock((&fence->timer)); [117.004440] *** DEADLOCK *** [117.004443] 1 lock held by swapper/0/0: [117.004445] #0: ffffc90000003d50 ((&fence->timer)){?.-.}-{0:0}, at: call_timer_fn+0x7a/0x2a0 [117.004450] stack backtrace: [117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S U 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary) [117.004455] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER [117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023 [117.004456] Call Trace: [117.004456] <IRQ> [117.004457] dump_stack_lvl+0x91/0xf0 [117.004460] dump_stack+0x10/0x20 [117.004461] print_usage_bug.part.0+0x260/0x360 [117.004463] mark_lock+0x76e/0x9c0 [117.004465] ? register_lock_class+0x48/0x4a0 [117.004467] __lock_acquire+0xbc3/0x2860 [117.004469] lock_acquire+0xc4/0x2e0 [117.004470] ? __timer_delete_sync+0x4b/0x190 [117.004472] ? __timer_delete_sync+0x4b/0x190 [117.004473] __timer_delete_sync+0x68/0x190 [117.004474] ? __timer_delete_sync+0x4b/0x190 [117.004475] timer_delete_sync+0x10/0x20 [117.004476] vgem_fence_release+0x19/0x30 [vgem] [117.004478] dma_fence_release+0xc1/0x3b0 [117.004480] ? dma_fence_release+0xa1/0x3b0 [117.004481] dma_fence_chain_release+0xe7/0x130 [117.004483] dma_fence_release+0xc1/0x3b0 [117.004484] ? _raw_spin_unlock_irqrestore+0x27/0x80 [117.004485] dma_fence_chain_irq_work+0x59/0x80 [117.004487] irq_work_single+0x75/0xa0 [117.004490] irq_work_r ---truncated--- 2026-01-05 not yet calculated CVE-2025-68757 https://git.kernel.org/stable/c/1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25a
https://git.kernel.org/stable/c/9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0
https://git.kernel.org/stable/c/338e388c0d80ffc04963b6b0ec702ffdfd2c4eba
https://git.kernel.org/stable/c/4f335cb8fad69b2be5accf0ebac3a8b345915f4e
https://git.kernel.org/stable/c/1f0ca9d3e7c38a39f1f12377c24decf0bba46e54
https://git.kernel.org/stable/c/78b4d6463e9e69e5103f98b367f8984ad12cdc6f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: backlight: led-bl: Add devlink to supplier LEDs LED Backlight is a consumer of one or multiple LED class devices, but devlink is currently unable to create correct supplier-producer links when the supplier is a class device. It creates instead a link where the supplier is the parent of the expected device. One consequence is that removal order is not correctly enforced. Issues happen for example with the following sections in a device tree overlay: // An LED driver chip pca9632@62 { compatible = "nxp,pca9632"; reg = <0x62>; // ... addon_led_pwm: led-pwm@3 { reg = <3>; label = "addon:led:pwm"; }; }; backlight-addon { compatible = "led-backlight"; leds = <&addon_led_pwm>; brightness-levels = <255>; default-brightness-level = <255>; }; In this example, the devlink should be created between the backlight-addon (consumer) and the pca9632@62 (supplier). Instead it is created between the backlight-addon (consumer) and the parent of the pca9632@62, which is typically the I2C bus adapter. On removal of the above overlay, the LED driver can be removed before the backlight device, resulting in: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 ... Call trace: led_put+0xe0/0x140 devm_led_release+0x6c/0x98 Another way to reproduce the bug without any device tree overlays is unbinding the LED class device (pca9632@62) before unbinding the consumer (backlight-addon): echo 11-0062 >/sys/bus/i2c/drivers/leds-pca963x/unbind echo ...backlight-dock >/sys/bus/platform/drivers/led-backlight/unbind Fix by adding a devlink between the consuming led-backlight device and the supplying LED device, as other drivers and subsystems do as well. 2026-01-05 not yet calculated CVE-2025-68758 https://git.kernel.org/stable/c/e06df738a9ad8417f1c4c7cd6992cda320e9e7ca
https://git.kernel.org/stable/c/30cbe4b642745a9488a0f0d78be43afe69d7555c
https://git.kernel.org/stable/c/0e63ea4378489e09eb5e920c8a50c10caacf563a
https://git.kernel.org/stable/c/60a24070392ec726ccfe6ad1ca7b0381c8d8f7c9
https://git.kernel.org/stable/c/08c9dc6b0f2c68e5e7c374ac4499e321e435d46c
https://git.kernel.org/stable/c/9341d6698f4cfdfc374fb6944158d111ebe16a9d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring() In rtl8180_init_rx_ring(), memory is allocated for skb packets and DMA allocations in a loop. When an allocation fails, the previously successful allocations are not freed on exit. Fix that by jumping to err_free_rings label on error, which calls rtl8180_free_rx_ring() to free the allocations. Remove the free of rx_ring in rtl8180_init_rx_ring() error path, and set the freed priv->rx_buf entry to null, to avoid double free. 2026-01-05 not yet calculated CVE-2025-68759 https://git.kernel.org/stable/c/a4fb7cca9837378878e6c94d9e7af019c8fdfcdb
https://git.kernel.org/stable/c/bf8513dfa31ea015c9cf415796dca2113d293840
https://git.kernel.org/stable/c/ee7db11742b30641f21306105ad27a275e3c61d7
https://git.kernel.org/stable/c/a813a74570212cb5f3a7d3b05c0cb0cd00bace1d
https://git.kernel.org/stable/c/c9d1c4152e6d32fa74034464854bee262a60bc43
https://git.kernel.org/stable/c/9b5b9c042b30befc5b37e4539ace95af70843473
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Fix potential out-of-bounds read in iommu_mmio_show In iommu_mmio_write(), it validates the user-provided offset with the check: `iommu->dbg_mmio_offset > iommu->mmio_phys_end - 4`. This assumes a 4-byte access. However, the corresponding show handler, iommu_mmio_show(), uses readq() to perform an 8-byte (64-bit) read. If a user provides an offset equal to `mmio_phys_end - 4`, the check passes, and will lead to a 4-byte out-of-bounds read. Fix this by adjusting the boundary check to use sizeof(u64), which corresponds to the size of the readq() operation. 2026-01-05 not yet calculated CVE-2025-68760 https://git.kernel.org/stable/c/b959df804c33913dbfdb90750f2d693502b3d126
https://git.kernel.org/stable/c/0ec4aaf5f3f559716a6559f3d6d9616e9470bed6
https://git.kernel.org/stable/c/a0c7005333f9a968abb058b1d77bbcd7fb7fd1e7
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: hfs: fix potential use after free in hfs_correct_next_unused_CNID() This code calls hfs_bnode_put(node) which drops the refcount and then dreferences "node" on the next line. It's only safe to use "node" when we're holding a reference so flip these two lines around. 2026-01-05 not yet calculated CVE-2025-68761 https://git.kernel.org/stable/c/40a1e0142096dd7dd6cb5373841222b528698588
https://git.kernel.org/stable/c/c105e76bb17cf4b55fe89c6ad4f6a0e3972b5b08
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: netpoll: initialize work queue before error checks Prevent a kernel warning when netconsole setup fails on devices with IFF_DISABLE_NETPOLL flag. The warning (at kernel/workqueue.c:4242 in __flush_work) occurs because the cleanup path tries to cancel an uninitialized work queue. When __netpoll_setup() encounters a device with IFF_DISABLE_NETPOLL, it fails early and calls skb_pool_flush() for cleanup. This function calls cancel_work_sync(&np->refill_wq), but refill_wq hasn't been initialized yet, triggering the warning. Move INIT_WORK() to the beginning of __netpoll_setup(), ensuring the work queue is properly initialized before any potential failure points. This allows the cleanup path to safely cancel the work queue regardless of where the setup fails. 2026-01-05 not yet calculated CVE-2025-68762 https://git.kernel.org/stable/c/a90d0dc38a10347078cca60e7495ad0648838f18
https://git.kernel.org/stable/c/760bc6ceda8e2c273c0e2018ad2595967c3dd308
https://git.kernel.org/stable/c/e5235eb6cfe02a51256013a78f7b28779a7740d5
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: crypto: starfive - Correctly handle return of sg_nents_for_len The return value of sg_nents_for_len was assigned to an unsigned long in starfive_hash_digest, causing negative error codes to be converted to large positive integers. Add error checking for sg_nents_for_len and return immediately on failure to prevent potential buffer overflows. 2026-01-05 not yet calculated CVE-2025-68763 https://git.kernel.org/stable/c/6cd14414394b4f3d6e1ed64b8241d1fcc2271820
https://git.kernel.org/stable/c/0c3854d65cc4402cb8c52d4d773450a06efecab6
https://git.kernel.org/stable/c/1af5c973dd744e29fa22121f43e8646b7a7a71a7
https://git.kernel.org/stable/c/9b3f71cf02e04cfaa482155e3078707fe7f8aef4
https://git.kernel.org/stable/c/e9eb52037a529fbb307c290e9951a62dd728b03d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags When a filesystem is being automounted, it needs to preserve the user-set superblock mount options, such as the "ro" flag. 2026-01-05 not yet calculated CVE-2025-68764 https://git.kernel.org/stable/c/c09070b4def1b34e473a746c6a5331ccb80902c1
https://git.kernel.org/stable/c/dce10c59211e5cd763a62ea01e79b82a629811e3
https://git.kernel.org/stable/c/612cc98698d667df804792f0c47d4e501e66da29
https://git.kernel.org/stable/c/4b296944e632cf4c6a4cc8e2585c6451eae47b1b
https://git.kernel.org/stable/c/df9b003a2ecacc7218486fbb31fe008c93097d5f
https://git.kernel.org/stable/c/8675c69816e4276b979ff475ee5fac4688f80125
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add() In mt7615_mcu_wtbl_sta_add(), an skb sskb is allocated. If the subsequent call to mt76_connac_mcu_alloc_wtbl_req() fails, the function returns an error without freeing sskb, leading to a memory leak. Fix this by calling dev_kfree_skb() on sskb in the error handling path to ensure it is properly released. 2026-01-05 not yet calculated CVE-2025-68765 https://git.kernel.org/stable/c/594ff8bb69e239678a8baa461827ce4bb90eff8f
https://git.kernel.org/stable/c/1c3c234af9407256ed670c8752923a672eea4225
https://git.kernel.org/stable/c/278bfed4529a0c9c9119f5a52ddafe69db61a75c
https://git.kernel.org/stable/c/fb905e69941b44e03fe1a24e95328d45442b6d6d
https://git.kernel.org/stable/c/4d42aba0ee49c0aa015c50c4f2a07cf8fa1c3a49
https://git.kernel.org/stable/c/53d1548612670aa8b5d89745116cc33d9d172863
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc() If irq_domain_translate_twocell() sets "hwirq" to >= MCHP_EIC_NIRQ (2) then it results in an out of bounds access. The code checks for invalid values, but doesn't set the error code. Return -EINVAL in that case, instead of returning success. 2026-01-05 not yet calculated CVE-2025-68766 https://git.kernel.org/stable/c/324c60a67c4b9668497940f667db14d216cc7b1b
https://git.kernel.org/stable/c/c21c606ad398eeb86a0f3aaff9ba4f2665e286c6
https://git.kernel.org/stable/c/3873afcb57614c1aaa5b6715554d6d1c22cac95a
https://git.kernel.org/stable/c/09efe7cfbf919c4d763bc425473fcfee0dc98356
https://git.kernel.org/stable/c/efd65e2e2fd96f7aaa5cb07d79bbbfcfc80aa552
https://git.kernel.org/stable/c/7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7
 
loopus--WP Attractive Donations System - Easy Stripe & Paypal donations Missing Authorization vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations WP_AttractiveDonationsSystem allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Attractive Donations System - Easy Stripe & Paypal donations: from n/a through <= 1.25. 2026-01-08 not yet calculated CVE-2025-22715 https://vdp.patchstack.com/database/Wordpress/Plugin/WP_AttractiveDonationsSystem/vulnerability/wordpress-wp-attractive-donations-system-easy-stripe-paypal-donations-plugin-1-25-arbitrary-content-deletion-vulnerability?_s_id=cve
 
loopus--WP Virtual Assistant Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in loopus WP Virtual Assistant VirtualAssistant allows Stored XSS.This issue affects WP Virtual Assistant: from n/a through <= 3.0. 2026-01-08 not yet calculated CVE-2025-22725 https://vdp.patchstack.com/database/Wordpress/Plugin/VirtualAssistant/vulnerability/wordpress-wp-virtual-assistant-plugin-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
magentech--Rozy - Flower Shop Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech Rozy - Flower Shop rozy allows PHP Local File Inclusion.This issue affects Rozy - Flower Shop: from n/a through <= 1.2.25. 2026-01-08 not yet calculated CVE-2025-12549 https://vdp.patchstack.com/database/Wordpress/Theme/rozy/vulnerability/wordpress-rozy-flower-shop-theme-1-2-25-local-file-inclusion-vulnerability?_s_id=cve
 
magepeopleteam--Car Rental Manager Missing Authorization vulnerability in magepeopleteam Car Rental Manager car-rental-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Car Rental Manager: from n/a through <= 1.0.9. 2026-01-06 not yet calculated CVE-2025-69327 https://vdp.patchstack.com/database/Wordpress/Plugin/car-rental-manager/vulnerability/wordpress-car-rental-manager-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve
 
mastodon--mastodon Mastodon is a free, open-source social network server based on ActivityPub. By nature, Mastodon performs a lot of outbound requests to user-provided domains. Mastodon, however, has some protection mechanism to disallow requests to local IP addresses (unless specified in `ALLOWED_PRIVATE_ADDRESSES`) to avoid the "confused deputy" problem. The list of disallowed IP address ranges was lacking some IP address ranges that can be used to reach local IP addresses. An attacker can use an IP address in the affected ranges to make Mastodon perform HTTP requests against loopback or local network hosts, potentially allowing access to otherwise private resources and services. This is fixed in Mastodon v4.5.4, v4.4.11, v4.3.17 and v4.2.29. 2026-01-08 not yet calculated CVE-2026-22245 https://github.com/mastodon/mastodon/security/advisories/GHSA-xfrj-c749-jxxq
https://github.com/mastodon/mastodon/commit/0f4e8a6240b5af1f2c3f34d2793d8610c6ef2aca
https://github.com/mastodon/mastodon/commit/17022907866710a72a1b1fc0a5ce9538bad1b4c3
https://github.com/mastodon/mastodon/commit/71ae4cf2cf5138ccdda64b1b1d665849b688686d
 
MediaTek, Inc.--MT2718, MT6580, MT6739, MT6761, MT6765, MT6768, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6855, MT6873, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8195, MT8196, MT8370, MT8390, MT8391, MT8395, MT8676, MT8678, MT8696, MT8755, MT8766, MT8768, MT8781, MT8786, MT8788E, MT8791T, MT8792, MT8793, MT8796, MT8873, MT8883, MT8893 In KeyInstall, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10276761; Issue ID: MSV-5141. 2026-01-06 not yet calculated CVE-2025-20795 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8796 In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10149879; Issue ID: MSV-4658. 2026-01-06 not yet calculated CVE-2025-20787 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT2718, MT6765, MT6768, MT6781, MT6833, MT6835, MT6853, MT6855, MT6877, MT6879, MT6893, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8367, MT8391, MT8676, MT8678, MT8696, MT8766, MT8768, MT8781, MT8786, MT8788E, MT8791T, MT8792, MT8793, MT8796, MT8873, MT8883, MT8893 In battery, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10315812; Issue ID: MSV-5534. 2026-01-06 not yet calculated CVE-2025-20797 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT2718, MT6765, MT6768, MT6781, MT6833, MT6835, MT6853, MT6855, MT6877, MT6879, MT6893, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8367, MT8391, MT8676, MT8678, MT8696, MT8766, MT8768, MT8781, MT8786, MT8788E, MT8791T, MT8792, MT8793, MT8796, MT8873, MT8883, MT8893 In battery, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10315812; Issue ID: MSV-5533. 2026-01-06 not yet calculated CVE-2025-20798 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT2718, MT6899, MT6989, MT6991, MT8678, MT8793 In mminfra, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10267349; Issue ID: MSV-5033. 2026-01-06 not yet calculated CVE-2025-20800 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01689259 / MOLY01586470; Issue ID: MSV-4847. 2026-01-06 not yet calculated CVE-2025-20794 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6989, MT6990, MT6991, MT6993, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01430930; Issue ID: MSV-4836. 2026-01-06 not yet calculated CVE-2025-20793 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT2735, MT2737, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01311265; Issue ID: MSV-4655. 2026-01-06 not yet calculated CVE-2025-20761 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT2735, MT2737, MT6833, MT6835, MT6853, MT6855, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 In Modem, there is a possible read of uninitialized heap data due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01676750; Issue ID: MSV-4653. 2026-01-06 not yet calculated CVE-2025-20760 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10184870; Issue ID: MSV-4729. 2026-01-06 not yet calculated CVE-2025-20778 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 In display, there is a possible use after free due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10184084; Issue ID: MSV-4720. 2026-01-06 not yet calculated CVE-2025-20779 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10184061; Issue ID: MSV-4712. 2026-01-06 not yet calculated CVE-2025-20780 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182914; Issue ID: MSV-4699. 2026-01-06 not yet calculated CVE-2025-20781 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182882; Issue ID: MSV-4685. 2026-01-06 not yet calculated CVE-2025-20782 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182882; Issue ID: MSV-4684. 2026-01-06 not yet calculated CVE-2025-20783 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 In display, there is a possible memory corruption due to uninitialized data. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182882; Issue ID: MSV-4683. 2026-01-06 not yet calculated CVE-2025-20784 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10149882; Issue ID: MSV-4677. 2026-01-06 not yet calculated CVE-2025-20785 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10149882; Issue ID: MSV-4673. 2026-01-06 not yet calculated CVE-2025-20786 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT6835, MT6835T, MT6878, MT6878M, MT6897, MT6899, MT6991, MT8676, MT8678, MT8755, MT8792, MT8793, MT8863, MT8873, MT8883 In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01685181; Issue ID: MSV-4760. 2026-01-06 not yet calculated CVE-2025-20762 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT6878, MT6897, MT6899, MT6985, MT6989, MT6991, MT6993, MT8792, MT8796, MT8798 In seninf, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10251210; Issue ID: MSV-4926. 2026-01-06 not yet calculated CVE-2025-20801 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT6899, MT6991 In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is needed for exploitation. Patch ID: ALPS10198951; Issue ID: MSV-4503. 2026-01-06 not yet calculated CVE-2025-20804 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT6899, MT6991, MT6993, MT8793 In c2ps, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10274607; Issue ID: MSV-5049. 2026-01-06 not yet calculated CVE-2025-20799 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT6899, MT6991, MT8793 In dpe, there is a possible memory corruption due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is needed for exploitation. Patch ID: ALPS10199779; Issue ID: MSV-4504. 2026-01-06 not yet calculated CVE-2025-20803 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT6899, MT6991, MT8793 In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10114696; Issue ID: MSV-4480. 2026-01-06 not yet calculated CVE-2025-20805 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT6899, MT6991, MT8793 In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10114835; Issue ID: MSV-4479. 2026-01-06 not yet calculated CVE-2025-20806 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT6899, MT6991, MT8793 In dpe, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10114841; Issue ID: MSV-4451. 2026-01-06 not yet calculated CVE-2025-20807 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT6989, MT8796, MT8893 In imgsys, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is needed for exploitation. Patch ID: ALPS10314745; Issue ID: MSV-5553. 2026-01-06 not yet calculated CVE-2025-20796 https://corp.mediatek.com/product-security-bulletin/January-2026
 
MediaTek, Inc.--MT6991, MT8196, MT8367, MT8781, MT8786, MT8793 In geniezone, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10238968; Issue ID: MSV-4914. 2026-01-06 not yet calculated CVE-2025-20802 https://corp.mediatek.com/product-security-bulletin/January-2026
 
Microsoft--Playwright Microsoft Playwright MCP Server versions prior to 0.0.40 fails to validate the Origin header on incoming connections. This allows an attacker to perform a DNS rebinding attack via a victim's web browser and send unauthorized requests to a locally running MCP server, resulting in unintended invocation of MCP tool endpoints. 2026-01-07 not yet calculated CVE-2025-9611 https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-8rgw-6xp9-2fg3
https://github.com/microsoft/playwright/commit/1313fbd
https://www.vulncheck.com/advisories/microsoft-playwright-mcp-server-dns-rebinding-via-missing-origin-header-validation
 
Mikado-Themes--Curly Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion.This issue affects Curly: from n/a through < 3.3. 2026-01-08 not yet calculated CVE-2025-67936 https://vdp.patchstack.com/database/Wordpress/Theme/curly/vulnerability/wordpress-curly-theme-3-3-local-file-inclusion-vulnerability?_s_id=cve
 
Mikado-Themes--Hendon Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Hendon hendon allows PHP Local File Inclusion.This issue affects Hendon: from n/a through < 1.7. 2026-01-08 not yet calculated CVE-2025-67937 https://vdp.patchstack.com/database/Wordpress/Theme/hendon/vulnerability/wordpress-hendon-theme-1-7-local-file-inclusion-vulnerability?_s_id=cve
 
Mikado-Themes--Optimize Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Optimize optimizewp allows PHP Local File Inclusion.This issue affects Optimize: from n/a through < 2.4. 2026-01-08 not yet calculated CVE-2025-67935 https://vdp.patchstack.com/database/Wordpress/Theme/optimizewp/vulnerability/wordpress-optimize-theme-2-4-local-file-inclusion-vulnerability?_s_id=cve
 
Mikado-Themes--Wellspring Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wellspring wellspring allows PHP Local File Inclusion.This issue affects Wellspring: from n/a through < 2.8. 2026-01-08 not yet calculated CVE-2025-67934 https://vdp.patchstack.com/database/Wordpress/Theme/wellspring/vulnerability/wordpress-wellspring-theme-2-8-local-file-inclusion-vulnerability?_s_id=cve
 
n/a-- GL Inet GL.Inet AX1800 Version 4.6.4 & 4.6.8 An issue in GL Inet GL.Inet AX1800 Version 4.6.4 & 4.6.8 are vulnerable. GL.Inet AX1800 Version 4.6.4 & 4.6.8 in the GL.iNet custom opkg wrapper script located at /usr/libexec/opkg-call. The script is executed with root privileges when triggered via the LuCI web interface or authenticated API calls to manage packages. The vulnerable code uses shell redirection to create a lock file in the world-writable /tmp directory. 2026-01-08 not yet calculated CVE-2025-67091 https://www.gl-inet.com/
https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl-inet-gl-axt1800-router-firmware-e6d67d81ee51?postPublishedType=repub
https://aleksazatezalo.medium.com/critical-authentication-bypass-vulnerability-in-gl-inet-gl-axt1800-router-firmware-f19442ca721d
 
n/a-- realme Internet browser v.45.13.4.1 An issue in realme Internet browser v.45.13.4.1 allows a remote attacker to execute arbitrary code via a crafted webpage in the built-in HeyTap/ColorOS browser 2026-01-05 not yet calculated CVE-2025-67316 http://internet.com
http://realme.com
https://gist.github.com/Brucewebva/ceb365b7cea0d0b8ec0ce6755177de83
 
n/a--@sylphxltd/filesystem-mcp v0.5.8 @sylphxltd/filesystem-mcp v0.5.8 is an MCP server that provides file content reading functionality. Version 0.5.8 of filesystem-mcp contains a critical path traversal vulnerability in its "read_content" tool. This vulnerability arises from improper symlink handling in the path validation mechanism: the resolvePath function checks path validity before resolving symlinks, while fs.readFile resolves symlinks automatically during file access. This allows attackers to bypass directory restrictions by leveraging symlinks within the allowed directory that point to external files, enabling unauthorized access to files outside the intended operational scope. 2026-01-07 not yet calculated CVE-2025-67366 https://github.com/sylphxltd/filesystem-mcp/issues/134
https://github.com/sylphxltd/filesystem-mcp
 
n/a--AppConnector component version 10.10.0.183 and earlier of enaio 10.10, in the AppConnector component version 11.0.0.183 and earlier of enaio 11.0, and in the AppConnctor component version 11.10.0.183 and earlier of enaio 11.10 An issue was discovered in the AppConnector component version 10.10.0.183 and earlier of enaio 10.10, in the AppConnector component version 11.0.0.183 and earlier of enaio 11.0, and in the AppConnctor component version 11.10.0.183 and earlier of enaio 11.10. The vulnerability allows authenticated remote attackers to inject arbitrary SMTP commands via crafted input to the /osrest/api/organization/sendmail endpoint 2026-01-08 not yet calculated CVE-2025-56425 https://www.optimal-systems.de/enaio
https://mind-bytes.de/smtp-injection-in-enaio-component-appconnector-cve-2025-56425/
 
n/a--Area9 Rhapsode 1.47.3 In Area9 Rhapsode 1.47.3, an authenticated attacker can exploit the operation, url, and filename parameters via POST request to read arbitrary files from the server filesystem. Fixed in 1.47.4 (#7254) and further versions. 2026-01-09 not yet calculated CVE-2025-67810 https://area9.com
https://security.area9lyceum.com/cve-2025-67810/
 
n/a--Area9 Rhapsode 1.47.3 Area9 Rhapsode 1.47.3 allows SQL Injection via multiple API endpoints accessible to authenticated users. Insufficient input validation allows remote attackers to inject arbitrary SQL commands, resulting in unauthorized database access and potential compromise of sensitive data. Fixed in v.1.47.4 and beyond. 2026-01-09 not yet calculated CVE-2025-67811 https://area9.com
https://security.area9lyceum.com/cve-2025-67811/
 
n/a--ARIS 10.0.23.0.3587512 A file upload vulnerability in ARIS 10.0.23.0.3587512 allows attackers to execute arbitrary code via uploading a crafted PDF file/Malware 2026-01-07 not yet calculated CVE-2025-66837 https://www.softwareag.com/
https://github.com/saykino/CVE-2025-66837/
 
n/a--Aris v10.0.23.0.3587512 and before In Aris v10.0.23.0.3587512 and before, the file upload functionality does not enforce any rate limiting or throttling, allowing users to upload files at an unrestricted rate. An attacker can exploit this behavior to rapidly upload a large volume of files, potentially leading to resource exhaustion such as disk space depletion, increased server load, or degraded performance 2026-01-07 not yet calculated CVE-2025-66838 https://www.softwareag.com/
https://github.com/saykino/CVE-2025-66838/
 
n/a--Axtion ODISSAAS ODIS v1.8.4 A DLL hijacking vulnerability in Axtion ODISSAAS ODIS v1.8.4 allows attackers to execute arbitrary code via a crafted DLL file. 2026-01-09 not yet calculated CVE-2025-66715 https://www.axtion.nl/odis/
https://b1tsec.gitbook.io/offensive-repo/cve-repository/cve-2025-66715
 
n/a--Blue Access Cobalt v02.000.195 Blue Access Cobalt v02.000.195 suffers from an authentication bypass vulnerability, which allows an attacker to selectively proxy requests in order to operate functionality on the web application without the need to authenticate with legitimate credentials. 2026-01-06 not yet calculated CVE-2025-60534 http://blue.com
https://github.com/PilotPatrickk/Published-CVEs/blob/main/CVE-2025-60534.md
 
n/a--ComfyUI-Manager prior to version 3.38 An issue in ComfyUI-Manager prior to version 3.38 allowed remote attackers to potentially manipulate its configuration and critical data. This was due to the application storing its files in an insufficiently protected location that was accessible via the web interface 2026-01-05 not yet calculated CVE-2025-67303 https://github.com/Comfy-Org/ComfyUI-Manager/blob/main/docs/en/v3.38-userdata-security-migration.md
https://github.com/Comfy-Org/ComfyUI-Manager/pull/2338/commits/e44c5cef58fb4973670b86433b9d24d077b44a26
 
n/a--CouchCMS 2.4 An Information Disclosure vulnerability in CouchCMS 2.4 allow an Admin user to read arbitrary files via traversing directories back after back. It can Disclosure the source code or any other confidential information if weaponize accordingly. 2026-01-09 not yet calculated CVE-2025-67004 https://www.couchcms.com/
https://github.com/CouchCMS/CouchCMS
https://gist.github.com/thepiyushkumarshukla/d01f8004c43692f18c75548f4739955a
 
n/a--D-Link DIR895LA1 v102b07 A Command Injection Vulnerability has been discovered in the DHCP daemon service of D-Link DIR895LA1 v102b07. The vulnerability exists in the lease renewal processing logic where the DHCP hostname parameter is directly concatenated into a system command without proper sanitization. When a DHCP client renews an existing lease with a malicious hostname, arbitrary commands can be executed with root privileges. 2026-01-09 not yet calculated CVE-2025-69542 https://tzh00203.notion.site/D-Link-DIR895LA1-v102b07-Command-Injection-in-DHCPd-2d4b5c52018a80a1a5ccfb317b308861?source=copy_link
 
n/a--D-Link Router DIR-605L (Hardware version F1; Firmware version: V6.02CN02) An issue was discovered in D-Link Router DIR-605L (Hardware version F1; Firmware version: V6.02CN02) allowing an attacker with physical access to the UART pins to execute arbitrary commands due to presence of root terminal access on a serial interface without proper access control. 2026-01-08 not yet calculated CVE-2025-65731 https://www.dlink.com/en/security-bulletin/
https://www.dlink.com/uk/en/products/dir-605l-wireless-n-300-home-cloud-router
https://gist.github.com/whitej3rry/f142a93bac360f9b1126f552f64957ea
https://github.com/whitej3rry/CVE-2025-65731
 
n/a--DwyerOmega Isensix Advanced Remote Monitoring System (ARMS) 1.5.7 DwyerOmega Isensix Advanced Remote Monitoring System (ARMS) 1.5.7 allows an attacker to retrieve sensitive information from the underlying SQL database via Blind SQL Injection through the user parameter in the login page. This allows an attacker to steal credentials, which may be cleartext, from existing users (and admins) and use them to authenticate to the application. 2026-01-06 not yet calculated CVE-2025-59379 https://isensix.com/guardian/
https://info.dwyeromega.com/brands
https://github.com/PilotPatrickk/Published-CVEs/blob/main/CVE-2025-59379.md
 
n/a--EDIMAX BR-6208AC V2_1.02 EDIMAX BR-6208AC V2_1.02 is vulnerable to Command Injection. This arises because the pppUserName field is directly passed to a shell command via the system() function without proper sanitization. An attacker can exploit this by injecting malicious commands into the pppUserName field, allowing arbitrary code execution. 2026-01-09 not yet calculated CVE-2025-70161 https://tzh00203.notion.site/EDIMAX-BR-6208AC-V2_1-02-Command-Injection-Vulnerability-in-Web-setWAN-handler-2d3b5c52018a80d7ae8dce2bf5e3294c?source=copy_link
 
n/a--edu Business Solutions Print Shop Pro WebDesk version 18.34 There is an issue on the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34 that enables remote attacker to create financial discrepancies by purchasing items with a negative quantity. This vulnerability is possible due to reliance on client-side input validation controls. 2026-01-08 not yet calculated CVE-2025-61546 https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2025-61546
 
n/a--edu Business Solutions Print Shop Pro WebDesk version 18.34 Cross-Site Request Forgery (CSRF) is present on all functions in edu Business Solutions Print Shop Pro WebDesk version 18.34. The application does not implement proper CSRF tokens or other other protective measures, allowing a remote attacker to trick authenticated users into unknowingly executing unintended actions within their session. This can lead to unauthorized data modification such as credential updates. 2026-01-08 not yet calculated CVE-2025-61547 https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2025-61547
 
n/a--edu Business Solutions Print Shop Pro WebDesk version 18.34 SQL Injection is present on the hfInventoryDistFormID parameter in the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34. Unsanitized user input is incorporated directly into SQL queries without proper parameterization or escaping. This vulnerability allows remote attackers to execute arbitrary SQL commands 2026-01-08 not yet calculated CVE-2025-61548 https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2025-61548
 
n/a--edu Business Solutions Print Shop Pro WebDesk version 18.34 Cross-Site Scripting (XSS) is present on the LoginID parameter on the /PSP/app/web/reg/reg_display.asp endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34. Unsanitized user input is reflected in HTTP responses without proper HTML encoding or escaping. This allows attackers to execute arbitrary JavaScript in the context of a victim s browser session 2026-01-08 not yet calculated CVE-2025-61549 https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2025-61549
 
n/a--edu Business Solutions Print Shop Pro WebDesk version 18.34 Cross-Site Scripting (XSS) is present on the ctl00_Content01_fieldValue parameters on the /psp/appNet/TemplateOrder/TemplatePreview.aspx endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34. User-supplied input is stored and later rendered in HTML pages without proper output encoding or sanitization. This allows attackers to persistently inject arbitrary JavaScript that executes in the context of other users' sessions 2026-01-08 not yet calculated CVE-2025-61550 https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2025-61550
 
n/a--Employee Leave Management System v.2.1 Cross Site Request Forgery vulnerability in Employee Leave Management System v.2.1 allows a remote attacker to escalate privileges via the manage-employee.php component 2026-01-05 not yet calculated CVE-2025-67315 https://phpgurukul.com/employee-leaves-management-system-elms/
https://github.com/r-pradyun/CVE-2025-67315
 
n/a--evershop 2.1.0 A Denial of Service (DoS) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to exhaust the application server's resources via the "GET /images" API. The application fails to limit the height of the use-element shadow tree or the dimensions of pattern tiles during the processing of SVG files, resulting in unbounded resource consumption and system-wide denial of service. 2026-01-05 not yet calculated CVE-2025-67419 https://github.com/evershopcommerce/evershop
https://github.com/dos-m0nk3y/CVE/tree/main/CVE-2025-67419
 
n/a--evershop 2.1.0 A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. The vulnerability occurs due to insufficient validation of the "src" query parameter, which permits arbitrary HTTP or HTTPS URIs, resulting in unexpected requests against internal and external networks. 2026-01-05 not yet calculated CVE-2025-67427 https://github.com/evershopcommerce/evershop
https://github.com/dos-m0nk3y/CVE/tree/main/CVE-2025-67427
 
n/a--fast-filesystem-mcp version 3.4.0 fast-filesystem-mcp version 3.4.0 contains a critical path traversal vulnerability in its file operation tools including fast_read_file. This vulnerability arises from improper path validation that fails to resolve symbolic links to their actual physical paths. The safePath and isPathAllowed functions use path.resolve() which does not handle symlinks, allowing attackers to bypass directory access restrictions by creating symlinks within allowed directories that point to restricted system paths. When these symlinks are accessed through valid path references, the validation checks are circumvented, enabling access to unauthorized files. 2026-01-07 not yet calculated CVE-2025-67364 https://github.com/efforthye/fast-filesystem-mcp/issues/10
https://github.com/efforthye/fast-filesystem-mcp
 
n/a--fluidsynth-2.4.6 and earlier versions fluidsynth-2.4.6 and earlier versions is vulnerable to Null pointer dereference in fluid_synth_monopoly.c, that can be triggered when loading an invalid midi file. 2026-01-09 not yet calculated CVE-2025-56225 https://github.com/FluidSynth/fluidsynth/issues/1602
https://github.com/FluidSynth/fluidsynth/pull/1607
 
n/a--Gl Inet GL.Inet AX1800 Version 4.6.4 & 4.6.8 The LuCI web interface on Gl Inet GL.Inet AX1800 Version 4.6.4 & 4.6.8 are vulnerable. Fix available in version 4.8.2 GL.Inet AX1800 Version 4.6.4 & 4.6.8 lacks rate limiting or account lockout mechanisms on the authentication endpoint (`/cgi-bin/luci`). An unauthenticated attacker on the local network can perform unlimited password attempts against the admin interface. 2026-01-08 not yet calculated CVE-2025-67090 https://www.gl-inet.com/security/
https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl-inet-gl-axt1800-router-firmware-e6d67d81ee51?postPublishedType=repub
https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl-inet-gl-axt1800-router-firmware-e6d67d81ee51
 
n/a--GL-iNet GL-AXT1800 router firmware v4.6.8 A command injection vulnerability exists in the GL-iNet GL-AXT1800 router firmware v4.6.8. The vulnerability is present in the `plugins.install_package` RPC method, which fails to properly sanitize user input in package names. Authenticated attackers can exploit this to execute arbitrary commands with root privileges 2026-01-08 not yet calculated CVE-2025-67089 https://www.gl-inet.com/security-updates/
https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl-inet-gl-axt1800-router-firmware-e6d67d81ee51?postPublishedType=repub
 
n/a--H3C M102G HM1A0V200R010 wireless controller and BA1500L SWBA1A0V100R006 wireless access point An issue in H3C M102G HM1A0V200R010 wireless controller and BA1500L SWBA1A0V100R006 wireless access point, there is a misconfiguration vulnerability about vsftpd. Through this vulnerability, all files uploaded anonymously via the FTP protocol is automatically owned by the root user and remote attackers could gain root-level control over the devices. 2026-01-06 not yet calculated CVE-2025-60262 https://www.notion.so/23e54a1113e780d686fbe1624ee0465d
https://www.notion.so/Misconfiguration-in-H3C-23e54a1113e780d686fbe1624ee0465d
 
n/a--Hero Motocorp Vida V1 Pro 2.0.7 An issue in Hero Motocorp Vida V1 Pro 2.0.7 allows a local attacker to cause a denial of service via the BLE component 2026-01-09 not yet calculated CVE-2025-67133 http://hero.com
http://vida.com
https://threadpoolx.gitbook.io/docs/cve/cve-2025-67133-denial-of-service-via-unauthenticated-ble-connection
 
n/a--indieka900 online-shopping-system-php 1.0 indieka900 online-shopping-system-php 1.0 is vulnerable to SQL Injection in master/review_action.php via the proId parameter. 2026-01-08 not yet calculated CVE-2025-61246 https://github.com/hackergovind/CVE-2025-61246
 
n/a--Insiders Technologies GmbH e-invoice pro before release 1 An issue in Insiders Technologies GmbH e-invoice pro before release 1 Service Pack 2 allows a remote attacker to cause a denial of service via a crafted script 2026-01-08 not yet calculated CVE-2025-56424 https://insiders-technologies.com/en/e-invoice/
https://mind-bytes.de/xml-external-entity-xxe-injection-in-e-invoice-pro-cve-2025-56424/
 
n/a--Intelbras CFTV IP NVD 9032 R Ftd V2.800.00IB00C.0.T A vulnerability exists in Intelbras CFTV IP NVD 9032 R Ftd V2.800.00IB00C.0.T, which allows an unauthenticated attacker to bypass the multi-factor authentication (MFA) mechanism during the password recovery process. This results in the ability to change the admin password and gain full access to the administrative panel. 2026-01-09 not yet calculated CVE-2025-67070 https://github.com/teteco/intelbras-cftv-admin-bypass
 
n/a--JimuReport thru version 2.1.3 JimuReport thru version 2.1.3 is vulnerable to remote code execution when processing user-controlled H2 JDBC URLs. The application passes the attacker-supplied JDBC URL directly to the H2 driver, allowing the use of certain directives to execute arbitrary Java code. A different vulnerability than CVE-2025-10770. 2026-01-08 not yet calculated CVE-2025-66913 https://github.com/jeecgboot/jimureport/issues/4306
https://gist.github.com/Catherines77/f15d53e9705b24cf018e5bffed3e8234
 
n/a--KAYSUS KS-WR1200 routers with firmware 107 KAYSUS KS-WR1200 routers with firmware 107 expose SSH and TELNET services on the LAN interface with hardcoded root credentials (root:12345678). The administrator cannot disable these services or change the hardcoded password. (Changing the management GUI password does not affect SSH/TELNET authentication.) Any LAN-adjacent attacker can trivially log in with root privileges. 2026-01-08 not yet calculated CVE-2025-68718 https://www.kaysus.com/ks_wr3600__wifi_7_be3600_wireless_router.html
https://github.com/actuator/cve/tree/main/KAYSUS
https://github.com/actuator/cve/blob/main/KAYSUS/CVE-2025-68718.txt
 
n/a--KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 enable the SSH service enabled by default on the LAN interface. The root account is configured with no password, and administrators cannot disable SSH or enforce authentication via the CLI or web GUI. This allows any LAN-adjacent attacker to trivially gain root shell access and execute arbitrary commands with full privileges. 2026-01-08 not yet calculated CVE-2025-68716 https://www.kaysus.com/ks_wr3600__wifi_7_be3600_wireless_router.html
https://github.com/actuator/cve/tree/main/KAYSUS
https://github.com/actuator/cve/blob/main/KAYSUS/CVE-2025-68716.txt
 
n/a--KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 allow authentication bypass during session validation. If any user is logged in, endpoints such as /cgi-bin/system-tool accept unauthenticated requests with empty or invalid session values. This design flaw lets attackers piggyback on another user's active session to retrieve sensitive configuration data or execute privileged actions without authentication. 2026-01-08 not yet calculated CVE-2025-68717 https://www.kaysus.com/ks_wr3600__wifi_7_be3600_wireless_router.html
https://github.com/actuator/cve/tree/main/KAYSUS
https://github.com/actuator/cve/blob/main/KAYSUS/CVE-2025-68717.txt
 
n/a--KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 mishandle configuration management. Once any user is logged in and maintains an active session, an attacker can directly query the backup endpoint and download a full configuration archive. This archive contains sensitive files such as /etc/shadow, enabling credential recovery and potential full compromise of the device. 2026-01-08 not yet calculated CVE-2025-68719 https://www.kaysus.com/ks_wr3600__wifi_7_be3600_wireless_router.html
https://github.com/actuator/cve/tree/main/KAYSUS
https://github.com/actuator/cve/blob/main/KAYSUS/CVE-2025-68719.txt
 
n/a--Mega-Fence (webgate-lib.*) 25.1.914 and prior  Mega-Fence (webgate-lib.*) 25.1.914 and prior trusts the first value of the X-Forwarded-For (XFF) header as the client IP without validating a trusted proxy chain. An attacker can supply an arbitrary XFF value in a remote request to spoof the client IP, which is then propagated to security-relevant state (e.g., WG_CLIENT_IP cookie). Deployments that rely on this value for IP allowlists may be bypassed. 2026-01-05 not yet calculated CVE-2025-65328 https://drive.proton.me/urls/MY05PVBFXG#xDd2Xqy98WM9
https://raw.githubusercontent.com/p1aintext/CVE/main/CVE-2025-65328.md
 
n/a--Nitro PDF Pro for Windows before 14.42.0.34. An issue was discovered in Nitro PDF Pro for Windows before 14.42.0.34. In certain cases, it displays signer information from a non-verified PDF field rather than from the verified certificate subject. This could allow a document to present inconsistent signer details. The display logic was updated to ensure signer information consistently reflects the verified certificate identity. 2026-01-08 not yet calculated CVE-2025-67825 https://gonitro.com
https://www.gonitro.com/documentation/release-notes
 
n/a--NJHYST HY511 POE core before 2.1 and plugins before 0.1. An issue was discovered in NJHYST HY511 POE core before 2.1 and plugins before 0.1. The vulnerability stems from the device's insufficient cookie verification, allowing an attacker to directly request the configuration file address and download the core configuration file without logging into the device management backend. By reading the corresponding username and self-decrypted MD5 password in the core configuration file, the attacker can directly log in to the backend, thereby bypassing the front-end backend login page. 2026-01-06 not yet calculated CVE-2025-65212 https://github.com/a2148001284/test1/blob/main/%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E5%90%8E%E5%8F%B0%E6%BC%8F%E6%B4%9EEN.md
https://gist.github.com/a2148001284/bcdda75fc8718454f16a7b9259463719
 
n/a--OpenAirInterface CN5G AMF<=v2.0.1 OpenAirInterface CN5G AMF<=v2.0.1 There is a logical error when processing JSON format requests. Unauthorized remote attackers can send malicious JSON data to AMF's SBI interface to launch a denial-of-service attack. 2026-01-07 not yet calculated CVE-2025-66786 https://github.com/swallele/Vulnerability/blob/main/Openairinterface/Dos/Json_Dos.md
 
n/a--OpenAirInterface CN5G AMF<=v2.1.9 OpenAirInterface CN5G AMF<=v2.1.9 has a buffer overflow vulnerability in processing NAS messages. Unauthorized remote attackers can launch a denial-of-service attack and potentially execute malicious code by accessing port N1 and sending an imsi string longer than 1000 to AMF. 2026-01-07 not yet calculated CVE-2025-65805 https://github.com/swallele/Vulnerability/blob/main/Openairinterface/Buffer_Overflow/Vulnerability_Report.md
 
n/a--Panda Wireless PWRU0 devices with firmware 2.2.9 An issue was discovered in Panda Wireless PWRU0 devices with firmware 2.2.9 that exposes multiple HTTP endpoints (/goform/setWan, /goform/setLan, /goform/wirelessBasic) that do not enforce authentication. A remote unauthenticated attacker can modify WAN, LAN, and wireless settings directly, leading to privilege escalation and denial of service. 2026-01-08 not yet calculated CVE-2025-68715 https://github.com/actuator/cve/tree/main/PandaWireless
https://github.com/actuator/cve/blob/main/PandaWireless/CVE-2025-68715.txt
 
n/a--Passy v.1.6.3 An issue in Passy v.1.6.3 allows a remote authenticated attacker to execute arbitrary commands via a crafted HTTP request using a specific payload injection. 2026-01-05 not yet calculated CVE-2025-67397 https://www.passy.it/
https://github.com/giulioschiavone/Vulnerability-Research/tree/main/CVE-2025-67397
 
n/a--Perch CMS version 3.2 A stored Cross-Site Scripting (XSS) vulnerability exists in Perch CMS version 3.2. An authenticated attacker with administrative privileges can inject malicious JavaScript code into the "Help button url" setting within the admin panel. The injected payload is stored and executed when any authenticated user clicks the Help button, potentially leading to session hijacking, information disclosure, privilege escalation, and unauthorized administrative actions. 2026-01-07 not yet calculated CVE-2025-66686 https://github.com/mertdurum06/Perch-v3.2
https://github.com/mertdurum06/Perch-v3.2/blob/main/Perch%20v3.2_Poc.txt
 
n/a--phpgurukul Hostel Management System v2.1 Cross-Site Scripting in phpgurukul Hostel Management System v2.1 user-provided complaint fields (Explain the Complaint) submitted via /register-complaint.php are stored and rendered unescaped in the admin viewer (/admin/complaint-details.php?cid=<id>). When an administrator opens the complaint, injected HTML/JavaScript executes in the admin's browser. 2026-01-08 not yet calculated CVE-2025-63611 https://phpgurukul.com/hostel-management-system/
https://medium.com/@tanushkushtk01/cve-2025-63611-stored-cross-site-scripting-xss-in-hostel-management-system-v2-1-a23c2efc86ea
 
n/a--Plesk Obsidian versions 8.0.1 through 18.0.73 Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition. The vulnerability exists in the get_password.php endpoint, where a crafted request containing a malicious payload can cause the affected web interface to continuously reload, rendering the service unavailable to legitimate users. An attacker can exploit this issue remotely without authentication, resulting in a persistent availability impact on the affected Plesk Obsidian instance. 2026-01-08 not yet calculated CVE-2025-65518 http://plesk.com
https://github.com/Jainil-89/CVE-2025-65518/blob/main/cve.md
https://docs.plesk.com/release-notes/obsidian/change-log/
 
n/a--pss.sale.com 1.0 SQL injection vulnerability in pss.sale.com 1.0 via the id parameter to the userfiles/php/cancel_order.php endpoint. 2026-01-09 not yet calculated CVE-2025-51626 https://gitee.com/XiaoLiuChu/pss.sale.com/tree/master
https://gist.github.com/hnking-star/17d4c9c990c2324ef109fecb4fc4630c
 
n/a--QloApps versions 1.7.0 and earlier Unrestricted file upload in the hotel review feature in QloApps versions 1.7.0 and earlier allows remote unauthenticated attackers to achieve remote code execution. 2026-01-08 not yet calculated CVE-2025-67325 https://github.com/Qloapps/QloApps
https://github.com/mr7s3d0/CVE-2025-67325
 
n/a--RuoYi-Vue-Plus versions 5.5.1 and earlier The snailjob component in RuoYi-Vue-Plus versions 5.5.1 and earlier, interface /snail-job/workflow/check-node-expression can execute QLExpress expressions, but it does not filter user input, allowing attackers to use the File class to perform arbitrary file reading and writing. 2026-01-08 not yet calculated CVE-2025-66916 https://gitee.com/dromara/RuoYi-Vue-Plus
https://github.com/Catherines77/code-au/blob/main/ruoyi-vue-plus/QLExpress.md
https://gist.github.com/Catherines77/e3f06b9c4cc6298579e858088a243c3d
 
n/a--Samsung Magician 6.3.0 through 8.3.2 on Windows An issue was discovered in Samsung Magician 6.3.0 through 8.3.2 on Windows. The installer creates a temporary folder with weak permissions during installation, allowing a non-admin user to perform DLL hijacking and escalate privileges. 2026-01-05 not yet calculated CVE-2025-57836 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-57836/
 
n/a--Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500 An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. A race condition in the issimian device driver results in an out-of-bounds access, leading to a denial of service. 2026-01-05 not yet calculated CVE-2025-52515 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52515/
 
n/a--Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500 An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. An invalid kernel address dereference in the issimian device driver leads to a denial of service. 2026-01-05 not yet calculated CVE-2025-52516 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52516/
 
n/a--Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500 An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. A race condition in the issimian device driver results in a double free, leading to a denial of service. 2026-01-05 not yet calculated CVE-2025-52517 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52517/
 
n/a--Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500 An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, and 2500. Improper validation of user-space input in the issimian device driver leads to information disclosure and a denial of service. 2026-01-05 not yet calculated CVE-2025-52519 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52519/
 
n/a--Samsung Mobile Processor Exynos 1380, 1480, 2400, 1580 An issue was discovered in the WiFi driver in Samsung Mobile Processor Exynos 1380, 1480, 2400, 1580. Mishandling of an NL80211 vendor command leads to a buffer overflow. 2026-01-05 not yet calculated CVE-2025-49495 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-49495/
 
n/a--Samsung Mobile Processor Exynos 1380, 1480, 2400, and 1580 An issue was discovered in Samsung Mobile Processor Exynos 1380, 1480, 2400, and 1580. Incorrect Handling of the NL80211 vendor command leads to a buffer overflow during handling of an IOCTL message. 2026-01-05 not yet calculated CVE-2025-53966 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-53966/
 
n/a--Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400 An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400. The lack of a length check leads to out-of-bounds writes via malformed NAS packets. 2026-01-05 not yet calculated CVE-2025-27807 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-27807/
 
n/a--Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400 An issue was discovered in L2 in c. Incorrect handling of RRC packets leads to a Denial of Service. 2026-01-05 not yet calculated CVE-2025-43706 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-43706/
 
n/a--shiori v1.7.4 A lack of rate limiting in the login page of shiori v1.7.4 and below allows attackers to bypass authentication via a brute force attack. 2026-01-09 not yet calculated CVE-2025-60538 https://github.com/go-shiori/shiori
https://github.com/go-shiori/shiori/issues/1138
 
n/a--sonirico mcp-shell v0.3.1 A command injection vulnerability in the shell_exec function of sonirico mcp-shell v0.3.1 allows attackers to execute arbitrary commands via supplying a crafted command string. 2026-01-07 not yet calculated CVE-2025-61489 https://github.com/sonirico/mcp-shell
https://github.com/sonirico/mcp-shell/issues/4
 
n/a--Technitium DNS Server v.13.5 An issue in Technitium DNS Server v.13.5 allows a remote attacker to cause a denial of service via the rate-limiting component 2026-01-08 not yet calculated CVE-2025-50334 https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md
http://technitium.com
https://github.com/TechnitiumSoftware/DnsServer/blob/v13.3/DnsServerCore/Dns/DnsServer.cs
https://github.com/FPokerFace/Security-Advisory/tree/main/CVE-2025-50334
https://github.com/TechnitiumSoftware/DnsServer/commit/7229b217238213cc6275eea68a7e17d73df1603e
 
n/a--terminal-controller-mcp 0.1.7 A command injection vulnerability in the execute_command function of terminal-controller-mcp 0.1.7 allows attackers to execute arbitrary commands via a crafted input. 2026-01-07 not yet calculated CVE-2025-61492 https://github.com/cfdude/super-shell-mcp/issues/19
https://github.com/GongRzhe/terminal-controller-mcp
https://github.com/GongRzhe/terminal-controller-mcp/issues/7
 
n/a--TIM BPM Suite/ TIM FLOW through 9.1.2 In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Authorization Bypass vulnerabilities exists which allow a low privileged user to download password hashes of other user, access work items of other user, modify restricted content in workflows, modify the applications logo and manipulate the profile of other user. 2026-01-09 not yet calculated CVE-2025-67282 https://tim-doc.atlassian.net/wiki/spaces/eng/pages/230981636/Release+Notes
https://www.y-security.de/news-en/tim-bpm-suite-tim-flow-multiple-vulnerabilities/
 
n/a--TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 An issue in TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 allows a remote attacker to escalate privileges via a crafted HTTP request 2026-01-09 not yet calculated CVE-2025-67278 https://tim-doc.atlassian.net/wiki/spaces/eng/pages/230981636/Release+Notes
https://www.y-security.de/news-en/tim-bpm-suite-tim-flow-multiple-vulnerabilities/
 
n/a--TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 An issue in TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 allows a remote attacker to escalate privileges via the application stores password hashes in MD5 format 2026-01-09 not yet calculated CVE-2025-67279 https://tim-doc.atlassian.net/wiki/spaces/eng/pages/230981636/Release+Notes
https://www.y-security.de/news-en/tim-bpm-suite-tim-flow-multiple-vulnerabilities/
 
n/a--TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Hibernate Query Language injection vulnerabilities exist which allow a low privileged user to extract passwords of other users and access sensitive data of another user. 2026-01-09 not yet calculated CVE-2025-67280 https://tim-doc.atlassian.net/wiki/spaces/eng/pages/230981636/Release+Notes
https://www.y-security.de/news-en/tim-bpm-suite-tim-flow-multiple-vulnerabilities/
 
n/a--TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple SQL injection vulnerabilities exists which allow a low privileged and administrative user to access the database and its content. 2026-01-09 not yet calculated CVE-2025-67281 https://tim-doc.atlassian.net/wiki/spaces/eng/pages/230981636/Release+Notes
https://www.y-security.de/news-en/tim-bpm-suite-tim-flow-multiple-vulnerabilities/
 
n/a--Yonyou YonBIP v3 and before In Yonyou YonBIP v3 and before, the LoginWithV8 interface in the series data application service system is vulnerable to path traversal, allowing unauthorized access to sensitive information within the system 2026-01-09 not yet calculated CVE-2025-66744 https://github.com/iSee857/YonYouBip-path-travel
 
nasa--CryptoLib CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, an out-of-bounds heap read vulnerability in cryptography_encrypt() occurs when parsing JSON metadata from KMC server responses. The flawed strtok iteration pattern uses ptr + strlen(ptr) + 1 which reads one byte past allocated buffer boundaries when processing short or malformed metadata strings. This issue has been patched in version 1.4.3. 2026-01-10 not yet calculated CVE-2026-21900 https://github.com/nasa/CryptoLib/security/advisories/GHSA-4g6v-36fv-qcvw
https://github.com/nasa/CryptoLib/commit/2372efd3da1ccb226b4297222e25f41ecc84821d
https://github.com/nasa/CryptoLib/releases/tag/v1.4.3
 
nasa--CryptoLib CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, there is an out-of-bounds heap read vulnerability in cryptography_aead_encrypt(). This issue has been patched in version 1.4.3. 2026-01-10 not yet calculated CVE-2026-22023 https://github.com/nasa/CryptoLib/security/advisories/GHSA-8w3h-q8jm-3chq
https://github.com/nasa/CryptoLib/commit/2372efd3da1ccb226b4297222e25f41ecc84821d
https://github.com/nasa/CryptoLib/releases/tag/v1.4.3
 
nasa--CryptoLib CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the cryptography_encrypt() function allocates multiple buffers for HTTP requests and JSON parsing that are never freed on any code path. Each call leaks approximately 400 bytes of memory. Sustained traffic can gradually exhaust available memory. This issue has been patched in version 1.4.3. 2026-01-10 not yet calculated CVE-2026-22024 https://github.com/nasa/CryptoLib/security/advisories/GHSA-r3wg-g8xv-gxvf
https://github.com/nasa/CryptoLib/commit/2372efd3da1ccb226b4297222e25f41ecc84821d
https://github.com/nasa/CryptoLib/releases/tag/v1.4.3
 
nasa--CryptoLib CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, when the KMC server returns a non-200 HTTP status code, cryptography_encrypt() and cryptography_decrypt() return immediately without freeing previously allocated buffers. Each failed request leaks approximately 467 bytes. Repeated failures (from a malicious server or network issues) can gradually exhaust memory. This issue has been patched in version 1.4.3. 2026-01-10 not yet calculated CVE-2026-22025 https://github.com/nasa/CryptoLib/security/advisories/GHSA-h74x-vwwr-mm5g
https://github.com/nasa/CryptoLib/commit/2372efd3da1ccb226b4297222e25f41ecc84821d
https://github.com/nasa/CryptoLib/releases/tag/v1.4.3
 
nasa--CryptoLib CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the libcurl write_callback function in the KMC crypto service client allows unbounded memory growth by reallocating response buffers without any size limit or overflow check. A malicious KMC server can return arbitrarily large HTTP responses, forcing the client to allocate excessive memory until the process is terminated by the OS. This issue has been patched in version 1.4.3. 2026-01-10 not yet calculated CVE-2026-22026 https://github.com/nasa/CryptoLib/security/advisories/GHSA-w9cm-q69w-34x7
https://github.com/nasa/CryptoLib/commit/2372efd3da1ccb226b4297222e25f41ecc84821d
https://github.com/nasa/CryptoLib/releases/tag/v1.4.3
 
nasa--CryptoLib CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the convert_hexstring_to_byte_array() function in the MariaDB SA interface writes decoded bytes into a caller-provided buffer without any capacity check. When importing SA fields from the database (e.g., IV, ARSN, ABM), a malformed or oversized hex string in the database can overflow the destination buffer, corrupting adjacent heap memory. This issue has been patched in version 1.4.3. 2026-01-10 not yet calculated CVE-2026-22027 https://github.com/nasa/CryptoLib/security/advisories/GHSA-3m35-m689-h29x
https://github.com/nasa/CryptoLib/commit/2372efd3da1ccb226b4297222e25f41ecc84821d
https://github.com/nasa/CryptoLib/releases/tag/v1.4.3
 
Nokia--SR Linux Nokia SR Linux is vulnerable to an authentication vulnerability allowing unauthorized access to the JSON-RPC service. When exploited, an invalid validation allows JSON RPC access without providing valid authentication credentials. 2026-01-07 not yet calculated CVE-2025-0980 Nokia Product Security Advisory
 
Noor Alam--Easy Media Download Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Noor Alam Easy Media Download easy-media-download allows Reflection Injection.This issue affects Easy Media Download: from n/a through <= 1.1.11. 2026-01-08 not yet calculated CVE-2025-69169 https://vdp.patchstack.com/database/Wordpress/Plugin/easy-media-download/vulnerability/wordpress-easy-media-download-plugin-1-1-11-css-injection-vulnerability?_s_id=cve
 
Open Microscopy Environment--Bio-Formats Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., XLEF). The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entity expansion and external DTD loading. A crafted metadata file can trigger outbound network requests (SSRF), access local system resources where readable, or cause a denial of service during XML parsing. 2026-01-07 not yet calculated CVE-2026-22186 https://seclists.org/fulldisclosure/2026/Jan/6
https://docs.openmicroscopy.org/bio-formats/
https://www.vulncheck.com/advisories/bio-formats-xxe-in-leica-xlef-metadata-parser
 
Open Microscopy Environment--Bio-Formats Bio-Formats versions up to and including 8.3.0 perform unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically loads and deserializes memo files associated with images without validation, integrity checks, or trust enforcement. An attacker who can supply a crafted .bfmemo file alongside an image can trigger deserialization of untrusted data, which may result in denial of service, logic manipulation, or potentially remote code execution in environments where suitable gadget chains are present on the classpath. 2026-01-07 not yet calculated CVE-2026-22187 https://seclists.org/fulldisclosure/2026/Jan/7
https://docs.openmicroscopy.org/bio-formats/
https://www.vulncheck.com/advisories/bio-formats-memoizer-unsafe-deserialization-via-bfmemo-cache-files
 
open-metadata--OpenMetadata OpenMetadata is a unified metadata platform. Versions prior to 1.11.4 are vulnerable to remote code execution via Server-Side Template Injection (SSTI) in FreeMarker email templates. An attacker must have administrative privileges to exploit the vulnerability. Version 1.11.4 contains a patch. 2026-01-08 not yet calculated CVE-2026-22244 https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-5f29-2333-h9c7
https://github.com/open-metadata/OpenMetadata/commit/bffe7c45807763f9b682021d4211c478d2a08bb3
 
OpenFlagr--Flagr OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials. Unauthorized access may allow modification of feature flags and export of sensitive data. 2026-01-07 not yet calculated CVE-2026-0650 https://github.com/openflagr/flagr/releases/tag/1.1.19
https://dreyand.rs/code%20review/golang/2026/01/03/0day-speedrun-openflagr-less-1118-authentication-bypass
https://www.vulncheck.com/advisories/openflagr-authentication-bypass-via-prefix-whitelist-path-normalization
 
OpenLDAP Foundation--OpenLDAP OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. This can cause mdb_load to crash, leading to a limited denial-of-service condition. 2026-01-07 not yet calculated CVE-2026-22185 https://seclists.org/fulldisclosure/2026/Jan/5
https://seclists.org/fulldisclosure/2026/Jan/8
https://www.openldap.org/
https://www.vulncheck.com/advisories/openldap-lmdb-mdb-load-heap-buffer-underflow-in-readline
https://bugs.openldap.org/show_bug.cgi?id=10421
 
opf--openproject OpenProject is an open-source, web-based project management software. For OpenProject version 16.6.1 and below, a registered administrator can execute arbitrary command by configuring sendmail binary path and sending a test email. This issue has been patched in version 16.6.2. 2026-01-10 not yet calculated CVE-2026-22601 https://github.com/opf/openproject/security/advisories/GHSA-9vrv-7h26-c7jc
https://github.com/opf/openproject/releases/tag/v16.6.2
 
opf--openproject OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject's unauthenticated password-change endpoint (/account/change_password) was not protected by the same brute-force safeguards that apply to the normal login form. In affected versions, an attacker who can guess or enumerate user IDs can send unlimited password-change requests for a given account without triggering lockout or other rate-limiting controls. This allows automated password-guessing (e.g., with wordlists of common passwords) against valid accounts. Successful guessing results in full account compromise for the targeted user and, depending on that user's role, can lead to further privilege escalation inside the application. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually. 2026-01-10 not yet calculated CVE-2026-22603 https://github.com/opf/openproject/security/advisories/GHSA-93x5-prx9-x239
https://github.com/opf/openproject/pull/21272
https://github.com/opf/openproject/commit/2b394b9ba5af1e5d96a64d7d452d4d44598a4c7f
https://github.com/opf/openproject/releases/tag/v16.6.2
 
opf--openproject OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user_id parameter, the resulting error page would show the username for the requested user. Since this endpoint is intended to be called without being authenticated, this allows to enumerate the user names of all accounts registered in an OpenProject instance. This issue has been patched in version 16.6.2. 2026-01-10 not yet calculated CVE-2026-22604 https://github.com/opf/openproject/security/advisories/GHSA-q7qp-p3vw-j2fh
https://github.com/opf/openproject/pull/3451
https://github.com/opf/openproject/commit/2cff5e98649e32a197a62659a23dd4b864b7855b
https://github.com/opf/openproject/releases/tag/v16.6.2
 
pallets--werkzeug Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as CON.txt, or trailing spaces such as CON. This issue has been patched in version 3.1.5. 2026-01-08 not yet calculated CVE-2026-21860 https://github.com/pallets/werkzeug/security/advisories/GHSA-87hc-h4r5-73f7
https://github.com/pallets/werkzeug/commit/7ae1d254e04a0c33e241ac1cca4783ce6c875ca3
 
Panda3D--Panda3D Panda3D versions up to and including 1.10.16 deploy-stub contains a denial of service vulnerability due to unbounded stack allocation. The deploy-stub executable allocates argv_copy and argv_copy2 using alloca() based directly on the attacker-controlled argc value without validation. Supplying a large number of command-line arguments can exhaust stack space and propagate uninitialized stack memory into Python interpreter initialization, resulting in a reliable crash and undefined behavior. 2026-01-07 not yet calculated CVE-2026-22188 https://seclists.org/fulldisclosure/2026/Jan/9
https://www.panda3d.org/
https://github.com/panda3d/panda3d
https://www.vulncheck.com/advisories/panda3d-deploy-stub-stack-exhaustion-via-unbounded-alloca
 
Panda3D--Panda3D Panda3D versions up to and including 1.10.16 egg-mkfont contains a stack-based buffer overflow vulnerability due to use of an unbounded sprintf() call with attacker-controlled input. When constructing glyph filenames, egg-mkfont formats a user-supplied glyph pattern (-gp) into a fixed-size stack buffer without length validation. Supplying an excessively long glyph pattern string can overflow the stack buffer, resulting in memory corruption and a deterministic crash. Depending on build configuration and execution environment, the overflow may also be exploitable for arbitrary code execution. 2026-01-07 not yet calculated CVE-2026-22189 https://seclists.org/fulldisclosure/2026/Jan/10
https://www.panda3d.org/
https://github.com/panda3d/panda3d
https://www.vulncheck.com/advisories/panda3d-egg-mkfont-stack-buffer-overflow
 
Panda3D--Panda3D Panda3D versions up to and including 1.10.16 egg-mkfont contains an uncontrolled format string vulnerability. The -gp (glyph pattern) command-line option is used directly as the format string for sprintf() with only a single argument supplied. If an attacker provides additional format specifiers, egg-mkfont may read unintended stack values and write the formatted output into generated .egg and .png files, resulting in disclosure of stack-resident memory and pointer values. 2026-01-07 not yet calculated CVE-2026-22190 https://seclists.org/fulldisclosure/2026/Jan/11
https://www.panda3d.org/
https://github.com/panda3d/panda3d
https://www.vulncheck.com/advisories/panda3d-egg-mkfont-format-string-information-disclosure
 
parallax--jsPDF jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are `addImage`, `html`, and `addFont`. Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The vulnerability has been fixed in jsPDF@4.0.0. This version restricts file system access per default. This semver-major update does not introduce other breaking changes. Some workarounds areavailable. With recent node versions, jsPDF recommends using the `--permission` flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. For older node versions, sanitize user-provided paths before passing them to jsPDF. 2026-01-05 not yet calculated CVE-2025-68428 https://github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2
https://github.com/parallax/jsPDF/commit/a688c8f479929b24a6543b1fa2d6364abb03066d
https://github.com/parallax/jsPDF/releases/tag/v4.0.0
 
Pinpoll--Pinpoll Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pinpoll Pinpoll pinpoll allows Reflected XSS.This issue affects Pinpoll: from n/a through <= 4.0.0. 2026-01-08 not yet calculated CVE-2025-68889 https://vdp.patchstack.com/database/Wordpress/Plugin/pinpoll/vulnerability/wordpress-pinpoll-plugin-3-0-22-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
PIONEER CORPORATION--USB DAC Amplifier APS-DA101JS The installers for multiple products provided by PIONEER CORPORATION contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with the privileges of the running installer. 2026-01-08 not yet calculated CVE-2026-21427 https://jpn.pioneer/ja/support/software/stellanova/dac_driver/
https://jvn.jp/en/jp/JVN17956874/
 
Plat'Home Co.,Ltd.--OpenBlocks IoT DX1 (FW5.0.x) Authentication bypass issue exists in OpenBlocks series versions prior to FW5.0.8, which may allow an attacker to bypass administrator authentication and change the password. 2026-01-06 not yet calculated CVE-2026-21411 https://www.plathome.co.jp/support/software/fw5/dx1-v5-0-8/
https://jvn.jp/en/vu/JVNVU97172240/
 
POSIMYTH--UiChemy Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH UiChemy uichemy allows Stored XSS.This issue affects UiChemy: from n/a through <= 4.4.2. 2026-01-06 not yet calculated CVE-2025-69362 https://vdp.patchstack.com/database/Wordpress/Plugin/uichemy/vulnerability/wordpress-uichemy-plugin-4-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
preactjs--preact Preact, a lightweight web development framework, JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this protection to be softened. In applications where values from JSON payloads are assumed to be strings and passed unmodified to Preact as children, a specially-crafted JSON payload could be constructed that would be incorrectly treated as a valid VNode. When this chain of failures occurs it can result in HTML injection, which can allow arbitrary script execution if not mitigated by CSP or other means. Applications using affected Preact versions are vulnerable if they meet all of the following conditions: first, pass unmodified, unsanitized values from user-modifiable data sources (APIs, databases, local storage, etc.) directly into the render tree; second assume these values are strings but the data source could return actual JavaScript objects instead of JSON strings; and third, the data source either fails to perform type sanitization AND blindly stores/returns raw objects interchangeably with strings, OR is compromised (e.g., poisoned local storage, filesystem, or database). Versions 10.26.10, 10.27.3, and 10.28.2 patch the issue. The patch versions restore the previous strict equality checks that prevent JSON-parsed objects from being treated as valid VNodes. Other mitigations are available for those who cannot immediately upgrade. Validate input types, cast or validate network data, sanitize external data, and use Content Security Policy (CSP). 2026-01-08 not yet calculated CVE-2026-22028 https://github.com/preactjs/preact/security/advisories/GHSA-36hm-qxxp-pg3m
 
Proxy & VPN Blocker--Proxy & VPN Blocker Missing Authorization vulnerability in Proxy &amp; VPN Blocker Proxy &amp; VPN Blocker proxy-vpn-blocker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Proxy &amp; VPN Blocker: from n/a through <= 3.5.3. 2026-01-06 not yet calculated CVE-2025-69353 https://vdp.patchstack.com/database/Wordpress/Plugin/proxy-vpn-blocker/vulnerability/wordpress-proxy-vpn-blocker-plugin-3-5-3-broken-access-control-vulnerability?_s_id=cve
 
pterodactyl--panel Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changes with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions are revoked. A user must have been connected to SFTP at the time of their permissions being revoked in order for this vulnerability to be exploited. This issue is fixed in version 1.12.0. 2026-01-06 not yet calculated CVE-2025-68954 https://github.com/pterodactyl/panel/security/advisories/GHSA-8c39-xppg-479c
https://github.com/pterodactyl/panel/commit/2bd9d8baddb0e0606e4a9d5be402f48678ac88d5
https://github.com/pterodactyl/panel/releases/tag/v1.12.0
 
PublishPress--Post Expirator Missing Authorization vulnerability in PublishPress Post Expirator post-expirator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Expirator: from n/a through <= 4.9.3. 2026-01-06 not yet calculated CVE-2025-69361 https://vdp.patchstack.com/database/Wordpress/Plugin/post-expirator/vulnerability/wordpress-post-expirator-plugin-4-9-3-broken-access-control-vulnerability?_s_id=cve
 
purethemes--Listeo Core Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes Listeo Core listeo-core allows Reflected XSS.This issue affects Listeo Core: from n/a through < 2.0.19. 2026-01-08 not yet calculated CVE-2025-67932 https://vdp.patchstack.com/database/Wordpress/Plugin/listeo-core/vulnerability/wordpress-listeo-core-plugin-2-0-19-cross-site-scripting-xss-vulnerability?_s_id=cve
 
py-pdf--pypdf pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be achieved by omitting the /Root entry in the trailer, while using a rather large /Size value. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0. 2026-01-10 not yet calculated CVE-2026-22690 https://github.com/py-pdf/pypdf/security/advisories/GHSA-4xc4-762w-m6cg
https://github.com/py-pdf/pypdf/pull/3594
https://github.com/py-pdf/pypdf/commit/294165726b646bb7799be1cc787f593f2fdbcf45
https://github.com/py-pdf/pypdf/releases/tag/6.6.0
 
py-pdf--pypdf pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0. 2026-01-10 not yet calculated CVE-2026-22691 https://github.com/py-pdf/pypdf/security/advisories/GHSA-4f6g-68pf-7vhv
https://github.com/py-pdf/pypdf/pull/3594
https://github.com/py-pdf/pypdf/commit/294165726b646bb7799be1cc787f593f2fdbcf45
https://github.com/py-pdf/pypdf/releases/tag/6.6.0
 
QantumThemes--Typify Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QantumThemes Typify typify allows PHP Local File Inclusion.This issue affects Typify: from n/a through <= 3.0.2. 2026-01-08 not yet calculated CVE-2025-22712 https://vdp.patchstack.com/database/Wordpress/Theme/typify/vulnerability/wordpress-typify-theme-3-0-2-local-file-inclusion-vulnerability?_s_id=cve
 
redaxo--redaxo REDAXO is a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. The Backup addon does not validate the `EXPDIR` POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing `../` sequences (or even absolute paths inside the document root) to include any readable file in the generated `.tar.gz` archive. Version 5.20.2 fixes this issue. 2026-01-07 not yet calculated CVE-2026-21857 https://github.com/redaxo/redaxo/security/advisories/GHSA-824x-88xg-cwrv
https://github.com/redaxo/redaxo/releases/tag/5.20.2
 
rezmoss--axios4go axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global `defaultClient` is mutated during request execution without synchronization, directly modifying the shared `http.Client`'s `Transport`, `Timeout`, and `CheckRedirect` properties. Impacted applications include that that use axios4go with concurrent requests (multiple goroutines, `GetAsync`, `PostAsync`, etc.), those where different requests use different proxy configurations, and those that handle sensitive data (authentication credentials, tokens, API keys). Version 0.6.4 fixes this issue. 2026-01-07 not yet calculated CVE-2026-21697 https://github.com/rezmoss/axios4go/security/advisories/GHSA-cmj9-27wj-7x47
https://github.com/rezmoss/axios4go/commit/b651604c64e66a115ab90cdab358b0181d74a842
https://github.com/rezmoss/axios4go/releases/tag/v0.6.4
 
RiceTheme--Felan Framework Authentication Bypass Using an Alternate Path or Channel vulnerability in RiceTheme Felan Framework felan-framework allows Authentication Abuse.This issue affects Felan Framework: from n/a through <= 1.1.3. 2026-01-08 not yet calculated CVE-2025-23504 https://vdp.patchstack.com/database/Wordpress/Plugin/felan-framework/vulnerability/wordpress-felan-framework-plugin-1-1-3-account-takeover-vulnerability?_s_id=cve
 
RiceTheme--Felan Framework Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RiceTheme Felan Framework felan-framework allows SQL Injection.This issue affects Felan Framework: from n/a through <= 1.1.3. 2026-01-08 not yet calculated CVE-2025-23993 https://vdp.patchstack.com/database/Wordpress/Plugin/felan-framework/vulnerability/wordpress-felan-framework-plugin-1-1-3-sql-injection-vulnerability?_s_id=cve
 
Ricoh Company, Ltd.--RICOH Streamline NX Improper authorization vulnerability exists in RICOH Streamline NX 3.5.1 to 24R3. If a man-in-the-middle attack is conducted on the communication between the affected product and its user, and some crafted request is processed by the product, the user's registration information and/or OIDC (OpenID Connect) tokens may be retrieved. 2026-01-09 not yet calculated CVE-2026-21409 https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2025-000011
https://jvn.jp/en/jp/JVN12770174/
 
RUCKUS Networks--vRIoT IOT Controller The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can escape the container and execute arbitrary OS commands as root on the underlying vRIoT controller, resulting in complete system compromise. 2026-01-09 not yet calculated CVE-2025-69426 https://support.ruckuswireless.com/security_bulletins/336
https://www.vulncheck.com/advisories/ruckus-vriot-iot-controller-hardcoded-ssh-credentials-rce
 
RUCKUS Networks--vRIoT IoT Controller The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compromise. 2026-01-09 not yet calculated CVE-2025-69425 https://support.ruckuswireless.com/security_bulletins/336
https://www.vulncheck.com/advisories/ruckus-vriot-iot-controller-hardcoded-tokens-rce
 
RustCrypto--elliptic-curves RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a critical vulnerability exists in the SM2 Public Key Encryption (PKE) implementation where the ephemeral nonce k is generated with severely reduced entropy. A unit mismatch error causes the nonce generation function to request only 32 bits of randomness instead of the expected 256 bits. This reduces the security of the encryption from a 128-bit level to a trivial 16-bit level, allowing a practical attack to recover the nonce k and decrypt any ciphertext given only the public key and ciphertext. This issue has been patched via commit e4f7778. 2026-01-10 not yet calculated CVE-2026-22698 https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-w3g8-fp6j-wvqw
https://github.com/RustCrypto/elliptic-curves/pull/1600
https://github.com/RustCrypto/elliptic-curves/commit/4781762f23ff22ab34763410f648128055c93731
https://github.com/RustCrypto/elliptic-curves/commit/e4f77788130d065d760e57fb109370827110a525
https://crates.io/crates/sm2/0.14.0-pre.0
https://crates.io/crates/sm2/0.14.0-rc.0
 
RustCrypto--RSA The `rsa` crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is `1`. Version 0.9.10 fixes the issue. 2026-01-08 not yet calculated CVE-2026-21895 https://github.com/RustCrypto/RSA/security/advisories/GHSA-9c48-w39g-hm26
https://github.com/RustCrypto/RSA/commit/2926c91bef7cb14a7ccd42220a698cf4b1b692f7
 
rustfs--rustfs RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.78, RustFS contains a path traversal vulnerability in the /rustfs/rpc/read_file_stream endpoint. This issue has been patched in version 1.0.0-alpha.79. 2026-01-07 not yet calculated CVE-2025-68705 https://github.com/rustfs/rustfs/security/advisories/GHSA-pq29-69jg-9mxc
https://github.com/rustfs/rustfs/commit/ab752458ce431c6397175d167beee2ea00507d3e
 
rustfs--rustfs RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.77, a malformed gRPC GetMetrics request causes get_metrics to unwrap() failed deserialization of metric_type/opts, panicking the handler thread and enabling remote denial of service of the metrics endpoint. This issue has been patched in version 1.0.0-alpha.78. 2026-01-07 not yet calculated CVE-2025-69255 https://github.com/rustfs/rustfs/security/advisories/GHSA-gw2x-q739-qhcr
https://github.com/rustfs/rustfs/commit/eb33e82b56ed11fd12bb39416359d8d60737dc7a
 
rustfs--rustfs RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.79, he `ImportIam` admin API validates permissions using `ExportIAMAction` instead of `ImportIAMAction`, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM data performs privileged write actions (creating/updating users, groups, policies, and service accounts), this can lead to unauthorized IAM modification and privilege escalation. Version 1.0.0-alpha.79 fixes the issue. 2026-01-08 not yet calculated CVE-2026-22042 https://github.com/rustfs/rustfs/security/advisories/GHSA-vcwh-pff9-64cc
 
rustfs--rustfs RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent's full privileges. This enables privilege escalation and bypass of session/inline policy restrictions. Version 1.0.0-alpha.79 fixes the issue. 2026-01-08 not yet calculated CVE-2026-22043 https://github.com/rustfs/rustfs/security/advisories/GHSA-xgr5-qc6w-vcg9
 
Ryan Sutana--WP App Bar Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Sutana WP App Bar wp-app-bar allows Reflected XSS.This issue affects WP App Bar: from n/a through <= 1.5. 2026-01-08 not yet calculated CVE-2025-68891 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-app-bar/vulnerability/wordpress-wp-app-bar-plugin-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Salesforce--Uni2TS Improper Control of Generation of Code ('Code Injection') vulnerability in Salesforce Uni2TS on MacOS, Windows, Linux allows Leverage Executable Code in Non-Executable Files.This issue affects Uni2TS: through 1.2.0. 2026-01-09 not yet calculated CVE-2026-22584 https://help.salesforce.com/s/articleView?id=005239354&type=1
 
Samsung Mobile--Galaxy Store Improper input validation in Galaxy Store prior to version 4.6.02 allows local attacker to execute arbitrary script. 2026-01-09 not yet calculated CVE-2026-20976 https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=01
 
Samsung Mobile--Samsung Cloud Improper handling of insufficient permission in Samsung Cloud prior to version 5.6.11 allows local attackers to access specific files in arbitrary path. 2026-01-09 not yet calculated CVE-2026-20975 https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=01
 
Samsung Mobile--Samsung Mobile Devices Use after free in DualDAR prior to SMR Jan-2026 Release 1 allows local privileged attackers to execute arbitrary code. 2026-01-09 not yet calculated CVE-2026-20968 https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=01
 
Samsung Mobile--Samsung Mobile Devices Improper input validation in SecSettings prior to SMR Jan-2026 Release 1 allows local attacker to access file with system privilege. User interaction is required for triggering this vulnerability. 2026-01-09 not yet calculated CVE-2026-20969 https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=01
 
Samsung Mobile--Samsung Mobile Devices Improper access control in SLocation prior to SMR Jan-2026 Release 1 allows local attackers to execute the privileged APIs. 2026-01-09 not yet calculated CVE-2026-20970 https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=01
 
Samsung Mobile--Samsung Mobile Devices Use After Free in PROCA driver prior to SMR Jan-2026 Release 1 allows local attackers to potentially execute arbitrary code. 2026-01-09 not yet calculated CVE-2026-20971 https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=01
 
Samsung Mobile--Samsung Mobile Devices Improper Export of Android Application Components in UwbTest prior to SMR Jan-2026 Release 1 allows local attackers to enable UWB. 2026-01-09 not yet calculated CVE-2026-20972 https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=01
 
Samsung Mobile--Samsung Mobile Devices Improper input validation in data related to network restrictions prior to SMR Jan-2026 Release 1 allows physical attackers to bypass Carrier Relock. 2026-01-09 not yet calculated CVE-2026-20974 https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=01
 
Shahjada--Visitor Stats Widget Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shahjada Visitor Stats Widget visitor-stats-widget allows Reflected XSS.This issue affects Visitor Stats Widget: from n/a through <= 1.5.0. 2026-01-08 not yet calculated CVE-2025-68874 https://vdp.patchstack.com/database/Wordpress/Plugin/visitor-stats-widget/vulnerability/wordpress-visitor-stats-widget-plugin-1-5-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Shahjahan Jewel--Fluent Support Missing Authorization vulnerability in Shahjahan Jewel Fluent Support fluent-support allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fluent Support: from n/a through <= 1.10.4. 2026-01-08 not yet calculated CVE-2025-67926 https://vdp.patchstack.com/database/Wordpress/Plugin/fluent-support/vulnerability/wordpress-fluent-support-plugin-1-10-4-broken-access-control-vulnerability?_s_id=cve
 
Shahjahan Jewel--Ninja Tables Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows Blind SQL Injection.This issue affects Ninja Tables: from n/a through <= 5.2.4. 2026-01-06 not yet calculated CVE-2025-69351 https://vdp.patchstack.com/database/Wordpress/Plugin/ninja-tables/vulnerability/wordpress-ninja-tables-plugin-5-2-4-sql-injection-vulnerability?_s_id=cve
 
shinetheme--Traveler Missing Authorization vulnerability in shinetheme Traveler traveler allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Traveler: from n/a through <= 3.2.6. 2026-01-08 not yet calculated CVE-2025-67917 https://vdp.patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-2-6-broken-access-control-vulnerability-2?_s_id=cve
 
silabs.com--Z-Wave Protocol Controller An integer underflow vulnerability in the Silicon Labs Z-Wave Protocol Controller can lead to out of bounds memory reads. 2026-01-05 not yet calculated CVE-2025-10933 https://community.silabs.com/068Vm00000a4nNI
 
sizam--REHub Framework Missing Authorization vulnerability in sizam REHub Framework rehub-framework allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects REHub Framework: from n/a through <= 19.9.5. 2026-01-08 not yet calculated CVE-2025-14358 https://vdp.patchstack.com/database/Wordpress/Plugin/rehub-framework/vulnerability/wordpress-rehub-framework-plugin-19-9-5-broken-access-control-vulnerability?_s_id=cve
 
Spencer Haws--Link Whisper Free Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spencer Haws Link Whisper Free link-whisper allows Reflected XSS.This issue affects Link Whisper Free: from n/a through <= 0.8.8. 2026-01-08 not yet calculated CVE-2025-67927 https://vdp.patchstack.com/database/Wordpress/Plugin/link-whisper/vulnerability/wordpress-link-whisper-free-plugin-0-8-8-cross-site-scripting-xss-vulnerability?_s_id=cve
 
StellarWP--The Events Calendar Missing Authorization vulnerability in StellarWP The Events Calendar the-events-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Events Calendar: from n/a through <= 6.15.12.2. 2026-01-06 not yet calculated CVE-2025-69352 https://vdp.patchstack.com/database/Wordpress/Plugin/the-events-calendar/vulnerability/wordpress-the-events-calendar-plugin-6-15-12-2-broken-access-control-vulnerability?_s_id=cve
 
taskbuilder--Taskbuilder Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in taskbuilder Taskbuilder taskbuilder allows Reflected XSS.This issue affects Taskbuilder: from n/a through <= 4.0.9. 2026-01-08 not yet calculated CVE-2025-67933 https://vdp.patchstack.com/database/Wordpress/Plugin/taskbuilder/vulnerability/wordpress-taskbuilder-plugin-4-0-9-cross-site-scripting-xss-vulnerability?_s_id=cve
 
TECNO Mobile--com.afmobi.boomplayer Insufficient Verification of Data Authenticity vulnerability in TECNO Mobile com.Afmobi.Boomplayer allows Authentication Bypass.This issue affects com.Afmobi.Boomplayer: 7.4.63. 2026-01-06 not yet calculated CVE-2025-15385 https://security.tecno.com/SRC/securityUpdates
 
Tenda--300Mbps Wireless Router F3 and N300 Easy Setup Router This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the plaintext transmission of login credentials during the initial login or post-factory reset setup through the web-based administrative interface. An attacker on the same network could exploit this vulnerability by intercepting network traffic and capturing the credentials transmitted in plaintext. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthorized access to the targeted device. 2026-01-09 not yet calculated CVE-2026-22079 https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0004
 
Tenda--300Mbps Wireless Router F3 and N300 Easy Setup Router This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the transmission of credentials encoded using reversible Base64 encoding through the web-based administrative interface. An attacker on the same network could exploit this vulnerability by intercepting network traffic and capturing the Base64-encoded credentials. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthorized access to the targeted device. 2026-01-09 not yet calculated CVE-2026-22080 https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0004
 
Tenda--300Mbps Wireless Router F3 and N300 Easy Setup Router This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the missing HTTPOnly flag for session cookies associated with the web-based administrative interface. A remote at-tacker could exploit this vulnerability by capturing session cookies transmitted over an insecure HTTP connection. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unau-thorized access to the targeted device. 2026-01-09 not yet calculated CVE-2026-22081 https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0004
 
Tenda--300Mbps Wireless Router F3 and N300 Easy Setup Router This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the use of login credentials as the session ID through its web-based administrative interface. A remote attacker could exploit this vulnerability by intercepting network traffic and capturing the session ID during insecure transmission. Successful exploitation of this vulnerability could allow the attacker to hijack an authenticated session and compromise sensitive configuration information on the targeted device. 2026-01-09 not yet calculated CVE-2026-22082 https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0004
 
The Wikimedia Foundation--Mediawiki - ApprovedRevs Extension Improper Encoding or Escaping of Output due to magic word replacement in ParserAfterTidy vulnerability in The Wikimedia Foundation Mediawiki - ApprovedRevs Extension allows Input Data Manipulation.This issue affects Mediawiki - ApprovedRevs Extension: 1.45, 1.44, 1.43, 1.39. 2026-01-09 not yet calculated CVE-2026-22712 https://phabricator.wikimedia.org/T412068
https://gerrit.wikimedia.org/r/q/Iee1bf1cbc8a519899e7f9dde508856bd4e5a5d2a
 
The Wikimedia Foundation--Mediawiki - GrowthExperiments Extension Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - GrowthExperiments Extension: 1.45, 1.44, 1.43, 1.39. 2026-01-09 not yet calculated CVE-2026-22713 https://phabricator.wikimedia.org/T411144
https://gerrit.wikimedia.org/r/q/Iff01940a163ed87ec52f3a64ba6b2dbfa2759df3
 
The Wikimedia Foundation--Mediawiki - Monaco Skin Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Monaco Skin allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Monaco Skin: 1.45, 1.44, 1.43, 1.39. 2026-01-08 not yet calculated CVE-2026-22714 https://phabricator.wikimedia.org/T411126
https://gerrit.wikimedia.org/r/q/I00b2e369fa189803380ca7409022a11b670d2500
 
The Wikimedia Foundation--Mediawiki - Wikibase Extension Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Wikibase Extension: 1.45, 1.44, 1.43, 1.39. 2026-01-08 not yet calculated CVE-2026-22710 https://phabricator.wikimedia.org/T409737
https://gerrit.wikimedia.org/r/q/I39d0074b2ad022b6efe6ab3dd8c8ec0f86c6c466
 
ThemeGoods--Grand Restaurant Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Reflected XSS.This issue affects Grand Restaurant: from n/a through < 7.0.9. 2026-01-08 not yet calculated CVE-2025-67922 https://vdp.patchstack.com/database/Wordpress/Theme/grandrestaurant/vulnerability/wordpress-grand-restaurant-theme-7-0-9-cross-site-scripting-xss-vulnerability?_s_id=cve
 
THEMELOGI--Navian Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in THEMELOGI Navian navian allows PHP Local File Inclusion.This issue affects Navian: from n/a through <= 1.5.4. 2026-01-08 not yet calculated CVE-2025-14431 https://vdp.patchstack.com/database/Wordpress/Theme/navian/vulnerability/wordpress-navian-theme-1-5-4-local-file-inclusion-vulnerability?_s_id=cve
 
ThemeMove--AeroLand Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove AeroLand aeroland allows PHP Local File Inclusion.This issue affects AeroLand: from n/a through <= 1.6.6. 2026-01-08 not yet calculated CVE-2025-14429 https://vdp.patchstack.com/database/Wordpress/Theme/aeroland/vulnerability/wordpress-aeroland-theme-1-6-6-local-file-inclusion-vulnerability?_s_id=cve
 
ThemeMove--Brook - Agency Business Creative Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Brook - Agency Business Creative brook allows PHP Local File Inclusion.This issue affects Brook - Agency Business Creative: from n/a through <= 2.8.9. 2026-01-08 not yet calculated CVE-2025-14430 https://vdp.patchstack.com/database/Wordpress/Theme/brook/vulnerability/wordpress-brook-agency-business-creative-theme-2-8-9-local-file-inclusion-vulnerability?_s_id=cve
 
ThemeMove--Mitech Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Mitech mitech allows PHP Local File Inclusion.This issue affects Mitech: from n/a through <= 2.3.4. 2026-01-08 not yet calculated CVE-2025-22708 https://vdp.patchstack.com/database/Wordpress/Theme/mitech/vulnerability/wordpress-mitech-theme-2-3-4-local-file-inclusion-vulnerability?_s_id=cve
 
ThemeMove--Moody Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Moody tm-moody allows PHP Local File Inclusion.This issue affects Moody: from n/a through <= 2.7.3. 2026-01-08 not yet calculated CVE-2025-22707 https://vdp.patchstack.com/database/Wordpress/Theme/tm-moody/vulnerability/wordpress-moody-theme-2-7-3-local-file-inclusion-vulnerability?_s_id=cve
 
Themepoints--Accordion Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Accordion accordions-wp allows Stored XSS.This issue affects Accordion: from n/a through <= 3.0.3. 2026-01-06 not yet calculated CVE-2025-69350 https://vdp.patchstack.com/database/Wordpress/Plugin/accordions-wp/vulnerability/wordpress-accordion-plugin-3-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Themepoints--Team Showcase Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Team Showcase team-showcase allows Stored XSS.This issue affects Team Showcase: from n/a through <= 2.9. 2026-01-06 not yet calculated CVE-2025-69335 https://vdp.patchstack.com/database/Wordpress/Plugin/team-showcase/vulnerability/wordpress-team-showcase-plugin-2-9-cross-site-scripting-xss-vulnerability?_s_id=cve
 
themesuite--Automotive Listings Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in themesuite Automotive Listings automotive allows Blind SQL Injection.This issue affects Automotive Listings: from n/a through <= 18.6. 2026-01-08 not yet calculated CVE-2025-67928 https://vdp.patchstack.com/database/Wordpress/Plugin/automotive/vulnerability/wordpress-automotive-listings-plugin-18-6-sql-injection-vulnerability?_s_id=cve
 
Tickera--Tickera Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tickera: from n/a through <= 3.5.6.4. 2026-01-06 not yet calculated CVE-2025-69355 https://vdp.patchstack.com/database/Wordpress/Plugin/tickera-event-ticketing-system/vulnerability/wordpress-tickera-plugin-3-5-6-4-broken-access-control-vulnerability?_s_id=cve
 
TMRW-studio--Atlas Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TMRW-studio Atlas atlas allows PHP Local File Inclusion.This issue affects Atlas: from n/a through <= 2.1.0. 2026-01-08 not yet calculated CVE-2025-22509 https://vdp.patchstack.com/database/Wordpress/Theme/atlas/vulnerability/wordpress-atlas-theme-2-1-0-local-file-inclusion-vulnerability?_s_id=cve
 
TP-Link Systems Inc.--Archer AXE75 v1.6 Improper Input Validation vulnerability in TP-Link Archer AXE75 v1.6 (vpn modules) allows an authenticated adjacent attacker to delete arbitrary server file, leading to possible loss of critical system files and service interruption or degraded functionality.This issue affects Archer AXE75 v1.6: ≤ build 20250107. 2026-01-09 not yet calculated CVE-2025-15035 https://github.com/PaloAltoNetworks/u42-vulnerability-disclosures/tree/master/2025/PANW-2025-0004
https://www.tp-link.com/us/support/download/archer-axe75/v1/#Firmware
https://www.tp-link.com/en/support/download/archer-axe75/v1/#Firmware
https://www.tp-link.com/jp/support/download/archer-axe75/v1/#Firmware
https://www.tp-link.com/phppage/preview.php?url=https://www.tp-link.com/en/support/faq/4881/
 
TP-Link Systems Inc.--Archer BE400 A NULL Pointer Dereference vulnerability in TP-Link Archer BE400 V1(802.11 modules) allows  an adjacent attacker to cause a denial-of-service (DoS) by triggering a device reboot. This issue affects Archer BE400: xi 1.1.0 Build 20250710 rel.14914. 2026-01-07 not yet calculated CVE-2025-14631 https://www.tp-link.com/en/support/download/archer-be400/v1/#Firmware
https://www.tp-link.com/us/support/download/archer-be400/#Firmware
https://www.tp-link.com/us/support/faq/4871/
 
trailofbits--fickling Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's runpy module as unsafe. Because of this, a malicious pickle that uses runpy.run_path() or runpy.run_module() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling's output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7. 2026-01-10 not yet calculated CVE-2026-22606 https://github.com/trailofbits/fickling/security/advisories/GHSA-wfq2-52f7-7qvj
https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66
https://github.com/trailofbits/fickling/releases/tag/v0.1.7
 
trailofbits--fickling Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling's output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7. 2026-01-10 not yet calculated CVE-2026-22607 https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9
https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43
https://github.com/trailofbits/fickling/releases/tag/v0.1.7
 
trailofbits--fickling Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, both ctypes and pydoc modules aren't explicitly blocked. Even other existing pickle scanning tools (like picklescan) do not block pydoc.locate. Chaining these two together can achieve RCE while the scanner still reports the file as LIKELY_SAFE. This issue has been patched in version 0.1.7. 2026-01-10 not yet calculated CVE-2026-22608 https://github.com/trailofbits/fickling/security/advisories/GHSA-5hvc-6wx8-mvv4
https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1
https://github.com/trailofbits/fickling/releases/tag/v0.1.7
 
trailofbits--fickling Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafe_imports() method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected as unsafe, allowing attackers to bypass Fickling's primary static safety checks. This issue has been patched in version 0.1.7. 2026-01-10 not yet calculated CVE-2026-22609 https://github.com/trailofbits/fickling/security/advisories/GHSA-q5qq-mvfm-j35x
https://github.com/trailofbits/fickling/commit/29d5545e74b07766892c1f0461b801afccee4f91
https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66
https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1
https://github.com/trailofbits/fickling/commit/eb299b453342f1931c787bcb3bc33f3a03a173f9
https://github.com/trailofbits/fickling/releases/tag/v0.1.7
 
trailofbits--fickling Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, Fickling is vulnerable to detection bypass due to "builtins" blindness. This issue has been patched in version 0.1.7. 2026-01-10 not yet calculated CVE-2026-22612 https://github.com/trailofbits/fickling/security/advisories/GHSA-h4rm-mm56-xf63
https://github.com/trailofbits/fickling/commit/9f309ab834797f280cb5143a2f6f987579fa7cdf
https://github.com/trailofbits/fickling/releases/tag/v0.1.7
 
Tribulant Software--Newsletters Deserialization of Untrusted Data vulnerability in Tribulant Software Newsletters newsletters-lite allows Object Injection.This issue affects Newsletters: from n/a through <= 4.11. 2026-01-08 not yet calculated CVE-2025-67911 https://vdp.patchstack.com/database/Wordpress/Plugin/newsletters-lite/vulnerability/wordpress-newsletters-plugin-4-11-php-object-injection-vulnerability?_s_id=cve
 
TryGhost--Ghost Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF. This issue has been patched in versions 5.130.6 and 6.11.0. 2026-01-10 not yet calculated CVE-2026-22597 https://github.com/TryGhost/Ghost/security/advisories/GHSA-vmc4-9828-r48r
https://github.com/TryGhost/Ghost/commit/15d49131ff4aac3aca8642501c793f01f2bfcbb9
https://github.com/TryGhost/Ghost/commit/93add549ccf079d8e28bdb724fbb71a76942ff51
 
Ubiquiti Inc--airMAX AC A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product. Affected Products: airMAX AC (Version 8.7.20 and earlier) airMAX M (Version 6.3.22 and earlier) airFiber AF60-XG (Version 1.2.2 and earlier) airFiber AF60 (Version 2.6.7 and earlier) Mitigation: Update your airMAX AC to Version 8.7.21 or later. Update your airMAX M to Version 6.3.24 or later. Update your airFiber AF60-XG to Version 1.2.3 or later. Update your airFiber AF60 to Version 2.6.8 or later. 2026-01-08 not yet calculated CVE-2026-21639 https://community.ui.com/releases/Security-Advisory-Bulletin-061-061/1e4fe5f8-29c7-4a7d-a518-01b1537983ba
 
Unknown--FlexTable The FlexTable WordPress plugin before 3.19.2 does not sanitise and escape the imported links from Google Sheet cells, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). 2026-01-05 not yet calculated CVE-2025-9543 https://wpscan.com/vulnerability/6cc212f4-aa61-409a-b257-9c920956a401/
 
Unknown--Frontend File Manager Plugin The Frontend File Manager Plugin WordPress plugin before 23.5 did not validate a path parameter and ownership of the file, allowing any authenticated users, such as subscribers to delete arbitrary files on the server 2026-01-07 not yet calculated CVE-2025-14804 https://wpscan.com/vulnerability/c572c0ad-1b36-49ce-b254-2181e53abb46/
 
Unknown--NEX-Forms The NEX-Forms WordPress plugin before 9.1.8 does not sanitise and escape some of its settings. The NEX-Forms WordPress plugin before 9.1.8 can be configured in such a way that could allow subscribers to perform Stored Cross-Site Scripting. 2026-01-09 not yet calculated CVE-2025-14803 https://wpscan.com/vulnerability/219af0e7-3d8b-4405-8005-b8969a370b0b/
 
Unknown--Relevanssi The Relevanssi WordPress plugin before 4.26.0, Relevanssi Premium WordPress plugin before 2.29.0 do not sanitize and escape a parameter before using it in a SQL statement, allowing contributor and above roles to perform SQL injection attacks 2026-01-07 not yet calculated CVE-2025-14719 https://wpscan.com/vulnerability/bd8e27c7-8f97-4313-b16e-50ac6f0676f5/
 
Unknown--Team The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. 2026-01-05 not yet calculated CVE-2025-14124 https://wpscan.com/vulnerability/fdd19027-b70e-45a4-882b-77ab1819af91/
 
urllib3--urllib3 urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source. 2026-01-07 not yet calculated CVE-2026-21441 https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99
https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b
 
vaadin--vaadin Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input. In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed versions sanitize captions by default and provide an API to explicitly enable HTML content mode for backwards compatibility. In Vaadin 23 and newer, the Action class is only used by the Spreadsheet component. The fixed versions sanitize HTML using Jsoup with a relaxed safelist. Vaadin 14 is not affected as Spreadsheet component was not supported. Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include: Product version Vaadin 7.0.0 - 7.7.49 Vaadin 8.0.0 - 8.29.1 Vaadin 23.1.0 - 23.6.5 Vaadin 24.0.0 - 24.8.13 Vaadin 24.9.0 - 24.9.6 Mitigation Upgrade to 7.7.50 Upgrade to 8.30.0 Upgrade to 23.6.6 Upgrade to 24.8.14 or 24.9.7 Upgrade to 25.0.0 or newer Artifacts     Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server 7.0.0 - 7.7.49 ≥7.7.50 com.vaadin:vaadin-server 8.0.0 - 8.29.1 ≥8.30.0 com.vaadin:vaadin 23.1.0 - 23.6.5 ≥23.6.6 com.vaadin:vaadin24.0.0 - 24.8.13 ≥24.8.14 com.vaadin:vaadin24.9.0 - 24.9.6 ≥24.9.7 com.vaadin:vaadin-spreadsheet-flow 23.1.0 - 23.6.5 ≥23.6.6 com.vaadin:vaadin-spreadsheet-flow 24.0.0 - 24.8.13 ≥24.8.14 com.vaadin:vaadin-spreadsheet-flow 24.9.0 - 24.9.6 ≥24.9.7 2026-01-05 not yet calculated CVE-2025-15022 https://vaadin.com/security/cve-2025-15022
https://github.com/vaadin/flow-components/pull/8285
 
VanKarWai--Calafate Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in VanKarWai Calafate calafate allows PHP Local File Inclusion.This issue affects Calafate: from n/a through <= 1.7.7. 2026-01-06 not yet calculated CVE-2025-69342 https://vdp.patchstack.com/database/Wordpress/Theme/calafate/vulnerability/wordpress-calafate-theme-1-7-7-local-file-inclusion-vulnerability?_s_id=cve
 
VanKarWai--Lobo Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VanKarWai Lobo lobo allows Blind SQL Injection.This issue affects Lobo: from n/a through < 2.8.6. 2026-01-08 not yet calculated CVE-2025-67921 https://vdp.patchstack.com/database/Wordpress/Theme/lobo/vulnerability/wordpress-lobo-theme-2-8-6-sql-injection-vulnerability?_s_id=cve
 
vanquish--WooCommerce Orders & Customers Exporter Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in vanquish WooCommerce Orders & Customers Exporter woocommerce-orders-ei allows SQL Injection.This issue affects WooCommerce Orders & Customers Exporter: from n/a through <= 5.4. 2026-01-08 not yet calculated CVE-2025-22713 https://vdp.patchstack.com/database/Wordpress/Plugin/woocommerce-orders-ei/vulnerability/wordpress-woocommerce-orders-customers-exporter-plugin-5-4-sql-injection-vulnerability?_s_id=cve
 
Vernon Systems Limited--eHive Search Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vernon Systems Limited eHive Search ehive-search allows Reflected XSS.This issue affects eHive Search: from n/a through <= 2.5.0. 2026-01-08 not yet calculated CVE-2025-67930 https://vdp.patchstack.com/database/Wordpress/Plugin/ehive-search/vulnerability/wordpress-ehive-search-plugin-2-5-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Vivotek--IP7137 Vivotek IP7137 camera with firmware version 0200a is vulnerable to an information disclosure issue where live camera footage can be accessed through the RTSP protocol on port 8554 without requiring authentication. This allows unauthorized users with network access to view the camera's feed, potentially compromising user privacy and security.  The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released. 2026-01-09 not yet calculated CVE-2025-66049 https://cert.pl/posts/2026/01/CVE-2025-66049
 
Vivotek--IP7137 Vivotek IP7137 camera with firmware version 0200a by default dos not require to provide any password when logging in as an administrator. While it is possible to set up such a password, a user is not informed about such a need. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released. 2026-01-09 not yet calculated CVE-2025-66050 https://cert.pl/posts/2026/01/CVE-2025-66049
 
Vivotek--IP7137 Vivotek IP7137 camera with firmware version 0200a is vulnerable to path traversal. It is possible for an authenticated attacker to access resources beyond webroot directory using a direct HTTP request. Due to CVE-2025-66050, a password for administration panel is not set by default. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released. 2026-01-09 not yet calculated CVE-2025-66051 https://cert.pl/posts/2026/01/CVE-2025-66049
 
Vivotek--IP7137 Vivotek IP7137 camera with firmware version 0200a is vulnerable to command injection. Parameter "system_ntpIt" used by "/cgi-bin/admin/setparam.cgi" endpoint is not sanitized properly, allowing a user with administrative privileges to perform an attack. Due to CVE-2025-66050, administrative access is not protected by default,  The vendor has not replied to the CNA Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released. 2026-01-09 not yet calculated CVE-2025-66052 https://cert.pl/posts/2026/01/CVE-2025-66049
 
Wikimedia Foundation--MediaWiki - CampaignEvents extension Missing Authorization vulnerability in Wikimedia Foundation MediaWiki - CampaignEvents extension allows Privilege Abuse.This issue affects MediaWiki - CampaignEvents extension: 1.45, 1.44, 1.43, 1.39. 2026-01-09 not yet calculated CVE-2026-0817 https://phabricator.wikimedia.org/T410560
https://gerrit.wikimedia.org/r/q/I7ed0049691258c8bd2555e599b9b88490fbe3358
 
Wikimedia Foundation--MediaWiki - CSS extension Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Wikimedia Foundation MediaWiki - CSS extension allows Path Traversal.This issue affects MediaWiki - CSS extension: 1.44, 1.43, 1.39. 2026-01-07 not yet calculated CVE-2026-0669 https://phabricator.wikimedia.org/T401526
https://gerrit.wikimedia.org/r/q/Ia15bf3f2e5a341868568492a736ac3dbf706c22e
 
Wikimedia Foundation--MediaWiki - ProofreadPage Extension Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows Cross-Site Scripting (XSS).This issue affects MediaWiki - ProofreadPage Extension: 1.45, 1.44, 1.43, 1.39. 2026-01-07 not yet calculated CVE-2026-0670 https://phabricator.wikimedia.org/T409423
https://gerrit.wikimedia.org/r/q/I7c028db5ed81843aacd596b0ee4dc2980f5b6e3c
 
Wikimedia Foundation--MediaWiki - UploadWizard extension Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - UploadWizard extension allows Cross-Site Scripting (XSS).This issue affects MediaWiki - UploadWizard extension: 1.45, 1.44, 1.43, 1.39. 2026-01-08 not yet calculated CVE-2026-0671 https://phabricator.wikimedia.org/T407157
https://gerrit.wikimedia.org/r/q/I16de2211594ea9a686868ad7789f9879bf981fa1
 
Wikimedia Foundation--MediaWiki - VisualData Extension Inefficient Regular Expression Complexity vulnerability in Wikimedia Foundation MediaWiki - VisualData Extension allows Regular Expression Exponential Blowup.This issue affects MediaWiki - VisualData Extension: 1.45. 2026-01-07 not yet calculated CVE-2026-0668 https://phabricator.wikimedia.org/T387008
https://gerrit.wikimedia.org/r/q/Ie08d9a8ceb2c9a22a635cfc27964353f14072dbf
https://gerrit.wikimedia.org/r/q/Ifbf9c2ade621226e14fe852f3217293772bf8bb8
https://gerrit.wikimedia.org/r/q/I893a9fca694a2613e29e149dea2d76d7f06063e5
https://gerrit.wikimedia.org/r/q/I4ff2737c9f0ba805267d1fc8296e7cff61241ee3
 
WofficeIO--Woffice Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WofficeIO Woffice woffice allows Reflected XSS.This issue affects Woffice: from n/a through <= 5.4.30. 2026-01-08 not yet calculated CVE-2025-67918 https://vdp.patchstack.com/database/Wordpress/Theme/woffice/vulnerability/wordpress-woffice-theme-5-4-30-cross-site-scripting-xss-vulnerability?_s_id=cve
 
WofficeIO--Woffice Core Authorization Bypass Through User-Controlled Key vulnerability in WofficeIO Woffice Core woffice-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Woffice Core: from n/a through <= 5.4.30. 2026-01-08 not yet calculated CVE-2025-67919 https://vdp.patchstack.com/database/Wordpress/Plugin/woffice-core/vulnerability/wordpress-woffice-core-plugin-5-4-30-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
wolfSSL--wolfSSH wolfSSH's key exchange state machine can be manipulated to leak the client's password in the clear, trick the client to send a bogus signature, or trick the client into skipping user authentication. This affects client applications with wolfSSH version 1.4.21 and earlier. Users of wolfSSH must update or apply the fix patch and it's recommended to update credentials used. This fix is also recommended for wolfSSH server applications. While there aren't any specific attacks on server applications, the same defect is present. Thanks to Aina Toky Rasoamanana of Valeo and Olivier Levillain of Telecom SudParis for the report. 2026-01-06 not yet calculated CVE-2025-14942 https://github.com/wolfSSL/wolfssh/pull/855
 
wolfSSL--wolfSSH A heap buffer over-read vulnerability exists in the wolfSSH_CleanPath() function in wolfSSH. An authenticated remote attacker can trigger the issue via crafted SCP path input containing '/./' sequences, resulting in a heap over read by 1 byte. 2026-01-06 not yet calculated CVE-2025-15382 https://github.com/wolfSSL/wolfssh/pull/859
 
wolfSSL--wolfSSL-py A vulnerability in the handling of verify_mode = CERT_REQUIRED in the wolfssl Python package (wolfssl-py) causes client certificate requirements to not be fully enforced.  Because the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag was not included, the behavior effectively matched CERT_OPTIONAL: a peer certificate was verified if presented, but connections were incorrectly authenticated when no client certificate was provided.  This results in improper authentication, allowing attackers to bypass mutual TLS (mTLS) client authentication by omitting a client certificate during the TLS handshake.  The issue affects versions up to and including 5.8.2. 2026-01-07 not yet calculated CVE-2025-15346 https://github.com/wolfSSL/wolfssl-py/pull/62
https://github.com/wolfSSL/wolfssl-py/commit/b4517dece79f682a8f453abce5cfc0b81bae769d
https://github.com/wolfSSL/wolfssl-py/releases/tag/v5.8.4-stable
 
WPCenter--AffiliateX Missing Authorization vulnerability in WPCenter AffiliateX affiliatex allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AffiliateX: from n/a through <= 1.3.9.3. 2026-01-06 not yet calculated CVE-2025-69346 https://vdp.patchstack.com/database/Wordpress/Plugin/affiliatex/vulnerability/wordpress-affiliatex-plugin-1-3-9-3-broken-access-control-vulnerability?_s_id=cve
 
WPFactory--Wishlist for WooCommerce Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Wishlist for WooCommerce wish-list-for-woocommerce allows Stored XSS.This issue affects Wishlist for WooCommerce: from n/a through <= 3.3.0. 2026-01-06 not yet calculated CVE-2025-69334 https://vdp.patchstack.com/database/Wordpress/Plugin/wish-list-for-woocommerce/vulnerability/wordpress-wishlist-for-woocommerce-plugin-3-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
WPFunnels--Creator LMS Missing Authorization vulnerability in WPFunnels Creator LMS creatorlms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Creator LMS: from n/a through <= 1.1.12. 2026-01-06 not yet calculated CVE-2025-69359 https://vdp.patchstack.com/database/Wordpress/Plugin/creatorlms/vulnerability/wordpress-creator-lms-plugin-1-1-12-broken-access-control-vulnerability?_s_id=cve
 
yintibao--Fun Print Mobile Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls. 2026-01-08 not yet calculated CVE-2025-15464 https://korelogic.com/Resources/Advisories/KL-001-2026-001.txt
 
zlib software--zlib zlib versions up to and including 1.3.1.2 contain a global buffer overflow in the untgz utility. The TGZfname() function copies an attacker-supplied archive name from argv[] into a fixed-size 1024-byte static global buffer using an unbounded strcpy() call without length validation. Supplying an archive name longer than 1024 bytes results in an out-of-bounds write that can lead to memory corruption, denial of service, and potentially code execution depending on compiler, build flags, architecture, and memory layout. The overflow occurs prior to any archive parsing or validation. 2026-01-07 not yet calculated CVE-2026-22184 https://seclists.org/fulldisclosure/2026/Jan/3
https://zlib.net/
https://github.com/madler/zlib
https://www.vulncheck.com/advisories/zlib-untgz-global-buffer-overflow-in-tgzfname
 
zozothemes--Corpkit Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Corpkit corpkit allows Upload a Web Shell to a Web Server.This issue affects Corpkit: from n/a through <= 2.0. 2026-01-08 not yet calculated CVE-2025-67924 https://vdp.patchstack.com/database/Wordpress/Theme/corpkit/vulnerability/wordpress-corpkit-theme-2-0-arbitrary-file-upload-vulnerability?_s_id=cve
 
zozothemes--Corpkit Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zozothemes Corpkit corpkit allows PHP Local File Inclusion.This issue affects Corpkit: from n/a through <= 2.0. 2026-01-08 not yet calculated CVE-2025-67925 https://vdp.patchstack.com/database/Wordpress/Theme/corpkit/vulnerability/wordpress-corpkit-theme-2-0-local-file-inclusion-vulnerability?_s_id=cve
 

Back to top

Vulnerability Summary for the Week of December 29, 2025
Posted on Monday January 05, 2026

High Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
SmarterTools--SmarterMail Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution. 2025-12-29 10 CVE-2025-52691 https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-124/
 
MiniDVBLinux--MiniDVBLinux MiniDVBLinux 5.4 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary commands as root through the 'command' GET parameter. Attackers can exploit the /tpl/commands.sh endpoint by sending malicious command values to gain root-level system access. 2025-12-30 9.8 CVE-2022-50691 Zero Science Lab Disclosure (ZSL-2022-5718)
Packet Storm Security Exploit Entry
VulnCheck Advisory: MiniDVBLinux 5.4 Remote Root Command Execution via commands.sh
 
SOUND4 Ltd.--Impact/Pulse/First SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x contains a network vulnerability that allows unauthenticated attackers to send ICMP signals to arbitrary hosts through network command scripts. Attackers can abuse ping.php, traceroute.php, and dns.php to generate network flooding attacks targeting external hosts. 2025-12-30 9.8 CVE-2022-50695 Zero Science Lab Disclosure (ZSL-2022-5728)
Packet Storm Security Exploit Details
IBM X-Force Vulnerability Exchange
SOUND4 Product Homepage
VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x ICMP Flood Attack via Network Commands
 
SOUND4 Ltd.--Impact/Pulse/First SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an unauthenticated vulnerability that allows remote attackers to access live radio stream information through webplay or ffmpeg scripts. Attackers can exploit the vulnerability by calling specific web scripts to disclose radio stream details without requiring authentication. 2025-12-30 9.8 CVE-2022-50790 Zero Science Lab Disclosure (ZSL-2022-5734)
Packet Storm Security Exploit Details
IBM X-Force Vulnerability Exchange Entry
SOUND4 Product Homepage
VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Unauthenticated Radio Stream Disclosure
 
SOUND4 Ltd.--Impact/Pulse/First SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an unauthenticated file disclosure vulnerability that allows remote attackers to access sensitive system files. Attackers can exploit the vulnerability by manipulating the 'file' GET parameter to disclose arbitrary files on the affected device. 2025-12-30 9.8 CVE-2022-50792 Zero Science Lab Disclosure (ZSL-2022-5736)
Packet Storm Security Exploit Details
IBM X-Force Vulnerability Exchange Entry
SOUND4 Product Homepage
VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Unauthenticated File Disclosure Vulnerability
 
SOUND4 Ltd.--Impact/Pulse/First SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an unauthenticated command injection vulnerability in the username parameter. Attackers can exploit index.php and login.php scripts by injecting arbitrary shell commands through the HTTP POST 'username' parameter to execute system commands. 2025-12-30 9.8 CVE-2022-50794 Zero Science Lab Disclosure (ZSL-2022-5739)
Packet Storm Security Exploit Details
IBM X-Force Vulnerability Exchange Entry
SOUND4 Product Homepage
VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Unauthenticated Command Injection via Username
 
JM-DATA ONU--JF511-TV JM-DATA ONU JF511-TV version 1.0.67 uses default credentials that allow attackers to gain unauthorized access to the device with administrative privileges. 2025-12-30 9.8 CVE-2022-50803 Zero Science Lab Disclosure (ZSL-2022-5708)
Packet Storm Security Exploit Entry
CXSecurity Vulnerability Listing
IBM X-Force Vulnerability Exchange Entry
JM-DATA Vendor Homepage
VulnCheck Advisory: JM-DATA ONU JF511-TV 1.0.67 Default Credentials Vulnerability
 
The Akuvox Company--Akuvox Smart Doorphone Akuvox Smart Intercom S539 contains an unauthenticated vulnerability that allows remote attackers to access live video streams by requesting the video.cgi endpoint on port 8080. Attackers can retrieve video stream data without authentication by directly accessing the specified endpoint on affected Akuvox doorphone and intercom devices. 2025-12-30 9.8 CVE-2024-58336 Zero Science Lab Disclosure (ZSL-2024-5826)
Packet Storm Security Exploit Entry
VulnCheck Advisory: Akuvox Smart Intercom S539 Unauthenticated Video Stream Disclosure
 
Ateme--Flamingo XL Anevia Flamingo XL 3.2.9 contains a restricted shell vulnerability that allows remote attackers to escape the sandboxed environment through the traceroute command. Attackers can exploit the traceroute command to inject shell commands and gain full root access to the device by bypassing the restricted login environment. 2025-12-30 9.8 CVE-2024-58338 ExploitDB-51516
Ateme Vendor Homepage
Zero Science Lab Disclosure (ZSL-2023-5780)
VulnCheck Advisory: Anevia Flamingo XL 3.2.9 Remote Root Jailbreak via Traceroute Command
 
wpmudev--Branda White Label & Branding, Free Login Page Customizer The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. 2026-01-02 9.8 CVE-2025-14998 https://www.wordfence.com/threat-intel/vulnerabilities/id/ae46be82-570f-4172-9c3f-746b894b84b9?source=cve
https://plugins.trac.wordpress.org/browser/branda-white-labeling/tags/3.4.24/inc/modules/login-screen/signup-password.php#L24
https://plugins.trac.wordpress.org/changeset/3429115/branda-white-labeling#file1749
 
Delta Electronics--DVP-12SE11T DVP-12SE11T - Password Protection Bypass 2025-12-30 9.1 CVE-2025-15102 https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00022_DVP-12SE11T%20Multiple%20Vulnerabilities.pdf
 
Ksenia Security S.p.A.--Ksenia Security Lares 4.0 Home Automation Ksenia Security Lares 4.0 Home Automation version 1.6 contains a critical security flaw that exposes the alarm system PIN in the 'basisInfo' XML file after authentication. Attackers can retrieve the PIN from the server response to bypass security measures and disable the alarm system without additional authentication. 2025-12-30 9.8 CVE-2025-15114 Zero Science Lab Disclosure (ZSL-2025-5929)
VulnCheck Advisory: Ksenia Security Lares 4.0 Home Automation 1.6 PIN Exposure Vulnerability
 
D-Link--DIR-600 A vulnerability was found in D-Link DIR-600 up to 2.15WWb02. Affected by this vulnerability is an unknown functionality of the file hedwig.cgi of the component HTTP Header Handler. The manipulation of the argument Cookie results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. 2025-12-29 9.8 CVE-2025-15194 VDB-338581 | D-Link DIR-600 HTTP Header hedwig.cgi stack-based overflow
VDB-338581 | CTI Indicators (IOB, IOC, IOA)
Submit #724404 | D-Link DIR-600 v2.15WWb02 and possibly earlier versions Stack-based Buffer Overflow
https://github.com/LonTan0/CVE/blob/main/Stack-Based%20Buffer%20Overflow%20Vulnerability%20in%20hedwig.cgi%20of%20D-Link%20DIR-600.md
https://github.com/LonTan0/CVE/blob/main/Stack-Based%20Buffer%20Overflow%20Vulnerability%20in%20hedwig.cgi%20of%20D-Link%20DIR-600.md#poc
https://www.dlink.com/
 
Sunnet--WMPro WMPro developed by Sunnet has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. 2025-12-29 9.8 CVE-2025-15226 https://www.twcert.org.tw/tw/cp-132-10602-c1c69-1.html
https://www.twcert.org.tw/en/cp-139-10603-67149-2.html
 
WELLTEND TECHNOLOGY--BPMFlowWebkit BPMFlowWebkit developed by WELLTEND TECHNOLOGY has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. 2025-12-29 9.8 CVE-2025-15228 https://www.twcert.org.tw/tw/cp-132-10604-c65aa-1.html
https://www.twcert.org.tw/en/cp-139-10605-426b6-2.html
 
Tenda--W6-S A vulnerability was determined in Tenda W6-S 1.0.0.4(510). This impacts an unknown function of the file /bin/httpd of the component R7websSsecurityHandler. Executing manipulation of the argument Cookie can lead to stack-based buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. 2025-12-30 9.8 CVE-2025-15255 VDB-338645 | Tenda W6-S R7websSsecurityHandler httpd stack-based overflow
VDB-338645 | CTI Indicators (IOB, IOC, IOA)
Submit #725500 | Tenda W6-S V1.0.0.4(510) Stack-based Buffer Overflow
https://github.com/dwBruijn/CVEs/blob/main/Tenda/R7WebsSecurityHandler.md
https://www.tenda.com.cn/
 
Delta Electronics--DVP-12SE11T DVP-12SE11T - Out-of-bound memory write Vulnerability 2025-12-30 9.1 CVE-2025-15359 https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00022_DVP-12SE11T%20Multiple%20Vulnerabilities.pdf
 
ConoHa by GMO--WING WordPress Migrator Cross-Site Request Forgery (CSRF) vulnerability in ConoHa by GMO WING WordPress Migrator allows Upload a Web Shell to a Web Server.This issue affects WING WordPress Migrator: from n/a through 1.1.9. 2025-12-30 9.6 CVE-2025-52835 https://vdp.patchstack.com/database/wordpress/plugin/wing-migrator/vulnerability/wordpress-wing-wordpress-migrator-plugin-1-1-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
SignalK--signalk-server Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., `security.json`, `package.json`), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability. 2026-01-01 9.7 CVE-2025-66398 https://github.com/SignalK/signalk-server/security/advisories/GHSA-w3x5-7c4c-66p9
https://github.com/SignalK/signalk-server/releases/tag/v2.19.0
 
RomanCode--MapSVG Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through 8.7.3. 2025-12-29 9.9 CVE-2025-68562 https://vdp.patchstack.com/database/wordpress/plugin/mapsvg-lite-interactive-vector-maps/vulnerability/wordpress-mapsvg-plugin-8-7-3-arbitrary-file-upload-vulnerability?_s_id=cve
 
SignalK--signalk-server Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated polling of access request status. The first is Unauthenticated WebSocket Request Enumeration: When a WebSocket client connects to the SignalK stream endpoint with the `serverevents=all` query parameter, the server sends all cached server events including `ACCESS_REQUEST` events that contain details about pending access requests. The `startServerEvents` function iterates over `app.lastServerEvents` and writes each cached event to any connected client without verifying authorization level. Since WebSocket connections are allowed for readonly users (which includes unauthenticated users when `allow_readonly` is true), attackers receive these events containing request IDs, client identifiers, descriptions, requested permissions, and IP addresses. The second is Unauthenticated Token Polling: The access request status endpoint at `/signalk/v1/access/requests/:id` returns the full state of an access request without requiring authentication. When an administrator approves a request, the response includes the issued JWT token in plaintext. The `queryRequest` function returns the complete request object including the token field, and the REST endpoint uses readonly authentication, allowing unauthenticated access. An attacker has two paths to exploit these vulnerabilities. Either the attacker creates their own access request (using the IP spoofing vulnerability to craft a convincing spoofed request), then polls their own request ID until an administrator approves it, receiving the JWT token; or the attacker passively monitors the WebSocket stream to discover request IDs from legitimate devices, then polls those IDs and steals the JWT tokens when administrators approve them, hijacking legitimate device credentials. Both paths require zero authentication and enable complete authentication bypass. Version 2.19.0 fixes the underlying issues. 2026-01-01 9.1 CVE-2025-68620 https://github.com/SignalK/signalk-server/security/advisories/GHSA-fq56-hvg6-wvm5
https://github.com/SignalK/signalk-server/releases/tag/v2.19.0
 
Mobile Builder--Mobile builder Authentication Bypass Using an Alternate Path or Channel vulnerability in Mobile Builder Mobile builder allows Authentication Abuse.This issue affects Mobile builder: from n/a through 1.4.2. 2025-12-29 9.8 CVE-2025-68860 https://vdp.patchstack.com/database/wordpress/plugin/mobile-builder/vulnerability/wordpress-mobile-builder-plugin-1-4-2-broken-authentication-vulnerability?_s_id=cve
 
Mohammad I. Okfie--IF AS Shortcode Improper Control of Generation of Code ('Code Injection') vulnerability in Mohammad I. Okfie IF AS Shortcode allows Code Injection.This issue affects IF AS Shortcode: from n/a through 1.2. 2025-12-29 9.9 CVE-2025-68897 https://vdp.patchstack.com/database/wordpress/plugin/if-as-shortcode/vulnerability/wordpress-if-as-shortcode-plugin-1-2-remote-code-execution-rce-vulnerability?_s_id=cve
 
rustfs--rustfs RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.77, RustFS implements gRPC authentication using a hardcoded static token `"rustfs rpc"` that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable with no mechanism for token rotation, and universally valid across all RustFS deployments. Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes. Version 1.0.0-alpha.77 contains a fix for the issue. 2025-12-30 9.8 CVE-2025-68926 https://github.com/rustfs/rustfs/security/advisories/GHSA-h956-rh7x-ppgj
 
frappe--frappe Frappe is a full-stack web application framework. Prior to versions 14.99.6 and 15.88.1, an authenticated user with specific permissions could be tricked into accessing a specially crafted link. This could lead to a malicious template being executed on the server, resulting in remote code execution. Versions 14.99.6 and 15.88.1 fix the issue. No known workarounds are available. 2025-12-29 9.1 CVE-2025-68929 https://github.com/frappe/frappe/security/advisories/GHSA-qq98-vfv9-xmxh
https://github.com/frappe/frappe/releases/tag/v14.99.6
https://github.com/frappe/frappe/releases/tag/v15.88.1
 
kromitgmbh--titra Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitization, it leads to a Remote Code Execution. Version 0.99.49 fixes the issue. 2025-12-31 9.1 CVE-2025-69288 https://github.com/kromitgmbh/titra/security/advisories/GHSA-pqgx-6wg3-gmvr
https://github.com/kromitgmbh/titra/commit/2e2ac5cbeed47a76720b21c7fde0214a242e065e
https://github.com/kromitgmbh/titra/releases/tag/0.99.49
 
Selea--Selea CarPlateServer (CPS) Selea CarPlateServer 4.0.1.6 contains an unquoted service path vulnerability in the Windows service configuration that allows local users to potentially execute code with elevated privileges. Attackers can exploit the service's unquoted binary path by inserting malicious code in the system root path that could execute with LocalSystem privileges during application startup or reboot. 2025-12-31 8.4 CVE-2020-36903 ExploitDB-49453
Vendor Homepage
Zero Science Lab Disclosure (ZSL-2021-5621)
VulnCheck Advisory: Selea CarPlateServer 4.0.1.6 Local Privilege Escalation via Unquoted Service Path
 
Epic Games Inc.--Epic Games Psyonix Rocket League Epic Games Psyonix Rocket League <=1.95 contains an insecure permissions vulnerability that allows authenticated users to modify executable files with full access permissions. Attackers can leverage the 'F' (Full) flag for the 'Authenticated Users' group to change executable files and potentially escalate system privileges. 2025-12-31 8.8 CVE-2021-47742 Zero Science Lab Disclosure (ZSL-2021-5650)
Packet Storm Security Exploit Entry
IBM X-Force Vulnerability Exchange Entry
Rocket League Product Homepage
VulnCheck Advisory: Epic Games Psyonix Rocket League <=1.95 Elevation of Privileges via Insecure Permissions
 
Cypress--200 Cypress Solutions CTM-200 2.7.1 contains an authenticated command injection vulnerability in the firmware upgrade script that allows remote attackers to execute shell commands. Attackers can exploit the 'fw_url' parameter in the ctm-config-upgrade.sh script to inject and execute arbitrary commands with root privileges. 2025-12-31 8.8 CVE-2021-47745 ExploitDB-50408
Cypress Solutions Product Homepage
Zero Science Lab Disclosure (ZSL-2021-5687)
VulnCheck Advisory: Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection via Firmware Upgrade
 
Metern--meterN meterN 1.2.3 contains an authenticated remote code execution vulnerability in admin_meter2.php and admin_indicator2.php scripts. Attackers can exploit the 'COMMANDx' and 'LIVECOMMANDx' POST parameters to execute arbitrary system commands with administrative privileges. 2025-12-31 8.8 CVE-2021-47747 ExploitDB-50596
Archived Vendor Homepage
Zero Science Lab Disclosure (ZSL-2021-5690)
VulnCheck Advisory: meterN 1.2.3 Authenticated Remote Code Execution via Admin Scripts
 
SOUND4 Ltd.--Impact/Pulse/First SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an SQL injection vulnerability in the 'username' POST parameter of index.php that allows attackers to manipulate database queries. Attackers can inject arbitrary SQL code through the username parameter to bypass authentication and potentially access unauthorized database information. 2025-12-30 8.2 CVE-2022-50694 Zero Science Lab Disclosure (ZSL-2022-5727)
Packet Storm Security Exploit Details
IBM X-Force Vulnerability Exchange Entry
SOUND4 Product Homepage
VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x SQL Injection via Username Parameter
 
SOUND4 Ltd.--Impact/Pulse/First SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains a command injection vulnerability that allows local authenticated users to create malicious files in the /tmp directory with .dns.pid extension. Unauthenticated attackers can execute the malicious commands by making a single HTTP POST request to the vulnerable dns.php script, which triggers command execution and then deletes the file. 2025-12-30 8.4 CVE-2022-50789 Zero Science Lab Disclosure (ZSL-2022-5733)
Packet Storm Security Exploit Details
IBM X-Force Vulnerability Exchange Entry
SOUND4 Product Homepage
VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Conditional Command Injection via dns.php
 
SOUND4 Ltd.--Impact/Pulse/First SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains a conditional command injection vulnerability that allows local authenticated users to create malicious files in the /tmp directory. Unauthenticated attackers can execute commands by making a single HTTP POST request to the vulnerable ping.php script, which triggers the malicious file and then deletes it. 2025-12-30 8.4 CVE-2022-50791 Zero Science Lab Disclosure (ZSL-2022-5735)
Packet Storm Security Exploit Details
IBM X-Force Vulnerability Exchange Entry
SOUND4 Product Homepage
VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Conditional Command Injection via ping.php
 
SOUND4 Ltd.--Impact/Pulse/First SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an authenticated command injection vulnerability in the www-data-handler.php script that allows attackers to inject system commands through the 'services' POST parameter. Attackers can exploit this vulnerability by crafting malicious 'services' parameter values to execute arbitrary system commands with www-data user privileges. 2025-12-30 8.8 CVE-2022-50793 Zero Science Lab Disclosure (ZSL-2022-5737)
Packet Storm Security Exploit Details
IBM X-Force Vulnerability Exchange Entry
SOUND4 Product Homepage
VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Authenticated Command Injection via www-data-handler.php
 
SOUND4 Ltd.--Impact/Pulse/First SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains a conditional command injection vulnerability that allows local authenticated users to create malicious files in the /tmp directory. Unauthenticated attackers can execute commands by making a single HTTP POST request to the traceroute.php script, which triggers the malicious file and then deletes it after execution. 2025-12-30 8.4 CVE-2022-50795 Zero Science Lab Disclosure (ZSL-2022-5740)
Packet Storm Security Exploit Details
IBM X-Force Vulnerability Exchange Entry
SOUND4 Product Homepage
VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Conditional Command Injection via traceroute.php
 
NLB Banka AD Skopje--NLB mKlik Makedonija NLB mKlik Macedonia 3.3.12 contains a SQL injection vulnerability in international transfer parameters that allows attackers to manipulate database queries. Attackers can inject arbitrary SQL code through unsanitized input to potentially disclose sensitive information from the mobile banking application. 2025-12-30 8.2 CVE-2023-54163 Zero Science Lab Disclosure (ZSL-2023-5797)
Google Play Store App Listing
Packet Storm Security Exploit Entry
CXSecurity Vulnerability Listing
VulnCheck Advisory: NLB mKlik Macedonia 3.3.12 SQL Injection via International Transfer Parameters
 
Tosibox Oy--Tosibox Key Service Tosibox Key Service 3.3.0 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated system privileges. Attackers can exploit the service startup process by inserting malicious code in the system root path, enabling unauthorized code execution during application startup or system reboot. 2025-12-30 8.4 CVE-2024-58315 Zero Science Lab Disclosure (ZSL-2024-5812)
Packet Storm Security Exploit Entry
Vendor Homepage
VulnCheck Advisory: Tosibox Key Service 3.3.0 Local Privilege Escalation via Unquoted Service Path
 
Delta Electronics--DVP-12SE11T DVP-12SE11T - Authentication Bypass via Partial Password Disclosure 2025-12-30 8.1 CVE-2025-15103 https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00022_DVP-12SE11T%20Multiple%20Vulnerabilities.pdf
 
Ksenia Security S.p.A.--Ksenia Security Lares 4.0 Home Automation Ksenia Security Lares 4.0 version 1.6 contains a URL redirection vulnerability in the 'cmdOk.xml' script that allows attackers to manipulate the 'redirectPage' GET parameter. Attackers can craft malicious links that redirect authenticated users to arbitrary websites when clicking on a specially constructed link hosted on a trusted domain. 2025-12-30 8 CVE-2025-15112 Zero Science Lab Disclosure (ZSL-2025-5928)
Packet Storm Security Exploit Entry
Ksenia Security Vendor Homepage
VulnCheck Advisory: Ksenia Security Lares 4.0 Home Automation 1.6 URL Redirection Vulnerability
 
D-Link--DWR-M920 A vulnerability was identified in D-Link DWR-M920 up to 1.1.50. This issue affects the function sub_464794 of the file /boafrm/formDefRoute. The manipulation of the argument submit-url leads to buffer overflow. The attack may be initiated remotely. The exploit is publicly available and might be used. 2025-12-29 8.8 CVE-2025-15189 VDB-338574 | D-Link DWR-M920 formDefRoute sub_464794 buffer overflow
VDB-338574 | CTI Indicators (IOB, IOC, IOA)
Submit #723552 | D-Link DWR-M920 VV1.1.50 Buffer Overflow
https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formDefRoute.md
https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formDefRoute.md#poc
https://www.dlink.com/
 
D-Link--DWR-M920 A security flaw has been discovered in D-Link DWR-M920 up to 1.1.50. Impacted is the function sub_42261C of the file /boafrm/formFilter. The manipulation of the argument ip6addr results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be exploited. 2025-12-29 8.8 CVE-2025-15190 VDB-338575 | D-Link DWR-M920 formFilter sub_42261C stack-based overflow
VDB-338575 | CTI Indicators (IOB, IOC, IOA)
Submit #723553 | D-Link DWR-M920 V1.1.50 Buffer Overflow
https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formFilter.md
https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formFilter.md#poc
https://www.dlink.com/
 
D-Link--DWR-M920 A vulnerability was detected in D-Link DWR-M920 up to 1.1.50. This affects the function sub_423848 of the file /boafrm/formParentControl. Performing manipulation of the argument submit-url results in buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used. 2025-12-29 8.8 CVE-2025-15193 VDB-338578 | D-Link DWR-M920 formParentControl sub_423848 buffer overflow
VDB-338578 | CTI Indicators (IOB, IOC, IOA)
Submit #723556 | D-Link DWR-M920 V1.1.50 Buffer Overflow
https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formParentControl.md
https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formParentControl.md#poc
https://www.dlink.com/
 
Tenda--AC10U A vulnerability was determined in Tenda AC10U 15.03.06.48/15.03.06.49. This affects the function formSetPPTPUserList of the file /goform/setPptpUserList of the component HTTP POST Request Handler. This manipulation of the argument list causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. 2025-12-30 8.8 CVE-2025-15215 VDB-338600 | Tenda AC10U HTTP POST Request setPptpUserList formSetPPTPUserList buffer overflow
VDB-338600 | CTI Indicators (IOB, IOC, IOA)
Submit #725365 | Tenda AC10U AC10U v1.0 Firmware V15.03.06.48、AC10U v1.0 Firmware V15.03.06.49 Buffer Overflow
https://www.notion.so/Tenda-AC10U-setPptpUserList-2d753a41781f80e8ba6bc37ba6100343?pvs=73
https://www.tenda.com.cn/
 
Tenda--AC23 A vulnerability was identified in Tenda AC23 16.03.07.52. This impacts the function fromSetIpMacBind of the file /goform/SetIpMacBind. Such manipulation of the argument bindnum leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used. 2025-12-30 8.8 CVE-2025-15216 VDB-338601 | Tenda AC23 SetIpMacBind fromSetIpMacBind stack-based overflow
VDB-338601 | CTI Indicators (IOB, IOC, IOA)
Submit #725447 | Tenda AC23 AC23 V16.03.07.52 Buffer Overflow
https://lavender-bicycle-a5a.notion.site/Tenda-AC23-SetIpMacBind-2d753a41781f8026a001f16e85226a21?source=copy_link
https://www.tenda.com.cn/
 
Tenda--AC23 A security flaw has been discovered in Tenda AC23 16.03.07.52. Affected is the function formSetPPTPUserList of the component HTTP POST Request Handler. Performing manipulation of the argument list results in buffer overflow. The attack can be initiated remotely. 2025-12-30 8.8 CVE-2025-15217 VDB-338602 | Tenda AC23 HTTP POST Request formSetPPTPUserList buffer overflow
VDB-338602 | CTI Indicators (IOB, IOC, IOA)
Submit #725448 | Tenda AC23 AC23 V16.03.07.52 Buffer Overflow
https://lavender-bicycle-a5a.notion.site/Tenda-AC23-formSetPPTPUserList-2d753a41781f8091b772cf9e66a687f1?source=copy_link
https://www.tenda.com.cn/
 
Tenda--AC10U A weakness has been identified in Tenda AC10U 15.03.06.48/15.03.06.49. Affected by this vulnerability is the function fromadvsetlanip of the file /goform/AdvSetLanip of the component POST Request Parameter Handler. Executing manipulation of the argument lanMask can lead to buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. 2025-12-30 8.8 CVE-2025-15218 VDB-338603 | Tenda AC10U POST Request Parameter AdvSetLanip fromadvsetlanip buffer overflow
VDB-338603 | CTI Indicators (IOB, IOC, IOA)
Submit #725461 | Tenda AC10U AC10U v1.0 Firmware V15.03.06.48、AC10U v1.0 Firmware V15.03.06.49 Buffer Overflow
https://lavender-bicycle-a5a.notion.site/Tenda-AC10U-fromadvsetlanip-2d753a41781f800c86c8d388a38e8101?source=copy_link
https://www.tenda.com.cn/
 
Tenda--M3 A vulnerability was found in Tenda M3 1.0.0.13(4903). Affected by this issue is the function formSetVlanPolicy of the file /goform/setVlanPolicyData. Performing manipulation of the argument qvlan_truck_port results in heap-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been made public and could be used. 2025-12-30 8.8 CVE-2025-15230 VDB-338626 | Tenda M3 setVlanPolicyData formSetVlanPolicy heap-based overflow
VDB-338626 | CTI Indicators (IOB, IOC, IOA)
Submit #725490 | Tenda M3 V1.0.0.13(4903) Heap-based Buffer Overflow
https://github.com/dwBruijn/CVEs/blob/main/Tenda/setVlanPolicy.md
https://www.tenda.com.cn/
 
Tenda--M3 A vulnerability was determined in Tenda M3 1.0.0.13(4903). This affects the function formSetRemoteVlanInfo of the file /goform/setVlanInfo. Executing manipulation of the argument ID/vlan/port can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. 2025-12-30 8.8 CVE-2025-15231 VDB-338627 | Tenda M3 setVlanInfo formSetRemoteVlanInfo stack-based overflow
VDB-338627 | CTI Indicators (IOB, IOC, IOA)
Submit #725493 | Tenda M3 V1.0.0.13(4903) Stack-based Buffer Overflow
https://github.com/dwBruijn/CVEs/blob/main/Tenda/setRemoteVlanInfo.md
https://www.tenda.com.cn/
 
Tenda--M3 A vulnerability was identified in Tenda M3 1.0.0.13(4903). This vulnerability affects the function formSetAdPushInfo of the file /goform/setAdPushInfo. The manipulation of the argument mac/terminal leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. 2025-12-30 8.8 CVE-2025-15232 VDB-338628 | Tenda M3 setAdPushInfo formSetAdPushInfo stack-based overflow
VDB-338628 | CTI Indicators (IOB, IOC, IOA)
Submit #725494 | Tenda M3 V1.0.0.13(4903) Stack-based Buffer Overflow
https://github.com/dwBruijn/CVEs/blob/main/Tenda/setAdPushInfo.md
https://www.tenda.com.cn/
 
Tenda--M3 A security flaw has been discovered in Tenda M3 1.0.0.13(4903). This issue affects the function formSetAdInfoDetails of the file /goform/setAdInfoDetail. The manipulation of the argument adName/smsPassword/smsAccount/weixinAccount/weixinName/smsSignature/adRedirectUrl/adCopyRight/smsContent/adItemUID results in heap-based buffer overflow. The attack may be performed from remote. The exploit has been released to the public and may be exploited. 2025-12-30 8.8 CVE-2025-15233 VDB-338629 | Tenda M3 setAdInfoDetail formSetAdInfoDetails heap-based overflow
VDB-338629 | CTI Indicators (IOB, IOC, IOA)
Submit #725495 | Tenda M3 V1.0.0.13(4903) Heap-based Buffer Overflow
https://github.com/dwBruijn/CVEs/blob/main/Tenda/setAdInfoDetail.md
https://www.tenda.com.cn/
 
Tenda--M3 A weakness has been identified in Tenda M3 1.0.0.13(4903). Impacted is the function formSetRemoteInternetLanInfo of the file /goform/setInternetLanInfo. This manipulation of the argument portIp/portMask/portGateWay/portDns/portSecDns causes heap-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. 2025-12-30 8.8 CVE-2025-15234 VDB-338630 | Tenda M3 setInternetLanInfo formSetRemoteInternetLanInfo heap-based overflow
VDB-338630 | CTI Indicators (IOB, IOC, IOA)
Submit #725496 | Tenda M3 V1.0.0.13(4903) Heap-based Buffer Overflow
https://github.com/dwBruijn/CVEs/blob/main/Tenda/setRemoteInternetLanInfo.md
https://www.tenda.com.cn/
 
Tenda--M3 A flaw has been found in Tenda M3 1.0.0.13(4903). The affected element is the function formSetRemoteDhcpForAp of the file /goform/setDhcpAP. This manipulation of the argument startip/endip/leasetime/gateway/dns1/dns2 causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been published and may be used. 2025-12-30 8.8 CVE-2025-15252 VDB-338642 | Tenda M3 setDhcpAP formSetRemoteDhcpForAp stack-based overflow
VDB-338642 | CTI Indicators (IOB, IOC, IOA)
Submit #725497 | Tenda M3 V1.0.0.13(4903) Stack-based Buffer Overflow
https://github.com/dwBruijn/CVEs/blob/main/Tenda/setRemoteDhcpForAp.md
https://www.tenda.com.cn/
 
Tenda--M3 A vulnerability has been found in Tenda M3 1.0.0.13(4903). The impacted element is an unknown function of the file /goform/exeCommand. Such manipulation of the argument cmdinput leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. 2025-12-30 8.8 CVE-2025-15253 VDB-338643 | Tenda M3 exeCommand stack-based overflow
VDB-338643 | CTI Indicators (IOB, IOC, IOA)
Submit #725498 | Tenda M3 V1.0.0.13(4903) Stack-based Buffer Overflow
https://github.com/dwBruijn/CVEs/blob/main/Tenda/execCommand.md
https://www.tenda.com.cn/
 
Tenda--AC20 A vulnerability has been found in Tenda AC20 up to 16.03.08.12. The impacted element is the function sscanf of the file /goform/PowerSaveSet. The manipulation of the argument powerSavingEn/time/powerSaveDelay/ledCloseType leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. 2025-12-30 8.8 CVE-2025-15356 VDB-338742 | Tenda AC20 PowerSaveSet sscanf buffer overflow
VDB-338742 | CTI Indicators (IOB, IOC, IOA)
Submit #726360 | Tenda Tenda AC20 V16.03.08.12 Buffer Overflow
https://github.com/xyh4ck/iot_poc/tree/main/Tenda%20AC20_Buffer_Overflow
https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC20_Buffer_Overflow/Tenda%20AC20_Buffer_Overflow.md#poc
https://www.tenda.com.cn/
 
QNO Technology--VPN Firewall VPN Firewall developed by QNO Technology has a Insufficient Entropy vulnerability, allowing unauthenticated remote attackers to obtain any logged-in user session through brute-force attacks and subsequently log into the system. 2025-12-31 8.8 CVE-2025-15387 https://www.twcert.org.tw/tw/cp-132-10613-e1780-1.html
https://www.twcert.org.tw/en/cp-139-10614-dee41-2.html
 
QNO Technology--VPN Firewall VPN Firewall developed by QNO Technology has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. 2025-12-31 8.8 CVE-2025-15388 https://www.twcert.org.tw/tw/cp-132-10613-e1780-1.html
https://www.twcert.org.tw/en/cp-139-10614-dee41-2.html
 
QNO Technology--VPN Firewall VPN Firewall developed by QNO Technology has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. 2025-12-31 8.8 CVE-2025-15389 https://www.twcert.org.tw/tw/cp-132-10613-e1780-1.html
https://www.twcert.org.tw/en/cp-139-10614-dee41-2.html
 
UTT-- 512W A weakness has been identified in UTT 进取 512W 1.7.7-171114. Affected is the function strcpy of the file /goform/formRemoteControl. This manipulation of the argument Profile causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-02 8.8 CVE-2025-15428 VDB-339350 | UTT 进取 512W formRemoteControl strcpy buffer overflow
VDB-339350 | CTI Indicators (IOB, IOC, IOA)
Submit #721875 | UTT 进取 512W v3v1.7.7-171114 Buffer Overflow
https://github.com/Lena-lyy/cve/blob/main/1223/18.md
https://github.com/Lena-lyy/cve/blob/main/1223/18.md#poc
 
UTT-- 512W A security vulnerability has been detected in UTT 进取 512W 1.7.7-171114. Affected by this vulnerability is the function strcpy of the file /goform/formConfigCliForEngineerOnly. Such manipulation of the argument addCommand leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-02 8.8 CVE-2025-15429 VDB-339351 | UTT 进取 512W formConfigCliForEngineerOnly strcpy buffer overflow
VDB-339351 | CTI Indicators (IOB, IOC, IOA)
Submit #721876 | UTT 进取 512W v3v1.7.7-171114 Buffer Overflow
https://github.com/Lena-lyy/cve/blob/main/1223/19.md
https://github.com/Lena-lyy/cve/blob/main/1223/19.md#poc
 
UTT-- 512W A vulnerability was detected in UTT 进取 512W 1.7.7-171114. Affected by this issue is the function strcpy of the file /goform/formFtpServerShareDirSelcet. Performing manipulation of the argument oldfilename results in buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-02 8.8 CVE-2025-15430 VDB-339352 | UTT 进取 512W formFtpServerShareDirSelcet strcpy buffer overflow
VDB-339352 | CTI Indicators (IOB, IOC, IOA)
Submit #721888 | UTT 进取 512W v3v1.7.7-171114 Buffer Overflow
https://github.com/GUOTINGTING2297/cve/blob/main/1234/20.md
https://github.com/GUOTINGTING2297/cve/blob/main/1234/20.md#poc
 
UTT-- 512W A flaw has been found in UTT 进取 512W 1.7.7-171114. This affects the function strcpy of the file /goform/formFtpServerDirConfig. Executing manipulation of the argument filename can lead to buffer overflow. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-02 8.8 CVE-2025-15431 VDB-339353 | UTT 进取 512W formFtpServerDirConfig strcpy buffer overflow
VDB-339353 | CTI Indicators (IOB, IOC, IOA)
Submit #721889 | UTT 进取 512W v3v1.7.7-171114 Buffer Overflow
https://github.com/GUOTINGTING2297/cve/blob/main/1234/21.md
https://github.com/GUOTINGTING2297/cve/blob/main/1234/21.md#poc
 
Codedraft--Mediabay - WordPress Media Library Folders Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Codedraft Mediabay - WordPress Media Library Folders allows Blind SQL Injection.This issue affects Mediabay - WordPress Media Library Folders: from n/a through 1.4. 2025-12-31 8.5 CVE-2025-28949 https://vdp.patchstack.com/database/wordpress/plugin/mediabay/vulnerability/wordpress-mediabay-wordpress-media-library-folders-1-4-sql-injection-vulnerability?_s_id=cve
 
AA-Team--Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows SQL Injection.This issue affects Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2. 2025-12-31 8.5 CVE-2025-30628 https://vdp.patchstack.com/database/wordpress/plugin/azon-addon-js-composer/vulnerability/wordpress-amazon-affiliates-addon-for-wpbakery-page-builder-formerly-visual-composer-1-2-sql-injection-vulnerability?_s_id=cve
 
Priority--Web CWE-434 Unrestricted Upload of File with Dangerous Type 2025-12-29 8.8 CVE-2025-55061 https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0
 
Plex--Media Server Plex Media Server (PMS) through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token. 2026-01-02 8.5 CVE-2025-69414 https://github.com/lufinkey/vulnerability-research/blob/main/CVE-2025-34158/README.md
 
Selea--Selea CarPlateServer (CPS) Selea CarPlateServer 4.0.1.6 contains a remote program execution vulnerability that allows attackers to execute arbitrary Windows binaries by manipulating the NO_LIST_EXE_PATH configuration parameter. Attackers can bypass authentication through the /cps/ endpoint and modify server configuration, including changing admin passwords and executing system commands. 2025-12-31 7.5 CVE-2020-36904 ExploitDB-49452
Vendor Homepage
Zero Science Lab Disclosure (ZSL-2021-5622)
VulnCheck Advisory: Selea CarPlateServer 4.0.1.6 Remote Program Execution via Configuration Endpoint
 
Nucom--NuCom 11N Wireless Router NuCom 11N Wireless Router 5.07.90 contains a privilege escalation vulnerability that allows non-privileged users to access administrative credentials through the configuration backup endpoint. Attackers can send a crafted HTTP GET request to the backup configuration page with a specific cookie to retrieve and decode the admin password in Base64 format. 2025-12-31 7.5 CVE-2021-47726 ExploitDB-49634
NuCom Vendor Homepage
Zero Science Lab Disclosure (ZSL-2021-5629)
VulnCheck Advisory: NuCom 11N Wireless Router 5.07.90 Privilege Escalation via Configuration Backup
 
KZ Broadband Technologies, Ltd.--JT3500V KZTech JT3500V 4G LTE CPE 2.0.1 contains a session management vulnerability that allows attackers to reuse old session credentials without proper expiration. Attackers can exploit the weak session handling to maintain unauthorized access and potentially compromise device authentication mechanisms. 2025-12-31 7.5 CVE-2021-47740 Zero Science Lab Disclosure (ZSL-2021-5646)
Packet Storm Security Exploit Entry
IBM X-Force Vulnerability Exchange Entry
KZ TECH Vendor Homepage
JATON TEC Homepage
Neotel Vendor Homepage
VulnCheck Advisory: KZTech JT3500V 4G LTE CPE 2.0.1 Insufficient Session Expiration Vulnerability
 
Zblchina--ZBL EPON ONU Broadband Router ZBL EPON ONU Broadband Router V100R001 contains a privilege escalation vulnerability that allows limited administrative users to elevate access by sending requests to configuration endpoints. Attackers can exploit the vulnerability by accessing the configuration backup or password page to disclose the super user password and gain additional privileged functionalities. 2025-12-31 7.5 CVE-2021-47741 ExploitDB-49737
ZBL China Vendor Homepage
Archived W&D Thailand Vendor Homepage
Zero Science Lab Disclosure (ZSL-2021-5647)
VulnCheck Advisory: ZBL EPON ONU Broadband Router V100R001 Privilege Escalation via Configuration Endpoint
 
Cypress--ONE Cypress Solutions CTM-200/CTM-ONE 1.3.6 contains hard-coded credentials vulnerability in Linux distribution that exposes root access. Attackers can exploit the static 'Chameleon' password to gain remote root access via Telnet or SSH on affected devices. 2025-12-31 7.5 CVE-2021-47744 ExploitDB-50407
Cypress Solutions Official Homepage
Zero Science Lab Disclosure (ZSL-2021-5686)
VulnCheck Advisory: Cypress Solutions CTM-200/CTM-ONE 1.3.6 Hard-coded Credentials Remote Root
 
SOUND4 Ltd.--Impact/Pulse/First SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an insufficient session expiration vulnerability that allows attackers to reuse old session credentials. Attackers can exploit weak session management to potentially hijack active user sessions and gain unauthorized access to the application. 2025-12-30 7.5 CVE-2022-50692 Zero Science Lab Disclosure (ZSL-2022-5724)
Packet Storm Security Exploit Entry
CXSecurity Vulnerability Listing
IBM X-Force Vulnerability Exchange
SOUND4 Product Homepage
VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Insufficient Session Expiration Vulnerability
 
SOUND4 Ltd.--Impact/Pulse/First SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x contains an unauthenticated stored cross-site scripting vulnerability in the username parameter that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated username input to execute arbitrary HTML and JavaScript code in victim browser sessions without authentication. 2025-12-30 7.2 CVE-2022-50787 Zero Science Lab Disclosure (ZSL-2022-5731)
Packet Storm Security Exploit Details
IBM X-Force Vulnerability Exchange Entry
SOUND4 Product Homepage
VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Unauthenticated Stored Cross-Site Scripting
 
SOUND4 Ltd.--Impact/Pulse/First SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive log files. Attackers can directly browse the /log directory to retrieve system and sensitive information without authentication. 2025-12-30 7.5 CVE-2022-50788 Zero Science Lab Disclosure (ZSL-2022-5732)
Packet Storm Security Exploit Details
IBM X-Force Vulnerability Exchange Entry
SOUND4 Product Homepage
VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Information Disclosure via Log Directory
 
SOUND4 Ltd.--Impact/Pulse/First SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an unauthenticated remote code execution vulnerability in the firmware upload functionality with path traversal flaw. Attackers can exploit the upload.cgi script to write malicious files to the system with www-data permissions, enabling unauthorized access and code execution. 2025-12-30 7.5 CVE-2022-50796 Zero Science Lab Disclosure (ZSL-2022-5741)
Packet Storm Security Exploit Details
IBM X-Force Vulnerability Exchange Entry
SOUND4 Product Homepage
VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Unauthenticated Remote Code Execution via upload.cgi
 
Chris Bagwell--SoX SoX 14.4.2 contains a division by zero vulnerability when handling WAV files that can cause program crashes. Attackers can trigger a floating point exception by providing a specially crafted WAV file that causes arithmetic errors during sound file processing. 2025-12-30 7.5 CVE-2022-50798 ExploitDB-51034
SoX Official SourceForge Page
SoX Wikipedia Entry
Zero Science Lab Disclosure (ZSL-2022-5712)
VulnCheck Advisory: SoX 14.4.2 Denial of Service Vulnerability via WAV File Processing
 
Fetch Softworks--Fetch Softworks Fetch FTP Client Fetch FTP Client 5.8.2 contains a denial of service vulnerability that allows attackers to trigger 100% CPU consumption by sending long server responses. Attackers can send specially crafted FTP server responses exceeding 2K bytes to cause excessive resource utilization and potentially crash the application. 2025-12-30 7.5 CVE-2022-50799 ExploitDB-50696
Fetch Softworks Product Homepage
Zero Science Lab Disclosure (ZSL-2022-5696)
VulnCheck Advisory: Fetch Softworks Fetch FTP Client 5.8.2 Remote CPU Consumption Denial of Service
 
Hangzhou H3C Technologies--H3C SSL VPN H3C SSL VPN contains a user enumeration vulnerability that allows attackers to identify valid usernames through the 'txtUsrName' POST parameter. Attackers can submit different usernames to the login_submit.cgi endpoint and analyze response messages to distinguish between existing and non-existing accounts. 2025-12-30 7.5 CVE-2022-50800 ExploitDB-50742
H3C Official Product Homepage
Zero Science Lab Disclosure (ZSL-2022-5697)
VulnCheck Advisory: H3C SSL VPN n/a Username Enumeration via Login Script Credential Verification
 
Ateme--Anevia Flamingo XL/XS Anevia Flamingo XL/XS 3.6.20 contains a critical vulnerability with weak default administrative credentials that can be easily guessed. Attackers can leverage these hard-coded credentials to gain full remote system control without complex authentication mechanisms. 2025-12-30 7.5 CVE-2023-53983 Zero Science Lab Disclosure (ZSL-2023-5777)
Packet Storm Security Exploit Details
IBM X-Force Vulnerability Exchange Entry
CXSecurity Vulnerability Listing
Ateme Vendor Homepage
VulnCheck Advisory: Anevia Flamingo XL/XS 3.6.20 Default Credentials Authentication Bypass
 
Tinycontrol--LAN Controller Tinycontrol LAN Controller 1.58a contains an authentication bypass vulnerability that allows unauthenticated attackers to change admin passwords through a crafted API request. Attackers can exploit the /stm.cgi endpoint with a specially crafted authentication parameter to disable access controls and modify administrative credentials. 2025-12-30 7.5 CVE-2023-54327 ExploitDB-51732
Tinycontrol Official Product Homepage
Zero Science Lab Disclosure (ZSL-2023-5787)
VulnCheck Advisory: Tinycontrol LAN Controller 1.58a Authentication Bypass via Admin Password Change
 
The Akuvox Company--Akuvox Smart Doorphone Akuvox Smart Intercom S539 contains an improper access control vulnerability that allows users with 'User' privileges to modify API access settings and configurations. Attackers can exploit this vulnerability to escalate privileges and gain unauthorized access to administrative functionalities. 2025-12-30 7.5 CVE-2024-58337 Zero Science Lab Disclosure (ZSL-2024-5862)
Packet Storm Security Exploit Entry
CXSecurity Vulnerability Listing
VulnCheck Advisory: Akuvox Smart Intercom S539 Improper Access Control via ServicesHTTPAPI
 
monetizemore--Advanced Ads  Ad Manager & AdSense The Advanced Ads plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.0.14 via the 'change-ad__content' shortcode parameter. This allows authenticated attackers with editor-level permissions or above, to execute code on the server. 2025-12-29 7.2 CVE-2025-13592 https://www.wordfence.com/threat-intel/vulnerabilities/id/f9e83561-aa71-4984-8a26-207e208d70e8?source=cve
https://plugins.trac.wordpress.org/browser/advanced-ads/tags/2.0.14/includes/ads/class-ad-plain.php#L36
https://plugins.trac.wordpress.org/changeset/3427297/advanced-ads#file9
 
villatheme--Lucky Wheel for WooCommerce Spin a Sale The Lucky Wheel for WooCommerce - Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval() to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server. In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing is disabled for non-Super Admins in multisite environments. 2025-12-30 7.2 CVE-2025-14509 https://www.wordfence.com/threat-intel/vulnerabilities/id/9a41bc0e-0ab9-4cee-b3ca-d730c828782c?source=cve
https://plugins.trac.wordpress.org/browser/woo-lucky-wheel/trunk/frontend/frontend.php#L127
https://plugins.trac.wordpress.org/browser/woo-lucky-wheel/tags/1.1.13/frontend/frontend.php#L127
https://plugins.trac.wordpress.org/changeset/3428063/
 
Innorix--Innorix WP Unrestricted Upload of File with Dangerous Type vulnerability in Innorix Innorix WP allows Upload a Web Shell to a Web Server.This issue affects Innorix WP from All versions If the "exam" directory exists under the directory where the product is installed (ex: innorix/exam) 2025-12-29 7.7 CVE-2025-15067 https://www.innorix.com/
https://www.gnit.co.kr/software/innorix_product.html
 
Gmission--Web Fax Missing Authorization vulnerability in Gmission Web Fax allows Privilege Abuse, Session Credential Falsification through Manipulation.This issue affects Web Fax: from 3.0 before 4.0. 2025-12-29 7.7 CVE-2025-15068 https://www.gmission.co.kr/fax1
 
Gmission--Web Fax Improper Authentication vulnerability in Gmission Web Fax allows Privilege Escalation.This issue affects Web Fax: from 3.0 before 4.0. 2025-12-29 7.1 CVE-2025-15069 https://www.gmission.co.kr/fax1
 
Ksenia Security S.p.A.--Ksenia Security Lares 4.0 Home Automation Ksenia Security Lares 4.0 Home Automation version 1.6 contains a default credentials vulnerability that allows unauthorized attackers to gain administrative access. Attackers can exploit the weak default administrative credentials to obtain full control of the home automation system. 2025-12-30 7.5 CVE-2025-15111 Zero Science Lab Disclosure (ZSL-2025-5927)
Packet Storm Security Exploit Entry
Ksenia Security Vendor Homepage
VulnCheck Advisory: Ksenia Security Lares 4.0 Home Automation 1.6 Default Credentials Vulnerability
 
Ksenia Security S.p.A.--Ksenia Security Lares 4.0 Home Automation Ksenia Security Lares 4.0 Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system's web server. 2025-12-30 7.8 CVE-2025-15113 Zero Science Lab Disclosure (ZSL-2025-5930)
Ksenia Security Vendor Homepage
Packet Storm Security Exploit
VulnCheck Advisory: Ksenia Security Lares 4.0 Home Automation 1.6 Remote Code Execution via MPFS Upload
 
Tenda--WH450 A vulnerability was identified in Tenda WH450 1.0.0.18. Affected by this issue is some unknown functionality of the file /goform/SafeEmailFilter. The manipulation of the argument page leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. 2025-12-29 7.2 CVE-2025-15163 VDB-338538 | Tenda WH450 SafeEmailFilter stack-based overflow
VDB-338538 | CTI Indicators (IOB, IOC, IOA)
Submit #721214 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/SafeEmailFilter/SafeEmailFilter.md
https://www.tenda.com.cn/
 
Tenda--WH450 A security flaw has been discovered in Tenda WH450 1.0.0.18. This affects an unknown part of the file /goform/SafeMacFilter. The manipulation of the argument page results in stack-based buffer overflow. The attack may be performed from remote. The exploit has been released to the public and may be exploited. 2025-12-29 7.2 CVE-2025-15164 VDB-338539 | Tenda WH450 SafeMacFilter stack-based overflow
VDB-338539 | CTI Indicators (IOB, IOC, IOA)
Submit #721215 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/SafeMacFilter/SafeMacFilter.md
https://www.tenda.com.cn/
 
itsourcecode--Online Cake Ordering System A vulnerability has been found in itsourcecode Online Cake Ordering System 1.0. The impacted element is an unknown function of the file /updatecustomer.php?action=edit. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. 2025-12-29 7.3 CVE-2025-15165 VDB-338544 | itsourcecode Online Cake Ordering System updatecustomer.php sql injection
VDB-338544 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721106 | itsourcecode Online Cake Ordering System V1.0 SQL Injection
https://github.com/LaneyYu/cve/issues/4
https://itsourcecode.com/
 
itsourcecode--Online Cake Ordering System A vulnerability was found in itsourcecode Online Cake Ordering System 1.0. This affects an unknown function of the file /updatesupplier.php?action=edit. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used. 2025-12-29 7.3 CVE-2025-15166 VDB-338545 | itsourcecode Online Cake Ordering System updatesupplier.php sql injection
VDB-338545 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721108 | itsourcecode Online Cake Ordering System V1.0 SQL Injection
https://github.com/LaneyYu/cve/issues/5
https://itsourcecode.com/
 
itsourcecode--Online Cake Ordering System A vulnerability was determined in itsourcecode Online Cake Ordering System 1.0. This impacts an unknown function of the file /detailtransac.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. 2025-12-29 7.3 CVE-2025-15167 VDB-338546 | itsourcecode Online Cake Ordering System detailtransac.php sql injection
VDB-338546 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721109 | itsourcecode Online Cake Ordering System V1.0 SQL Injection
https://github.com/LaneyYu/cve/issues/6
https://itsourcecode.com/
 
itsourcecode--Student Management System A vulnerability was identified in itsourcecode Student Management System 1.0. Affected is an unknown function of the file /statistical.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. 2025-12-29 7.3 CVE-2025-15168 VDB-338547 | itsourcecode Student Management System statistical.php sql injection
VDB-338547 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721155 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/Susen2/cve/issues/1
https://itsourcecode.com/
 
Tenda--WH450 A vulnerability has been found in Tenda WH450 1.0.0.18. This vulnerability affects unknown code of the file /goform/SetIpBind of the component HTTP Request Handler. The manipulation of the argument page leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. 2025-12-29 7.2 CVE-2025-15177 VDB-338562 | Tenda WH450 HTTP Request SetIpBind stack-based overflow
VDB-338562 | CTI Indicators (IOB, IOC, IOA)
Submit #721216 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/SetIpBind/SetIpBind.md
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/SetIpBind/SetIpBind.md#reproduce
https://www.tenda.com.cn/
 
Tenda--WH450 A vulnerability was found in Tenda WH450 1.0.0.18. This issue affects some unknown processing of the file /goform/VirtualSer of the component HTTP Request Handler. The manipulation of the argument page results in stack-based buffer overflow. The attack can be launched remotely. The exploit has been made public and could be used. 2025-12-29 7.2 CVE-2025-15178 VDB-338563 | Tenda WH450 HTTP Request VirtualSer stack-based overflow
VDB-338563 | CTI Indicators (IOB, IOC, IOA)
Submit #721217 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/VirtualSer/VirtualSer.md
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/VirtualSer/VirtualSer.md#reproduce
https://www.tenda.com.cn/
 
Tenda--WH450 A vulnerability was determined in Tenda WH450 1.0.0.18. Impacted is an unknown function of the file /goform/qossetting. This manipulation of the argument page causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. 2025-12-29 7.2 CVE-2025-15179 VDB-338564 | Tenda WH450 qossetting stack-based overflow
VDB-338564 | CTI Indicators (IOB, IOC, IOA)
Submit #721218 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/qossetting/qossetting.md
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/qossetting/qossetting.md#reproduce
https://www.tenda.com.cn/
 
Tenda--WH450 A vulnerability was identified in Tenda WH450 1.0.0.18. The affected element is an unknown function of the file /goform/webExcptypemanFilte of the component HTTP Request Handler. Such manipulation of the argument page leads to stack-based buffer overflow. The attack may be launched remotely. The exploit is publicly available and might be used. 2025-12-29 7.2 CVE-2025-15180 VDB-338565 | Tenda WH450 HTTP Request webExcptypemanFilte stack-based overflow
VDB-338565 | CTI Indicators (IOB, IOC, IOA)
Submit #721219 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/webExcptypemanFilter/webExcptypemanFilter.md
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/webExcptypemanFilter/webExcptypemanFilter.md#reproduce
https://www.tenda.com.cn/
 
code-projects--Refugee Food Management System A security flaw has been discovered in code-projects Refugee Food Management System 1.0. The impacted element is an unknown function of the file /home/pagenateRefugeesList.php. Performing manipulation of the argument rfid results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. 2025-12-29 7.3 CVE-2025-15181 VDB-338566 | code-projects Refugee Food Management System pagenateRefugeesList.php sql injection
VDB-338566 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721270 | Code-projects Refugee Food Management System v1.0 SQL Injection
Submit #722805 | code-projects Refugee Food Management System 1.0 SQL Injection (Duplicate)
https://github.com/ctg503/CVE/issues/1
https://code-projects.org/
 
code-projects--Refugee Food Management System A weakness has been identified in code-projects Refugee Food Management System 1.0. This affects an unknown function of the file /home/served.php. Executing manipulation of the argument refNo can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. 2025-12-29 7.3 CVE-2025-15182 VDB-338567 | code-projects Refugee Food Management System served.php sql injection
VDB-338567 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721272 | Code-projects Refugee Food Management System v1.0 SQL Injection
https://github.com/ctg503/CVE/issues/2
https://code-projects.org/
 
code-projects--Refugee Food Management System A security vulnerability has been detected in code-projects Refugee Food Management System 1.0. This impacts an unknown function of the file /home/viewtakenfd.php. The manipulation of the argument tfid leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. 2025-12-29 7.3 CVE-2025-15183 VDB-338568 | code-projects Refugee Food Management System viewtakenfd.php sql injection
VDB-338568 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721273 | Code-projects Refugee Food Management System v1.0 SQL Injection
Submit #722808 | code-projects Refugee Food Management System 1.0 SQL Injection (Duplicate)
Submit #722809 | code-projects Refugee Food Management System 1.0 SQL Injection (Duplicate)
Submit #722810 | code-projects Refugee Food Management System 1.0 SQL Injection (Duplicate)
https://github.com/ctg503/CVE/issues/3
https://code-projects.org/
 
code-projects--Refugee Food Management System A vulnerability was detected in code-projects Refugee Food Management System 1.0. Affected is an unknown function of the file /home/refugeesreport2.php. The manipulation of the argument a results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. 2025-12-29 7.3 CVE-2025-15184 VDB-338569 | code-projects Refugee Food Management System refugeesreport2.php sql injection
VDB-338569 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721274 | Code-projects Refugee Food Management System v1.0 SQL Injection
https://github.com/ctg503/CVE/issues/4
https://code-projects.org/
 
code-projects--Refugee Food Management System A flaw has been found in code-projects Refugee Food Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /home/refugeesreport.php. This manipulation of the argument a causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. 2025-12-29 7.3 CVE-2025-15185 VDB-338570 | code-projects Refugee Food Management System refugeesreport.php sql injection
VDB-338570 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721275 | Code-projects Refugee Food Management System v1.0 SQL Injection
https://github.com/ctg503/CVE/issues/5
https://code-projects.org/
 
code-projects--Refugee Food Management System A vulnerability has been found in code-projects Refugee Food Management System 1.0. Affected by this issue is some unknown functionality of the file /home/addusers.php. Such manipulation of the argument a leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. 2025-12-29 7.3 CVE-2025-15186 VDB-338571 | code-projects Refugee Food Management System addusers.php sql injection
VDB-338571 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721277 | Code-projects Refugee Food Management System v1.0 SQL Injection
Submit #722802 | code-projects Refugee Food Management System 1.0 SQL Injection (Duplicate)
https://github.com/ctg503/CVE/issues/6
https://code-projects.org/
 
code-projects--Assessment Management A vulnerability was determined in code-projects Assessment Management 1.0. Affected by this issue is some unknown functionality of the file /admin/add-module.php. This manipulation of the argument linked[] causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. 2025-12-29 7.3 CVE-2025-15195 VDB-338582 | code-projects Assessment Management add-module.php sql injection
VDB-338582 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #724717 | Code-projects Assessment Management v1.0 SQL injection
https://github.com/Limingqian123/CVE/issues/3
https://code-projects.org/
 
code-projects--Assessment Management A vulnerability was identified in code-projects Assessment Management 1.0. This affects an unknown part of the file login.php. Such manipulation of the argument userid leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. 2025-12-29 7.3 CVE-2025-15196 VDB-338583 | code-projects Assessment Management login.php sql injection
VDB-338583 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #724718 | Code-projects Assessment Management v1.0 SQL injection
https://github.com/Limingqian123/CVE/issues/4
https://code-projects.org/
 
code-projects--College Notes Uploading System A weakness has been identified in code-projects College Notes Uploading System 1.0. This issue affects some unknown processing of the file /login.php. Executing manipulation of the argument User can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. 2025-12-29 7.3 CVE-2025-15198 VDB-338585 | code-projects College Notes Uploading System login.php sql injection
VDB-338585 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #724724 | Code-projects College Notes Uploading System v1.0 SQL injection
https://github.com/Limingqian123/CVE/issues/10
https://code-projects.org/
 
Campcodes--Supplier Management System A flaw has been found in Campcodes Supplier Management System 1.0. This impacts an unknown function of the file /admin/add_area.php. Executing manipulation of the argument txtAreaCode can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. 2025-12-29 7.3 CVE-2025-15206 VDB-338579 | Campcodes Supplier Management System add_area.php sql injection
VDB-338579 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #723951 | Campcodes Supplier Management System V1.0 SQL Injection
https://github.com/IMZGforever/CVEs/issues/5
https://www.campcodes.com/
 
Campcodes--Supplier Management System A vulnerability has been found in Campcodes Supplier Management System 1.0. Affected is an unknown function of the file /admin/view_products.php. The manipulation of the argument chkId[] leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. 2025-12-29 7.3 CVE-2025-15207 VDB-338580 | Campcodes Supplier Management System view_products.php sql injection
VDB-338580 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #723953 | Campcodes Supplier Management System 1.0 SQL Injection
https://github.com/IMZGforever/CVEs/issues/6
https://www.campcodes.com/
 
code-projects--Refugee Food Management System A security flaw has been discovered in code-projects Refugee Food Management System 1.0. Affected by this issue is some unknown functionality of the file /home/editrefugee.php. The manipulation of the argument rfid results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited. 2025-12-29 7.3 CVE-2025-15208 VDB-338593 | code-projects Refugee Food Management System editrefugee.php sql injection
VDB-338593 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721753 | Code-projects Refugee Food Management System v1.0 SQL Injection
https://github.com/11alert/CVE/issues/1
https://code-projects.org/
 
Sunnet--WMPro WMPro developed by Sunnet has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to read arbitrary system files. 2025-12-29 7.5 CVE-2025-15225 https://www.twcert.org.tw/tw/cp-132-10602-c1c69-1.html
https://www.twcert.org.tw/en/cp-139-10603-67149-2.html
 
WELLTEND TECHNOLOGY--BPMFlowWebkit BPMFlowWebkit developed by WELLTEND TECHNOLOGY has a Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files. 2025-12-29 7.5 CVE-2025-15227 https://www.twcert.org.tw/tw/cp-132-10604-c65aa-1.html
https://www.twcert.org.tw/en/cp-139-10605-426b6-2.html
 
code-projects--Simple Stock System A flaw has been found in code-projects Simple Stock System 1.0. This affects an unknown function of the file /market/login.php. Executing manipulation of the argument Username can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. 2025-12-30 7.3 CVE-2025-15243 VDB-338633 | code-projects Simple Stock System login.php sql injection
VDB-338633 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #725689 | Code-Projects Simple Stock System V1.0 SQL Injection
https://github.com/c13641462064-lgtm/sql_injection/issues/1
https://code-projects.org/
 
gmg137--snap7-rs A vulnerability was identified in gmg137 snap7-rs up to 153d3e8c16decd7271e2a5b2e3da4d6f68589424. Affected by this issue is the function snap7_rs::client::S7Client::download of the file client.rs. Such manipulation leads to heap-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-30 7.3 CVE-2025-15247 VDB-338637 | gmg137 snap7-rs client.rs download heap-based overflow
VDB-338637 | CTI Indicators (IOB, IOC, IOA)
https://gitee.com/gmg137/snap7-rs/issues/ID2H7V
 
Edimax--BR-6208AC A vulnerability was identified in Edimax BR-6208AC 1.02/1.03. Affected is the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component Web-based Configuration Interface. The manipulation of the argument rootAPmac leads to command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. Edimax confirms this issue: "The product mentioned, EDIMAX BR-6208AC V2, has reached its End of Life (EOL) status. It is no longer supported or maintained by Edimax, and it is no longer available for purchase in the market. Consequently, there will be no further firmware updates or patches for this device. We recommend users upgrade to newer models for better security." This vulnerability only affects products that are no longer supported by the maintainer. 2025-12-30 7.3 CVE-2025-15256 VDB-338646 | Edimax BR-6208AC Web-based Configuration formStaDrvSetup command injection
VDB-338646 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #722014 | Edimax BR-6208AC V2_1.02 Command Injection
https://tzh00203.notion.site/EDIMAX-BR-6208AC-V2_1-02-Command-Injection-Vulnerability-in-Web-formStaDrvSetup-handler-2d2b5c52018a803ebd91c200b3e2925b?source=copy_link
 
Edimax--BR-6208AC A security flaw has been discovered in Edimax BR-6208AC 1.02/1.03. Affected by this vulnerability is the function formRoute of the file /gogorm/formRoute of the component Web-based Configuration Interface. The manipulation of the argument strIp/strMask/strGateway results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited. Edimax confirms this issue: "The product mentioned, EDIMAX BR-6208AC V2, has reached its End of Life (EOL) status. It is no longer supported or maintained by Edimax, and it is no longer available for purchase in the market. Consequently, there will be no further firmware updates or patches for this device. We recommend users upgrade to newer models for better security." This vulnerability only affects products that are no longer supported by the maintainer. 2025-12-30 7.3 CVE-2025-15257 VDB-338647 | Edimax BR-6208AC Web-based Configuration formRoute command injection
VDB-338647 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #722426 | Edimax BR-6208AC V2_1.02 Command Injection
https://tzh00203.notion.site/EDIMAX-BR-6208AC-V2_1-02-Command-Injection-Vulnerability-in-Web-formRoute-handler-2d3b5c52018a805983d3cf0780b28407?source=copy_link
 
BiggiDroid--Simple PHP CMS A weakness has been identified in BiggiDroid Simple PHP CMS 1.0. Affected is an unknown function of the file /admin/login.php of the component Admin Login. Executing manipulation of the argument Username can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. 2025-12-30 7.3 CVE-2025-15263 VDB-338657 | BiggiDroid Simple PHP CMS Admin Login login.php sql injection
VDB-338657 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #725820 | BiggiDroid Simple-PHP-Blog 1.0 SQL Injection
https://gitee.com/devilrunsun/mywork/issues/IDGMME
 
n/a--FeehiCMS A vulnerability was determined in FeehiCMS up to 2.1.1. Impacted is an unknown function of the file frontend/web/timthumb.php of the component TimThumb. Executing manipulation of the argument src can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-30 7.3 CVE-2025-15264 VDB-338663 | FeehiCMS TimThumb timthumb.php server-side request forgery
VDB-338663 | CTI Indicators (IOB, IOC, IOA)
Submit #718278 | FeehiCMS https://github.com/liufee/cms v2.1.1 Server-Side Request Forgery
 
HTTP--DOS Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1. SummaryThe arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit for DoS protection are vulnerable. DetailsThe arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2). Vulnerable code (lib/parse.js:159-162): if (root === '[]' && options.parseArrays) { obj = utils.combine([], leaf); // No arrayLimit check } Working code (lib/parse.js:175): else if (index <= options.arrayLimit) { // Limit checked here obj = []; obj[index] = leaf; } The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays. PoCTest 1 - Basic bypass: npm install qs const qs = require('qs'); const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 }); console.log(result.a.length); // Output: 6 (should be max 5) Test 2 - DoS demonstration: const qs = require('qs'); const attack = 'a[]=' + Array(10000).fill('x').join('&a[]='); const result = qs.parse(attack, { arrayLimit: 100 }); console.log(result.a.length); // Output: 10000 (should be max 100) Configuration: * arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2) * Use bracket notation: a[]=value (not indexed a[0]=value) ImpactDenial of Service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection. Attack scenario: * Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&...&filters[]=x (100,000+ times) * Application parses with qs.parse(query, { arrayLimit: 100 }) * qs ignores limit, parses all 100,000 elements into array * Server memory exhausted → application crashes or becomes unresponsive * Service unavailable for all users Real-world impact: * Single malicious request can crash server * No authentication required * Easy to automate and scale * Affects any endpoint parsing query strings with bracket notation 2025-12-29 7.5 CVE-2025-15284 https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p
https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9
 
itsourcecode--Society Management System A vulnerability was detected in itsourcecode Society Management System 1.0. Impacted is the function edit_admin_query of the file /admin/edit_admin_query.php. Performing manipulation of the argument Username results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. 2025-12-30 7.3 CVE-2025-15353 VDB-338740 | itsourcecode Society Management System edit_admin_query.php edit_admin_query sql injection
VDB-338740 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #726280 | itsourcecode Society Management System V1.0 SQL injection
https://github.com/BUPT2025201/CVE/issues/4
https://itsourcecode.com/
 
itsourcecode--Society Management System A flaw has been found in itsourcecode Society Management System 1.0. The affected element is an unknown function of the file /admin/add_admin.php. Executing manipulation of the argument Username can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. 2025-12-30 7.3 CVE-2025-15354 VDB-338741 | itsourcecode Society Management System add_admin.php sql injection
VDB-338741 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #726282 | itsourcecode Society Management System V1.0 SQL injection
https://github.com/BUPT2025201/CVE/issues/2
https://itsourcecode.com/
 
Delta Electronics--DVP-12SE11T DVP-12SE11T - Denial of Service Vulnerability 2025-12-30 7.5 CVE-2025-15358 https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00022_DVP-12SE11T%20Multiple%20Vulnerabilities.pdf
 
Tenda--i24 A vulnerability has been found in Tenda i24, 4G03 Pro, 4G05, 4G08, G0-8G-PoE, Nova MW5G and TEG5328F up to 65.10.15.6. Affected is an unknown function of the component Shadow File. Such manipulation with the input Fireitup leads to hard-coded credentials. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. 2025-12-31 7.8 CVE-2025-15371 VDB-339075 | Tenda i24 Shadow File hard-coded credentials
VDB-339075 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #727155 | Tenda Tenda i24v3.0 V3.0.0.8(4008) V3.0.0.8(4008) Hard-coded Credentials
Submit #727283 | Tenda 4G03ProV1.0re V04.03.01.49 Hard-coded Credentials (Duplicate)
Submit #727284 | Tenda 4G05V1.0re V04.05.01.15 Hard-coded Credentials (Duplicate)
Submit #727285 | Tenda 4G08V1.0re V04.08.01.28 Hard-coded Credentials (Duplicate)
Submit #727302 | Tenda G0-8G-PoEV2.0si V16.01.8.5 Hard-coded Credentials (Duplicate)
Submit #727305 | Tenda MW5GV1.0re V1.0.0.35 Hard-coded Credentials (Duplicate)
Submit #727306 | Tenda TEG5328FV1.0ma V65.10.15.6 Hard-coded Credentials (Duplicate)
https://github.com/vuln-1/vuln/blob/main/Tenda/i24v3.0_V3.0.0.8/report-1.md
https://www.tenda.com.cn/
 
code-projects--Online Guitar Store A vulnerability has been found in code-projects Online Guitar Store 1.0. This impacts an unknown function of the file /admin/Create_category.php. Such manipulation of the argument dre_Ctitle leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. 2026-01-01 7.3 CVE-2025-15407 VDB-339327 | code-projects Online Guitar Store Create_category.php sql injection
VDB-339327 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #728391 | Code-projects Online Guitar Store v1.0 SQL Injection
https://github.com/jjjjj-zr/jjjjjzr19/issues/1
https://code-projects.org/
 
code-projects--Online Guitar Store A vulnerability was found in code-projects Online Guitar Store 1.0. Affected is an unknown function of the file /admin/Create_product.php. Performing manipulation of the argument dre_title results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. 2026-01-01 7.3 CVE-2025-15408 VDB-339328 | code-projects Online Guitar Store Create_product.php sql injection
VDB-339328 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #728392 | Code-projects Online Guitar Store v1.0 SQL Injection
https://github.com/jjjjj-zr/jjjjjzr19/issues/2
https://code-projects.org/
 
code-projects--Online Guitar Store A vulnerability was determined in code-projects Online Guitar Store 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/Delete_product.php. Executing manipulation of the argument del_pro can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. 2026-01-01 7.3 CVE-2025-15409 VDB-339329 | code-projects Online Guitar Store Delete_product.php sql injection
VDB-339329 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #728393 | Code-projects Online Guitar Store v1.0 SQL Injection
https://github.com/jjjjj-zr/jjjjjzr19/issues/3
https://code-projects.org/
 
code-projects--Online Guitar Store A vulnerability was identified in code-projects Online Guitar Store 1.0. Affected by this issue is some unknown functionality of the file /login.php. The manipulation of the argument L_email leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. 2026-01-01 7.3 CVE-2025-15410 VDB-339330 | code-projects Online Guitar Store login.php sql injection
VDB-339330 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #728394 | Code-projects Online Guitar Store v1.0 SQL Injection
https://github.com/jjjjj-zr/jjjjjzr19/issues/4
https://code-projects.org/
 
Yonyou--KSOA A security vulnerability has been detected in Yonyou KSOA 9.0. This affects an unknown part of the file /worksheet/agent_work_report.jsp. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-02 7.3 CVE-2025-15420 VDB-339342 | Yonyou KSOA agent_work_report.jsp sql injection
VDB-339342 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721099 | Yonyou KSOA V9.0 SQL Injection
Submit #721531 | Yonyou KSOA V9.0 SQL Injection (Duplicate)
https://github.com/master-abc/cve/blob/main/Yonyou%20Space-Time%20Enterprise%20Information%20Integration%20KSOA%20Platformworksheetagent_work_report.jsp%20SQL%20injection.md
 
Yonyou--KSOA A vulnerability was detected in Yonyou KSOA 9.0. This vulnerability affects unknown code of the file /worksheet/agent_worksadd.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-02 7.3 CVE-2025-15421 VDB-339343 | Yonyou KSOA HTTP GET Parameter agent_worksadd.jsp sql injection
VDB-339343 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721324 | Yonyou KSOA V9.0 SQL Injection
Submit #721527 | Yonyou KSOA V9.0 SQL Injection (Duplicate)
https://github.com/master-abc/cve/blob/main/Yonyou%20Space-Time%20Enterprise%20Information%20Integration%20KSOA%20Platformworksheetagent_worksadd.jsp%20SQL%20injection.md
 
Yonyou--KSOA A vulnerability was found in Yonyou KSOA 9.0. The affected element is an unknown function of the file /worksheet/agent_worksdel.jsp of the component HTTP GET Parameter Handler. Performing manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-02 7.3 CVE-2025-15424 VDB-339346 | Yonyou KSOA HTTP GET Parameter agent_worksdel.jsp sql injection
VDB-339346 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721348 | Yonyou KSOA V9.0 SQL Injection
Submit #721526 | Yonyou KSOA V9.0 SQL Injection (Duplicate)
https://github.com/master-abc/cve/blob/main/Yonyou%20Space-Time%20Enterprise%20Information%20Integration%20KSOA%20Platformworksheetagent_worksdel.jsp%20SQL%20injection.md
https://github.com/master-abc/cve/blob/main/Yonyou%20Space-Time%20Enterprise%20Information%20Integration%20KSOA%20Platformworksheetagent_worksdel.jsp%20SQL%20injection.md#vulnerability-details-and-poc
 
Yonyou--KSOA A vulnerability was determined in Yonyou KSOA 9.0. The impacted element is an unknown function of the file /worksheet/del_user.jsp of the component HTTP GET Parameter Handler. Executing manipulation of the argument ID can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-02 7.3 CVE-2025-15425 VDB-339347 | Yonyou KSOA HTTP GET Parameter del_user.jsp sql injection
VDB-339347 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721352 | Yonyou KSOA V9.0 SQL Injection
https://github.com/master-abc/cve/blob/main/Yonyou%20Space-Time%20Enterprise%20Information%20Integration%20KSOA%20Platform%20worksheet%20del_user.jsp%20SQL%20injection.md
https://github.com/master-abc/cve/blob/main/Yonyou%20Space-Time%20Enterprise%20Information%20Integration%20KSOA%20Platform%20worksheet%20del_user.jsp%20SQL%20injection.md#vulnerability-details-and-poc
 
jackying--H-ui.admin A vulnerability was identified in jackying H-ui.admin up to 3.1. This affects an unknown function in the library /lib/webuploader/0.1.5/server/preview.php. The manipulation leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-02 7.3 CVE-2025-15426 VDB-339348 | jackying H-ui.admin preview.php unrestricted upload
VDB-339348 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721457 | https://www.h-ui.net/ H-ui.admin v3.1 RCE
https://github.com/TiKi-r/CVE-Report/blob/main/H-ui.admin%20RCE.md
https://github.com/TiKi-r/CVE-Report/blob/main/H-ui.admin%20RCE.md#4-proof-of-concept-poc
 
Seeyon--Zhiyuan OA Web Application System A security flaw has been discovered in Seeyon Zhiyuan OA Web Application System up to 20251222. This impacts an unknown function of the file /carManager/carUseDetailList.j%73p. The manipulation of the argument CAR_BRAND_NO results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-02 7.3 CVE-2025-15427 VDB-339349 | Seeyon Zhiyuan OA Web Application System carUseDetailList.j%73p sql injection
VDB-339349 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721493 | Seeyou Collaborative Platform V1.0 SQL Injection
https://github.com/cly-yuxiu/CVE/issues/2
 
Yonyou--KSOA A vulnerability was detected in Yonyou KSOA 9.0. Affected is an unknown function of the file /kp/PrintZPYG.jsp. The manipulation of the argument zpjhid results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-02 7.3 CVE-2025-15434 VDB-339361 | Yonyou KSOA PrintZPYG.jsp sql injection
VDB-339361 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721490 | Yonyou KSOA V1.0 SQL Injection
https://github.com/cly-yuxiu/CVE/issues/1
 
Yonyou--KSOA A flaw has been found in Yonyou KSOA 9.0. Affected by this vulnerability is an unknown functionality of the file /worksheet/work_update.jsp. This manipulation of the argument Report causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-02 7.3 CVE-2025-15435 VDB-339362 | Yonyou KSOA work_update.jsp sql injection
VDB-339362 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721918 | Yonyou KSOA V1.0 SQL Injection
https://github.com/xiaozipang/CVE/issues/1
 
Yonyou--KSOA A vulnerability has been found in Yonyou KSOA 9.0. Affected by this issue is some unknown functionality of the file /worksheet/work_edit.jsp. Such manipulation of the argument Report leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-02 7.3 CVE-2025-15436 VDB-339363 | Yonyou KSOA work_edit.jsp sql injection
VDB-339363 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721925 | Yonyou KSOA V1.0 SQL Injection
https://github.com/xinshou-test/CVE/issues/2
 
Seeyon--Zhiyuan OA Web Application System A flaw has been found in Seeyon Zhiyuan OA Web Application System up to 20251223. The impacted element is an unknown function of the file /assetsGroupReport/fixedAssetsList.j%73p. Executing a manipulation of the argument unitCode can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-04 7.3 CVE-2025-15446 VDB-339479 | Seeyon Zhiyuan OA Web Application System fixedAssetsList.j%73p sql injection
VDB-339479 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721917 | Seeyou Collaborative Platform V1.0 SQL Injection
https://github.com/xiaozipang/CVE/issues/2
 
Seeyon--Zhiyuan OA Web Application System A vulnerability has been found in Seeyon Zhiyuan OA Web Application System up to 20251223. This affects an unknown function of the file /assetsGroupReport/assetsService.j%73p. The manipulation of the argument unitCode leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-04 7.3 CVE-2025-15447 VDB-339480 | Seeyon Zhiyuan OA Web Application System assetsService.j%73p sql injection
VDB-339480 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721926 | Seeyou Collaborative Platform V1.0 SQL Injection
https://github.com/xinshou-test/CVE/issues/1
 
Rakessh--Ads24 Lite Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rakessh Ads24 Lite allows Reflected XSS.This issue affects Ads24 Lite: from n/a through 1.0. 2025-12-29 7.1 CVE-2025-23458 https://vdp.patchstack.com/database/wordpress/plugin/wp-ad-management/vulnerability/wordpress-ads24-lite-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Sleekplan--Sleekplan Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sleekplan allows Reflected XSS.This issue affects Sleekplan: from n/a through 0.2.0. 2025-12-29 7.1 CVE-2025-23469 https://vdp.patchstack.com/database/wordpress/plugin/sleekplan/vulnerability/wordpress-sleekplan-plugin-0-2-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Kemal YAZICI--Product Puller Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kemal YAZICI Product Puller allows Reflected XSS.This issue affects Product Puller: from n/a through 1.5.1. 2025-12-29 7.1 CVE-2025-23550 https://vdp.patchstack.com/database/wordpress/plugin/product-puller/vulnerability/wordpress-product-puller-plugin-1-5-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Jakub Glos--Off Page SEO Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jakub Glos Off Page SEO allows Reflected XSS.This issue affects Off Page SEO: from n/a through 3.0.3. 2025-12-29 7.1 CVE-2025-23554 https://vdp.patchstack.com/database/wordpress/plugin/off-page-seo/vulnerability/wordpress-off-page-seo-plugin-3-0-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Omar Mohamed Mohamoud--LIVE TV Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Omar Mohamed Mohamoud LIVE TV allows Reflected XSS.This issue affects LIVE TV: from n/a through 1.2. 2025-12-31 7.1 CVE-2025-23608 https://vdp.patchstack.com/database/wordpress/plugin/live-tv/vulnerability/wordpress-live-tv-plugin-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Christopher Churchill--custom-post-edit Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Christopher Churchill allows Reflected XSS.This issue affects custom-post-edit: from n/a through 1.0.4. 2025-12-31 7.1 CVE-2025-23667 https://vdp.patchstack.com/database/wordpress/plugin/front-end-post-edit/vulnerability/wordpress-custom-post-edit-plugin-1-0-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Terry Zielke--Zielke Design Project Gallery Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Terry Zielke Zielke Design Project Gallery allows Reflected XSS.This issue affects Zielke Design Project Gallery: from n/a through 2.5.0. 2025-12-31 7.1 CVE-2025-23705 https://vdp.patchstack.com/database/wordpress/plugin/zielke-design-project-gallery/vulnerability/wordpress-zielke-design-project-gallery-plugin-2-5-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Matamko--En Masse Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matamko En Masse allows Reflected XSS.This issue affects En Masse: from n/a through 1.0. 2025-12-31 7.1 CVE-2025-23707 https://vdp.patchstack.com/database/wordpress/plugin/en-masse-wp/vulnerability/wordpress-en-masse-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
zckevin--ZhinaTwitterWidget Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zckevin ZhinaTwitterWidget allows Reflected XSS.This issue affects ZhinaTwitterWidget: from n/a through 1.0. 2025-12-31 7.1 CVE-2025-23719 https://vdp.patchstack.com/database/wordpress/plugin/zhina-twitter-widget/vulnerability/wordpress-zhinatwitterwidget-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Proloy Chakroborty--ZD Scribd iPaper Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proloy Chakroborty ZD Scribd iPaper allows Reflected XSS.This issue affects ZD Scribd iPaper: from n/a through 1.0. 2025-12-31 7.1 CVE-2025-23757 https://vdp.patchstack.com/database/wordpress/plugin/zd-scribd-ipaper/vulnerability/wordpress-zd-scribd-ipaper-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Themefy--Bloggie Cross-Site Request Forgery (CSRF) vulnerability in Themefy Bloggie allows Reflected XSS.This issue affects Bloggie: from n/a through 2.0.8. 2025-12-31 7.1 CVE-2025-31054 https://vdp.patchstack.com/database/wordpress/theme/bloggie/vulnerability/wordpress-bloggie-2-0-8-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Petlibrio--Smart Pet Feeder Platform Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an authorization bypass vulnerability that allows unauthorized users to add users as shared owners to any device by exploiting missing permission checks. Attackers can send requests to the device share API to gain unauthorized access to devices and view owner information without proper authorization validation. 2026-01-03 7.3 CVE-2025-3646 Security Research: Petlibro: Your Pet Feeder Is Feeding Data To Anyone Who Asks
VulnCheck Advisory: Petlibro Smart Pet Feeder Platform through 1.7.31 Authorization Bypass via Device Share API
 
Petlibrio--Smart Pet Feeder Platform Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an improper access control vulnerability that allows unauthorized device manipulation by accepting arbitrary serial numbers without ownership verification. Attackers can control any device by sending serial numbers to device control APIs to change feeding schedules, trigger manual feeds, access camera feeds, and modify device settings without authorization checks. 2026-01-03 7.3 CVE-2025-3653 Security Research: Petlibro: Your Pet Feeder Is Feeding Data To Anyone Who Asks
VulnCheck Advisory: Petlibro Smart Pet Feeder through 1.7.31 Platform Improper Access Control via API endpoint
 
ZoomSounds--ZoomSounds Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomSounds allows Reflected XSS.This issue affects ZoomSounds: from n/a through 6.91. 2025-12-31 7.1 CVE-2025-47566 https://vdp.patchstack.com/database/wordpress/plugin/dzs-zoomsounds/vulnerability/wordpress-zoomsounds-plugin-6-91-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Zoho Mail--Zoho ZeptoMail Cross-Site Request Forgery (CSRF) vulnerability in Zoho Mail Zoho ZeptoMail allows Stored XSS.This issue affects Zoho ZeptoMail: from n/a through 3.3.1. 2025-12-31 7.1 CVE-2025-49028 https://vdp.patchstack.com/database/wordpress/plugin/transmail/vulnerability/wordpress-zoho-zeptomail-plugin-3-3-1-cross-site-request-forgery-csrf-to-stored-xss-vulnerability?_s_id=cve
 
Wolfgang Hfelinger--Custom Style Cross-Site Request Forgery (CSRF) vulnerability in Wolfgang Häfelinger Custom Style allows Stored XSS.This issue affects Custom Style: from n/a through 1.0. 2025-12-31 7.1 CVE-2025-49342 https://vdp.patchstack.com/database/wordpress/plugin/custom-style/vulnerability/wordpress-custom-style-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Socialprofilr--Social Profilr Cross-Site Request Forgery (CSRF) vulnerability in Socialprofilr Social Profilr allows Stored XSS.This issue affects Social Profilr: from n/a through 1.0. 2025-12-31 7.1 CVE-2025-49343 https://vdp.patchstack.com/database/wordpress/plugin/social-profilr-display-social-network-profile/vulnerability/wordpress-social-profilr-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Rene Ade--SensitiveTagCloud Cross-Site Request Forgery (CSRF) vulnerability in Rene Ade SensitiveTagCloud allows Stored XSS.This issue affects SensitiveTagCloud: from n/a through 1.4.1. 2025-12-31 7.1 CVE-2025-49344 https://vdp.patchstack.com/database/wordpress/plugin/sensitive-tag-cloud/vulnerability/wordpress-sensitivetagcloud-plugin-1-4-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
mg12--WP-EasyArchives Cross-Site Request Forgery (CSRF) vulnerability in mg12 WP-EasyArchives allows Stored XSS.This issue affects WP-EasyArchives: from n/a through 3.1.2. 2025-12-31 7.1 CVE-2025-49345 https://vdp.patchstack.com/database/wordpress/plugin/wp-easyarchives/vulnerability/wordpress-wp-easyarchives-plugin-3-1-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Peter Sterling--Simple Archive Generator Cross-Site Request Forgery (CSRF) vulnerability in Peter Sterling Simple Archive Generator allows Stored XSS.This issue affects Simple Archive Generator: from n/a through 5.2. 2025-12-31 7.1 CVE-2025-49346 https://vdp.patchstack.com/database/wordpress/plugin/simple-archive-generator/vulnerability/wordpress-simple-archive-generator-plugin-5-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Marcin Kijak--Noindex by Path Cross-Site Request Forgery (CSRF) vulnerability in Marcin Kijak Noindex by Path allows Stored XSS.This issue affects Noindex by Path: from n/a through 1.0. 2025-12-31 7.1 CVE-2025-49353 https://vdp.patchstack.com/database/wordpress/plugin/noindex-by-path/vulnerability/wordpress-noindex-by-path-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Mindstien Technologies--Recent Posts From Each Category Cross-Site Request Forgery (CSRF) vulnerability in Mindstien Technologies Recent Posts From Each Category allows Stored XSS.This issue affects Recent Posts From Each Category: from n/a through 1.4. 2025-12-31 7.1 CVE-2025-49354 https://vdp.patchstack.com/database/wordpress/plugin/recent-posts-from-each-category/vulnerability/wordpress-recent-posts-from-each-category-plugin-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
nebelhorn--Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nebelhorn Blappsta Mobile App Plugin & Your native, mobile iPhone App and Android App allows Reflected XSS.This issue affects Blappsta Mobile App Plugin &#8211; Your native, mobile iPhone App and Android App: from n/a through 0.8.8.8. 2025-12-31 7.1 CVE-2025-50053 https://vdp.patchstack.com/database/wordpress/plugin/yournewsapp/vulnerability/wordpress-blappsta-mobile-app-plugin-your-native-mobile-iphone-app-and-android-app-plugin-0-8-8-8-cross-site-scripting-xss-vulnerability?_s_id=cve
 
uxper--Sala Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Sala allows Reflected XSS.This issue affects Sala: from n/a through 1.1.3. 2025-12-31 7.1 CVE-2025-52739 https://vdp.patchstack.com/database/wordpress/theme/sala/vulnerability/wordpress-sala-theme-1-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
osuthorpe--Easy Social Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osuthorpe Easy Social allows Reflected XSS.This issue affects Easy Social: from n/a through 1.3. 2025-12-31 7.1 CVE-2025-53235 https://vdp.patchstack.com/database/wordpress/plugin/easy-social-media/vulnerability/wordpress-easy-social-plugin-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Kopek Reem--ReKord client CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 2026-01-01 7.5 CVE-2025-55065 https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0
 
Appointify--Appointify Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Appointify allows Blind SQL Injection.This issue affects Appointify: from n/a through 1.0.8. 2025-12-30 7.6 CVE-2025-59129 https://vdp.patchstack.com/database/wordpress/plugin/appointify/vulnerability/wordpress-appointify-plugin-1-0-8-sql-injection-vulnerability?_s_id=cve
 
Hoernerfranz--WP-CalDav2ICS Cross-Site Request Forgery (CSRF) vulnerability in Hoernerfranz WP-CalDav2ICS allows Stored XSS.This issue affects WP-CalDav2ICS: from n/a through 1.3.4. 2025-12-30 7.1 CVE-2025-59131 https://vdp.patchstack.com/database/wordpress/plugin/wp-caldav2ics/vulnerability/wordpress-wp-caldav2ics-plugin-1-3-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
eLEOPARD--Behance Portfolio Manager Cross-Site Request Forgery (CSRF) vulnerability in eLEOPARD Behance Portfolio Manager allows Stored XSS.This issue affects Behance Portfolio Manager: from n/a through 1.7.5. 2025-12-31 7.1 CVE-2025-59137 https://vdp.patchstack.com/database/wordpress/plugin/portfolio-manager-powered-by-behance/vulnerability/wordpress-behance-portfolio-manager-plugin-1-7-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
MadrasThemes--MAS Videos Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in MadrasThemes MAS Videos allows PHP Local File Inclusion.This issue affects MAS Videos: from n/a through 1.3.2. 2025-12-30 7.5 CVE-2025-62753 https://vdp.patchstack.com/database/wordpress/plugin/masvideos/vulnerability/wordpress-mas-videos-plugin-1-3-2-local-file-inclusion-vulnerability?_s_id=cve
 
Emraan Cheema--CubeWP Missing Authorization vulnerability in Emraan Cheema CubeWP allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects CubeWP: from n/a through 1.1.27. 2025-12-29 7.5 CVE-2025-68036 https://vdp.patchstack.com/database/wordpress/plugin/cubewp-framework/vulnerability/wordpress-cubewp-plugin-1-1-27-broken-access-control-vulnerability?_s_id=cve
 
SignalK--signalk-server Signal K Server is a server application that runs on a central hub in a boat. A Denial of Service (DoS) vulnerability in versions prior to 2.19.0 allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint (`/signalk/v1/access/requests`). This causes a "JavaScript heap out of memory" error due to unbounded in-memory storage of request objects. Version 2.19.0 fixes the issue. 2026-01-01 7.5 CVE-2025-68272 https://github.com/SignalK/signalk-server/security/advisories/GHSA-7rqc-ff8m-7j23
https://github.com/SignalK/signalk-server/releases/tag/v2.19.0
 
Plugin Optimizer--Plugin Optimizer Missing Authorization vulnerability in Plugin Optimizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Plugin Optimizer: from n/a through 1.3.7. 2025-12-29 7.1 CVE-2025-68861 https://vdp.patchstack.com/database/wordpress/plugin/plugin-optimizer/vulnerability/wordpress-plugin-optimizer-plugin-1-3-7-broken-access-control-vulnerability?_s_id=cve
 
reDim GmbH--CookieHint WP Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in reDim GmbH CookieHint WP allows PHP Local File Inclusion.This issue affects CookieHint WP: from n/a through 1.0.0. 2025-12-29 7.5 CVE-2025-68870 https://vdp.patchstack.com/database/wordpress/plugin/cookiehint-wp/vulnerability/wordpress-cookiehint-wp-plugin-1-0-0-local-file-inclusion-vulnerability?_s_id=cve
 
INVELITY--Invelity SPS connect Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in INVELITY Invelity SPS connect allows Reflected XSS.This issue affects Invelity SPS connect: from n/a through 1.0.8. 2025-12-29 7.1 CVE-2025-68876 https://vdp.patchstack.com/database/wordpress/plugin/invelity-sps-connect/vulnerability/wordpress-invelity-sps-connect-plugin-1-0-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
CedCommerce--CedCommerce Integration for Good Market Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CedCommerce CedCommerce Integration for Good Market allows PHP Local File Inclusion.This issue affects CedCommerce Integration for Good Market: from n/a through 1.0.6. 2025-12-29 7.5 CVE-2025-68877 https://vdp.patchstack.com/database/wordpress/plugin/ced-good-market-integration/vulnerability/wordpress-cedcommerce-integration-for-good-market-plugin-1-0-6-local-file-inclusion-vulnerability?_s_id=cve
 
Prasadkirpekar--Advanced Custom CSS Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Prasadkirpekar Advanced Custom CSS allows Reflected XSS.This issue affects Advanced Custom CSS: from n/a through 1.1.0. 2025-12-29 7.1 CVE-2025-68878 https://vdp.patchstack.com/database/wordpress/plugin/advanced-custom-css/vulnerability/wordpress-advanced-custom-css-plugin-1-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Councilsoft--Content Grid Slider Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Councilsoft Content Grid Slider allows Reflected XSS.This issue affects Content Grid Slider: from n/a through 1.5. 2025-12-29 7.1 CVE-2025-68879 https://vdp.patchstack.com/database/wordpress/plugin/content-grid-slider/vulnerability/wordpress-content-grid-slider-plugin-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Page Carbajal--Custom Post Status Cross-Site Request Forgery (CSRF) vulnerability in Page Carbajal Custom Post Status allows Stored XSS.This issue affects Custom Post Status: from n/a through 1.1.0. 2025-12-31 7.1 CVE-2025-68885 https://vdp.patchstack.com/database/wordpress/plugin/custom-post-status/vulnerability/wordpress-custom-post-status-plugin-1-1-0-cross-site-request-forgery-csrf-to-stored-xss-vulnerability?_s_id=cve
 
thorsten--phpMyFAQ phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via `POST /api/setup/backup` and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., `database.php` with database credentials), leading to high-impact information disclosure and potential follow-on compromise. Version 4.0.16 fixes the issue. 2025-12-29 7.5 CVE-2025-69200 https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9cg9-4h4f-j6fg
https://github.com/thorsten/phpMyFAQ/commit/b0e99ee3695152115841cb546d8dce64ceb8c29a
 
coturn--coturn coturn is a free open source implementation of TURN and STUN Server. Versions 4.6.2r5 through 4.7.0-r4 have a bad random number generator for nonces and port randomization after refactoring. Additionally, random numbers aren't generated with openssl's RAND_bytes but libc's random() (if it's not running on Windows). When fetching about 50 sequential nonces (i.e., through sending 50 unauthenticated allocations requests) it is possible to completely reconstruct the current state of the random number generator, thereby predicting the next nonce. This allows authentication while spoofing IPs. An attacker can send authenticated messages without ever receiving the responses, including the nonce (requires knowledge of the credentials, which is e.g., often the case in IoT settings). Since the port randomization is deterministic given the pseudorandom seed, an attacker can exactly reconstruct the ports and, hence predict the randomization of the ports. If an attacker allocates a relay port, they know the current port, and they are able to predict the next relay port (at least if it is not used before). Commit 11fc465f4bba70bb0ad8aae17d6c4a63a29917d9 contains a fix. 2025-12-30 7.7 CVE-2025-69217 https://github.com/coturn/coturn/security/advisories/GHSA-fvj6-9jhg-9j84
https://github.com/coturn/coturn/commit/11fc465f4bba70bb0ad8aae17d6c4a63a29917d9
https://github.com/coturn/coturn/commit/88ced471385869d7e7fbbc4766e78ef521b36af6
 
serverless--serverless The Serverless Framework is a framework for using AWS Lambda and other managed cloud services to build applications. Starting in version 4.29.0 and prior to version 4.29.3, a command injection vulnerability exists in the Serverless Framework's built-in MCP server package (@serverless/mcp). This vulnerability only affects users of the experimental MCP server feature (serverless mcp), which represents less than 0.1% of Serverless Framework users. The core Serverless Framework CLI and deployment functionality are not affected. The vulnerability is caused by the unsanitized use of input parameters within a call to `child_process.exec`, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (`|`, `>`, `&&`, etc.). Version 4.29.3 fixes the issue. 2025-12-30 7.5 CVE-2025-69256 https://github.com/serverless/serverless/security/advisories/GHSA-rwc2-f344-q6w6
https://github.com/serverless/serverless/commit/681ca039550c7169369f98780c6301a00f2dc4c4
https://github.com/serverless/serverless/blob/6213453da7df375aaf12fb3522ab8870488fc59a/packages/mcp/src/tools/list-projects.js#L68
https://github.com/serverless/serverless/releases/tag/sf-core%404.29.3
 
Plex--Media Server In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account. 2026-01-02 7.1 CVE-2025-69415 https://github.com/lufinkey/vulnerability-research/blob/main/CVE-2025-34158/README.md
 
itsourcecode--School Management System A security flaw has been discovered in itsourcecode School Management System 1.0. This affects an unknown part of the file /student/index.php. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. 2026-01-01 7.3 CVE-2026-0544 VDB-339331 | itsourcecode School Management System index.php sql injection
VDB-339331 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #728909 | itsourcecode School Management System V1.0 SQL Injection
https://github.com/ltranquility/CVE/issues/31
https://itsourcecode.com/
 
code-projects--Content Management System A vulnerability was determined in code-projects Content Management System 1.0. This impacts an unknown function of the file search.php. This manipulation of the argument Value causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. 2026-01-02 7.3 CVE-2026-0546 VDB-339338 | code-projects Content Management System search.php sql injection
VDB-339338 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #728924 | Code-projects Content Management System v1.0 SQL Injection
https://github.com/gtxy114514/CVE/issues/1
https://code-projects.org/
 
code-projects--Content Management System A weakness has been identified in code-projects Content Management System 1.0. This issue affects some unknown processing of the file /admin/delete.php. Executing manipulation of the argument del can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. 2026-01-02 7.3 CVE-2026-0565 VDB-339377 | code-projects Content Management System delete.php sql injection
VDB-339377 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #729227 | Code-projects Content Management System v1.0 SQL Injection
https://github.com/Limingqian123/CVE/issues/12
https://code-projects.org/
 
code-projects--Content Management System A vulnerability was detected in code-projects Content Management System 1.0. The affected element is an unknown function of the file /pages.php. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. 2026-01-02 7.3 CVE-2026-0567 VDB-339379 | code-projects Content Management System pages.php sql injection
VDB-339379 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #729229 | Code-projects Content Management System v1.0 SQL injection
https://github.com/Limingqian123/CVE/issues/14
https://code-projects.org/
 
code-projects--Online Music Site A flaw has been found in code-projects Online Music Site 1.0. The impacted element is an unknown function of the file /Frontend/ViewSongs.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. 2026-01-02 7.3 CVE-2026-0568 VDB-339380 | code-projects Online Music Site ViewSongs.php sql injection
VDB-339380 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #729251 | Code-projects ONLINE MUSIC SITE v1.0 SQL Injection
https://github.com/Limingqian123/CVE/issues/15
https://code-projects.org/
 
code-projects--Online Music Site A vulnerability has been found in code-projects Online Music Site 1.0. This affects an unknown function of the file /Frontend/AlbumByCategory.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. 2026-01-02 7.3 CVE-2026-0569 VDB-339381 | code-projects Online Music Site AlbumByCategory.php sql injection
VDB-339381 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #729252 | Code-projects ONLINE MUSIC SITE v1.0 SQL Injection
https://github.com/Limingqian123/CVE/issues/16
https://code-projects.org/
 
code-projects--Online Music Site A vulnerability was found in code-projects Online Music Site 1.0. This impacts an unknown function of the file /Frontend/Feedback.php. Performing manipulation of the argument fname results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. 2026-01-02 7.3 CVE-2026-0570 VDB-339382 | code-projects Online Music Site Feedback.php sql injection
VDB-339382 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #729253 | Code-projects ONLINE MUSIC SITE v1.0 SQL Injection
https://github.com/Limingqian123/CVE/issues/18
https://code-projects.org/
 
code-projects--Online Product Reservation System A security vulnerability has been detected in code-projects Online Product Reservation System 1.0. This impacts an unknown function of the file /handgunner-administrator/adminlogin.php of the component Administrator Login. Such manipulation of the argument emailadd/pass leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. 2026-01-04 7.3 CVE-2026-0575 VDB-339459 | code-projects Online Product Reservation System Administrator Login adminlogin.php sql injection
VDB-339459 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731011 | code-projects Online Product Reservation System V1.0 SQL Injection
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_admin_login.md
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_admin_login.md#poc
https://code-projects.org/
 
code-projects--Online Product Reservation System A vulnerability was detected in code-projects Online Product Reservation System 1.0. Affected is an unknown function of the file /handgunner-administrator/prod.php of the component Parameter Handler. Performing manipulation of the argument cat/price/name/model/serial results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. 2026-01-04 7.3 CVE-2026-0576 VDB-339460 | code-projects Online Product Reservation System Parameter prod.php sql injection
VDB-339460 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731012 | code-projects Online Product Reservation system V1.0 SQL Injection
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_add_prod.php.md
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_add_prod.php.md#poc
https://code-projects.org/
 
code-projects--Online Product Reservation System A vulnerability has been found in code-projects Online Product Reservation System 1.0. Affected by this issue is some unknown functionality of the file /handgunner-administrator/delete.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. 2026-01-04 7.3 CVE-2026-0578 VDB-339462 | code-projects Online Product Reservation System delete.php sql injection
VDB-339462 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731075 | code-projects Online Product Reservation system in PHP with source code V1.0 SQL Injection
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_admin_delete.php.md
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_admin_delete.php.md#poc
https://code-projects.org/
 
code-projects--Online Product Reservation System A vulnerability was found in code-projects Online Product Reservation System 1.0. This affects an unknown part of the file /handgunner-administrator/edit.php of the component POST Parameter Handler. The manipulation of the argument prod_id/name/price/model/serial results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. 2026-01-04 7.3 CVE-2026-0579 VDB-339463 | code-projects Online Product Reservation System POST Parameter edit.php sql injection
VDB-339463 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731091 | code-projects Online Product Reservation system V1.0 SQL Injection
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_admin_edit.php.md
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_admin_edit.php.md#poc
https://code-projects.org/
 
emlog--emlog Emlog is an open source website building system. Versions up to and including 2.5.19 are vulnerable to server-side Out-of-Band (OOB) requests / SSRF via uploaded SVG files. An attacker can upload a crafted SVG to http[:]//emblog/admin/media[.]php which contains external resource references. When the server processes/renders the SVG (thumbnailing, preview, or sanitization), it issues an HTTP request to the attacker-controlled host. Impact: server-side SSRF/OOB leading to internal network probing and potential metadata/credential exposure. As of time of publication, no known patched versions are available. 2026-01-02 7.7 CVE-2026-21433 https://github.com/emlog/emlog/security/advisories/GHSA-6rwr-c8hc-mjj4
 
bagisto--bagisto Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue. 2026-01-02 7.1 CVE-2026-21447 https://github.com/bagisto/bagisto/security/advisories/GHSA-x5rw-qvvp-5cgm
https://github.com/bagisto/bagisto/commit/b2b1cf62577245d03a68532478cffbe321df74d3
 
msgpack--msgpack-java MessagePack for Java is a serializer implementation for Java. A denial-of-service vulnerability exists in versions prior to 0.9.11 when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later trusts the declared EXT payload length when materializing the extension data. When ExtensionValue.getData() is invoked, the library attempts to allocate a byte array of the declared length without enforcing any upper bound. A malicious .msgpack file of only a few bytes can therefore trigger unbounded heap allocation, resulting in JVM heap exhaustion, process termination, or service unavailability. This vulnerability is triggered during model loading / deserialization, making it a model format vulnerability suitable for remote exploitation. The vulnerability enables a remote denial-of-service attack against applications that deserialize untrusted .msgpack model files using MessagePack for Java. A specially crafted but syntactically valid .msgpack file containing an EXT32 object with an attacker-controlled, excessively large payload length can trigger unbounded memory allocation during deserialization. When the model file is loaded, the library trusts the declared length metadata and attempts to allocate a byte array of that size, leading to rapid heap exhaustion, excessive garbage collection, or immediate JVM termination with an OutOfMemoryError. The attack requires no malformed bytes, user interaction, or elevated privileges and can be exploited remotely in real-world environments such as model registries, inference services, CI/CD pipelines, and cloud-based model hosting platforms that accept or fetch .msgpack artifacts. Because the malicious file is extremely small yet valid, it can bypass basic validation and scanning mechanisms, resulting in complete service unavailability and potential cascading failures in production systems. Version 0.9.11 fixes the vulnerability. 2026-01-02 7.5 CVE-2026-21452 https://github.com/msgpack/msgpack-java/security/advisories/GHSA-cw39-r4h6-8j3x
https://github.com/msgpack/msgpack-java/commit/daa2ea6b2f11f500e22c70a22f689f7a9debdeae
https://github.com/msgpack/msgpack-java/releases/tag/v0.9.11
 

Back to top

Medium Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
COMMAX Co., Ltd.--COMMAX Biometric Access Control System COMMAX Biometric Access Control System 1.0.0 contains an unauthenticated reflected cross-site scripting vulnerability in cookie parameters 'CMX_ADMIN_NM' and 'CMX_COMPLEX_NM'. Attackers can inject malicious HTML and JavaScript code into these cookie values to execute arbitrary scripts in a victim's browser session. 2025-12-31 6.1 CVE-2021-47743 Zero Science Lab Disclosure (ZSL-2021-5660)
Packet Storm Security Exploit Entry
IBM X-Force Vulnerability Exchange
CXSecurity Vulnerability Database Entry
Vendor Homepage
VulnCheck Advisory: COMMAX Biometric Access Control System 1.0.0 Reflected XSS via Cookie Parameters
 
SOUND4 Ltd.--Impact/Pulse/First SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain hardcoded credentials embedded in server binaries that cannot be modified through normal device operations. Attackers can leverage these static credentials to gain unauthorized access to the device across Linux and Windows distributions without requiring user interaction. 2025-12-30 6.5 CVE-2022-50696 Zero Science Lab Disclosure (ZSL-2022-5729)
Packet Storm Security Exploit Details
IBM X-Force Vulnerability Exchange Entry
SOUND4 Product Homepage
VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Hardcoded Credentials Authentication Bypass
 
ETAP Lighting International NV--ETAP Safety Manager ETAP Safety Manager 1.0.0.32 contains a cross-site scripting vulnerability in the 'action' GET parameter that allows unauthenticated attackers to inject malicious HTML and JavaScript. Attackers can craft specially formed requests to execute arbitrary scripts in victim browser sessions, potentially stealing credentials or performing unauthorized actions. 2025-12-30 6.1 CVE-2022-50802 Zero Science Lab Disclosure (ZSL-2022-5711)
Packet Storm Security Exploit Entry
IBM X-Force Vulnerability Exchange
CXSecurity Vulnerability Database
ETAP Vendor Homepage
VulnCheck Advisory: ETAP Safety Manager 1.0.0.32 Unauthenticated Reflected Cross-Site Scripting via Action Parameter
 
JM-DATA ONU--JF511-TV JM-DATA ONU JF511-TV version 1.0.67 is vulnerable to cross-site request forgery (CSRF) attacks, allowing attackers to perform administrative actions on behalf of authenticated users without their knowledge or consent. 2025-12-30 6.5 CVE-2022-50804 Zero Science Lab Disclosure (ZSL-2022-5708)
Packet Storm Security Exploit Entry
CXSecurity Vulnerability Listing
IBM X-Force Vulnerability Exchange Entry
JM-DATA Vendor Homepage
VulnCheck Advisory: JM-DATA ONU JF511-TV 1.0.67 Cross-Site Request Forgery (CSRF) Vulnerability
 
smackcoders--WP Import Ultimate CSV XML Importer for WordPress The WP Import - Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform HTTP requests to arbitrary internal endpoints, including localhost, private IP ranges, and cloud metadata services (e.g., 169.254.169.254), potentially exposing sensitive internal data. 2026-01-01 6.4 CVE-2025-14627 https://www.wordfence.com/threat-intel/vulnerabilities/id/87040f2b-4de0-4a8d-ae30-b340638a6df2?source=cve
https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.34/uploadModules/UrlUpload.php#L73
https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.34/uploadModules/UrlUpload.php#L290
https://plugins.trac.wordpress.org/changeset/3421699/wp-ultimate-csv-importer/trunk/uploadModules/UrlUpload.php
 
Rapid7--Velociraptor Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names which end with a ".", only encoding the final "." AS "%2E". Although files can be written to incorrect locations, the containing directory must end with "%2E". This limits the impact of this vulnerability, and prevents it from overwriting critical files. 2025-12-29 6.8 CVE-2025-14728 https://docs.velociraptor.app/announcements/advisories/cve-2025-14728/
 
Kings Information & Network Co.--KESS Enterprise Exposure of Sensitive Information to an Unauthorized Actor, Missing Encryption of Sensitive Data, Files or Directories Accessible to External Parties vulnerability in Kings Information & Network Co. KESS Enterprise on Windows allows Privilege Escalation, Modify Existing Service, Modify Shared File.This issue affects KESS Enterprise: before *.25.9.19.exe 2025-12-29 6.3 CVE-2025-15065 https://www.kings.co.kr/solution/01/KESS.jsp?O=10.64&B=Chrome
 
Innorix--Innorix WP Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Missing Authorization vulnerability in Innorix WP allows Path Traversal.This issue affects Innorix WP from All versions If the "exam" directory exists under the directory where the product is installed (ex: innorix/exam) 2025-12-29 6.2 CVE-2025-15066 https://www.innorix.com/
https://www.gnit.co.kr/software/innorix_product.html
 
Petlibrio--Smart Pet Feeder Platform Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an authentication bypass vulnerability that allows unauthenticated attackers to access any user account by exploiting OAuth token validation flaws in the social login system. Attackers can send requests to /member/auth/thirdLogin with arbitrary Google IDs and phoneBrand parameters to obtain full session tokens and account access without proper OAuth verification. 2026-01-03 6.5 CVE-2025-15115 Security Research: Petlibro: Your Pet Feeder Is Feeding Data To Anyone Who Asks
VulnCheck Advisory: Petlibro Smart Pet Feeder Platform through 1.7.31 Authentication Bypass via API endpoint
 
D-Link--DWR-M920 A weakness has been identified in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_4155B4 of the file /boafrm/formLtefotaUpgradeFibocom. This manipulation of the argument fota_url causes command injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. 2025-12-29 6.3 CVE-2025-15191 VDB-338576 | D-Link DWR-M920 formLtefotaUpgradeFibocom sub_4155B4 command injection
VDB-338576 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #723554 | D-Link DWR-M920 V1.1.50 Command Injection
https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formLtefotaUpgradeFibocom.md
https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formLtefotaUpgradeFibocom.md#poc
https://www.dlink.com/
 
D-Link--DWR-M920 A security vulnerability has been detected in D-Link DWR-M920 up to 1.1.50. The impacted element is the function sub_415328 of the file /boafrm/formLtefotaUpgradeQuectel. Such manipulation of the argument fota_url leads to command injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. 2025-12-29 6.3 CVE-2025-15192 VDB-338577 | D-Link DWR-M920 formLtefotaUpgradeQuectel sub_415328 command injection
VDB-338577 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #723555 | D-Link DWR-M920 V1.1.50 Command Injection
https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formLtefotaUpgradeQuectel.md
https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formLtefotaUpgradeQuectel.md#poc
https://www.dlink.com/
 
code-projects--College Notes Uploading System A security vulnerability has been detected in code-projects College Notes Uploading System 1.0. Impacted is an unknown function of the file /dashboard/userprofile.php. The manipulation of the argument image leads to unrestricted upload. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. 2025-12-29 6.3 CVE-2025-15199 VDB-338586 | code-projects College Notes Uploading System userprofile.php unrestricted upload
VDB-338586 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #724794 | Code-projects College Notes Uploading System v1.0 Arbitrary file upload vulnerability
https://github.com/jjjjj-zr/jjjjjzr18/issues/1
https://code-projects.org/
 
code-projects--Student File Management System A vulnerability was identified in code-projects Student File Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /download.php. The manipulation of the argument istore_id leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. 2025-12-29 6.3 CVE-2025-15205 VDB-338592 | code-projects Student File Management System download.php sql injection
VDB-338592 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #724818 | Code-Projects Student File Management System V1.0 SQL Injection Vulnerability
https://github.com/Bai-public/CVE/issues/4
https://code-projects.org/
 
code-projects--Refugee Food Management System A weakness has been identified in code-projects Refugee Food Management System 1.0. This affects an unknown part of the file /home/editfood.php. This manipulation of the argument a/b/c/d causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. 2025-12-29 6.3 CVE-2025-15209 VDB-338594 | code-projects Refugee Food Management System editfood.php sql injection
VDB-338594 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #722803 | code-projects Refugee Food Management System 1.0 SQL Injection
Submit #724713 | Code-projects Refugee Food Management System v1.0 SQL injection (Duplicate)
https://github.com/YZS17/CVE/blob/main/Refugee%20Food_Management_System/sqli_editfood.php.md
https://code-projects.org/
 
code-projects--Refugee Food Management System A security vulnerability has been detected in code-projects Refugee Food Management System 1.0. This vulnerability affects unknown code of the file /home/editrefugee.php. Such manipulation of the argument a/b/c/sex/d/e/nationality_nid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. 2025-12-29 6.3 CVE-2025-15210 VDB-338595 | code-projects Refugee Food Management System editrefugee.php sql injection
VDB-338595 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #722804 | code-projects Refugee Food Management System 1.0 SQL Injection
https://github.com/YZS17/CVE/blob/main/Refugee%20Food_Management_System/sqli_editrefugee.php.md
https://code-projects.org/
 
code-projects--Refugee Food Management System A flaw has been found in code-projects Refugee Food Management System 1.0. Impacted is an unknown function of the file /home/refugee.php. Executing manipulation of the argument refNo/Fname/Lname/sex/age/contact/nationality_nid can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used. 2025-12-30 6.3 CVE-2025-15211 VDB-338597 | code-projects Refugee Food Management System refugee.php sql injection
VDB-338597 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #722806 | code-projects Refugee Food Management System 1.0 SQL Injection
https://github.com/YZS17/CVE/blob/main/Refugee%20Food_Management_System/sqli_refugee.php.md
https://code-projects.org/
 
code-projects--Refugee Food Management System A vulnerability was detected in code-projects Refugee Food Management System 1.0. This issue affects some unknown processing of the file /home/regfood.php. Performing manipulation of the argument a results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. 2025-12-30 6.3 CVE-2025-15212 VDB-338596 | code-projects Refugee Food Management System regfood.php sql injection
VDB-338596 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #722807 | code-projects Refugee Food Management System 1.0 SQL Injection
Submit #724712 | Code-projects Refugee Food Management System v1.0 SQL injection (Duplicate)
https://github.com/YZS17/CVE/blob/main/Refugee%20Food_Management_System/sqli_regfood.php.md
https://code-projects.org/
 
aizuda--snail-job A vulnerability was determined in aizuda snail-job up to 1.7.0 on macOS. Affected by this vulnerability is the function FurySerializer.deserialize of the component API. This manipulation of the argument argsStr causes deserialization. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. 2025-12-30 6.3 CVE-2025-15246 VDB-338636 | aizuda snail-job API FurySerializer.deserialize deserialization
VDB-338636 | CTI Indicators (IOB, IOC, IOA)
https://gitee.com/aizuda/snail-job/issues/ICQV61
 
Tenda--W6-S A vulnerability was found in Tenda W6-S 1.0.0.4(510). This affects the function TendaAte of the file /goform/ate of the component ATE Service. Performing manipulation results in os command injection. The attack may be initiated remotely. The exploit has been made public and could be used. 2025-12-30 6.3 CVE-2025-15254 VDB-338644 | Tenda W6-S ATE Service ate TendaAte os command injection
VDB-338644 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #725499 | Tenda W6-S V1.0.0.4(510) OS Command Injection
https://github.com/dwBruijn/CVEs/blob/main/Tenda/ate.md
https://www.tenda.com.cn/
 
NetVision Information--ISOinsight ISOinsight developed by NetVision Information has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks. 2025-12-30 6.1 CVE-2025-15355 https://www.twcert.org.tw/tw/cp-132-10609-0221b-1.html
https://www.twcert.org.tw/en/cp-139-10610-b98b4-2.html
 
D-Link--DI-7400G+ A vulnerability was found in D-Link DI-7400G+ 19.12.25A1. This affects an unknown function of the file /msp_info.htm?flag=cmd. The manipulation of the argument cmd results in command injection. The attack can be launched remotely. The exploit has been made public and could be used. 2025-12-30 6.3 CVE-2025-15357 VDB-338743 | D-Link DI-7400G+ msp_info.htm command injection
VDB-338743 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #726376 | D-Link D-Link DI_7400G+ V19.12.25A1 Command Injection
https://github.com/xyh4ck/iot_poc/tree/main/D-Link_DI_7400G%2B_Command_Injection
https://www.dlink.com/
 
n/a--EyouCMS A security vulnerability has been detected in EyouCMS up to 1.7.7. Impacted is the function saveRemote of the file application/function.php. Such manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor is "[a]cknowledging the existence of the vulnerability, we have completed the fix and will release a new version, v1.7.8". 2025-12-31 6.3 CVE-2025-15373 VDB-339081 | EyouCMS function.php saveRemote server-side request forgery
VDB-339081 | CTI Indicators (IOB, IOC, IOA)
Submit #718465 | Eyoucms 1.7.7 SSRF Vulnerability
https://note-hxlab.wetolink.com/share/DeUFyoSjsPPK
https://note-hxlab.wetolink.com/share/DeUFyoSjsPPK#-span--strong-proof-of-concept---strong---span-
 
n/a--EyouCMS A flaw has been found in EyouCMS up to 1.7.7. The impacted element is the function unserialize of the file application/api/controller/Ajax.php of the component arcpagelist Handler. Executing manipulation of the argument attstr can lead to deserialization. The attack can be launched remotely. The exploit has been published and may be used. The vendor is "[a]cknowledging the existence of the vulnerability, we have completed the fix and will release a new version, v1.7.8". 2025-12-31 6.3 CVE-2025-15375 VDB-339083 | EyouCMS arcpagelist Ajax.php unserialize deserialization
VDB-339083 | CTI Indicators (IOB, IOC, IOA)
Submit #718481 | EyouCMS 1.7.7 Deserialization
https://note-hxlab.wetolink.com/share/2wLgcbKe9Toh
https://note-hxlab.wetolink.com/share/2wLgcbKe9Toh#-span--strong-proof-of-concept---strong---span-
 
PHPGurukul--Small CRM A security flaw has been discovered in PHPGurukul Small CRM 4.0. This impacts an unknown function of the file /admin/edit-user.php. The manipulation results in missing authorization. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. 2025-12-31 6.3 CVE-2025-15390 VDB-339151 | PHPGurukul Small CRM edit-user.php authorization
VDB-339151 | CTI Indicators (IOB, IOC, IOA)
Submit #727430 | PHPGurukul PHPGurukul Small Customer Relationship Management v4.0 Missing Authorization
https://github.com/rsecroot/Small-Customer-Relationship-Management-CRM-in-PHP/blob/main/Broken%20Access%20Control.md
https://phpgurukul.com/
 
D-Link--DIR-806A A weakness has been identified in D-Link DIR-806A 100CNb11. Affected is the function ssdpcgi_main of the component SSDP Request Handler. This manipulation causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. This vulnerability only affects products that are no longer supported by the maintainer. 2025-12-31 6.3 CVE-2025-15391 VDB-339152 | D-Link DIR-806A SSDP Request ssdpcgi_main command injection
VDB-339152 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #727637 | D-Link DIR-806A DIR806A1_FW100CNb11.bin Command Injection
https://github.com/ccc-iotsec/cve-/blob/D-Link/D-Link%20DIR-806A%E6%9C%AA%E6%8E%88%E6%9D%83RCE.md
https://www.dlink.com/
 
Kohana--KodiCMS A weakness has been identified in Kohana KodiCMS up to 13.82.135. This affects the function like of the file cms/modules/pages/classes/kodicms/model/page.php of the component Search API Endpoint. Executing manipulation of the argument keyword can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-31 6.3 CVE-2025-15392 VDB-339161 | Kohana KodiCMS Search API Endpoint page.php like sql injection
VDB-339161 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #718289 | KodiCMS https://github.com/KodiCMS-Kohana/cms 13.82.135 SQL Injection
 
Kohana--KodiCMS A security vulnerability has been detected in Kohana KodiCMS up to 13.82.135. This impacts the function Save of the file cms/modules/kodicms/classes/kodicms/model/file.php of the component Layout API Endpoint. The manipulation of the argument content leads to code injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-31 6.3 CVE-2025-15393 VDB-339162 | Kohana KodiCMS Layout API Endpoint file.php save code injection
VDB-339162 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #718290 | KodiCMS https://github.com/KodiCMS-Kohana/cms 13.82.135 Code Injection
 
campcodes--School File Management System A security vulnerability has been detected in campcodes School File Management System 1.0. The affected element is an unknown function of the file /save_file.php. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. 2026-01-01 6.3 CVE-2025-15404 VDB-339324 | campcodes School File Management System save_file.php unrestricted upload
VDB-339324 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #728102 | campcodes School File Management System V1.0 Unrestricted Upload
https://github.com/LaneyYu/cve/issues/7
https://www.campcodes.com/
 
PHPGurukul--Online Course Registration A flaw has been found in PHPGurukul Online Course Registration up to 3.1. This affects an unknown function. This manipulation causes missing authorization. Remote exploitation of the attack is possible. The exploit has been published and may be used. 2026-01-01 6.3 CVE-2025-15406 VDB-339326 | PHPGurukul Online Course Registration authorization
VDB-339326 | CTI Indicators (IOB, IOC)
Submit #728354 | PHPGurukul Online Course Registration v3.1 Missing Authorization
https://github.com/rsecroot/Online-Course-Registration/blob/main/Broken%20Access%20Control.md
https://phpgurukul.com/
 
EmpireSoft--EmpireCMS A vulnerability has been found in EmpireSoft EmpireCMS up to 8.0. Impacted is the function CheckSaveTranFiletype of the file e/class/connect.php. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-02 6.3 CVE-2025-15423 VDB-339345 | EmpireSoft EmpireCMS connect.php CheckSaveTranFiletype unrestricted upload
VDB-339345 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721346 | EmpireSoft EmpireCMS <= 8.0 Unrestricted Upload
https://note-hxlab.wetolink.com/share/28QXRLje7Uz1
https://note-hxlab.wetolink.com/share/28QXRLje7Uz1#-span--strong-proof-of-concept---strong---span-
 
n/a--Daptin A vulnerability was identified in Daptin 0.10.3. Affected by this vulnerability is the function goqu.L of the file server/resource/resource_aggregate.go of the component Aggregate API. The manipulation of the argument column/group/order leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-02 6.3 CVE-2025-15439 VDB-339384 | Daptin Aggregate API resource_aggregate.go goqu.L sql injection
VDB-339384 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #719742 | Daptin https://github.com/daptin/daptin 0.10.3 SQL Injection
https://note-hxlab.wetolink.com/share/yMZ8oEgMTAur
https://note-hxlab.wetolink.com/share/yMZ8oEgMTAur#-span--strong-proof-of-concept---strong---span-
 
AA-Team--Pro Bulk Watermark Plugin for WordPress Path Traversal: '.../...//' vulnerability in AA-Team Pro Bulk Watermark Plugin for WordPress allows Path Traversal.This issue affects Pro Bulk Watermark Plugin for WordPress: from n/a through 2.0. 2025-12-31 6.5 CVE-2025-28973 https://vdp.patchstack.com/database/wordpress/theme/pro-watermark/vulnerability/wordpress-pro-bulk-watermark-plugin-for-wordpress-2-0-path-traversal-vulnerability?_s_id=cve
 
Petlibrio--Smart Pet Feeder Platform Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains a broken access control vulnerability that allows authenticated users to access other users' pet data by exploiting missing ownership verification. Attackers can send requests to /member/pet/detailV2 with arbitrary pet IDs to retrieve sensitive information including pet details, member IDs, and avatar URLs without proper authorization checks. 2026-01-03 6.5 CVE-2025-3660 Security Research: Petlibro: Your Pet Feeder Is Feeding Data To Anyone Who Asks
VulnCheck Advisory: Petlibro Smart Pet Feeder Platform through 1.7.31 Broken Access Control via API endpoint
 
Audiomack--Audiomack Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Audiomack allows Stored XSS.This issue affects Audiomack: from n/a through 1.4.8. 2025-12-31 6.5 CVE-2025-49357 https://vdp.patchstack.com/database/wordpress/plugin/audiomack/vulnerability/wordpress-audiomack-plugin-1-4-8-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Ruhul Amin--Content Fetcher Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ruhul Amin Content Fetcher allows DOM-Based XSS.This issue affects Content Fetcher: from n/a through 1.1. 2025-12-31 6.5 CVE-2025-49358 https://vdp.patchstack.com/database/wordpress/plugin/content-fetcher/vulnerability/wordpress-content-fetcher-plugin-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Priority--Web CWE-601 URL Redirection to Untrusted Site ('Open Redirect') 2025-12-29 6.1 CVE-2025-55060 https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0
 
Neilgee--Bootstrap Modals Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Neilgee Bootstrap Modals allows Stored XSS.This issue affects Bootstrap Modals: from n/a through 1.3.2. 2025-12-31 6.5 CVE-2025-62095 https://vdp.patchstack.com/database/wordpress/plugin/bootstrap-modals/vulnerability/wordpress-bootstrap-modals-plugin-1-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
WPFactory--Maximum Products per User for WooCommerce Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Maximum Products per User for WooCommerce allows Stored XSS.This issue affects Maximum Products per User for WooCommerce: from n/a through 4.4.2. 2025-12-31 6.5 CVE-2025-62096 https://vdp.patchstack.com/database/wordpress/plugin/maximum-products-per-user-for-woocommerce/vulnerability/wordpress-maximum-products-per-user-for-woocommerce-plugin-4-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
SEOthemes--SEO Slider Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SEOthemes SEO Slider allows DOM-Based XSS.This issue affects SEO Slider: from n/a through 1.1.1. 2025-12-31 6.5 CVE-2025-62097 https://vdp.patchstack.com/database/wordpress/plugin/seo-slider/vulnerability/wordpress-seo-slider-plugin-1-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Webvitaly--Extra Shortcodes Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Webvitaly Extra Shortcodes allows Stored XSS.This issue affects Extra Shortcodes: from n/a through 2.2. 2025-12-31 6.5 CVE-2025-62111 https://vdp.patchstack.com/database/wordpress/plugin/extra-shortcodes/vulnerability/wordpress-extra-shortcodes-plugin-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
kcseopro--AdWords Conversion Tracking Code Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kcseopro AdWords Conversion Tracking Code allows Stored XSS.This issue affects AdWords Conversion Tracking Code: from n/a through 1.0. 2025-12-31 6.5 CVE-2025-62118 https://vdp.patchstack.com/database/wordpress/plugin/adwords-conversion-tracking-code/vulnerability/wordpress-adwords-conversion-tracking-code-plugin-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Anshul Gangrade--Custom Background Changer Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Anshul Gangrade Custom Background Changer custom-background-changer allows Stored XSS.This issue affects Custom Background Changer: from n/a through 3.0. 2025-12-31 6.5 CVE-2025-62125 https://vdp.patchstack.com/database/wordpress/plugin/custom-background-changer/vulnerability/wordpress-custom-background-changer-plugin-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
landwire--Responsive Block Control Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in landwire Responsive Block Control allows DOM-Based XSS.This issue affects Responsive Block Control: from n/a through 1.2.9. 2025-12-31 6.5 CVE-2025-62135 https://vdp.patchstack.com/database/wordpress/plugin/responsive-block-control/vulnerability/wordpress-responsive-block-control-plugin-1-2-9-cross-site-scripting-xss-vulnerability?_s_id=cve
 
ThinkUpThemes--Melos Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThinkUpThemes Melos allows Stored XSS.This issue affects Melos: from n/a through 1.6.0. 2025-12-31 6.5 CVE-2025-62136 https://vdp.patchstack.com/database/wordpress/theme/melos/vulnerability/wordpress-melos-theme-1-6-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Shuttlethemes--Shuttle Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shuttlethemes Shuttle allows Stored XSS.This issue affects Shuttle: from n/a through 1.5.0. 2025-12-31 6.5 CVE-2025-62137 https://vdp.patchstack.com/database/wordpress/theme/shuttle/vulnerability/wordpress-shuttle-theme-1-5-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Maksym Marko--MX Time Zone Clocks Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Maksym Marko MX Time Zone Clocks allows Stored XSS.This issue affects MX Time Zone Clocks: from n/a through 5.1.1. 2025-12-31 6.5 CVE-2025-62146 https://vdp.patchstack.com/database/wordpress/plugin/mx-time-zone-clocks/vulnerability/wordpress-mx-time-zone-clocks-plugin-5-1-1-cross-site-scripting-xss-vulnerability-2?_s_id=cve
 
Curator.io--Curator.io Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Curator.Io allows Stored XSS.This issue affects Curator.Io: from n/a through 1.9.5. 2025-12-31 6.5 CVE-2025-62742 https://vdp.patchstack.com/database/wordpress/plugin/curatorio/vulnerability/wordpress-curator-io-plugin-1-9-5-cross-site-scripting-xss-vulnerability?_s_id=cve
 
zookatron--MyBookTable Bookstore Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookTable Bookstore allows Stored XSS.This issue affects MyBookTable Bookstore: from n/a through 3.5.5. 2025-12-31 6.5 CVE-2025-62743 https://vdp.patchstack.com/database/wordpress/plugin/mybooktable/vulnerability/wordpress-mybooktable-bookstore-plugin-3-5-5-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Chris Steman--Page Title Splitter Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Steman Page Title Splitter allows Stored XSS.This issue affects Page Title Splitter: from n/a through 2.5.9. 2025-12-31 6.5 CVE-2025-62744 https://vdp.patchstack.com/database/wordpress/plugin/page-title-splitter/vulnerability/wordpress-page-title-splitter-plugin-2-5-9-cross-site-scripting-xss-vulnerability?_s_id=cve
 
CodeFlavors--Featured Video for WordPress & VideographyWP Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeFlavors Featured Video for WordPress & VideographyWP allows Stored XSS.This issue affects Featured Video for WordPress & VideographyWP: from n/a through 1.0.18. 2025-12-30 6.5 CVE-2025-62746 https://vdp.patchstack.com/database/wordpress/plugin/videographywp/vulnerability/wordpress-featured-video-for-wordpress-videographywp-plugin-1-0-18-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Genetech Products--Web and WooCommerce Addons for WPBakery Builder Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Genetech Products Web and WooCommerce Addons for WPBakery Builder allows DOM-Based XSS.This issue affects Web and WooCommerce Addons for WPBakery Builder: from n/a through 1.5. 2025-12-31 6.5 CVE-2025-62748 https://vdp.patchstack.com/database/wordpress/plugin/vc-addons-by-bit14/vulnerability/wordpress-web-and-woocommerce-addons-for-wpbakery-builder-plugin-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Bainternet--User Specific Content Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bainternet User Specific Content allows DOM-Based XSS.This issue affects User Specific Content: from n/a through 1.0.6. 2025-12-31 6.5 CVE-2025-62749 https://vdp.patchstack.com/database/wordpress/plugin/user-specific-content/vulnerability/wordpress-user-specific-content-plugin-1-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve
 
kalender.digital--Calendar.online / Kalender.digital Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kalender.Digital Calendar.Online / Kalender.Digital allows DOM-Based XSS.This issue affects Calendar.Online / Kalender.Digital: from n/a through 1.0.11. 2025-12-31 6.5 CVE-2025-62752 https://vdp.patchstack.com/database/wordpress/plugin/kalender-digital/vulnerability/wordpress-calendar-online-kalender-digital-plugin-1-0-11-cross-site-scripting-xss-vulnerability?_s_id=cve
 
lvaudore--The Moneytizer Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in lvaudore The Moneytizer allows DOM-Based XSS.This issue affects The Moneytizer: from n/a through 10.0.6. 2025-12-31 6.5 CVE-2025-62756 https://vdp.patchstack.com/database/wordpress/plugin/the-moneytizer/vulnerability/wordpress-the-moneytizer-plugin-10-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve
 
WebMan Design | Oliver Juhas--WebMan Amplifier Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebMan Design | Oliver Juhas WebMan Amplifier allows DOM-Based XSS.This issue affects WebMan Amplifier: from n/a through 1.5.12. 2025-12-31 6.5 CVE-2025-62757 https://vdp.patchstack.com/database/wordpress/plugin/webman-amplifier/vulnerability/wordpress-webman-amplifier-plugin-1-5-12-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Funnelforms--Funnelforms Free Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Funnelforms Funnelforms Free allows DOM-Based XSS.This issue affects Funnelforms Free: from n/a through 3.8. 2025-12-31 6.5 CVE-2025-62758 https://vdp.patchstack.com/database/wordpress/plugin/funnelforms-free/vulnerability/wordpress-funnelforms-free-plugin-3-8-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Justin Tadlock--Series Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Justin Tadlock Series allows Stored XSS.This issue affects Series: from n/a through 2.0.1. 2025-12-31 6.5 CVE-2025-62759 https://vdp.patchstack.com/database/wordpress/plugin/series/vulnerability/wordpress-series-plugin-2-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
BuddyDev--BuddyPress Activity Shortcode Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev BuddyPress Activity Shortcode allows Stored XSS.This issue affects BuddyPress Activity Shortcode: from n/a through 1.1.8. 2025-12-31 6.5 CVE-2025-62760 https://vdp.patchstack.com/database/wordpress/plugin/bp-activity-shortcode/vulnerability/wordpress-buddypress-activity-shortcode-plugin-1-1-8-cross-site-scripting-xss-vulnerability?_s_id=cve
 
BasePress--Knowledge Base documentation & wiki plugin BasePress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BasePress Knowledge Base documentation & wiki plugin - BasePress allows Stored XSS.This issue affects Knowledge Base documentation & wiki plugin - BasePress: from n/a through 2.17.0.1. 2025-12-31 6.5 CVE-2025-62761 https://vdp.patchstack.com/database/wordpress/plugin/basepress/vulnerability/wordpress-knowledge-base-documentation-wiki-plugin-basepress-plugin-2-17-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Livemesh--Livemesh Addons for Beaver Builder Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Livemesh Livemesh Addons for Beaver Builder addons-for-beaver-builder allows Stored XSS.This issue affects Livemesh Addons for Beaver Builder: from n/a through 3.9.2. 2025-12-31 6.5 CVE-2025-62990 https://vdp.patchstack.com/database/wordpress/plugin/addons-for-beaver-builder/vulnerability/wordpress-livemesh-addons-for-beaver-builder-plugin-3-9-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
ThinkUpThemes--Minamaze Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThinkUpThemes Minamaze allows Stored XSS.This issue affects Minamaze: from n/a through 1.10.1. 2025-12-31 6.5 CVE-2025-62991 https://vdp.patchstack.com/database/wordpress/theme/minamaze/vulnerability/wordpress-minamaze-theme-1-10-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Everest themes--Everest Backup Cross-Site Request Forgery (CSRF) vulnerability in Everest themes Everest Backup allows Path Traversal.This issue affects Everest Backup: from n/a through 2.3.9. 2025-12-31 6.5 CVE-2025-62992 https://vdp.patchstack.com/database/wordpress/plugin/everest-backup/vulnerability/wordpress-everest-backup-plugin-2-3-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
WP for church--Sermon Manager Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP for church Sermon Manager allows Stored XSS.This issue affects Sermon Manager: from n/a through 2.30.0. 2025-12-31 6.5 CVE-2025-63000 https://vdp.patchstack.com/database/wordpress/plugin/sermon-manager-for-wordpress/vulnerability/wordpress-sermon-manager-plugin-2-30-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Tomas--WordPress Tooltips Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tomas WordPress Tooltips allows Stored XSS.This issue affects WordPress Tooltips: from n/a through 10.7.9. 2025-12-31 6.5 CVE-2025-63005 https://vdp.patchstack.com/database/wordpress/plugin/wordpress-tooltips/vulnerability/wordpress-wordpress-tooltips-plugin-10-7-9-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Wayne Allen--Postie Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wayne Allen Postie postie allows Stored XSS.This issue affects Postie: from n/a through 1.9.73. 2025-12-31 6.5 CVE-2025-63020 https://vdp.patchstack.com/database/wordpress/plugin/postie/vulnerability/wordpress-postie-plugin-1-9-73-cross-site-scripting-xss-vulnerability?_s_id=cve
 
codetipi--Valenti Engine Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codetipi Valenti Engine allows DOM-Based XSS.This issue affects Valenti Engine: from n/a through 1.0.3. 2025-12-31 6.5 CVE-2025-63021 https://vdp.patchstack.com/database/wordpress/plugin/valenti-engine/vulnerability/wordpress-valenti-engine-plugin-1-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Webcreations907--WBC907 Core Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Webcreations907 WBC907 Core allows Stored XSS.This issue affects WBC907 Core: from n/a through 3.4.1. 2025-12-30 6.5 CVE-2025-63027 https://vdp.patchstack.com/database/wordpress/plugin/wbc907-core/vulnerability/wordpress-wbc907-core-plugin-3-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
ThinkUpThemes--Consulting Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThinkUpThemes Consulting allows Stored XSS.This issue affects Consulting: from n/a through 1.5.0. 2025-12-31 6.5 CVE-2025-63032 https://vdp.patchstack.com/database/wordpress/theme/consulting/vulnerability/wordpress-consulting-theme-1-5-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
8theme.com--XStore Core Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme.Com XStore Core allows DOM-Based XSS.This issue affects XStore Core: from n/a before 5.6. 2025-12-30 6.5 CVE-2025-64190 https://vdp.patchstack.com/database/wordpress/plugin/et-core-plugin/vulnerability/wordpress-xstore-core-plugin-5-6-cross-site-scripting-xss-vulnerability-2?_s_id=cve
 
dmccan--Yada Wiki Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yada Wiki yada-wiki allows Stored XSS.This issue affects Yada Wiki: from n/a through 3.5. 2025-12-30 6.5 CVE-2025-66094 https://vdp.patchstack.com/database/wordpress/plugin/yada-wiki/vulnerability/wordpress-yada-wiki-plugin-3-5-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Revmakx--WPCal.io Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Revmakx WPCal.Io allows DOM-Based XSS.This issue affects WPCal.Io: from n/a through 0.9.5.9. 2025-12-30 6.5 CVE-2025-66103 https://vdp.patchstack.com/database/wordpress/plugin/wpcal/vulnerability/wordpress-wpcal-io-plugin-0-9-5-9-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Esri--ArcGIS Server There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim's browser. 2025-12-31 6.1 CVE-2025-67703 https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch
 
Esri--ArcGIS Server There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim's browser. 2025-12-31 6.1 CVE-2025-67704 https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch
 
Esri--ArcGIS Server There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim's browser. 2025-12-31 6.1 CVE-2025-67705 https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch
 
Esri--ArcGIS Server There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim's browser. 2025-12-31 6.1 CVE-2025-67708 https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch
 
Esri--ArcGIS Server There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim's browser. 2025-12-31 6.1 CVE-2025-67709 https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch
 
Esri--ArcGIS Server There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim's browser. 2025-12-31 6.1 CVE-2025-67710 https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch
 
Esri--ArcGIS Server There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim's browser. 2025-12-31 6.1 CVE-2025-67711 https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch
 
weDevs--WP Project Manager Insertion of Sensitive Information Into Sent Data vulnerability in weDevs WP Project Manager wedevs-project-manager allows Retrieve Embedded Sensitive Data.This issue affects WP Project Manager: from n/a through 3.0.1. 2025-12-29 6.5 CVE-2025-68040 https://vdp.patchstack.com/database/wordpress/plugin/wedevs-project-manager/vulnerability/wordpress-wp-project-manager-plugin-2-6-29-sensitive-data-exposure-vulnerability?_s_id=cve
 
strukturag--libheif libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to `size_t` and is passed to `memcpy`, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using `iovl` overlay boxes. 2025-12-29 6.5 CVE-2025-68431 https://github.com/strukturag/libheif/security/advisories/GHSA-j87x-4gmq-cqfq
https://github.com/strukturag/libheif/commit/b8c12a7b70f46c9516711a988483bed377b78d46
https://github.com/strukturag/libheif/releases/tag/v1.21.0
 
Crocoblock--JetTabs Missing Authorization vulnerability in Crocoblock JetTabs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetTabs: from n/a through 2.2.12. 2025-12-29 6.5 CVE-2025-68498 https://vdp.patchstack.com/database/wordpress/plugin/jet-tabs/vulnerability/wordpress-jettabs-plugin-2-2-12-broken-access-control-vulnerability?_s_id=cve
 
Crocoblock--JetTabs Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetTabs allows DOM-Based XSS.This issue affects JetTabs: from n/a through 2.2.12. 2025-12-29 6.5 CVE-2025-68499 https://vdp.patchstack.com/database/wordpress/plugin/jet-tabs/vulnerability/wordpress-jettabs-plugin-2-2-12-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Crocoblock--JetBlog Missing Authorization vulnerability in Crocoblock JetBlog allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetBlog: from n/a through 2.4.7. 2025-12-29 6.5 CVE-2025-68503 https://vdp.patchstack.com/database/wordpress/plugin/jet-blog/vulnerability/wordpress-jetblog-plugin-2-4-7-broken-access-control-vulnerability?_s_id=cve
 
Crocoblock--JetSearch Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch allows DOM-Based XSS.This issue affects JetSearch: from n/a through 3.5.16. 2025-12-29 6.5 CVE-2025-68504 https://vdp.patchstack.com/database/wordpress/plugin/jet-search/vulnerability/wordpress-jetsearch-plugin-3-5-16-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Hiroaki Miyashita--Custom Field Template Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hiroaki Miyashita Custom Field Template allows Stored XSS.This issue affects Custom Field Template: from n/a through 2.7.5. 2025-12-29 6.5 CVE-2025-68607 https://vdp.patchstack.com/database/wordpress/plugin/custom-field-template/vulnerability/wordpress-custom-field-template-plugin-2-7-5-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Codeaffairs--Wp Text Slider Widget Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codeaffairs Wp Text Slider Widget allows Stored XSS.This issue affects Wp Text Slider Widget: from n/a through 1.0. 2025-12-29 6.5 CVE-2025-68868 https://vdp.patchstack.com/database/wordpress/plugin/wp-text-slider-widget/vulnerability/wordpress-wp-text-slider-widget-plugin-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
SignalK--signalk-server Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the access request system have two related features that when combined by themselves and with an information disclosure vulnerability enable convincing social engineering attacks against administrators. When a device creates an access request, it specifies three fields: `clientId`, `description`, and `permissions`. The SignalK admin UI displays the `description` field prominently to the administrator when showing pending requests, but the actual `permissions` field (which determines the access level granted) is less visible or displayed separately. This allows an attacker to request `admin` permissions while providing a description that suggests readonly access. The access request handler trusts the `X-Forwarded-For` HTTP header without validation to determine the client's IP address. This header is intended to preserve the original client IP when requests pass through reverse proxies, but when trusted unconditionally, it allows attackers to spoof their IP address. The spoofed IP is displayed to administrators in the access request approval interface, potentially making malicious requests appear to originate from trusted internal network addresses. Since device/source names can be enumerated via the information disclosure vulnerability, an attacker can impersonate a legitimate device or source, craft a convincing description, spoof a trusted internal IP address, and request elevated permissions, creating a highly convincing social engineering scenario that increases the likelihood of administrator approval. Users should upgrade to version 2.19.0 to fix this issue. 2026-01-01 6.3 CVE-2025-69203 https://github.com/SignalK/signalk-server/security/advisories/GHSA-vfrf-vcj7-wvr8
https://github.com/SignalK/signalk-server/releases/tag/v2.19.0
 
olell--uURU Micro Registration Utility (µURU) is a telephone self registration utility based on asterisk. In versions up to and including commit 88db9a953f38a3026bcd6816d51c7f3b93c55893, an attacker can crafts a special federation name and characters treated special by asterisk can be injected into the `Dial( )` application due to improper input validation. This allows an attacker to redirect calls on both of the federating instances. If the attack succeeds, the impact is very high. However, the requires that an admin accept the federation requests. As of time of publication, a known patched version of µURU is not available. 2025-12-29 6.3 CVE-2025-69205 https://github.com/olell/uURU/security/advisories/GHSA-xvrh-pm3f-79v4
https://docs.asterisk.org/Latest_API/API_Documentation/Dialplan_Applications/Dial
 
AsfhtgkDavid--theshit theshit is a command-line utility that automatically detects and fixes common mistakes in shell commands. Prior to version 0.1.1, the application loads custom Python rules and configuration files from user-writable locations (e.g., `~/.config/theshit/`) without validating ownership or permissions when executed with elevated privileges. If the tool is invoked with `sudo` or otherwise runs with an effective UID of root, it continues to trust configuration files originating from the unprivileged user's environment. This allows a local attacker to inject arbitrary Python code via a malicious rule or configuration file, which is then executed with root privileges. Any system where this tool is executed with elevated privileges is affected. In environments where the tool is permitted to run via `sudo` without a password (`NOPASSWD`), a local unprivileged user can escalate privileges to root without additional interaction. The issue has been fixed in version 0.1.1. The patch introduces strict ownership and permission checks for all configuration files and custom rules. The application now enforces that rules are only loaded if they are owned by the effective user executing the tool. When executed with elevated privileges (`EUID=0`), the application refuses to load any files that are not owned by root or that are writable by non-root users. When executed as a non-root user, it similarly refuses to load rules owned by other users. This prevents both vertical and horizontal privilege escalation via execution of untrusted code. If upgrading is not possible, users should avoid executing the application with `sudo` or as the root user. As a temporary mitigation, ensure that directories containing custom rules and configuration files are owned by root and are not writable by non-root users. Administrators may also audit existing custom rules before running the tool with elevated privileges. 2025-12-30 6.7 CVE-2025-69257 https://github.com/AsfhtgkDavid/theshit/security/advisories/GHSA-95qg-89c2-w5hj
https://github.com/AsfhtgkDavid/theshit/commit/8e0b565e7876a83b0e1cfbacb8af39dadfdcc500
 
PHPGurukul--Online Course Registration A vulnerability was found in PHPGurukul Online Course Registration up to 3.1. This issue affects some unknown processing of the file /admin/edit-student-profile.php of the component Student Registration Page. The manipulation of the argument photo results in unrestricted upload. The attack may be launched remotely. The exploit has been made public and could be used. 2026-01-02 6.3 CVE-2026-0547 VDB-339355 | PHPGurukul Online Course Registration Student Registration edit-student-profile.php unrestricted upload
VDB-339355 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #728988 | PHPGurukul Online Course Registration v3.1 Cross Site Scripting
https://github.com/rsecroot/Online-Course-Registration/blob/main/Cross%20Site%20Scripting.md
https://phpgurukul.com/
 
yeqifu--warehouse A weakness has been identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function saveUserRole of the file warehouse\src\main\java\com\yeqifu\sys\controller\UserController.java of the component Request Handler. This manipulation causes improper authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. 2026-01-04 6.3 CVE-2026-0574 VDB-339458 | yeqifu warehouse Request UserController.java saveUserRole improper authorization
VDB-339458 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #729374 | yeqifu warehouse aaf29962ba407d22d991781de28796ee7b4670e4 vertical privilege escalation
https://github.com/5i1encee/Vul/blob/main/Vertical_privilege_escalation_Vulnerability_in_Project_yeqifu_warehouse.md
https://github.com/5i1encee/Vul/blob/main/Vertical_privilege_escalation_Vulnerability_in_Project_yeqifu_warehouse.md#poc
 
code-projects--Online Product Reservation System A flaw has been found in code-projects Online Product Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file /handgunner-administrator/prod.php. Executing manipulation can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been published and may be used. 2026-01-04 6.3 CVE-2026-0577 VDB-339461 | code-projects Online Product Reservation System prod.php unrestricted upload
VDB-339461 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #731015 | code-projects Online Product Reservation system in PHP with source code V1.0 Unrestricted Upload
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/file_upload_prod.php.md
https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/file_upload_prod.php.md#poc
https://code-projects.org/
 
STVS SA--STVS ProVision STVS ProVision 5.9.10 contains a cross-site scripting vulnerability in the 'files' POST parameter that allows authenticated attackers to inject arbitrary HTML code. Attackers can exploit the unvalidated input to execute malicious scripts within a user's browser session in the context of the affected site. 2025-12-31 5.4 CVE-2021-47725 Zero Science Lab Disclosure (ZSL-2021-5624)
Packet Storm Security Exploit Entry
CXSecurity Vulnerability Listing
IBM X-Force Vulnerability Exchange
Vendor Homepage
VulnCheck Advisory: STVS ProVision 5.9.10 Authenticated Reflected Cross-Site Scripting via Files Parameter
 
CodexThemes--TheGem (Elementor) Vulnerability in CodexThemes TheGem (Elementor), CodexThemes TheGem (WPBakery).This issue affects TheGem (Elementor): from n/a before 5.8.1.1; TheGem (WPBakery): from n/a before 5.8.1.1. 2025-12-29 5.4 CVE-2023-32238 https://vdp.patchstack.com/database/wordpress/theme/thegem-elementor/vulnerability/wordpress-thegem-elementor-theme-5-7-2-broken-access-control-vulnerability?_s_id=cve
 
wpdive--Better Elementor Addons Missing Authorization vulnerability in wpdive Better Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Better Elementor Addons: from n/a through 1.3.7. 2025-12-29 5.4 CVE-2023-41656 https://vdp.patchstack.com/database/wordpress/plugin/better-elementor-addons/vulnerability/wordpress-better-elementor-addons-plugin-1-3-5-broken-access-control-vulnerability?_s_id=cve
 
tareq1988--User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration The Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission - WP User Frontend plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'Frontend_Form_Ajax::submit_post' function in all versions up to, and including, 4.2.4. This makes it possible for unauthenticated attackers to delete attachment. 2026-01-02 5.3 CVE-2025-14047 https://www.wordfence.com/threat-intel/vulnerabilities/id/6e95b16f-a25a-45c7-a875-2d34a1e127ce?source=cve
https://plugins.trac.wordpress.org/changeset/3430352/wp-user-frontend/trunk/includes/Ajax/Frontend_Form_Ajax.php
https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.2/includes/Ajax.php#L25
https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.2/includes/Ajax.php#L69
https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.2/includes/Ajax/Frontend_Form_Ajax.php#L35
https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.2/includes/Ajax/Frontend_Form_Ajax.php#L55
https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.2/includes/Ajax/Frontend_Form_Ajax.php#L133
 
pixelyoursite--PixelYourSite Your smart PIXEL (TAG) & API Manager The PixelYourSite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.1.5 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, when the "Meta API logs" setting is enabled (disabled by default). The vulnerability was partially patched in version 11.1.5 and fully patched in version 11.1.5.1. 2025-12-29 5.3 CVE-2025-14280 https://www.wordfence.com/threat-intel/vulnerabilities/id/0fe77926-8a43-42ce-9d3d-3aac2334dcbd?source=cve
https://plugins.trac.wordpress.org/browser/pixelyoursite/tags/11.1.4.2/includes/logger/class-pys-logger.php#L118
https://plugins.trac.wordpress.org/changeset/3424175/pixelyoursite
https://plugins.trac.wordpress.org/changeset/3416113/pixelyoursite
 
Gmission--Web Fax Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization vulnerability in Gmission Web Fax allows Authentication Abuse.This issue affects Web Fax: from 3.0 before 4.0. 2025-12-29 5.5 CVE-2025-15070 https://www.gmission.co.kr/fax1
 
n/a--Open5GS A flaw has been found in Open5GS up to 2.7.5. This affects the function decode_ipv6_header/ogs_pfcp_pdr_rule_find_by_packet of the file lib/pfcp/rule-match.c of the component PFCP Session Establishment Request Handler. Executing manipulation can lead to reachable assertion. It is possible to launch the attack remotely. The exploit has been published and may be used. This patch is called b72d8349980076e2c033c8324f07747a86eea4f8. Applying a patch is advised to resolve this issue. 2025-12-29 5.3 CVE-2025-15176 VDB-338561 | Open5GS PFCP Session Establishment Request rule-match.c ogs_pfcp_pdr_rule_find_by_packet assertion
VDB-338561 | CTI Indicators (IOB, IOC, IOA)
Submit #719830 | Open5GS v2.7.5 Reachable Assertion
https://github.com/open5gs/open5gs/issues/4180
https://github.com/open5gs/open5gs/issues/4180#issuecomment-3615555671
https://github.com/open5gs/open5gs/issues/4180#issue-3666760066
https://github.com/open5gs/open5gs/commit/b72d8349980076e2c033c8324f07747a86eea4f8
 
Dromara--Sa-Token A vulnerability has been found in Dromara Sa-Token up to 1.44.0. This issue affects the function ObjectInputStream.readObject of the file SaSerializerTemplateForJdkUseBase64.java. Such manipulation leads to deserialization. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-30 5 CVE-2025-15222 VDB-338607 | Dromara Sa-Token SaSerializerTemplateForJdkUseBase64.java ObjectInputStream.readObject deserialization
VDB-338607 | CTI Indicators (IOB, IOC, IOA)
Submit #717703 | https://github.com/dromara/sa-token Sa-Token <=1.44.0 Deserialization
https://github.com/Yohane-Mashiro/satoken-deserialization
 
Tenda--CH22 A vulnerability has been found in Tenda CH22 up to 1.0.0.1. Affected by this vulnerability is the function fromDhcpListClient of the file /goform/DhcpListClient. Such manipulation of the argument LISTLEN leads to denial of service. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. 2025-12-30 5.3 CVE-2025-15229 VDB-338625 | Tenda CH22 DhcpListClient fromDhcpListClient denial of service
VDB-338625 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #725472 | Tenda CH22 V1.0.0.1 Denial of Service
https://github.com/master-abc/cve/issues/7
https://www.tenda.com.cn/
 
beecue--FastBee A vulnerability was detected in beecue FastBee up to 2.1. Impacted is the function getRootElement of the file springboot/fastbee-server/sip-server/src/main/java/com/fastbee/sip/handler/req/ReqAbstractHandler.java of the component SIP Message Handler. The manipulation results in xml external entity reference. It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. The project owner replied to the issue report: "Okay, we'll handle it as soon as possible." 2025-12-30 5.6 CVE-2025-15251 VDB-338641 | beecue FastBee SIP Message ReqAbstractHandler.java getRootElement xml external entity reference
VDB-338641 | CTI Indicators (IOB, IOC, IOA)
https://gitee.com/beecue/fastbee/issues/ID7HNZ
https://gitee.com/beecue/fastbee/issues/ID7HNZ#note_47777408_link
 
WebAssembly--wabt A weakness has been identified in WebAssembly wabt up to 1.0.39. This vulnerability affects the function wabt::AST::InsertNode of the file /src/repro/wabt/bin/wasm-decompile of the component wasm-decompile. This manipulation causes memory corruption. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. Unfortunately, the project has no active maintainer at the moment. In a reply to the issue report somebody recommended to the researcher to provide a PR himself. 2026-01-01 5.3 CVE-2025-15411 VDB-339332 | WebAssembly wabt wasm-decompile InsertNode memory corruption
VDB-339332 | CTI Indicators (IOB, IOC, IOA)
Submit #719825 | WebAssembly wabt 1.0.39 and master-branch Heap-based Buffer Overflow
https://github.com/WebAssembly/wabt/issues/2679
https://github.com/oneafter/1208/blob/main/af1
 
WebAssembly--wabt A security vulnerability has been detected in WebAssembly wabt up to 1.0.39. This issue affects the function wabt::Decompiler::VarName of the file /src/repro/wabt/bin/wasm-decompile of the component wasm-decompile. Such manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. Unfortunately, the project has no active maintainer at the moment. In a reply to the issue report somebody recommended to the researcher to provide a PR himself. 2026-01-01 5.3 CVE-2025-15412 VDB-339333 | WebAssembly wabt wasm-decompile VarName out-of-bounds
VDB-339333 | CTI Indicators (IOB, IOC, IOA)
Submit #719826 | WebAssembly wabt 1.0.39 and master-branch Memory Corruption
https://github.com/WebAssembly/wabt/issues/2678
https://github.com/oneafter/1208/blob/main/af1
 
n/a--wasm3 A vulnerability was detected in wasm3 up to 0.5.0. Impacted is the function op_SetSlot_i32/op_CallIndirect of the file m3_exec.h. Performing manipulation results in memory corruption. The attack needs to be approached locally. The exploit is now public and may be used. Unfortunately, the project has no active maintainer at the moment. 2026-01-01 5.3 CVE-2025-15413 VDB-339334 | wasm3 m3_exec.h op_CallIndirect memory corruption
VDB-339334 | CTI Indicators (IOB, IOC, IOA)
Submit #719829 | wasm3 v0.5.0 and master-branch Memory Corruption
Submit #719831 | wasm3 v0.5.0 and master-branch Memory Corruption (Duplicate)
https://github.com/wasm3/wasm3/issues/543
https://github.com/wasm3/wasm3/issues/547
 
EmpireSoft--EmpireCMS A flaw has been found in EmpireSoft EmpireCMS up to 8.0. This issue affects the function egetip of the file e/class/connect.php of the component IP Address Handler. This manipulation causes protection mechanism failure. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-02 5.3 CVE-2025-15422 VDB-339344 | EmpireSoft EmpireCMS IP Address connect.php egetip protection mechanism
VDB-339344 | CTI Indicators (IOB, IOC, IOA)
Submit #721344 | EmpireCMS <=8.0 Privilege Escalation
https://note-hxlab.wetolink.com/share/0x74KEtzecFb
https://note-hxlab.wetolink.com/share/0x74KEtzecFb#-span--strong-proof-of-concept---strong---span-
 
yeqifu--carRental A vulnerability has been found in yeqifu carRental up to 3fabb7eae93d209426638863980301d6f99866b3. This vulnerability affects the function downloadShowFile of the file /file/downloadShowFile.action of the component com.yeqifu.sys.controller.FileController. The manipulation of the argument path leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet. 2026-01-02 5.3 CVE-2025-15432 VDB-339354 | yeqifu carRental com.yeqifu.sys.controller.FileController downloadShowFile.action downloadShowFile path traversal
VDB-339354 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #723220 | https://github.com/yeqifu carRental latest Path Traversal
https://github.com/yeqifu/carRental/issues/46
 
Petlibrio--Smart Pet Feeder Platform Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an information disclosure vulnerability that allows unauthorized access to private audio recordings by exploiting sequential audio IDs and insecure assignment endpoints. Attackers can send requests to /device/deviceAudio/use with arbitrary audio IDs to assign recordings to any device, then retrieve audio URLs to access other users' private recordings. 2026-01-03 5.3 CVE-2025-3652 Security Research: Petlibro: Your Pet Feeder Is Feeding Data To Anyone Who Asks
VulnCheck Advisory: Petlibro Smart Pet Feeder Platform through 1.7.31 Audio Information Disclosure via API endpoint
 
Petlibrio--Smart Pet Feeder Platform Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an information disclosure vulnerability that allows unauthorized access to device hardware information by exploiting insecure API endpoints. Attackers can retrieve device serial numbers and MAC addresses through /device/devicePetRelation/getBoundDevices using pet IDs, enabling full device control without proper authorization checks. 2026-01-03 5.3 CVE-2025-3654 Security Research: Petlibro: Your Pet Feeder Is Feeding Data To Anyone Who Asks
VulnCheck Advisory: Petlibro Smart Pet Feeder Platform through 1.7.31 Information Disclosure via API endpoint
 
Eduardo Villo--MyD Delivery Authorization Bypass Through User-Controlled Key vulnerability in Eduardo Villão MyD Delivery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MyD Delivery: from n/a through 1.3.7. 2025-12-31 5.3 CVE-2025-49334 https://vdp.patchstack.com/database/wordpress/plugin/myd-delivery/vulnerability/wordpress-myd-delivery-plugin-1-3-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
janhenckens--Dashboard Beacon Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in janhenckens Dashboard Beacon allows Stored XSS.This issue affects Dashboard Beacon: from n/a through 1.2.0. 2025-12-31 5.9 CVE-2025-49337 https://vdp.patchstack.com/database/wordpress/plugin/wp-dashboard-beacon/vulnerability/wordpress-dashboard-beacon-plugin-1-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Flowbox--Flowbox Missing Authorization vulnerability in Flowbox allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flowbox: from n/a through 1.1.5. 2025-12-31 5.3 CVE-2025-49338 https://vdp.patchstack.com/database/wordpress/plugin/flowbox/vulnerability/wordpress-flowbox-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve
 
Reuters News Agency--Reuters Direct Missing Authorization vulnerability in Reuters News Agency Reuters Direct allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Reuters Direct: from n/a through 3.0.0. 2025-12-31 5.3 CVE-2025-49349 https://vdp.patchstack.com/database/wordpress/plugin/reuters-direct/vulnerability/wordpress-reuters-direct-plugin-3-0-0-broken-access-control-vulnerability?_s_id=cve
 
ikaes--Accessibility Press Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ikaes Accessibility Press allows Stored XSS.This issue affects Accessibility Press: from n/a through 1.0.2. 2025-12-31 5.9 CVE-2025-49355 https://vdp.patchstack.com/database/wordpress/plugin/ilogic-accessibility/vulnerability/wordpress-accessibility-press-plugin-1-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
meshtastic--firmware Meshtastic is an open source mesh networking solution. The Meshtastic firmware (starting from version 2.5) introduces asymmetric encryption (PKI) for direct messages, but when the `pki_encrypted` flag is missing, the firmware silently falls back to legacy AES-256-CTR channel encryption. This was an intentional decision to maintain backwards compatibility. However, the end-user applications, like Web app, iOS/Android app, and applications built on top of Meshtastic using the SDK, did not have a way to differentiate between end-to-end encrypted DMs and the legacy DMs. This creates a downgrade attack path where adversaries who know a shared channel key can craft and inject spoofed direct messages that are displayed as if they were PKC encrypted. Users are not given any feedback of whether a direct message was decrypted with PKI or with legacy symmetric encryption, undermining the expected security guarantees of the PKI rollout. Version 2.7.15 fixes this issue. 2025-12-29 5.3 CVE-2025-53627 https://github.com/meshtastic/firmware/security/advisories/GHSA-377p-prwp-4hwf
 
Inkthemescom--Black Rider Insertion of Sensitive Information Into Sent Data vulnerability in Inkthemescom Black Rider allows Retrieve Embedded Sensitive Data.This issue affects Black Rider: from n/a through 1.2.3. 2025-12-31 5.8 CVE-2025-59003 https://vdp.patchstack.com/database/wordpress/theme/black-rider/vulnerability/wordpress-black-rider-theme-1-2-3-sensitive-data-exposure-vulnerability?_s_id=cve
 
eLEOPARD--Behance Portfolio Manager Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eLEOPARD Behance Portfolio Manager allows Stored XSS.This issue affects Behance Portfolio Manager: from n/a through 1.7.5. 2025-12-31 5.9 CVE-2025-59135 https://vdp.patchstack.com/database/wordpress/plugin/portfolio-manager-powered-by-behance/vulnerability/wordpress-behance-portfolio-manager-plugin-1-7-5-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Ef Bank--Gerencianet Oficial Insertion of Sensitive Information Into Sent Data vulnerability in Efí Bank Gerencianet Oficial allows Retrieve Embedded Sensitive Data.This issue affects Gerencianet Oficial: from n/a through 3.1.3. 2025-12-31 5.3 CVE-2025-59136 https://vdp.patchstack.com/database/wordpress/plugin/woo-gerencianet-official/vulnerability/wordpress-gerencianet-oficial-plugin-3-1-3-sensitive-data-exposure-vulnerability?_s_id=cve
 
Damian--WP Export Categories & Taxonomies Missing Authorization vulnerability in Damian WP Export Categories & Taxonomies allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Export Categories &amp; Taxonomies: from n/a through 1.0.3. 2025-12-31 5.3 CVE-2025-62079 https://vdp.patchstack.com/database/wordpress/plugin/wp-export-categories-taxonomies/vulnerability/wordpress-wp-export-categories-taxonomies-plugin-1-0-3-broken-access-control-vulnerability?_s_id=cve
 
Channelize.io Team--Live Shopping & Shoppable Videos For WooCommerce Missing Authorization vulnerability in Channelize.Io Team Live Shopping & Shoppable Videos For WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Live Shopping & Shoppable Videos For WooCommerce: from n/a through 2.2.0. 2025-12-31 5.3 CVE-2025-62081 https://vdp.patchstack.com/database/wordpress/plugin/live-shopping-video-streams/vulnerability/wordpress-live-shopping-shoppable-videos-for-woocommerce-plugin-2-2-0-broken-access-control-vulnerability?_s_id=cve
 
extendons--WordPress & WooCommerce Scraper Plugin, Import Data from Any Site Server-Side Request Forgery (SSRF) vulnerability in extendons WordPress & WooCommerce Scraper Plugin, Import Data from Any Site allows Server Side Request Forgery.This issue affects WordPress & WooCommerce Scraper Plugin, Import Data from Any Site: from n/a through 1.0.7. 2025-12-31 5.4 CVE-2025-62088 https://vdp.patchstack.com/database/wordpress/plugin/wp_scraper/vulnerability/wordpress-wordpress-woocommerce-scraper-plugin-import-data-from-any-site-plugin-1-0-7-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
 
Vollstart--Serial Codes Generator and Validator with WooCommerce Support Missing Authorization vulnerability in Vollstart Serial Codes Generator and Validator with WooCommerce Support allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Serial Codes Generator and Validator with WooCommerce Support: from n/a through 2.8.2. 2025-12-31 5.4 CVE-2025-62091 https://vdp.patchstack.com/database/wordpress/plugin/serial-codes-generator-and-validator/vulnerability/wordpress-serial-codes-generator-and-validator-with-woocommerce-support-plugin-2-8-2-broken-access-control-vulnerability?_s_id=cve
 
Wiremo--Wiremo Missing Authorization vulnerability in Wiremo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wiremo: from n/a through 1.4.99. 2025-12-31 5.3 CVE-2025-62092 https://vdp.patchstack.com/database/wordpress/plugin/woo-reviews-by-wiremo/vulnerability/wordpress-wiremo-plugin-1-4-99-broken-access-control-vulnerability?_s_id=cve
 
Totalsoft--Portfolio Gallery Missing Authorization vulnerability in Totalsoft Portfolio Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Portfolio Gallery: from n/a through 1.4.8. 2025-12-31 5.4 CVE-2025-62098 https://vdp.patchstack.com/database/wordpress/plugin/gallery-portfolio/vulnerability/wordpress-portfolio-gallery-plugin-1-4-8-broken-access-control-vulnerability?_s_id=cve
 
SaifuMak--Add Custom Codes Missing Authorization vulnerability in SaifuMak Add Custom Codes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Add Custom Codes: from n/a through 4.80. 2025-12-31 5.4 CVE-2025-62108 https://vdp.patchstack.com/database/wordpress/plugin/add-custom-codes/vulnerability/wordpress-add-custom-codes-plugin-4-80-broken-access-control-vulnerability?_s_id=cve
 
Marcelo Torres--Download Media Library Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Marcelo Torres Download Media Library allows Retrieve Embedded Sensitive Data.This issue affects Download Media Library: from n/a through 0.2.1. 2025-12-31 5.3 CVE-2025-62114 https://vdp.patchstack.com/database/wordpress/plugin/download-media-library/vulnerability/wordpress-download-media-library-plugin-0-2-1-sensitive-data-exposure-vulnerability?_s_id=cve
 
Quadlayers--AI Copilot Missing Authorization vulnerability in Quadlayers AI Copilot allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Copilot: from n/a through 1.4.7. 2025-12-31 5.3 CVE-2025-62116 https://vdp.patchstack.com/database/wordpress/plugin/ai-copilot/vulnerability/wordpress-ai-copilot-plugin-1-4-7-broken-access-control-vulnerability?_s_id=cve
 
Jayce53--EasyIndex Cross-Site Request Forgery (CSRF) vulnerability in Jayce53 EasyIndex easyindex allows Cross Site Request Forgery.This issue affects EasyIndex: from n/a through 1.1.1704. 2025-12-31 5.4 CVE-2025-62117 https://vdp.patchstack.com/database/wordpress/plugin/easyindex/vulnerability/wordpress-easyindex-plugin-1-1-1704-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
ViitorCloud Technologies Pvt Ltd--Add Featured Image Custom Link Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ViitorCloud Technologies Pvt Ltd Add Featured Image Custom Link allows DOM-Based XSS.This issue affects Add Featured Image Custom Link: from n/a through 2.0.0. 2025-12-31 5.9 CVE-2025-62119 https://vdp.patchstack.com/database/wordpress/plugin/custom-url-to-featured-image/vulnerability/wordpress-add-featured-image-custom-link-plugin-2-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Rick Beckman--OpenHook Cross-Site Request Forgery (CSRF) vulnerability in Rick Beckman OpenHook allows Cross Site Request Forgery.This issue affects OpenHook: from n/a through 4.3.1. 2025-12-31 5.4 CVE-2025-62120 https://vdp.patchstack.com/database/wordpress/plugin/thesis-openhook/vulnerability/wordpress-openhook-plugin-4-3-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Imran Emu--Logo Slider , Logo Carousel , Logo showcase , Client Logo Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu Logo Slider , Logo Carousel , Logo showcase , Client Logo allows Stored XSS.This issue affects Logo Slider , Logo Carousel , Logo showcase , Client Logo: from n/a through 1.8.1. 2025-12-31 5.9 CVE-2025-62121 https://vdp.patchstack.com/database/wordpress/plugin/tc-logo-slider/vulnerability/wordpress-logo-slider-logo-carousel-logo-showcase-client-logo-plugin-1-8-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Solwininfotech--Trash Duplicate and 301 Redirect Missing Authorization vulnerability in Solwininfotech Trash Duplicate and 301 Redirect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Trash Duplicate and 301 Redirect: from n/a through 1.9.1. 2025-12-31 5.3 CVE-2025-62122 https://vdp.patchstack.com/database/wordpress/plugin/trash-duplicate-and-301-redirect/vulnerability/wordpress-trash-duplicate-and-301-redirect-plugin-1-9-1-broken-access-control-vulnerability?_s_id=cve
 
Soli--WP Post Signature Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soli WP Post Signature allows Stored XSS.This issue affects WP Post Signature: from n/a through 0.4.1. 2025-12-31 5.9 CVE-2025-62124 https://vdp.patchstack.com/database/wordpress/plugin/wp-post-signature/vulnerability/wordpress-wp-post-signature-plugin-0-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Razvan Stanga--Varnish/Nginx Proxy Caching Insertion of Sensitive Information Into Sent Data vulnerability in Razvan Stanga Varnish/Nginx Proxy Caching allows Retrieve Embedded Sensitive Data.This issue affects Varnish/Nginx Proxy Caching: from n/a through 1.8.3. 2025-12-31 5.3 CVE-2025-62126 https://vdp.patchstack.com/database/wordpress/plugin/vcaching/vulnerability/wordpress-varnish-nginx-proxy-caching-plugin-1-8-3-sensitive-data-exposure-vulnerability?_s_id=cve
 
Magnigenie--RestroPress Missing Authorization vulnerability in Magnigenie RestroPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RestroPress: from n/a through 3.2.4.2. 2025-12-31 5.3 CVE-2025-62129 https://vdp.patchstack.com/database/wordpress/plugin/restropress/vulnerability/wordpress-restropress-plugin-3-2-4-2-broken-access-control-vulnerability?_s_id=cve
 
A WP Life--Contact Form Widget Cross-Site Request Forgery (CSRF) vulnerability in A WP Life Contact Form Widget allows Cross Site Request Forgery.This issue affects Contact Form Widget: from n/a through 1.5.1. 2025-12-31 5.4 CVE-2025-62134 https://vdp.patchstack.com/database/wordpress/plugin/new-contact-form-widget/vulnerability/wordpress-contact-form-widget-plugin-1-5-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
CedCommerce--WP Advanced PDF Missing Authorization vulnerability in CedCommerce WP Advanced PDF allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Advanced PDF: from n/a through 1.1.7. 2025-12-31 5.3 CVE-2025-62138 https://vdp.patchstack.com/database/wordpress/plugin/wp-advanced-pdf/vulnerability/wordpress-wp-advanced-pdf-plugin-1-1-7-other-vulnerability-type-vulnerability?_s_id=cve
 
Vladimir Statsenko--Terms descriptions Insertion of Sensitive Information Into Sent Data vulnerability in Vladimir Statsenko Terms descriptions allows Retrieve Embedded Sensitive Data.This issue affects Terms descriptions: from n/a through 3.4.9. 2025-12-31 5.3 CVE-2025-62139 https://vdp.patchstack.com/database/wordpress/plugin/terms-descriptions/vulnerability/wordpress-terms-descriptions-plugin-3-4-9-sensitive-data-exposure-vulnerability?_s_id=cve
 
Plainware--Locatoraid Store Locator Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Plainware Locatoraid Store Locator allows Stored XSS.This issue affects Locatoraid Store Locator: from n/a through 3.9.65. 2025-12-31 5.9 CVE-2025-62140 https://vdp.patchstack.com/database/wordpress/plugin/locatoraid/vulnerability/wordpress-locatoraid-store-locator-plugin-3-9-65-cross-site-scripting-xss-vulnerability?_s_id=cve
 
101gen--Wawp Missing Authorization vulnerability in 101gen Wawp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wawp: from n/a through 4.0.5. 2025-12-31 5.3 CVE-2025-62141 https://vdp.patchstack.com/database/wordpress/plugin/automation-web-platform/vulnerability/wordpress-wawp-plugin-4-0-5-broken-access-control-vulnerability?_s_id=cve
 
nicashmu--Cincopa video and media plug-in Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicashmu Cincopa video and media plugin allows Stored XSS.This issue affects Cincopa video and media plug-in: from n/a through 1.163. 2025-12-31 5.9 CVE-2025-62142 https://vdp.patchstack.com/database/wordpress/plugin/video-playlist-and-gallery-plugin/vulnerability/wordpress-post-video-players-plugin-1-163-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Mohammed Kaludi--Core Web Vitals & PageSpeed Booster Missing Authorization vulnerability in Mohammed Kaludi Core Web Vitals & PageSpeed Booster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Core Web Vitals & PageSpeed Booster: from n/a through 1.0.27. 2025-12-31 5.4 CVE-2025-62144 https://vdp.patchstack.com/database/wordpress/plugin/core-web-vitals-pagespeed-booster/vulnerability/wordpress-core-web-vitals-pagespeed-booster-plugin-1-0-27-broken-access-control-vulnerability?_s_id=cve
 
NewClarity--DMCA Protection Badge Missing Authorization vulnerability in NewClarity DMCA Protection Badge allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DMCA Protection Badge: from n/a through 2.2.0. 2025-12-31 5.3 CVE-2025-62145 https://vdp.patchstack.com/database/wordpress/plugin/dmca-badge/vulnerability/wordpress-dmca-protection-badge-plugin-2-2-0-broken-access-control-vulnerability?_s_id=cve
 
Nik Melnik--Realbig Missing Authorization vulnerability in Nik Melnik Realbig allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Realbig: from n/a through 1.1.3. 2025-12-31 5.3 CVE-2025-62147 https://vdp.patchstack.com/database/wordpress/plugin/realbig-media/vulnerability/wordpress-realbig-plugin-1-1-3-broken-access-control-vulnerability?_s_id=cve
 
SaifuMak--Add Custom Codes Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SaifuMak Add Custom Codes allows Stored XSS.This issue affects Add Custom Codes: from n/a through 4.80. 2025-12-31 5.9 CVE-2025-62149 https://vdp.patchstack.com/database/wordpress/plugin/add-custom-codes/vulnerability/wordpress-add-custom-codes-plugin-4-80-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Aum Watcharapon--Featured Image Generator Missing Authorization vulnerability in Aum Watcharapon Featured Image Generator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Featured Image Generator: from n/a through 1.3.3. 2025-12-31 5.3 CVE-2025-62747 https://vdp.patchstack.com/database/wordpress/plugin/featured-image-generator/vulnerability/wordpress-featured-image-generator-plugin-1-3-3-broken-access-control-vulnerability?_s_id=cve
 
Filipe Seabra--WooCommerce Parcelas Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Filipe Seabra WooCommerce Parcelas allows DOM-Based XSS.This issue affects WooCommerce Parcelas: from n/a through 1.3.5. 2025-12-31 5.9 CVE-2025-62750 https://vdp.patchstack.com/database/wordpress/plugin/woocommerce-parcelas/vulnerability/wordpress-woocommerce-parcelas-plugin-1-3-5-cross-site-scripting-xss-vulnerability?_s_id=cve
 
GS Plugins--GS Portfolio for Envato Unauthenticated Broken Access Control in GS Portfolio for Envato <= 1.4.2 versions. 2025-12-31 5.3 CVE-2025-62755 https://vdp.patchstack.com/database/wordpress/plugin/gs-envato-portfolio/vulnerability/wordpress-gs-portfolio-for-envato-plugin-1-4-2-broken-access-control-vulnerability?_s_id=cve
 
Marco Milesi--WP Attachments Missing Authorization vulnerability in Marco Milesi WP Attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Attachments: from n/a through 5.2. 2025-12-31 5.4 CVE-2025-62888 https://vdp.patchstack.com/database/wordpress/plugin/wp-attachments/vulnerability/wordpress-wp-attachments-plugin-5-2-broken-access-control-vulnerability?_s_id=cve
 
Boxy Studio--Cooked Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Boxy Studio Cooked allows Stored XSS.This issue affects Cooked: from n/a through 1.11.2. 2025-12-31 5.9 CVE-2025-62989 https://vdp.patchstack.com/database/wordpress/plugin/cooked/vulnerability/wordpress-cooked-plugin-1-11-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
nicdark--Hotel Booking Missing Authorization vulnerability in nicdark Hotel Booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hotel Booking: from n/a through 3.8. 2025-12-31 5.3 CVE-2025-63001 https://vdp.patchstack.com/database/wordpress/plugin/nd-booking/vulnerability/wordpress-hotel-booking-plugin-3-8-broken-access-control-vulnerability?_s_id=cve
 
Quadlayers--QuadLayers TikTok Feed Missing Authorization vulnerability in Quadlayers QuadLayers TikTok Feed allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects QuadLayers TikTok Feed: from n/a through 4.6.4. 2025-12-31 5.3 CVE-2025-63016 https://vdp.patchstack.com/database/wordpress/plugin/wp-tiktok-feed/vulnerability/wordpress-quadlayers-tiktok-feed-plugin-4-6-4-broken-access-control-vulnerability?_s_id=cve
 
Illia--Simple Like Page Missing Authorization vulnerability in Illia Simple Like Page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple Like Page: from n/a through 1.5.3. 2025-12-31 5.3 CVE-2025-63022 https://vdp.patchstack.com/database/wordpress/plugin/simple-facebook-plugin/vulnerability/wordpress-simple-like-page-plugin-1-5-3-broken-access-control-vulnerability?_s_id=cve
 
WP Grids--EasyTest Missing Authorization vulnerability in WP Grids EasyTest allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EasyTest: from n/a through 1.0.1. 2025-12-31 5.3 CVE-2025-63031 https://vdp.patchstack.com/database/wordpress/plugin/convertpro/vulnerability/wordpress-easytest-plugin-1-0-1-broken-access-control-vulnerability?_s_id=cve
 
Jewel Theme--Master Addons for Elementor Authorization Bypass Through User-Controlled Key vulnerability in Jewel Theme Master Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Master Addons for Elementor: from n/a through 2.0.9.9.4. 2025-12-31 5.3 CVE-2025-63053 https://vdp.patchstack.com/database/wordpress/plugin/master-addons/vulnerability/wordpress-master-addons-for-elementor-plugin-2-0-9-9-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
WP Legal Pages--WP Cookie Notice for GDPR, CCPA & ePrivacy Consent Missing Authorization vulnerability in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Cookie Notice for GDPR, CCPA & ePrivacy Consent: from n/a through 4.0.3. 2025-12-30 5.3 CVE-2025-66080 https://vdp.patchstack.com/database/wordpress/plugin/gdpr-cookie-consent/vulnerability/wordpress-wp-cookie-notice-for-gdpr-ccpa-eprivacy-consent-plugin-4-0-3-broken-access-control-vulnerability-2?_s_id=cve
 
merkulove--Worker for Elementor Missing Authorization vulnerability in merkulove Worker for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Worker for Elementor: from n/a through 1.0.10. 2025-12-31 5.4 CVE-2025-66144 https://vdp.patchstack.com/database/wordpress/plugin/worker-elementor/vulnerability/wordpress-worker-for-elementor-plugin-1-0-10-broken-access-control-vulnerability?_s_id=cve
 
merkulove--Worker for WPBakery Missing Authorization vulnerability in merkulove Worker for WPBakery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Worker for WPBakery: from n/a through 1.1.1. 2025-12-31 5.4 CVE-2025-66145 https://vdp.patchstack.com/database/wordpress/plugin/worker-wpbakery/vulnerability/wordpress-worker-for-wpbakery-plugin-1-1-1-broken-access-control-vulnerability?_s_id=cve
 
merkulove--Logger for Elementor Missing Authorization vulnerability in merkulove Logger for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Logger for Elementor: from n/a through 1.0.9. 2025-12-31 5.4 CVE-2025-66146 https://vdp.patchstack.com/database/wordpress/plugin/logger-elementor/vulnerability/wordpress-logger-for-elementor-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve
 
merkulove--Conformer for Elementor Missing Authorization vulnerability in merkulove Conformer for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Conformer for Elementor: from n/a through 1.0.7. 2025-12-31 5.4 CVE-2025-66148 https://vdp.patchstack.com/database/wordpress/plugin/conformer-elementor/vulnerability/wordpress-conformer-for-elementor-plugin-1-0-7-broken-access-control-vulnerability?_s_id=cve
 
merkulove--UnGrabber Missing Authorization vulnerability in merkulove UnGrabber allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UnGrabber: from n/a through 3.1.3. 2025-12-31 5.4 CVE-2025-66149 https://vdp.patchstack.com/database/wordpress/plugin/ungrabber/vulnerability/wordpress-ungrabber-plugin-3-1-3-broken-access-control-vulnerability?_s_id=cve
 
merkulove--Appender Missing Authorization vulnerability in merkulove Appender allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Appender: from n/a through 1.1.1. 2025-12-31 5.4 CVE-2025-66150 https://vdp.patchstack.com/database/wordpress/plugin/appender/vulnerability/wordpress-appender-plugin-1-1-1-broken-access-control-vulnerability?_s_id=cve
 
merkulove--Countdowner for Elementor Missing Authorization vulnerability in merkulove Countdowner for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Countdowner for Elementor: from n/a through 1.0.4. 2025-12-31 5.4 CVE-2025-66151 https://vdp.patchstack.com/database/wordpress/plugin/countdowner-elementor/vulnerability/wordpress-countdowner-for-elementor-plugin-1-0-4-broken-access-control-vulnerability?_s_id=cve
 
merkulove--Criptopayer for Elementor Missing Authorization vulnerability in merkulove Criptopayer for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Criptopayer for Elementor: from n/a through 1.0.1. 2025-12-31 5.4 CVE-2025-66152 https://vdp.patchstack.com/database/wordpress/plugin/criptopayer-elementor/vulnerability/wordpress-criptopayer-for-elementor-plugin-1-0-1-broken-access-control-vulnerability?_s_id=cve
 
merkulove--Headinger for Elementor Missing Authorization vulnerability in merkulove Headinger for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Headinger for Elementor: from n/a through 1.1.4. 2025-12-31 5.4 CVE-2025-66153 https://vdp.patchstack.com/database/wordpress/plugin/headinger-elementor/vulnerability/wordpress-headinger-for-elementor-plugin-1-1-4-broken-access-control-vulnerability?_s_id=cve
 
merkulove--Couponer for Elementor Missing Authorization vulnerability in merkulove Couponer for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Couponer for Elementor: from n/a through 1.1.7. 2025-12-31 5.4 CVE-2025-66154 https://vdp.patchstack.com/database/wordpress/plugin/couponer-elementor/vulnerability/wordpress-couponer-for-elementor-plugin-1-1-7-broken-access-control-vulnerability?_s_id=cve
 
merkulove--Questionar for Elementor Missing Authorization vulnerability in merkulove Questionar for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Questionar for Elementor: from n/a through 1.1.7. 2025-12-31 5.4 CVE-2025-66155 https://vdp.patchstack.com/database/wordpress/plugin/questionar-elementor/vulnerability/wordpress-questionar-for-elementor-plugin-1-1-7-broken-access-control-vulnerability?_s_id=cve
 
merkulove--Watcher for Elementor Missing Authorization vulnerability in merkulove Watcher for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Watcher for Elementor: from n/a through 1.0.9. 2025-12-31 5.4 CVE-2025-66156 https://vdp.patchstack.com/database/wordpress/plugin/watcher-elementor/vulnerability/wordpress-watcher-for-elementor-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve
 
merkulove--Slider for Elementor Missing Authorization vulnerability in merkulove Slider for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Slider for Elementor: from n/a through 1.0.10. 2025-12-31 5.4 CVE-2025-66157 https://vdp.patchstack.com/database/wordpress/plugin/sliper-elementor/vulnerability/wordpress-sliper-for-elementor-plugin-1-0-10-broken-access-control-vulnerability?_s_id=cve
 
merkulove--Gmaper for Elementor Missing Authorization vulnerability in merkulove Gmaper for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gmaper for Elementor: from n/a through 1.0.9. 2025-12-31 5.4 CVE-2025-66158 https://vdp.patchstack.com/database/wordpress/plugin/gmaper-elementor/vulnerability/wordpress-gmaper-for-elementor-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve
 
merkulove--Walker for Elementor Missing Authorization vulnerability in merkulove Walker for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Walker for Elementor: from n/a through 1.1.6. 2025-12-31 5.4 CVE-2025-66159 https://vdp.patchstack.com/database/wordpress/plugin/walker-elementor/vulnerability/wordpress-walker-for-elementor-plugin-1-1-6-broken-access-control-vulnerability?_s_id=cve
 
merkulove--Select Graphist for Elementor Graphist for Elementor Missing Authorization vulnerability in merkulove Select Graphist for Elementor Graphist for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Select Graphist for Elementor Graphist for Elementor: from n/a through 1.2.10. 2025-12-31 5.4 CVE-2025-66160 https://vdp.patchstack.com/database/wordpress/plugin/graphist-elementor/vulnerability/wordpress-select-graphist-for-elementor-graphist-for-elementor-plugin-1-2-10-broken-access-control-vulnerability?_s_id=cve
 
Esri--ArcGIS Server ArcGIS Server version 11.5 and earlier on Windows and Linux does not properly validate uploaded files file, which allows remote attackers to upload arbitrary files. 2025-12-31 5.6 CVE-2025-67706 https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch
 
Esri--ArcGIS Server ArcGIS Server version 11.5 and earlier on Windows and Linux does not properly validate uploaded files file, which allows remote attackers to upload arbitrary files. 2025-12-31 5.6 CVE-2025-67707 https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch
 
SignalK--signalk-server Signal K Server is a server application that runs on a central hub in a boat. An unauthenticated information disclosure vulnerability in versions prior to 2.19.0 allows any user to retrieve sensitive system information, including the full SignalK data schema, connected serial devices, and installed analyzer tools. This exposure facilitates reconnaissance for further attacks. Version 2.19.0 patches the issue. 2026-01-01 5.3 CVE-2025-68273 https://github.com/SignalK/signalk-server/security/advisories/GHSA-fpf5-w967-rr2m
https://github.com/SignalK/signalk-server/releases/tag/v2.19.0
 
ImageMagick--ImageMagick ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, using Magick to read a malicious SVG file resulted in a DoS attack. Version 7.1.2-12 fixes the issue. 2025-12-30 5.3 CVE-2025-68618 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p27m-hp98-6637
https://github.com/ImageMagick/ImageMagick/commit/6f431d445f3ddd609c004a1dde617b0a73e60beb
 
frappe--crm Frappe CRM is an open-source customer relationship management tool. Prior to version 1.56.2, authenticated users could set crafted URLs in a website field, which were not sanitized, causing cross-site scripting. Version 1.56.2 fixes the issue. No known workarounds are available. 2025-12-29 5.4 CVE-2025-68928 https://github.com/frappe/crm/security/advisories/GHSA-fm34-v6j7-chwc
https://github.com/frappe/crm/commit/c5766d9989131d17d954e866bfc4b8d3b23e4f10
https://github.com/frappe/crm/releases/tag/v1.56.2
 
thorsten--phpMyFAQ phpMyFAQ is an open source FAQ web application. Versions 4.0.14 and 4.0.15 have a stored cross-site scripting (XSS) vulnerability that allows an attacker to execute arbitrary JavaScript in an administrator's browser by registering a user whose display name contains HTML entities. When an administrator views the admin user list, the payload is decoded server-side and rendered without escaping, resulting in script execution in the admin context. Version 4.0.16 contains a patch for the issue. 2025-12-29 5.4 CVE-2025-68951 https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jv8r-hv7q-p6vc
https://github.com/thorsten/phpMyFAQ/commit/61829e83411f7b28bc6fd1052bfde54c32c6c370
https://github.com/thorsten/phpMyFAQ/commit/8211d1d25951b4c272443cfc3ef9c09b1363fd87
 
ImageMagick--ImageMagick ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, in the WriteSVGImage function, using an int variable to store number_attributes caused an integer overflow. This, in turn, triggered a buffer overflow and caused a DoS attack. Version 7.1.2-12 fixes the issue. 2025-12-30 5.3 CVE-2025-69204 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hrh7-j8q2-4qcw
https://github.com/ImageMagick/ImageMagick/commit/2c08c2311693759153c9aa99a6b2dcb5f985681e
 
Gitea--Gitea In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists. 2026-01-01 5.3 CVE-2025-69413 https://blog.gitea.com/release-of-1.25.2/
https://github.com/go-gitea/gitea/releases/tag/v1.25.2
https://github.com/go-gitea/gitea/issues/35984
https://github.com/go-gitea/gitea/pull/36002
 
Plex--plex.tv backend In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intended for unrelated access) via clients.plex.tv/devices.xml. 2026-01-02 5 CVE-2025-69416 https://github.com/lufinkey/vulnerability-research/blob/main/CVE-2025-34158/README.md
 
Plex--plex.tv backend In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for unrelated access) via a shared_servers endpoint. 2026-01-02 5 CVE-2025-69417 https://github.com/lufinkey/vulnerability-research/blob/main/CVE-2025-34158/README.md
 
stefanberger--libtpms libtpms, a library that provides software emulation of a Trusted Platform Module, has a flaw in versions 0.10.0 and 0.10.1. The commonly used integration of libtpms with OpenSSL 3.x contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality. Version 0.10.2 fixes the issue. No known workarounds are available. 2026-01-02 5.5 CVE-2026-21444 https://github.com/stefanberger/libtpms/security/advisories/GHSA-7jxr-4j3g-p34f
https://github.com/stefanberger/libtpms/issues/541
https://github.com/stefanberger/libtpms/commit/33c9ff074cb16c1841ce7d7f33643c17c426743a
 
Mintplex-Labs--anything-llm AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, so enabling username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue. 2026-01-03 5.3 CVE-2026-21484 https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-47vr-w3vm-69ch
https://github.com/Mintplex-Labs/anything-llm/commit/e287fab56089cf8fcea9ba579a3ecdeca0daa313
 
JM-DATA ONU--JF511-TV JM-DATA ONU JF511-TV version 1.0.67 is vulnerable to authenticated stored cross-site scripting (XSS) attacks, allowing attackers with authenticated access to inject malicious scripts that will be executed in other users' browsers when they view the affected content. 2025-12-30 4.3 CVE-2022-50801 Zero Science Lab Disclosure (ZSL-2022-5708)
Packet Storm Security Exploit Entry
CXSecurity Vulnerability Listing
IBM X-Force Vulnerability Exchange Entry
JM-DATA Vendor Homepage
VulnCheck Advisory: JM-DATA ONU JF511-TV 1.0.67 Authenticated Stored Cross-Site Scripting (XSS) Vulnerability
 
PKrystian--Full-Stack-Bank A vulnerability was detected in PKrystian Full-Stack-Bank up to bf73a0179e3ff07c0d7dc35297cea0be0e5b1317. This vulnerability affects unknown code of the component User Handler. Performing manipulation results in sql injection. It is possible to initiate the attack remotely. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The patch is named 25c9965a872c704f3a9475488dc5d3196902199a. It is suggested to install a patch to address this issue. 2025-12-31 4.7 CVE-2023-7331 VDB-338650 | PKrystian Full-Stack-Bank User sql injection
VDB-338650 | CTI Indicators (IOB, IOC, TTP)
https://github.com/PKrystian/Full-Stack-Bank/pull/21
https://github.com/PKrystian/Full-Stack-Bank/commit/25c9965a872c704f3a9475488dc5d3196902199a
 
wpchill--Strong Testimonials The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'edit_rating' function in all versions up to, and including, 3.2.18. This makes it possible for authenticated attackers with Contributor-level access and above to modify or delete the rating meta on any testimonial post, including those created by other users, by reusing a valid nonce obtained from their own testimonial edit screen. 2025-12-30 4.3 CVE-2025-14426 https://www.wordfence.com/threat-intel/vulnerabilities/id/c83f48dd-9070-412d-b911-98581a81e29a?source=cve
https://plugins.trac.wordpress.org/browser/strong-testimonials/tags/3.2.18/admin/class-strong-testimonials-post-editor.php#L379
https://plugins.trac.wordpress.org/browser/strong-testimonials/tags/3.2.18/admin/class-strong-testimonials-post-editor.php#L29
https://plugins.trac.wordpress.org/changeset/3416480/
 
galdub--All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs My Sticky Elements The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'my_sticky_elements_bulks' function in all versions up to, and including, 2.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all contact form leads stored by the plugin. 2026-01-01 4.3 CVE-2025-14428 https://www.wordfence.com/threat-intel/vulnerabilities/id/1b82ce74-11ac-4719-961d-a16717ce023b?source=cve
https://plugins.trac.wordpress.org/browser/mystickyelements/trunk/mystickyelements-admin.php#L29
https://plugins.trac.wordpress.org/browser/mystickyelements/trunk/mystickyelements-admin.php#L1788
https://plugins.trac.wordpress.org/browser/mystickyelements/trunk/mystickyelements-front.php#L121
https://plugins.trac.wordpress.org/changeset/3423407/
 
smub--Easy Digital Downloads eCommerce Payments and Subscriptions made easy The Easy Digital Downloads plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.6.2. This is due to insufficient validation on the redirect url supplied via the 'edd_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users with the password reset email to potentially malicious sites if they can successfully trick them into performing an action. 2025-12-31 4.3 CVE-2025-14783 https://www.wordfence.com/threat-intel/vulnerabilities/id/3c0fb43c-f576-412e-a144-4725356ed9a0?source=cve
https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/includes/users/lost-password.php#L187
https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/includes/blocks/views/forms/lost-password.php#L24
https://plugins.trac.wordpress.org/changeset/3426524/easy-digital-downloads/trunk/includes/users/lost-password.php
 
JFrog--Artifactory (Workers) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in JFrog Artifactory (Workers) allows Cross-Site Scripting (XSS).This issue affects Artifactory (Workers): from >=7.94.0 through <7.117.10. 2026-01-04 4.9 CVE-2025-14830 https://jfrog.com/help/r/jfrog-release-information/jfrog-security-advisories
 
BiggiDroid--Simple PHP CMS A weakness has been identified in BiggiDroid Simple PHP CMS 1.0. Affected by this issue is some unknown functionality of the file /admin/editsite.php. Executing manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-29 4.7 CVE-2025-15169 VDB-338549 | BiggiDroid Simple PHP CMS editsite.php sql injection
VDB-338549 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #708845 | BiggiDroid Simple PHP CMS BiggiDroid 1.0 SQL Injection
https://gitee.com/sun-huizhi/dazhi/issues/IDBDAY
 
Advaya Softech--GEMS ERP Portal A security vulnerability has been detected in Advaya Softech GEMS ERP Portal up to 2.1. This affects an unknown part of the file /home.jsp?isError=true of the component Error Message Handler. The manipulation of the argument Message leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-29 4.3 CVE-2025-15170 VDB-338550 | Advaya Softech GEMS ERP Portal Error Message home.jsp cross site scripting
VDB-338550 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #717590 | Advaya Softech GEMS ERP Portal 2.1 Cross Site Scripting
https://syansec.in/video_poc/cve_2025.mp4
 
code-projects--Content Management System A security flaw has been discovered in code-projects/anirbandutta9 Content Management System and News-Buzz 1.0. This vulnerability affects unknown code of the file /admin/editposts.php. Performing manipulation of the argument image results in unrestricted upload. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. 2025-12-29 4.7 CVE-2025-15197 VDB-338584 | code-projects/anirbandutta9 Content Management System/News-Buzz editposts.php unrestricted upload
VDB-338584 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #724721 | Code-projects Content Management System v1.0 Arbitrary file upload vulnerability
https://github.com/Limingqian123/CVE/issues/7
 
code-projects--Student File Management System A vulnerability has been found in code-projects Student File Management System 1.0. The affected element is an unknown function of the file /download.php of the component File Download Handler. The manipulation of the argument store_id leads to improper authorization. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. 2025-12-30 4.3 CVE-2025-15213 VDB-338598 | code-projects Student File Management System File Download download.php improper authorization
VDB-338598 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #725080 | Code-Projects 学生文件管理系统 V1.0 越权
https://github.com/Bai-public/CVE/issues/5
https://code-projects.org/
 
SohuTV--CacheCloud A vulnerability was detected in SohuTV CacheCloud up to 3.2.0. This affects the function init of the file src/main/java/com/sohu/cache/web/controller/LoginController.java. The manipulation results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-30 4.3 CVE-2025-15220 VDB-338605 | SohuTV CacheCloud LoginController.java init cross site scripting
VDB-338605 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716320 | SohuTV CacheCloud <=3.2.0 Reflected XSS
https://github.com/sohutv/cachecloud/issues/379
 
Philipinho--Simple-PHP-Blog A vulnerability was found in Philipinho Simple-PHP-Blog up to 94b5d3e57308bce5dfbc44c3edafa9811893d958. Impacted is an unknown function of the file /login.php. Performing manipulation of the argument Username results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made public and could be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure and makes clear that the product is "[f]or educational purposes only". 2025-12-31 4.3 CVE-2025-15223 VDB-338608 | Philipinho Simple-PHP-Blog login.php cross site scripting
VDB-338608 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #710150 | Philipinho Simple-PHP-Blog 1.0 Improper Neutralization of Alternate XSS Syntax
https://gitee.com/sun-huizhi/dazhi/issues/IDBUOY
 
08CMS--Novel System A security vulnerability has been detected in 08CMS Novel System up to 3.4. This issue affects some unknown processing of the file admina/mtpls.inc.php of the component Template Handler. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. 2025-12-30 4.7 CVE-2025-15250 VDB-338640 | 08CMS Novel System Template mtpls.inc.php code injection
VDB-338640 | CTI Indicators (IOB, IOC, TTP, IOA)
https://gitee.com/keneny/cve/issues/ID3DEM
 
BiggiDroid--Simple PHP CMS A security flaw has been discovered in BiggiDroid Simple PHP CMS 1.0. This impacts an unknown function of the file /admin/edit.php of the component Site Logo Handler. Performing manipulation of the argument image results in unrestricted upload. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. 2025-12-30 4.7 CVE-2025-15262 VDB-338656 | BiggiDroid Simple PHP CMS Site Logo edit.php unrestricted upload
VDB-338656 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #725815 | BiggiDroid Simple PHP CMS 1.0 SQL Injection
https://gitee.com/shanyaohei/black-yam/issues/IDGML9
 
n/a--newbee-mall-plus A vulnerability was determined in newbee-mall-plus 2.0.0. This impacts the function Upload of the file src/main/java/ltd/newbee/mall/controller/common/UploadController.java of the component Product Information Edit Page. This manipulation of the argument File causes unrestricted upload. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-30 4.7 CVE-2025-15360 VDB-338744 | newbee-mall-plus Product Information Edit UploadController.java upload unrestricted upload
VDB-338744 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716785 | https://github.com/newbee-ltd/newbee-mall-plus newbee-mall-plus 2.0.0 Upload any file
https://github.com/zyhzheng500-maker/cve/blob/main/%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.md
 
n/a--iCMS A vulnerability was detected in iCMS up to 8.0.0. Affected is the function Save of the file app/config/ConfigAdmincp.php of the component POST Parameter Handler. The manipulation of the argument config results in code injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-31 4.7 CVE-2025-15394 VDB-339163 | iCMS POST Parameter ConfigAdmincp.php save code injection
VDB-339163 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #719029 | ICMS https://www.icmsdev.com/ 8.0.0 Code Injection
https://note-hxlab.wetolink.com/share/QWuWZeAmzUdm
 
n/a--PHPEMS A vulnerability was detected in PHPEMS up to 11.0. The impacted element is an unknown function. The manipulation results in cross-site request forgery. The attack may be launched remotely. 2026-01-01 4.3 CVE-2025-15405 VDB-339325 | PHPEMS cross-site request forgery
VDB-339325 | CTI Indicators (IOB, IOC)
Submit #728314 | PHPEMS <=11.0 Cross-Site Request Forgery
https://byebydoggy.github.io/post/2025/1231-phpems-csrf-poc/
 
go-sonic--sonic A flaw has been found in go-sonic sonic up to 1.1.4. The affected element is the function FetchTheme of the file service/theme/git_fetcher.go of the component Theme Fetching API. Executing manipulation of the argument uri can lead to server-side request forgery. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-01 4.7 CVE-2025-15414 VDB-339335 | go-sonic Theme Fetching API git_fetcher.go FetchTheme server-side request forgery
VDB-339335 | CTI Indicators (IOB, IOC, IOA)
Submit #719789 | sonic https://github.com/go-sonic/sonic 1.1.4 Server-Side Request Forgery
https://note-hxlab.wetolink.com/share/SeCdFaAVlHAJ
https://note-hxlab.wetolink.com/share/SeCdFaAVlHAJ#-span--strong-proof-of-concept---strong---span-
 
xnx3--wangmarket A vulnerability has been found in xnx3 wangmarket up to 6.4. The impacted element is the function uploadImage of the file /sits/uploadImage.do of the component XML File Handler. The manipulation of the argument image leads to unrestricted upload. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-01 4.7 CVE-2025-15415 VDB-339336 | xnx3 wangmarket XML File uploadImage.do uploadImage unrestricted upload
VDB-339336 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721078 | xnx3 https://github.com/xnx3/wangmarket <=v6.4 Cross Site Scripting
https://github.com/yuccun/CVE/blob/main/wangmarket-Upload2StoredXSS.md
 
n/a--PluXml A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. Executing manipulation of the argument File can lead to deserialization. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was informed early about this issue and announced that "[w]e fix this issue in the next version 5.8.23". A patch for it is ready. 2026-01-02 4.7 CVE-2025-15438 VDB-339383 | PluXml Media Management medias.php __destruct deserialization
VDB-339383 | CTI Indicators (IOB, IOC, IOA)
Submit #713989 | PluXml 5.8.22 Deserialization Vulnerability
https://note-hxlab.wetolink.com/share/9SJUnaDcJuqz
 
n/a--CRMEB A vulnerability was determined in CRMEB up to 5.6.1. This vulnerability affects unknown code of the file /adminapi/export/product_list. This manipulation of the argument cate_id causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-04 4.7 CVE-2025-15442 VDB-339464 | CRMEB product_list sql injection
VDB-339464 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721915 | crmeb v5.6.1 SQL Injection
https://github.com/En0t5/vul/blob/main/crmeb/crmeb-export-product_list-SQL.md
https://github.com/En0t5/vul/blob/main/crmeb/crmeb-export-product_list-SQL.md#poc
 
n/a--CRMEB A vulnerability was identified in CRMEB up to 5.6.1. This issue affects some unknown processing of the file /adminapi/product/product_export. Such manipulation of the argument cate_id leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-04 4.7 CVE-2025-15443 VDB-339465 | CRMEB product_export sql injection
VDB-339465 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721916 | crmeb v5.6.1 SQL Injection
https://github.com/En0t5/vul/blob/main/crmeb/crmeb-product-productExport-SQL.md
https://github.com/En0t5/vul/blob/main/crmeb/crmeb-product-productExport-SQL.md#poc
 
Digages--Direct Payments WP Missing Authorization vulnerability in Digages Direct Payments WP allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Direct Payments WP: from n/a through 1.3.0. 2025-12-31 4.3 CVE-2025-49339 https://vdp.patchstack.com/database/wordpress/plugin/direct-payments-wp/vulnerability/wordpress-direct-payments-wp-plugin-1-3-0-broken-access-control-vulnerability?_s_id=cve
 
Digages--Direct Payments WP Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Digages Direct Payments WP allows Retrieve Embedded Sensitive Data.This issue affects Direct Payments WP: from n/a through 1.3.0. 2025-12-31 4.3 CVE-2025-49340 https://vdp.patchstack.com/database/wordpress/plugin/direct-payments-wp/vulnerability/wordpress-direct-payments-wp-plugin-1-3-0-sensitive-data-exposure-vulnerability?_s_id=cve
 
YoOhw Studio--Order Cancellation & Returns for WooCommerce Authorization Bypass Through User-Controlled Key vulnerability in YoOhw Studio Order Cancellation & Returns for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Cancellation & Returns for WooCommerce: from n/a through 1.1.10. 2025-12-31 4.3 CVE-2025-49352 https://vdp.patchstack.com/database/wordpress/plugin/wc-order-cancellation-return/vulnerability/wordpress-order-cancellation-returns-for-woocommerce-plugin-1-1-10-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Mykola Lukin--Orders Chat for WooCommerce Missing Authorization vulnerability in Mykola Lukin Orders Chat for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Orders Chat for WooCommerce: from n/a through 1.2.0. 2025-12-31 4.3 CVE-2025-49356 https://vdp.patchstack.com/database/wordpress/plugin/orders-chat-for-woocommerce/vulnerability/wordpress-orders-chat-for-woocommerce-plugin-1-2-0-broken-access-control-vulnerability?_s_id=cve
 
Priority--Web CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') 2025-12-29 4.8 CVE-2025-55062 https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0
 
Priority--Web CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') 2025-12-29 4.8 CVE-2025-55063 https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0
 
Priority--Web CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') 2025-12-29 4.8 CVE-2025-55064 https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0
 
Appointify--Appointify Cross-Site Request Forgery (CSRF) vulnerability in Appointify allows Cross Site Request Forgery.This issue affects Appointify: from n/a through 1.0.8. 2025-12-31 4.3 CVE-2025-59130 https://vdp.patchstack.com/database/wordpress/plugin/appointify/vulnerability/wordpress-appointify-plugin-1-0-8-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Jthemes--Genemy Server-Side Request Forgery (SSRF) vulnerability in Jthemes Genemy allows Server Side Request Forgery.This issue affects Genemy: from n/a through 1.6.6. 2025-12-31 4.9 CVE-2025-59138 https://vdp.patchstack.com/database/wordpress/theme/genemy/vulnerability/wordpress-genemy-theme-1-6-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
 
Fahad Mahmood--Easy Upload Files During Checkout Missing Authorization vulnerability in Fahad Mahmood Easy Upload Files During Checkout allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Upload Files During Checkout: from n/a through 3.0.0. 2025-12-31 4.3 CVE-2025-62078 https://vdp.patchstack.com/database/wordpress/plugin/easy-upload-files-during-checkout/vulnerability/wordpress-easy-upload-files-during-checkout-plugin-3-0-0-broken-access-control-vulnerability?_s_id=cve
 
Channelize.io Team--Live Shopping & Shoppable Videos For WooCommerce Cross-Site Request Forgery (CSRF) vulnerability in Channelize.Io Team Live Shopping & Shoppable Videos For WooCommerce allows Cross Site Request Forgery.This issue affects Live Shopping & Shoppable Videos For WooCommerce: from n/a through 2.2.0. 2025-12-31 4.3 CVE-2025-62080 https://vdp.patchstack.com/database/wordpress/plugin/live-shopping-video-streams/vulnerability/wordpress-live-shopping-shoppable-videos-for-woocommerce-plugin-2-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
WP Messiah--BoomDevs WordPress Coming Soon Plugin Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Messiah BoomDevs WordPress Coming Soon Plugin allows Retrieve Embedded Sensitive Data.This issue affects BoomDevs WordPress Coming Soon Plugin: from n/a through 1.0.4. 2025-12-31 4.3 CVE-2025-62083 https://vdp.patchstack.com/database/wordpress/plugin/coming-soon-by-boomdevs/vulnerability/wordpress-boomdevs-wordpress-coming-soon-plugin-plugin-1-0-4-sensitive-data-exposure-vulnerability?_s_id=cve
 
Imdad Next Web--iNext Woo Pincode Checker Cross-Site Request Forgery (CSRF) vulnerability in Imdad Next Web iNext Woo Pincode Checker allows Cross Site Request Forgery.This issue affects iNext Woo Pincode Checker: from n/a through 2.3.1. 2025-12-31 4.3 CVE-2025-62084 https://vdp.patchstack.com/database/wordpress/plugin/inext-woo-pincode-checker/vulnerability/wordpress-inext-woo-pincode-checker-plugin-2-3-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Web Builder 143--Sticky Notes for WP Dashboard Missing Authorization vulnerability in Web Builder 143 Sticky Notes for WP Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sticky Notes for WP Dashboard: from n/a through 1.2.4. 2025-12-31 4.3 CVE-2025-62087 https://vdp.patchstack.com/database/wordpress/plugin/wb-sticky-notes/vulnerability/wordpress-sticky-notes-for-wp-dashboard-plugin-1-2-4-broken-access-control-vulnerability?_s_id=cve
 
MERGADO--Mergado Pack Cross-Site Request Forgery (CSRF) vulnerability in MERGADO Mergado Pack allows Cross Site Request Forgery.This issue affects Mergado Pack: from n/a through 4.2.0. 2025-12-31 4.3 CVE-2025-62089 https://vdp.patchstack.com/database/wordpress/plugin/mergado-marketing-pack/vulnerability/wordpress-mergado-pack-plugin-4-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Approveme--Signature Add-On for Gravity Forms Missing Authorization vulnerability in Approveme Signature Add-On for Gravity Forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Signature Add-On for Gravity Forms: from n/a through 1.8.6. 2025-12-31 4.3 CVE-2025-62099 https://vdp.patchstack.com/database/wordpress/plugin/gravity-signature-forms-add-on/vulnerability/wordpress-signature-add-on-for-gravity-forms-plugin-1-8-6-broken-access-control-vulnerability?_s_id=cve
 
Omid Shamloo--Pardakht Delkhah Cross-Site Request Forgery (CSRF) vulnerability in Omid Shamloo Pardakht Delkhah allows Cross Site Request Forgery.This issue affects Pardakht Delkhah: from n/a through 3.0.0. 2025-12-31 4.3 CVE-2025-62101 https://vdp.patchstack.com/database/wordpress/plugin/pardakht-delkhah/vulnerability/wordpress-pardakht-delkhah-plugin-3-0-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Merv Barrett--Import into Easy Property Listings Cross-Site Request Forgery (CSRF) vulnerability in Merv Barrett Import into Easy Property Listings allows Cross Site Request Forgery.This issue affects Import into Easy Property Listings: from n/a through 2.2.1. 2025-12-30 4.3 CVE-2025-62112 https://vdp.patchstack.com/database/wordpress/plugin/easy-property-listings-xml-csv-import/vulnerability/wordpress-import-into-easy-property-listings-plugin-2-2-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
emendo_seb--Co-marquage service-public.fr Cross-Site Request Forgery (CSRF) vulnerability in emendo_seb Co-marquage service-public.Fr allows Cross Site Request Forgery.This issue affects Co-marquage service-public.Fr: from n/a through 0.5.77. 2025-12-31 4.3 CVE-2025-62113 https://vdp.patchstack.com/database/wordpress/plugin/co-marquage-service-public/vulnerability/wordpress-co-marquage-service-public-fr-plugin-0-5-77-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
ThemeBoy--Hide Plugins Missing Authorization vulnerability in ThemeBoy Hide Plugins allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hide Plugins: from n/a through 1.0.4. 2025-12-31 4.3 CVE-2025-62115 https://vdp.patchstack.com/database/wordpress/plugin/hide-plugins/vulnerability/wordpress-hide-plugins-plugin-1-0-4-broken-access-control-vulnerability?_s_id=cve
 
Ink themes--WP Gmail SMTP Cross-Site Request Forgery (CSRF) vulnerability in Ink themes WP Gmail SMTP allows Cross Site Request Forgery.This issue affects WP Gmail SMTP: from n/a through 1.0.7. 2025-12-31 4.3 CVE-2025-62123 https://vdp.patchstack.com/database/wordpress/plugin/wp-gmail-smtp/vulnerability/wordpress-wp-gmail-smtp-plugin-1-0-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
SiteLock--SiteLock Security Missing Authorization vulnerability in SiteLock SiteLock Security allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SiteLock Security: from n/a through 5.0.1. 2025-12-30 4.3 CVE-2025-62128 https://vdp.patchstack.com/database/wordpress/plugin/sitelock/vulnerability/wordpress-sitelock-security-plugin-5-0-1-broken-access-control-vulnerability?_s_id=cve
 
WPdiscover--Accordion Slider Gallery Missing Authorization vulnerability in WPdiscover Accordion Slider Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accordion Slider Gallery: from n/a through 2.7. 2025-12-31 4.3 CVE-2025-62130 https://vdp.patchstack.com/database/wordpress/plugin/accordion-slider-gallery/vulnerability/wordpress-accordion-slider-gallery-plugin-2-7-broken-access-control-vulnerability?_s_id=cve
 
Strategy11 Team--Tasty Recipes Lite Missing Authorization vulnerability in Strategy11 Team Tasty Recipes Lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tasty Recipes Lite: from n/a through 1.1.5. 2025-12-31 4.3 CVE-2025-62131 https://vdp.patchstack.com/database/wordpress/plugin/tasty-recipes-lite/vulnerability/wordpress-tasty-recipes-lite-plugin-1-1-5-broken-access-control-vulnerability-2?_s_id=cve
 
Strategy11 Team--Tasty Recipes Lite Missing Authorization vulnerability in Strategy11 Team Tasty Recipes Lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tasty Recipes Lite: from n/a through 1.1.5. 2025-12-31 4.3 CVE-2025-62132 https://vdp.patchstack.com/database/wordpress/plugin/tasty-recipes-lite/vulnerability/wordpress-tasty-recipes-lite-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve
 
Manidoraisamy--FormFacade Cross-Site Request Forgery (CSRF) vulnerability in Manidoraisamy FormFacade allows Cross Site Request Forgery.This issue affects FormFacade: from n/a through 1.4.1. 2025-12-31 4.3 CVE-2025-62133 https://vdp.patchstack.com/database/wordpress/plugin/formfacade/vulnerability/wordpress-formfacade-plugin-1-4-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
nicashmu--Post Video Players Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in nicashmu Post Video Players allows Retrieve Embedded Sensitive Data.This issue affects Post Video Players: from n/a through 1.163. 2025-12-31 4.3 CVE-2025-62143 https://vdp.patchstack.com/database/wordpress/plugin/video-playlist-and-gallery-plugin/vulnerability/wordpress-post-video-players-plugin-1-163-sensitive-data-exposure-vulnerability?_s_id=cve
 
Eugen Bobrowski--Robots.txt rewrite Cross-Site Request Forgery (CSRF) vulnerability in Eugen Bobrowski Robots.Txt rewrite allows Cross Site Request Forgery.This issue affects Robots.Txt rewrite: from n/a through 1.6.1. 2025-12-31 4.3 CVE-2025-62148 https://vdp.patchstack.com/database/wordpress/plugin/robotstxt-rewrite/vulnerability/wordpress-robots-txt-rewrite-plugin-1-6-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Themesawesome--History Timeline Missing Authorization vulnerability in Themesawesome History Timeline allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects History Timeline: from n/a through 1.0.6. 2025-12-31 4.3 CVE-2025-62150 https://vdp.patchstack.com/database/wordpress/plugin/timeline-awesome/vulnerability/wordpress-history-timeline-plugin-1-0-6-broken-access-control-vulnerability?_s_id=cve
 
Recorp--AI Content Writing Assistant (Content Writer, ChatGPT, Image Generator) All in One Missing Authorization vulnerability in Recorp AI Content Writing Assistant (Content Writer, ChatGPT, Image Generator) All in One allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Content Writing Assistant (Content Writer, ChatGPT, Image Generator) All in One: from n/a through 1.1.7. 2025-12-31 4.3 CVE-2025-62154 https://vdp.patchstack.com/database/wordpress/plugin/ai-content-writing-assistant/vulnerability/wordpress-ai-content-writing-assistant-content-writer-chatgpt-image-generator-all-in-one-plugin-1-1-7-broken-access-control-vulnerability?_s_id=cve
 
Extend Themes--Vireo Missing Authorization vulnerability in Extend Themes Vireo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Vireo: from n/a through 1.0.24. 2025-12-31 4.3 CVE-2025-62751 https://vdp.patchstack.com/database/wordpress/theme/vireo/vulnerability/wordpress-vireo-theme-1-0-24-broken-access-control-vulnerability?_s_id=cve
 
Alexander--AnyComment Missing Authorization vulnerability in Alexander AnyComment allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AnyComment: from n/a through 0.3.6. 2025-12-31 4.3 CVE-2025-62874 https://vdp.patchstack.com/database/wordpress/plugin/anycomment/vulnerability/wordpress-anycomment-plugin-0-3-6-broken-access-control-vulnerability?_s_id=cve
 
Skynet Technologies USA LLC--All in One Accessibility Missing Authorization vulnerability in Skynet Technologies USA LLC All in One Accessibility allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects All in One Accessibility: from n/a through 1.14. 2025-12-31 4.3 CVE-2025-63004 https://vdp.patchstack.com/database/wordpress/plugin/all-in-one-accessibility/vulnerability/wordpress-all-in-one-accessibility-plugin-1-14-broken-access-control-vulnerability?_s_id=cve
 
Serhii Pasyuk--Gmedia Photo Gallery Cross-Site Request Forgery (CSRF) vulnerability in Serhii Pasyuk Gmedia Photo Gallery allows Cross Site Request Forgery.This issue affects Gmedia Photo Gallery: from n/a through 1.24.1. 2025-12-31 4.3 CVE-2025-63014 https://vdp.patchstack.com/database/wordpress/plugin/grand-media/vulnerability/wordpress-gmedia-photo-gallery-plugin-1-24-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Northern Beaches Websites--WP Custom Admin Interface Missing Authorization vulnerability in Northern Beaches Websites WP Custom Admin Interface allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Custom Admin Interface: from n/a through 7.40. 2025-12-31 4.3 CVE-2025-63038 https://vdp.patchstack.com/database/wordpress/plugin/wp-custom-admin-interface/vulnerability/wordpress-wp-custom-admin-interface-plugin-7-40-broken-access-control-vulnerability?_s_id=cve
 
Saad Iqbal--Post Snippets Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal Post Snippets allows Cross Site Request Forgery.This issue affects Post Snippets: from n/a through 4.0.11. 2025-12-31 4.3 CVE-2025-63040 https://vdp.patchstack.com/database/wordpress/plugin/post-snippets/vulnerability/wordpress-post-snippets-plugin-4-0-11-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Crocoblock--JetPopup Authorization Bypass Through User-Controlled Key vulnerability in Crocoblock JetPopup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetPopup: from n/a through 2.0.20.1. 2025-12-29 4.3 CVE-2025-68502 https://vdp.patchstack.com/database/wordpress/plugin/jet-popup/vulnerability/wordpress-jetpopup-plugin-2-0-20-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
HETWORKS--WordPress Image shrinker Server-Side Request Forgery (SSRF) vulnerability in HETWORKS WordPress Image shrinker allows Server Side Request Forgery.This issue affects WordPress Image shrinker: from n/a through 1.1.0. 2025-12-29 4.9 CVE-2025-68893 https://vdp.patchstack.com/database/wordpress/plugin/wp-image-shrinker/vulnerability/wordpress-wordpress-image-shrinker-plugin-1-1-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
 
ImageMagick--ImageMagick ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, Magick fails to check for circular references between two MVGs, leading to a stack overflow. This is a DoS vulnerability, and any situation that allows reading the mvg file will be affected. Version 7.1.2-12 fixes the issue. 2025-12-30 4 CVE-2025-68950 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7rvh-xqp3-pr8j
https://github.com/ImageMagick/ImageMagick/commit/204718c2211903949dcfc0df8e65ed066b008dec
 
HemmeligOrg--Hemmelig.app Hemmelig is a messing app with with client-side encryption and self-destructing messages. Prior to version 7.3.3, a Server-Side Request Forgery (SSRF) filter bypass vulnerability exists in the webhook URL validation of the Secret Requests feature. The application attempts to block internal/private IP addresses but can be bypassed using DNS rebinding or open redirect services. This allows an authenticated user to make the server initiate HTTP requests to internal network resources. Version 7.3.3 contains a patch for the issue. 2025-12-29 4.3 CVE-2025-69206 https://github.com/HemmeligOrg/Hemmelig.app/security/advisories/GHSA-vvxf-wj5w-6gj5
https://github.com/HemmeligOrg/Hemmelig.app/commit/6c909e571d0797ee3bbd2c72e4eb767b57378228
 
libsodium--libsodium libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group. 2025-12-31 4.5 CVE-2025-69277 https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae
https://00f.net/2025/12/30/libsodium-vulnerability/
https://news.ycombinator.com/item?id=46435614
https://ianix.com/pub/ed25519-deployment.html
 
makeplane--plane Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https[:]//app[.]plane[.]so/[:]slug/settings. Prior to Plane version 1.2.0, a problem occurs when the `/api/workspaces/:slug/members/` is accessible by guest and able to list of users on a specific workspace that they joined. Since the `display_name` in the response is actually the handler of the email, a malicious guest can still identify admin users' email addresses. Version 1.2.0 fixes this issue. 2026-01-02 4.3 CVE-2025-69284 https://github.com/makeplane/plane/security/advisories/GHSA-7qx6-6739-c7qr
 
code-projects--Content Management System A security vulnerability has been detected in code-projects Content Management System 1.0. Impacted is an unknown function of the file /admin/edit_posts.php. The manipulation of the argument image leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. 2026-01-02 4.7 CVE-2026-0566 VDB-339378 | code-projects Content Management System edit_posts.php unrestricted upload
VDB-339378 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #729228 | Code-projects Content Management System v1.0 Arbitrary file upload vulnerability
https://github.com/Limingqian123/CVE/issues/13
https://code-projects.org/
 
yeqifu--warehouse A security flaw has been discovered in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function createResponseEntity of the file warehouse\src\main\java\com\yeqifu\sys\common\AppFileUtils.java. The manipulation of the argument path results in path traversal. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. 2026-01-02 4.3 CVE-2026-0571 VDB-339385 | yeqifu warehouse AppFileUtils.java createResponseEntity path traversal
VDB-339385 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #729331 | yeqifu warehouse aaf29962ba407d22d991781de28796ee7b4670e4 Arbitrary File Read
https://github.com/5i1encee/Vul/blob/main/Arbitrary%20File%20Read%20Vulnerability%20in%20Project%20yeqifu%20warehouse.md
https://github.com/5i1encee/Vul/blob/main/Arbitrary%20File%20Read%20Vulnerability%20in%20Project%20yeqifu%20warehouse.md#poc
 

Back to top

Low Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
elinicksic--Razgover A security vulnerability has been detected in elinicksic Razgover up to db37dfc5c82f023a40f2f7834ded6633fb2b5262. This affects an unknown part of the file Chattify/send.php of the component Chat Message Handler. Such manipulation of the argument msg leads to cross site scripting. The attack may be performed from remote. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The name of the patch is 995dd89d0e3ec5522966724be23a5d58ca1bdac3. Applying a patch is advised to resolve this issue. This vulnerability only affects products that are no longer supported by the maintainer. 2025-12-31 3.5 CVE-2019-25262 VDB-338649 | elinicksic Razgover Chat Message send.php cross site scripting
VDB-338649 | CTI Indicators (IOB, IOC, TTP, IOA)
https://github.com/elinicksic/Razgover/commit/995dd89d0e3ec5522966724be23a5d58ca1bdac3
 
SohuTV--CacheCloud A vulnerability was identified in SohuTV CacheCloud up to 3.2.0. This affects the function index of the file src/main/java/com/sohu/cache/web/controller/ServerController.java. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-29 3.5 CVE-2025-15171 VDB-338556 | SohuTV CacheCloud ServerController.java index cross site scripting
VDB-338556 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716304 | SohuTV CacheCloud <=3.2.0 Reflected XSS
https://github.com/sohutv/cachecloud/issues/367
https://github.com/sohutv/cachecloud/issues/367#issue-3733551662
 
SohuTV--CacheCloud A security flaw has been discovered in SohuTV CacheCloud up to 3.2.0. This impacts the function preview of the file src/main/java/com/sohu/cache/web/controller/RedisConfigTemplateController.java. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be exploited. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-29 3.5 CVE-2025-15172 VDB-338557 | SohuTV CacheCloud RedisConfigTemplateController.java preview cross site scripting
VDB-338557 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716306 | SohuTV CacheCloud <=3.2.0 Reflected XSS
https://github.com/sohutv/cachecloud/issues/368
https://github.com/sohutv/cachecloud/issues/368#issue-3733556724
 
SohuTV--CacheCloud A weakness has been identified in SohuTV CacheCloud up to 3.2.0. Affected is the function advancedAnalysis of the file src/main/java/com/sohu/cache/web/controller/InstanceController.java. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-29 3.5 CVE-2025-15173 VDB-338558 | SohuTV CacheCloud InstanceController.java advancedAnalysis cross site scripting
VDB-338558 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716307 | SohuTV CacheCloud <=3.2.0 Reflected XSS
https://github.com/sohutv/cachecloud/issues/369
https://github.com/sohutv/cachecloud/issues/369#issue-3733560985
 
SohuTV--CacheCloud A security vulnerability has been detected in SohuTV CacheCloud up to 3.2.0. Affected by this vulnerability is the function doAppAuditList of the file src/main/java/com/sohu/cache/web/controller/AppManageController.java. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-29 3.5 CVE-2025-15174 VDB-338559 | SohuTV CacheCloud AppManageController.java doAppAuditList cross site scripting
VDB-338559 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716308 | SohuTV CacheCloud <=3.2.0 Reflected XSS
https://github.com/sohutv/cachecloud/issues/370
https://github.com/sohutv/cachecloud/issues/370#issue-3733566371
 
SohuTV--CacheCloud A vulnerability was detected in SohuTV CacheCloud up to 3.2.0. Affected by this issue is the function doAppList/appCommandAnalysis of the file src/main/java/com/sohu/cache/web/controller/AppController.java. Performing manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-29 3.5 CVE-2025-15175 VDB-338560 | SohuTV CacheCloud AppController.java appCommandAnalysis cross site scripting
VDB-338560 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716309 | SohuTV CacheCloud <=3.2.0 Reflected XSS
Submit #716322 | SohuTV CacheCloud <=3.2.0 Reflected XSS (Duplicate)
https://github.com/sohutv/cachecloud/issues/371
https://github.com/sohutv/cachecloud/issues/381
 
n/a--GreenCMS A vulnerability was found in GreenCMS up to 2.3. This affects an unknown part of the file /DataController.class.php of the component File Handler. Performing manipulation of the argument sqlFiles/zipFiles results in path traversal. The attack can be initiated remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. 2025-12-29 3.8 CVE-2025-15187 VDB-338572 | GreenCMS File DataController.class.php path traversal
VDB-338572 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721387 | https://github.com/GreenCMS/GreenCMS Greencms v2.3 Arbitrary File Removal
Submit #724836 | https://github.com/GreenCMS/GreenCMS Greencms V2.3 Arbitrary File Removal (Duplicate)
Submit #725143 | Greencms https://github.com/GreenCMS/GreenCMS V2.3 arbitrary file deletion (Duplicate)
https://github.com/ueh1013/VULN/issues/4
https://github.com/ueh1013/VULN/issues/5
 
SohuTV--CacheCloud A flaw has been found in SohuTV CacheCloud up to 3.2.0. The impacted element is the function redirectNoPower of the file src/main/java/com/sohu/cache/web/controller/WebResourceController.java. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-29 3.5 CVE-2025-15201 VDB-338588 | SohuTV CacheCloud WebResourceController.java redirectNoPower cross site scripting
VDB-338588 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716312 | SohuTV CacheCloud <=3.2.0 Reflected XSS
https://github.com/sohutv/cachecloud/issues/373
 
SohuTV--CacheCloud A security vulnerability has been detected in SohuTV CacheCloud up to 3.2.0. Affected by this issue is the function doMachineList/doPodList of the file src/main/java/com/sohu/cache/web/controller/MachineManageController.java. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-30 3.5 CVE-2025-15219 VDB-338604 | SohuTV CacheCloud MachineManageController.java doPodList cross site scripting
VDB-338604 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716318 | SohuTV CacheCloud <=3.2.0 Reflected XSS
Submit #716319 | SohuTV CacheCloud <=3.2.0 Reflected XSS (Duplicate)
https://github.com/sohutv/cachecloud/issues/377
https://github.com/sohutv/cachecloud/issues/378
 
SohuTV--CacheCloud A flaw has been found in SohuTV CacheCloud up to 3.2.0. This vulnerability affects the function index of the file src/main/java/com/sohu/cache/web/controller/AppDataMigrateController.java. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-30 3.5 CVE-2025-15221 VDB-338606 | SohuTV CacheCloud AppDataMigrateController.java index cross site scripting
VDB-338606 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716321 | SohuTV CacheCloud <=3.2.0 Reflected XSS
https://github.com/sohutv/cachecloud/issues/380
 
CloudPanel--Community Edition A security vulnerability has been detected in CloudPanel Community Edition up to 2.5.1. The affected element is an unknown function of the file /admin/users of the component HTTP Header Handler. Such manipulation of the argument Referer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.5.2 is sufficient to fix this issue. Upgrading the affected component is recommended. 2025-12-30 3.5 CVE-2025-15241 VDB-338631 | CloudPanel Community Edition HTTP Header users redirect
VDB-338631 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #725543 | CloudPanel CloudPanel Community Edition 2.5.1 URL Redirection to Untrusted Site ('Open Redirect')
https://github.com/Stolichnayer/cloudpanel-open-redirect
https://github.com/Stolichnayer/cloudpanel-open-redirect?tab=readme-ov-file#%EF%B8%8F-steps-to-reproduce
https://github.com/cloudpanel-io/cloudpanel-ce/releases/tag/v2.5.2
 
n/a--PHPEMS A vulnerability was detected in PHPEMS up to 11.0. The impacted element is an unknown function of the component Coupon Handler. Performing manipulation results in race condition. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is regarded as difficult. The exploit is now public and may be used. 2025-12-30 3.1 CVE-2025-15242 VDB-338632 | PHPEMS Coupon race condition
VDB-338632 | CTI Indicators (IOB, IOC)
Submit #725661 | PHPEMS <=11.0 Race Condition
https://byebydoggy.github.io/post/2025/1229-phpems-coupon-recharge-race-condition-poc/
 
n/a--PHPEMS A vulnerability has been found in PHPEMS up to 11.0. This impacts an unknown function of the component Purchase Request Handler. The manipulation leads to race condition. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used. 2025-12-30 3.7 CVE-2025-15244 VDB-338634 | PHPEMS Purchase Request race condition
VDB-338634 | CTI Indicators (IOB, IOC)
Submit #725727 | PHPEMS <=11.0 Race Condition
https://byebydoggy.github.io/post/2025/1229-phpems-points-race-condition-poc/
 
D-Link--DCS-850L A vulnerability was found in D-Link DCS-850L 1.02.09. Affected is the function uploadfirmware of the component Firmware Update Service. The manipulation of the argument DownloadFile results in path traversal. The attack must originate from the local network. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. 2025-12-30 3.5 CVE-2025-15245 VDB-338635 | D-Link DCS-850L Firmware Update Service uploadfirmware path traversal
VDB-338635 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #725742 | D-Link DCS850L v1.02.09 Absolute Path Traversal
https://tzh00203.notion.site/D-Link-DCS850L-v1-02-09-Path-Traversal-Vulnerability-in-Firmware-Update-2d8b5c52018a803abbc7e30e2858d084?source=copy_link
https://www.dlink.com/
 
sunhailin12315--product-review A security flaw has been discovered in sunhailin12315 product-review 商品评价系统 up to 91ead6890b4065bb45b7602d0d73348e75cb4639. This affects an unknown part of the component Write a Review. Performing manipulation of the argument content results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. This product adopts a rolling release strategy to maintain continuous delivery The project was informed of the problem early through an issue report but has not responded yet. 2025-12-30 3.5 CVE-2025-15248 VDB-338638 | sunhailin12315 product-review 商品评价系统 Write a Review cross site scripting
VDB-338638 | CTI Indicators (IOB, IOC, TTP, IOA)
https://gitee.com/sunhailin12315/product-review/issues/ICK775
 
zhujunliang3--work_platform A weakness has been identified in zhujunliang3 work_platform up to 6bc5a50bb527ce27f7906d11ea6ec139beb79c31. This vulnerability affects unknown code of the component Content Handler. Executing manipulation can lead to cross site scripting. The attack may be performed from remote. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-30 3.5 CVE-2025-15249 VDB-338639 | zhujunliang3 work_platform Content cross site scripting
VDB-338639 | CTI Indicators (IOB, IOC, TTP)
https://gitee.com/zhujunliang3/work_platform/issues/ICLUJ2
 
Edimax--BR-6208AC A weakness has been identified in Edimax BR-6208AC 1.02/1.03. Affected by this issue is the function formALGSetup of the file /goform/formALGSetup of the component Web-based Configuration Interface. This manipulation of the argument wlan-url causes open redirect. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. Edimax confirms this issue: "The product mentioned, EDIMAX BR-6208AC V2, has reached its End of Life (EOL) status. It is no longer supported or maintained by Edimax, and it is no longer available for purchase in the market. Consequently, there will be no further firmware updates or patches for this device. We recommend users upgrade to newer models for better security." This vulnerability only affects products that are no longer supported by the maintainer. 2025-12-30 3.5 CVE-2025-15258 VDB-338648 | Edimax BR-6208AC Web-based Configuration formALGSetup redirect
VDB-338648 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #722446 | Edimax BR-6208AC V2_1.02 Open Redirect
https://tzh00203.notion.site/EDIMAX-BR-6208AC-V2_1-02-Open-Redirect-Vulnerability-in-Web-formALGSetup-handler-2d3b5c52018a80188e9ae30d3cc8c3d1?source=copy_link
 
n/a--EyouCMS A vulnerability was detected in EyouCMS up to 1.7.7. The affected element is an unknown function of the file application/home/model/Ask.php of the component Ask Module. Performing manipulation of the argument content results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may be used. The vendor is "[a]cknowledging the existence of the vulnerability, we have completed the fix and will release a new version, v1.7.8". 2025-12-31 3.5 CVE-2025-15374 VDB-339082 | EyouCMS Ask Module Ask.php cross site scripting
VDB-339082 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #718480 | EyouCMS 1.7.7 Cross Site Scripting
https://note-hxlab.wetolink.com/share/LNickWiRaFiF
https://note-hxlab.wetolink.com/share/LNickWiRaFiF#-span--strong-proof-of-concept---strong---span-
 
Uasoft--badaso A security vulnerability has been detected in Uasoft badaso up to 2.9.7. Affected is the function forgetPassword of the file src/Controllers/BadasoAuthController.php of the component Token Handler. Such manipulation leads to weak password recovery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-31 3.7 CVE-2025-15398 VDB-339207 | Uasoft badaso Token BadasoAuthController.php forgetPassword password recovery
VDB-339207 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #720129 | badaso 2.9.7 Cryptographically Weak PRNG
https://note-hxlab.wetolink.com/share/HG1CWbb7FVnq
https://note-hxlab.wetolink.com/share/HG1CWbb7FVnq#-span--strong-step-1--trigger-password-reset-for-victim--strong---span-
 
n/a--Open5GS A vulnerability was identified in Open5GS up to 2.7.6. Affected is the function sgwc_s11_handle_create_session_request of the file src/sgwc/s11-handler.c of the component GTPv2-C F-TEID Handler. Such manipulation leads to denial of service. The attack must be carried out locally. The exploit is publicly available and might be used. The name of the patch is 465273d13ba5d47b274c38c9d1b07f04859178a1. A patch should be applied to remediate this issue. 2026-01-01 3.3 CVE-2025-15417 VDB-339339 | Open5GS GTPv2-C F-TEID s11-handler.c sgwc_s11_handle_create_session_request denial of service
VDB-339339 | CTI Indicators (IOB, IOC, IOA)
Submit #727616 | Open5GS SGWC v2.7.6 Denial of Service
https://github.com/open5gs/open5gs/issues/4203
https://github.com/open5gs/open5gs/issues/4203#issuecomment-3681643498
https://github.com/open5gs/open5gs/issues/4203#issue-3719257558
https://github.com/open5gs/open5gs/commit/465273d13ba5d47b274c38c9d1b07f04859178a1
 
n/a--Open5GS A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function ogs_gtp2_parse_bearer_qos in the library lib/gtp/v2/types.c of the component Bearer QoS IE Length Handler. Performing manipulation results in denial of service. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is named 4e913d21f2c032b187815f063dbab5ebe65fe83a. To fix this issue, it is recommended to deploy a patch. 2026-01-01 3.3 CVE-2025-15418 VDB-339340 | Open5GS Bearer QoS IE Length types.c ogs_gtp2_parse_bearer_qos denial of service
VDB-339340 | CTI Indicators (IOB, IOC, IOA)
Submit #728043 | Open5GS SGWC v2.7.6 Denial of Service
https://github.com/open5gs/open5gs/issues/4217
https://github.com/open5gs/open5gs/issues/4217#issuecomment-3690767105
https://github.com/open5gs/open5gs/issues/4217#issue-3759615968
https://github.com/open5gs/open5gs/commit/4e913d21f2c032b187815f063dbab5ebe65fe83a
 
n/a--Open5GS A weakness has been identified in Open5GS up to 2.7.6. Affected by this issue is the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c of the component GTPv2-C Flow Handler. Executing a manipulation can lead to denial of service. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. This patch is called 5aaa09907e7b9e0a326265a5f08d56f54280b5f2. It is advisable to implement a patch to correct this issue. 2026-01-02 3.3 CVE-2025-15419 VDB-339341 | Open5GS GTPv2-C Flow s5c-handler.c sgwc_s5c_handle_create_session_response denial of service
VDB-339341 | CTI Indicators (IOB, IOC, IOA)
Submit #728044 | Open5GS SGWC v2.7.6 Denial of Service
https://github.com/open5gs/open5gs/issues/4224
https://github.com/open5gs/open5gs/issues/4224#issuecomment-3698521008
https://github.com/open5gs/open5gs/issues/4224#issue-3766767406
https://github.com/open5gs/open5gs/commit/5aaa09907e7b9e0a326265a5f08d56f54280b5f2
 
n/a--LigeroSmart A vulnerability was found in LigeroSmart up to 6.1.24. This affects an unknown part of the component Environment Variable Handler. Performing manipulation of the argument REQUEST_URI results in cross site scripting. The attack may be initiated remotely. The exploit has been made public and could be used. Upgrading to version 6.1.26 and 6.3 is able to mitigate this issue. The patch is named 264ac5b2be5b3c673ebd8cb862e673f5d300d9a7. The affected component should be upgraded. 2026-01-02 3.5 CVE-2025-15437 VDB-339364 | LigeroSmart Environment Variable cross site scripting
VDB-339364 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #729021 | LigeroSmart 6.1.24 Cross Site Scripting
https://github.com/LigeroSmart/ligerosmart/issues/278
https://github.com/LigeroSmart/ligerosmart/issues/278#issuecomment-3675129508
https://github.com/LigeroSmart/ligerosmart/commit/264ac5b2be5b3c673ebd8cb862e673f5d300d9a7
https://github.com/LigeroSmart/ligerosmart/releases/tag/6.1.26
 
KDE--messagelib KDE messagelib before 25.11.90 ignores SSL errors for threatMatches:find in the Google Safe Browsing Lookup API (aka phishing API), which might allow spoofing of threat data. NOTE: this Lookup API is not contacted in the messagelib default configuration. 2025-12-31 3.4 CVE-2025-69412 https://github.com/KDE/messagelib/compare/v25.11.80...v25.11.90
https://github.com/KDE/messagelib/commit/01adef0482bb3d5c817433db5208620c84a992b3
https://developers.google.com/safe-browsing/v4
https://developers.google.com/safe-browsing/v4/lookup-api
 
Campcodes--Complete Online Beauty Parlor Management System A vulnerability was determined in Campcodes Complete Online Beauty Parlor Management System 1.0. This vulnerability affects unknown code of the file /admin/search-invoices.php. Executing manipulation of the argument searchdata can lead to cross site scripting. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. 2025-12-29 2.4 CVE-2025-15188 VDB-338573 | Campcodes Complete Online Beauty Parlor Management System search-invoices.php cross site scripting
VDB-338573 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721868 | campcodes Complete Online Beauty Parlor Management System V1.0 Cross Site Scripting
https://github.com/BUPT2025201/CVE/issues/1
https://www.campcodes.com/
 
SohuTV--CacheCloud A vulnerability was detected in SohuTV CacheCloud up to 3.2.0. The affected element is the function getExceptionStatisticsByClient/getCommandStatisticsByClient/doIndex of the file src/main/java/com/sohu/cache/web/controller/AppClientDataShowController.java. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-29 2.4 CVE-2025-15200 VDB-338587 | SohuTV CacheCloud AppClientDataShowController.java doIndex cross site scripting
VDB-338587 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716311 | SohuTV CacheCloud <=3.2.0 Reflected XSS
Submit #716323 | SohuTV CacheCloud <=3.2.0 Reflected XSS (Duplicate)
Submit #716324 | SohuTV CacheCloud <=3.2.0 Reflected XSS (Duplicate)
https://github.com/sohutv/cachecloud/issues/372
https://github.com/sohutv/cachecloud/issues/382
 
SohuTV--CacheCloud A vulnerability has been found in SohuTV CacheCloud up to 3.2.0. This affects the function taskQueueList of the file src/main/java/com/sohu/cache/web/controller/TaskController.java. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-29 2.4 CVE-2025-15202 VDB-338589 | SohuTV CacheCloud TaskController.java taskQueueList cross site scripting
VDB-338589 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716313 | SohuTV CacheCloud <=3.2.0 Reflected XSS
https://github.com/sohutv/cachecloud/issues/374
 
SohuTV--CacheCloud A vulnerability was found in SohuTV CacheCloud up to 3.2.0. This impacts the function index of the file src/main/java/com/sohu/cache/web/controller/ResourceController.java. Performing manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-29 2.4 CVE-2025-15203 VDB-338590 | SohuTV CacheCloud ResourceController.java index cross site scripting
VDB-338590 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716314 | SohuTV CacheCloud <=3.2.0 Reflected XSS
https://github.com/sohutv/cachecloud/issues/375
 
SohuTV--CacheCloud A vulnerability was determined in SohuTV CacheCloud up to 3.2.0. Affected is the function doQuartzList of the file src/main/java/com/sohu/cache/web/controller/QuartzManageController.java. Executing manipulation can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-29 2.4 CVE-2025-15204 VDB-338591 | SohuTV CacheCloud QuartzManageController.java doQuartzList cross site scripting
VDB-338591 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716315 | SohuTV CacheCloud <=3.2.0 Reflected XSS
https://github.com/sohutv/cachecloud/issues/376
 
Campcodes--Park Ticketing System A vulnerability was found in Campcodes Park Ticketing System 1.0. The impacted element is the function save_pricing of the file admin_class.php. The manipulation of the argument name/ride results in cross site scripting. The attack may be performed from remote. The exploit has been made public and could be used. 2025-12-30 2.4 CVE-2025-15214 VDB-338599 | Campcodes Park Ticketing System admin_class.php save_pricing cross site scripting
VDB-338599 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #725104 | Campcodes Park Ticketing System v1.0 XSS
Submit #728898 | campcodes Park Ticketing System V1.0 Cross Site Scripting (Duplicate)
https://github.com/dobkill/CVE/issues/2
https://www.campcodes.com/
 
youlaitech--vue3-element-admin A weakness has been identified in youlaitech vue3-element-admin up to 3.4.0. This issue affects some unknown processing of the file src/views/system/notice/index.vue of the component Notice Handler. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-31 2.4 CVE-2025-15372 VDB-339080 | youlaitech vue3-element-admin Notice index.vue cross site scripting
VDB-339080 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #718345 | youlaitech vue3-element-admin <=v3.4.0 XSS
https://github.com/AnalogyC0de/public_exp/blob/main/archives/vue3-element-admin/report.md
https://github.com/AnalogyC0de/public_exp/blob/main/archives/vue3-element-admin/report.md#proof-of-concept
 
xnx3--wangmarket A vulnerability was found in xnx3 wangmarket up to 6.4. This affects an unknown function of the file /siteVar/save.do of the component Add Global Variable Handler. The manipulation of the argument Remark/Variable Value results in cross site scripting. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-01-01 2.4 CVE-2025-15416 VDB-339337 | xnx3 wangmarket Add Global Variable save.do cross site scripting
VDB-339337 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721080 | xnx3 https://github.com/xnx3/wangmarket <=v6.4 Cross Site Scripting
https://github.com/yuccun/CVE/blob/main/wangmarket-Stored_Cross-Site_Scripting.md
 
The Tcpdump Group--libpcap pcap_ether_aton() is an auxiliary function in libpcap, it takes a string argument and returns a fixed-size allocated buffer. The string argument must be a well-formed MAC-48 address in one of the supported formats, but this requirement has been poorly documented. If an application calls the function with an argument that deviates from the expected format, the function can read data beyond the end of the provided string and write data beyond the end of the allocated buffer. 2025-12-31 1.9 CVE-2025-11961 https://github.com/the-tcpdump-group/libpcap/commit/b2d2f9a9a0581c40780bde509f7cc715920f1c02
 
The Tcpdump Group--libpcap On Windows only, if libpcap needs to convert a Windows error message to UTF-8 and the message includes characters that UTF-8 represents using 4 bytes, utf_16le_to_utf_8_truncated() can write data beyond the end of the provided buffer. 2025-12-31 1.9 CVE-2025-11964 https://github.com/the-tcpdump-group/libpcap/commit/7fabf607f2319a36a0bd78444247180acb838e69
 

Back to top

Severity Not Yet Assigned

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
Gargoyle--Gargoyle Router Management Utility Gargoyle router management utility versions 1.5.x contain an authenticated OS command execution vulnerability in /utility/run_commands.sh. The application fails to properly restrict or validate input supplied via the 'commands' parameter, allowing an authenticated attacker to execute arbitrary shell commands on the underlying system. Successful exploitation may result in full compromise of the device, including unauthorized access to system files and execution of attacker-controlled commands. 2025-12-31 not yet calculated CVE-2015-10145 https://packetstorm.news/files/id/132149
https://www.gargoyle-router.com/
https://blog.xlab.qianxin.com/large-scale-botnet-airashi-en/
https://www.vulncheck.com/advisories/gargoyle-authenticated-os-command-execution-via-run-commands-sh
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mei: fix potential NULL-ptr deref after clone If cloning the SKB fails, don't try to use it, but rather return as if we should pass it. Coverity CID: 1503456 2025-12-30 not yet calculated CVE-2022-50784 https://git.kernel.org/stable/c/8b8e25073f3dab93554ee3d5b264f7c013ebd92a
https://git.kernel.org/stable/c/0183b7c49cfdda91284505cbcdc7feecde48cbb9
https://git.kernel.org/stable/c/d3df49dda431f7ae4132a9a0ac25a5134c04e812
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fsi: occ: Prevent use after free Use get_device and put_device in the open and close functions to make sure the device doesn't get freed while a file descriptor is open. Also, lock around the freeing of the device buffer and check the buffer before using it in the submit function. 2025-12-30 not yet calculated CVE-2022-50785 https://git.kernel.org/stable/c/1d5ad0a874ddfcee9f932f54b1d34cbe8b9ddcfe
https://git.kernel.org/stable/c/3593e8efc9f0dac6be70bd5c964eadaa86bf2713
https://git.kernel.org/stable/c/d3e1e24604031b0d83b6c2d38f54eeea265cfcc0
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: s5p-mfc: Clear workbit to handle error condition During error on CLOSE_INSTANCE command, ctx_work_bits was not getting cleared. During consequent mfc execution NULL pointer dereferencing of this context led to kernel panic. This patch fixes this issue by making sure to clear ctx_work_bits always. 2025-12-30 not yet calculated CVE-2022-50786 https://git.kernel.org/stable/c/12242bd13ce68acd571b2cce6ab302e154e8a4ee
https://git.kernel.org/stable/c/640075400c7c577b0f5369b935e22a588773fafa
https://git.kernel.org/stable/c/8ff64edf9d16e8c277dcc8189794763624e6b4b8
https://git.kernel.org/stable/c/ff27800c0a6d81571671b33f696109804d015409
https://git.kernel.org/stable/c/09c1fbbe532758e4046c20829f4c0c50b99332dc
https://git.kernel.org/stable/c/bd1b72f0c39a0d791a087b4e643701a48328ba8e
https://git.kernel.org/stable/c/d3f3c2fe54e30b0636496d842ffbb5ad3a547f9b
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: xhci: dbc: Fix memory leak in xhci_alloc_dbc() If DbC is already in use, then the allocated memory for the xhci_dbc struct doesn't get freed before returning NULL, which leads to a memleak. 2025-12-30 not yet calculated CVE-2022-50809 https://git.kernel.org/stable/c/103b459590e1eb4d80b02761eb36c7cae1d9b58e
https://git.kernel.org/stable/c/116d6a6964986ea7eb516daa36128d270f1f248d
https://git.kernel.org/stable/c/69e67c804d09a6b1bcda1f4f242f151f813eeb4a
https://git.kernel.org/stable/c/d591b32e519603524a35b172156db71df9116902
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: rapidio: devices: fix missing put_device in mport_cdev_open When kfifo_alloc fails, the refcount of chdev->dev is left incremental. We should use put_device(&chdev->dev) to decrease the ref count of chdev->dev to avoid refcount leak. 2025-12-30 not yet calculated CVE-2022-50810 https://git.kernel.org/stable/c/6e4540e0970030e140998ce8847f5f0171b5afa1
https://git.kernel.org/stable/c/ae57222402bea455e60cc51d2f52ce73b63b7af8
https://git.kernel.org/stable/c/dfee9fe93dd34cd9d49520718f6ec2072de25e48
https://git.kernel.org/stable/c/bb7397f6312d2cbf05e415676ed5b1655cb82a34
https://git.kernel.org/stable/c/53915ecc43c5139d6cdd1caa4fdc9290b9597008
https://git.kernel.org/stable/c/a0d93aac54ce07a7cc71e90645d0cdabbda50450
https://git.kernel.org/stable/c/162433a96079bfa5ec748c486b4570f138d04fb5
https://git.kernel.org/stable/c/b596242585984b5f3085aa8f7a82c65640b384b6
https://git.kernel.org/stable/c/d5b6e6eba3af11cb2a2791fa36a2524990fcde1a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: erofs: fix missing unmap if z_erofs_get_extent_compressedlen() fails Otherwise, meta buffers could be leaked. 2025-12-30 not yet calculated CVE-2022-50811 https://git.kernel.org/stable/c/091a8ca572a2e48554427feda78aa503e98c1028
https://git.kernel.org/stable/c/373b6f350aecf5dca2e7474f0b4ec8cca659f2f0
https://git.kernel.org/stable/c/d5d188b8f8b38d3d71dd05993874b4fc9284ce95
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: security: Restrict CONFIG_ZERO_CALL_USED_REGS to gcc or clang > 15.0.6 A bad bug in clang's implementation of -fzero-call-used-regs can result in NULL pointer dereferences (see the links above the check for more information). Restrict CONFIG_CC_HAS_ZERO_CALL_USED_REGS to either a supported GCC version or a clang newer than 15.0.6, which will catch both a theoretical 15.0.7 and the upcoming 16.0.0, which will both have the bug fixed. 2025-12-30 not yet calculated CVE-2022-50812 https://git.kernel.org/stable/c/8a4236456a3a402f6bb92aa7b75e7a3b4ef7a72c
https://git.kernel.org/stable/c/0b202dfedb5aa2e7d07d849be33fa3a48c026926
https://git.kernel.org/stable/c/21ca0bfa11bbb9a9207f5d2104f47d3d71b4616e
https://git.kernel.org/stable/c/d6a9fb87e9d18f3394a9845546bbe868efdccfd2
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drivers: mcb: fix resource leak in mcb_probe() When probe hook function failed in mcb_probe(), it doesn't put the device. Compiled test only. 2025-12-30 not yet calculated CVE-2022-50813 https://git.kernel.org/stable/c/531ac7b911a962b3b29565dad6ea6b5c3fad3317
https://git.kernel.org/stable/c/6f3467aa5712e6b5550e75a16454b3f17aa1f380
https://git.kernel.org/stable/c/e420ca85bf42a684ea729c505c07de6709500ed2
https://git.kernel.org/stable/c/68e54d9ee8222d7805a0b9d3e1c37b8cf3be536a
https://git.kernel.org/stable/c/0d1c2c8db28919c4351000d7c1692f1767bdc4f7
https://git.kernel.org/stable/c/f3686e5e8de0a03c8e70e3ee0ce3078fed612909
https://git.kernel.org/stable/c/0a23dda78946f604ff752fe223c3c1f4fa6dd7b4
https://git.kernel.org/stable/c/0468a585710bbb807a1b9c31df54bcf564d28b2b
https://git.kernel.org/stable/c/d7237462561fcd224fa687c56ccb68629f50fc0d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/zip - fix mismatch in get/set sgl_sge_nr KASAN reported this Bug: [17619.659757] BUG: KASAN: global-out-of-bounds in param_get_int+0x34/0x60 [17619.673193] Read of size 4 at addr fffff01332d7ed00 by task read_all/1507958 ... [17619.698934] The buggy address belongs to the variable: [17619.708371] sgl_sge_nr+0x0/0xffffffffffffa300 [hisi_zip] There is a mismatch in hisi_zip when get/set the variable sgl_sge_nr. The type of sgl_sge_nr is u16, and get/set sgl_sge_nr by param_get/set_int. Replacing param_get/set_int to param_get/set_ushort can fix this bug. 2025-12-30 not yet calculated CVE-2022-50814 https://git.kernel.org/stable/c/d88b88514ef28515ccfa1f1787c2aedef75a79dd
https://git.kernel.org/stable/c/272093471305261c4e07a2fc97c2d1e53cd56819
https://git.kernel.org/stable/c/f8a983d6e01b198320d310cb1326364d7d973b2a
https://git.kernel.org/stable/c/5eaebd19fbb0e26e73a34f55d3b1dc310df0eb15
https://git.kernel.org/stable/c/d74f9340097a881869c4c22ca376654cc2516ecc
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ext2: Add sanity checks for group and filesystem size Add sanity check that filesystem size does not exceed the underlying device size and that group size is big enough so that metadata can fit into it. This avoid trying to mount some crafted filesystems with extremely large group counts. 2025-12-30 not yet calculated CVE-2022-50815 https://git.kernel.org/stable/c/40ff52527daec00cf1530c17a95636916ddd3b38
https://git.kernel.org/stable/c/321440079763998076b75e0c802524e2218a7d97
https://git.kernel.org/stable/c/d766f2d1e3e3bd44024a7f971ffcf8b8fbb7c5d2
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ipv6: ensure sane device mtu in tunnels Another syzbot report [1] with no reproducer hints at a bug in ip6_gre tunnel (dev:ip6gretap0) Since ipv6 mcast code makes sure to read dev->mtu once and applies a sanity check on it (see commit b9b312a7a451 "ipv6: mcast: better catch silly mtu values"), a remaining possibility is that a layer is able to set dev->mtu to an underflowed value (high order bit set). This could happen indeed in ip6gre_tnl_link_config_route(), ip6_tnl_link_config() and ipip6_tunnel_bind_dev() Make sure to sanitize mtu value in a local variable before it is written once on dev->mtu, as lockless readers could catch wrong temporary value. [1] skbuff: skb_over_panic: text:ffff80000b7a2f38 len:40 put:40 head:ffff000149dcf200 data:ffff000149dcf2b0 tail:0xd8 end:0xc0 dev:ip6gretap0 ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:120 Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 1 PID: 10241 Comm: kworker/1:1 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022 Workqueue: mld mld_ifc_work pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : skb_panic+0x4c/0x50 net/core/skbuff.c:116 lr : skb_panic+0x4c/0x50 net/core/skbuff.c:116 sp : ffff800020dd3b60 x29: ffff800020dd3b70 x28: 0000000000000000 x27: ffff00010df2a800 x26: 00000000000000c0 x25: 00000000000000b0 x24: ffff000149dcf200 x23: 00000000000000c0 x22: 00000000000000d8 x21: ffff80000b7a2f38 x20: ffff00014c2f7800 x19: 0000000000000028 x18: 00000000000001a9 x17: 0000000000000000 x16: ffff80000db49158 x15: ffff000113bf1a80 x14: 0000000000000000 x13: 00000000ffffffff x12: ffff000113bf1a80 x11: ff808000081c0d5c x10: 0000000000000000 x9 : 73f125dc5c63ba00 x8 : 73f125dc5c63ba00 x7 : ffff800008161d1c x6 : 0000000000000000 x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000 x2 : ffff0001fefddcd0 x1 : 0000000100000000 x0 : 0000000000000089 Call trace: skb_panic+0x4c/0x50 net/core/skbuff.c:116 skb_over_panic net/core/skbuff.c:125 [inline] skb_put+0xd4/0xdc net/core/skbuff.c:2049 ip6_mc_hdr net/ipv6/mcast.c:1714 [inline] mld_newpack+0x14c/0x270 net/ipv6/mcast.c:1765 add_grhead net/ipv6/mcast.c:1851 [inline] add_grec+0xa20/0xae0 net/ipv6/mcast.c:1989 mld_send_cr+0x438/0x5a8 net/ipv6/mcast.c:2115 mld_ifc_work+0x38/0x290 net/ipv6/mcast.c:2653 process_one_work+0x2d8/0x504 kernel/workqueue.c:2289 worker_thread+0x340/0x610 kernel/workqueue.c:2436 kthread+0x12c/0x158 kernel/kthread.c:376 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 Code: 91011400 aa0803e1 a90027ea 94373093 (d4210000) 2025-12-30 not yet calculated CVE-2022-50816 https://git.kernel.org/stable/c/2bab6fa449d16af36d9c9518865f783a15f446c7
https://git.kernel.org/stable/c/78297d513157a31fd629626fe4cbb85a7dcbb94a
https://git.kernel.org/stable/c/af51fc23a03f02b0c6df09ab0d60f23794436052
https://git.kernel.org/stable/c/44affe7ede596f078c4f2f41e0d160266ccda818
https://git.kernel.org/stable/c/ad3f1d9bf162c487d23df684852597961b745cae
https://git.kernel.org/stable/c/ccd94bd4939690e24d13e23814bce7ed853a09f3
https://git.kernel.org/stable/c/d89d7ff01235f218dad37de84457717f699dee79
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: hsr: avoid possible NULL deref in skb_clone() syzbot got a crash [1] in skb_clone(), caused by a bug in hsr_get_untagged_frame(). When/if create_stripped_skb_hsr() returns NULL, we must not attempt to call skb_clone(). While we are at it, replace a WARN_ONCE() by netdev_warn_once(). [1] general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f] CPU: 1 PID: 754 Comm: syz-executor.0 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 RIP: 0010:skb_clone+0x108/0x3c0 net/core/skbuff.c:1641 Code: 93 02 00 00 49 83 7c 24 28 00 0f 85 e9 00 00 00 e8 5d 4a 29 fa 4c 8d 75 7e 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <0f> b6 04 02 4c 89 f2 83 e2 07 38 d0 7f 08 84 c0 0f 85 9e 01 00 00 RSP: 0018:ffffc90003ccf4e0 EFLAGS: 00010207 RAX: dffffc0000000000 RBX: ffffc90003ccf5f8 RCX: ffffc9000c24b000 RDX: 000000000000000f RSI: ffffffff8751cb13 RDI: 0000000000000000 RBP: 0000000000000000 R08: 00000000000000f0 R09: 0000000000000140 R10: fffffbfff181d972 R11: 0000000000000000 R12: ffff888161fc3640 R13: 0000000000000a20 R14: 000000000000007e R15: ffffffff8dc5f620 FS: 00007feb621e4700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007feb621e3ff8 CR3: 00000001643a9000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> hsr_get_untagged_frame+0x4e/0x610 net/hsr/hsr_forward.c:164 hsr_forward_do net/hsr/hsr_forward.c:461 [inline] hsr_forward_skb+0xcca/0x1d50 net/hsr/hsr_forward.c:623 hsr_handle_frame+0x588/0x7c0 net/hsr/hsr_slave.c:69 __netif_receive_skb_core+0x9fe/0x38f0 net/core/dev.c:5379 __netif_receive_skb_one_core+0xae/0x180 net/core/dev.c:5483 __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5599 netif_receive_skb_internal net/core/dev.c:5685 [inline] netif_receive_skb+0x12f/0x8d0 net/core/dev.c:5744 tun_rx_batched+0x4ab/0x7a0 drivers/net/tun.c:1544 tun_get_user+0x2686/0x3a00 drivers/net/tun.c:1995 tun_chr_write_iter+0xdb/0x200 drivers/net/tun.c:2025 call_write_iter include/linux/fs.h:2187 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x9e9/0xdd0 fs/read_write.c:584 ksys_write+0x127/0x250 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd 2025-12-30 not yet calculated CVE-2022-50817 https://git.kernel.org/stable/c/ff7ba766758313129794f150bbc4d351b5e17a53
https://git.kernel.org/stable/c/35ece858660eae13ee0242496a1956c39d29418e
https://git.kernel.org/stable/c/c46f2e0fcd1ecfc6046e5cf785ff89f0572f94e4
https://git.kernel.org/stable/c/d8b57135fd9ffe9a5b445350a686442a531c5339
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix running_req for internal abort commands Disabling the remote phy for a SATA disk causes a hang: root@(none)$ more /sys/class/sas_phy/phy-0:0:8/target_port_protocols sata root@(none)$ echo 0 > sys/class/sas_phy/phy-0:0:8/enable root@(none)$ [ 67.855950] sas: ex 500e004aaaaaaa1f phy08 change count has changed [ 67.920585] sd 0:0:2:0: [sdc] Synchronizing SCSI cache [ 67.925780] sd 0:0:2:0: [sdc] Synchronize Cache(10) failed: Result: hostbyte=0x04 driverbyte=DRIVER_OK [ 67.935094] sd 0:0:2:0: [sdc] Stopping disk [ 67.939305] sd 0:0:2:0: [sdc] Start/Stop Unit failed: Result: hostbyte=0x04 driverbyte=DRIVER_OK ... [ 123.998998] INFO: task kworker/u192:1:642 blocked for more than 30 seconds. [ 124.005960] Not tainted 6.0.0-rc1-205202-gf26f8f761e83 #218 [ 124.012049] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 124.019872] task:kworker/u192:1 state:D stack:0 pid: 642 ppid: 2 flags:0x00000008 [ 124.028223] Workqueue: 0000:04:00.0_event_q sas_port_event_worker [ 124.034319] Call trace: [ 124.036758] __switch_to+0x128/0x278 [ 124.040333] __schedule+0x434/0xa58 [ 124.043820] schedule+0x94/0x138 [ 124.047045] schedule_timeout+0x2fc/0x368 [ 124.051052] wait_for_completion+0xdc/0x200 [ 124.055234] __flush_workqueue+0x1a8/0x708 [ 124.059328] sas_porte_broadcast_rcvd+0xa8/0xc0 [ 124.063858] sas_port_event_worker+0x60/0x98 [ 124.068126] process_one_work+0x3f8/0x660 [ 124.072134] worker_thread+0x70/0x700 [ 124.075793] kthread+0x1a4/0x1b8 [ 124.079014] ret_from_fork+0x10/0x20 The issue is that the per-device running_req read in pm8001_dev_gone_notify() never goes to zero and we never make progress. This is caused by missing accounting for running_req for when an internal abort command completes. In commit 2cbbf489778e ("scsi: pm8001: Use libsas internal abort support") we started to send internal abort commands as a proper sas_task. In this when we deliver a sas_task to HW the per-device running_req is incremented in pm8001_queue_command(). However it is never decremented for internal abort commnds, so decrement in pm8001_mpi_task_abort_resp(). 2025-12-30 not yet calculated CVE-2022-50818 https://git.kernel.org/stable/c/4e750e0d8e486569fcb7f4ba6f6471673ce7d8a2
https://git.kernel.org/stable/c/a62b9fc9775fbc8e666bb328f6e53c168054d6fe
https://git.kernel.org/stable/c/d8c22c4697c11ed28062afe3c2b377025be11a23
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: udmabuf: Set ubuf->sg = NULL if the creation of sg table fails When userspace tries to map the dmabuf and if for some reason (e.g. OOM) the creation of the sg table fails, ubuf->sg needs to be set to NULL. Otherwise, when the userspace subsequently closes the dmabuf fd, we'd try to erroneously free the invalid sg table from release_udmabuf resulting in the following crash reported by syzbot: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 3609 Comm: syz-executor487 Not tainted 5.19.0-syzkaller-13930-g7ebfc85e2cd7 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 RIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline] RIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline] RIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114 Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 04 00 00 48 8d 7d 0c 4c 8b 63 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e2 RSP: 0018:ffffc900037efd30 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffffffff8cb67800 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff84ad27e0 RDI: 0000000000000000 RBP: fffffffffffffff4 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000000 R11: 000000000008c07c R12: ffff88801fa05000 R13: ffff888073db07e8 R14: ffff888025c25440 R15: 0000000000000000 FS: 0000555555fc4300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fc1c0ce06e4 CR3: 00000000715e6000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> dma_buf_release+0x157/0x2d0 drivers/dma-buf/dma-buf.c:78 __dentry_kill+0x42b/0x640 fs/dcache.c:612 dentry_kill fs/dcache.c:733 [inline] dput+0x806/0xdb0 fs/dcache.c:913 __fput+0x39c/0x9d0 fs/file_table.c:333 task_work_run+0xdd/0x1a0 kernel/task_work.c:177 ptrace_notify+0x114/0x140 kernel/signal.c:2353 ptrace_report_syscall include/linux/ptrace.h:420 [inline] ptrace_report_syscall_exit include/linux/ptrace.h:482 [inline] syscall_exit_work kernel/entry/common.c:249 [inline] syscall_exit_to_user_mode_prepare+0x129/0x280 kernel/entry/common.c:276 __syscall_exit_to_user_mode_work kernel/entry/common.c:281 [inline] syscall_exit_to_user_mode+0x9/0x50 kernel/entry/common.c:294 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fc1c0c35b6b Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44 RSP: 002b:00007ffd78a06090 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fc1c0c35b6b RDX: 0000000020000280 RSI: 0000000040086200 RDI: 0000000000000006 RBP: 0000000000000007 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000000c R13: 0000000000000003 R14: 00007fc1c0cfe4a0 R15: 00007ffd78a06140 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline] RIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline] RIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114 2025-12-30 not yet calculated CVE-2022-50819 https://git.kernel.org/stable/c/bbe2f6f90310b3a0b5de4e0dc022b36faabfd718
https://git.kernel.org/stable/c/dfbed8c92eb853929f4fa676ba493391dab47be4
https://git.kernel.org/stable/c/fc285549f454c0f50f87ec945fc0bf44719c0fa4
https://git.kernel.org/stable/c/9861e43f097a50678041f973347b3a88f2da09cf
https://git.kernel.org/stable/c/d9c04a1b7a15b5e74b2977461d9511e497f05d8f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: perf/arm_dmc620: Fix hotplug callback leak in dmc620_pmu_init() dmc620_pmu_init() won't remove the callback added by cpuhp_setup_state_multi() when platform_driver_register() failed. Remove the callback by cpuhp_remove_multi_state() in fail path. Similar to the handling of arm_ccn_init() in commit 26242b330093 ("bus: arm-ccn: Prevent hotplug callback leak") 2025-12-30 not yet calculated CVE-2022-50820 https://git.kernel.org/stable/c/b99fbe8d949a99fe456f08c7aad421327685aa50
https://git.kernel.org/stable/c/af170afa97e50d4169cfaa7ff4ec5d3841182641
https://git.kernel.org/stable/c/adf7c3bbcc819db6e95b6a61c9822230f0ef4778
https://git.kernel.org/stable/c/d9f564c966e63925aac4ba273a9319d7fb6f4b4e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails 2025-12-30 not yet calculated CVE-2022-50821 https://git.kernel.org/stable/c/76f2497a2faa6a4e91efb94a7f55705b403273fd
https://git.kernel.org/stable/c/aa91afe597401b78baa7d751c71eedb92c80bd4d
https://git.kernel.org/stable/c/2cd6026e257362f030c8be57abaf7fc0049df60a
https://git.kernel.org/stable/c/d01fa993eb7fbc305f0a9c3e8bfac6513efc13b6
https://git.kernel.org/stable/c/67eb848161c2799f2007968ea3bc87adb15c9567
https://git.kernel.org/stable/c/c9ded831e2552b9c3cab7e2591a190e94f9d29c0
https://git.kernel.org/stable/c/da522b5fe1a5f8b7c20a0023e87b52a150e53bf5
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/restrack: Release MR restrack when delete The MR restrack also needs to be released when delete it, otherwise it cause memory leak as the task struct won't be released. 2025-12-30 not yet calculated CVE-2022-50822 https://git.kernel.org/stable/c/13586753ae55146269a6dc8b216f17d86b81560c
https://git.kernel.org/stable/c/37c90753079fc95d93cc31b79796dd2ae57ad018
https://git.kernel.org/stable/c/8731cb5c7820bef577bab4ff17691fbf61c671cb
https://git.kernel.org/stable/c/dac153f2802db1ad46207283cb9b2aae3d707a45
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: clk: tegra: Fix refcount leak in tegra114_clock_init of_find_matching_node() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. 2025-12-30 not yet calculated CVE-2022-50823 https://git.kernel.org/stable/c/1f0e1cbbaffd729560716e9592aa5e609ea93bb6
https://git.kernel.org/stable/c/ce699dcdac2bfdb6b238f2517ba41d9623b15f46
https://git.kernel.org/stable/c/8cc87a9c142ae0e276a3ff9ce50f78a1668da36f
https://git.kernel.org/stable/c/5984b1d66126b024ee77482602ac6e51b53f4116
https://git.kernel.org/stable/c/c01bfd23cc13a420b3f6a36bcab98410f49d480d
https://git.kernel.org/stable/c/e7a57fb92af52c4da69cd947752e8946e5ada50a
https://git.kernel.org/stable/c/8e1fe30253930c6a67385c19802c5ab8706a76d9
https://git.kernel.org/stable/c/a7d3fb5814c73d7d49913e4294f8f508a3038bb4
https://git.kernel.org/stable/c/db16a80c76ea395766913082b1e3f939dde29b2c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: tpm: tpm_tis: Add the missed acpi_put_table() to fix memory leak In check_acpi_tpm2(), we get the TPM2 table just to make sure the table is there, not used after the init, so the acpi_put_table() should be added to release the ACPI memory. 2025-12-30 not yet calculated CVE-2022-50824 https://git.kernel.org/stable/c/8bc6c10d3f389693410adb14b4e9deec01ff6334
https://git.kernel.org/stable/c/de667a2704ae799f697fd45cf4317623d8c79fb7
https://git.kernel.org/stable/c/e027f3b9fabd2b410a4e6a7651e7a45b87019f23
https://git.kernel.org/stable/c/3b6c822238da9ee8984803355601bcc603d49cb5
https://git.kernel.org/stable/c/43135fb098126ef2cd6ed584900fd7bfa25f95ce
https://git.kernel.org/stable/c/e0d1cf8ef84bb14a673215699fb8acc187aa2c4a
https://git.kernel.org/stable/c/e60fa800a32a693d672b1a091424d780278c4587
https://git.kernel.org/stable/c/db9622f762104459ff87ecdf885cc42c18053fd9
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: usb: typec: wusb3801: fix fwnode refcount leak in wusb3801_probe() I got the following report while doing fault injection test: OF: ERROR: memory leak, expected refcount 1 instead of 4, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /i2c/tcpc@60/connector If wusb3801_hw_init() fails, fwnode_handle_put() needs be called to avoid refcount leak. 2025-12-30 not yet calculated CVE-2022-50825 https://git.kernel.org/stable/c/de1e2eb7f102e3073714396414592a39efb66b3e
https://git.kernel.org/stable/c/82d1211f673bbdc822eaf1dbcbf1f2ae06556964
https://git.kernel.org/stable/c/dc18a4c7b3bd447cef2395deeb1f6ac16dfaca0e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ipu3-imgu: Fix NULL pointer dereference in imgu_subdev_set_selection() Calling v4l2_subdev_get_try_crop() and v4l2_subdev_get_try_compose() with a subdev state of NULL leads to a NULL pointer dereference. This can currently happen in imgu_subdev_set_selection() when the state passed in is NULL, as this method first gets pointers to both the "try" and "active" states and only then decides which to use. The same issue has been addressed for imgu_subdev_get_selection() with commit 30d03a0de650 ("ipu3-imgu: Fix NULL pointer dereference in active selection access"). However the issue still persists in imgu_subdev_set_selection(). Therefore, apply a similar fix as done in the aforementioned commit to imgu_subdev_set_selection(). To keep things a bit cleaner, introduce helper functions for "crop" and "compose" access and use them in both imgu_subdev_set_selection() and imgu_subdev_get_selection(). 2025-12-30 not yet calculated CVE-2022-50826 https://git.kernel.org/stable/c/fa6bbb4894b9b947063c6ff90018a954c5f9f4b3
https://git.kernel.org/stable/c/611d617bdb6c5d636a9861ec1c98e813fc8a5556
https://git.kernel.org/stable/c/5038ee677606106c91564f9c4557d808d14bad70
https://git.kernel.org/stable/c/dc608edf7d45ba0c2ad14c06eccd66474fec7847
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix memory leak in lpfc_create_port() Commit 5e633302ace1 ("scsi: lpfc: vmid: Add support for VMID in mailbox command") introduced allocations for the VMID resources in lpfc_create_port() after the call to scsi_host_alloc(). Upon failure on the VMID allocations, the new code would branch to the 'out' label, which returns NULL without unwinding anything, thus skipping the call to scsi_host_put(). Fix the problem by creating a separate label 'out_free_vmid' to unwind the VMID resources and make the 'out_put_shost' label call only scsi_host_put(), as was done before the introduction of allocations for VMID. 2025-12-30 not yet calculated CVE-2022-50827 https://git.kernel.org/stable/c/9749595feb33a1a2b848800192224ffeed5346b4
https://git.kernel.org/stable/c/5ea1f195f51c2bb5915ccfb2b2885ca81ce9262b
https://git.kernel.org/stable/c/dc8e483f684a24cc06e1d5fa958b54db58855093
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: clk: zynqmp: Fix stack-out-of-bounds in strncpy` "BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68" Linux-ATF interface is using 16 bytes of SMC payload. In case clock name is longer than 15 bytes, string terminated NULL character will not be received by Linux. Add explicit NULL character at last byte to fix issues when clock name is longer. This fixes below bug reported by KASAN: ================================================================== BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68 Read of size 1 at addr ffff0008c89a7410 by task swapper/0/1 CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.4.0-00396-g81ef9e7-dirty #3 Hardware name: Xilinx Versal vck190 Eval board revA (QSPI) (DT) Call trace: dump_backtrace+0x0/0x1e8 show_stack+0x14/0x20 dump_stack+0xd4/0x108 print_address_description.isra.0+0xbc/0x37c __kasan_report+0x144/0x198 kasan_report+0xc/0x18 __asan_load1+0x5c/0x68 strncpy+0x30/0x68 zynqmp_clock_probe+0x238/0x7b8 platform_drv_probe+0x6c/0xc8 really_probe+0x14c/0x418 driver_probe_device+0x74/0x130 __device_attach_driver+0xc4/0xe8 bus_for_each_drv+0xec/0x150 __device_attach+0x160/0x1d8 device_initial_probe+0x10/0x18 bus_probe_device+0xe0/0xf0 device_add+0x528/0x950 of_device_add+0x5c/0x80 of_platform_device_create_pdata+0x120/0x168 of_platform_bus_create+0x244/0x4e0 of_platform_populate+0x50/0xe8 zynqmp_firmware_probe+0x370/0x3a8 platform_drv_probe+0x6c/0xc8 really_probe+0x14c/0x418 driver_probe_device+0x74/0x130 device_driver_attach+0x94/0xa0 __driver_attach+0x70/0x108 bus_for_each_dev+0xe4/0x158 driver_attach+0x30/0x40 bus_add_driver+0x21c/0x2b8 driver_register+0xbc/0x1d0 __platform_driver_register+0x7c/0x88 zynqmp_firmware_driver_init+0x1c/0x24 do_one_initcall+0xa4/0x234 kernel_init_freeable+0x1b0/0x24c kernel_init+0x10/0x110 ret_from_fork+0x10/0x18 The buggy address belongs to the page: page:ffff0008f9be1c88 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 raw: 0008d00000000000 ffff0008f9be1c90 ffff0008f9be1c90 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff page dumped because: kasan: bad access detected addr ffff0008c89a7410 is located in stack of task swapper/0/1 at offset 112 in frame: zynqmp_clock_probe+0x0/0x7b8 this frame has 3 objects: [32, 44) 'response' [64, 80) 'ret_payload' [96, 112) 'name' Memory state around the buggy address: ffff0008c89a7300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff0008c89a7380: 00 00 00 00 f1 f1 f1 f1 00 04 f2 f2 00 00 f2 f2 >ffff0008c89a7400: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffff0008c89a7480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff0008c89a7500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== 2025-12-30 not yet calculated CVE-2022-50828 https://git.kernel.org/stable/c/5dbfcf7b080306b65d9f756fadf46c9495793750
https://git.kernel.org/stable/c/d9e2585c3bcecb1c83febad31b9f450e93d2509e
https://git.kernel.org/stable/c/0a07b13af04d0db7325018aaa83b5ffe864790c9
https://git.kernel.org/stable/c/d66fea97671fcb516bd6d34bcc033f650ac7ee91
https://git.kernel.org/stable/c/bce41e4ac6f5ca3b22a07e8cdadc12044bbf9d3b
https://git.kernel.org/stable/c/dd80fb2dbf1cd8751efbe4e53e54056f56a9b115
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb() It is possible that skb is freed in ath9k_htc_rx_msg(), then usb_submit_urb() fails and we try to free skb again. It causes use-after-free bug. Moreover, if alloc_skb() fails, urb->context becomes NULL but rx_buf is not freed and there can be a memory leak. The patch removes unnecessary nskb and makes skb processing more clear: it is supposed that ath9k_htc_rx_msg() either frees old skb or passes its managing to another callback function. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. 2025-12-30 not yet calculated CVE-2022-50829 https://git.kernel.org/stable/c/5e8751a977a49a6e00cce1a8da5ca16da83f9c8c
https://git.kernel.org/stable/c/f127c2b4c967025e5c3a4ce7e13b79135d46a33d
https://git.kernel.org/stable/c/0c8dd2ea4b419da96ab4953e4967e9363e2f8a4f
https://git.kernel.org/stable/c/988bd27de2484faf17afe0408db2e3d9e5ac61fc
https://git.kernel.org/stable/c/98d9172822dc6f38138333941984bd759a89d419
https://git.kernel.org/stable/c/355f16f756aad0c95cdaa0c14a34ab4137d32815
https://git.kernel.org/stable/c/53b9bb1a00c4285ee7f58a11129dbea015db61bc
https://git.kernel.org/stable/c/71fc0ad671a62c494d2aec731baeabd3bfe6c95d
https://git.kernel.org/stable/c/dd95f2239fc846795fc926787c3ae0ca701c9840
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: auxdisplay: hd44780: Fix potential memory leak in hd44780_remove() hd44780_probe() allocates a memory chunk for hd with kzalloc() and makes "lcd->drvdata->hd44780" point to it. When we call hd44780_remove(), we should release all relevant memory and resource. But "lcd->drvdata ->hd44780" is not released, which will lead to a memory leak. We should release the "lcd->drvdata->hd44780" in hd44780_remove() to fix the memory leak bug. 2025-12-30 not yet calculated CVE-2022-50830 https://git.kernel.org/stable/c/8311961a1724bfc64390c539dedc31e067a80315
https://git.kernel.org/stable/c/6cd37f8232f5e169a723e1d5fbe3b2139c2ef763
https://git.kernel.org/stable/c/5d407911e605702ffcc0e97a6db546592ab27dd0
https://git.kernel.org/stable/c/ddf75a86aba2cfb7ec4497e8692b60c8c8fe0ee7
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: fix potential memory leak in wilc_mac_xmit() The wilc_mac_xmit() returns NETDEV_TX_OK without freeing skb, add dev_kfree_skb() to fix it. Compile tested only. 2025-12-30 not yet calculated CVE-2022-50832 https://git.kernel.org/stable/c/a12610e83789c838493034e5c50ac5c903ad8c0d
https://git.kernel.org/stable/c/a1e94fb4d09d0fcfeaa73aa49d787f06c42db7ee
https://git.kernel.org/stable/c/5706d00fde3f1d5eb7296a4dfefb6aea35108224
https://git.kernel.org/stable/c/07dcd756e28f27e4f8fcd8b809ffa05a5cc5de2b
https://git.kernel.org/stable/c/baef42df7de7c35ba60b75a5f96d1eb039f4d782
https://git.kernel.org/stable/c/deb962ec9e1c9a81babd3d37542ad4bd6ac3396e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}_timer works syzbot is reporting attempt to schedule hdev->cmd_work work from system_wq WQ into hdev->workqueue WQ which is under draining operation [1], for commit c8efcc2589464ac7 ("workqueue: allow chained queueing during destruction") does not allow such operation. The check introduced by commit 877afadad2dce8aa ("Bluetooth: When HCI work queue is drained, only queue chained work") was incomplete. Use hdev->workqueue WQ when queuing hdev->{cmd,ncmd}_timer works because hci_{cmd,ncmd}_timeout() calls queue_work(hdev->workqueue). Also, protect the queuing operation with RCU read lock in order to avoid calling queue_delayed_work() after cancel_delayed_work() completed. 2025-12-30 not yet calculated CVE-2022-50833 https://git.kernel.org/stable/c/c4635cf3d845a7324c25c52d549b70c8bd7ad4c7
https://git.kernel.org/stable/c/3c6b036fe5c8ed8b6c4cbdc03605929882907ef0
https://git.kernel.org/stable/c/deee93d13d385103205879a8a0915036ecd83261
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: nfc: Fix potential resource leaks nfc_get_device() take reference for the device, add missing nfc_put_device() to release it when not need anymore. Also fix the style warnning by use error EOPNOTSUPP instead of ENOTSUPP. 2025-12-30 not yet calculated CVE-2022-50834 https://git.kernel.org/stable/c/277f0d0a9084e7454e5532c823a7a876a7b00af7
https://git.kernel.org/stable/c/d1d912e7f82d7216ba4e266048ec1d1f5ea93839
https://git.kernel.org/stable/c/d8e410315ad393b23520b5db0706be853589c548
https://git.kernel.org/stable/c/e0f5c962c066e769c187f037fedc883f8abd4e82
https://git.kernel.org/stable/c/b63bc2db244c1b57e36f16ea5f2a1becda413f68
https://git.kernel.org/stable/c/a743128fca394a43425020a4f287d3168d94d04f
https://git.kernel.org/stable/c/b32f6bef248562bb5191ada527717ea50b319466
https://git.kernel.org/stable/c/df49908f3c52d211aea5e2a14a93bbe67a2cb3af
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: jbd2: add miss release buffer head in fc_do_one_pass() In fc_do_one_pass() miss release buffer head after use which will lead to reference count leak. 2025-12-30 not yet calculated CVE-2022-50835 https://git.kernel.org/stable/c/e65506ff181fc176088f32117d69b9cb1ddda777
https://git.kernel.org/stable/c/56fcd0788f0d9243c1754bd6f80b8b327c4afeee
https://git.kernel.org/stable/c/27c7bd35135d5ab38b9138ecf186ce54a96c98d9
https://git.kernel.org/stable/c/1f48116cbd3404898c9022892e114dd7cc3063c1
https://git.kernel.org/stable/c/dfff66f30f66b9524b661f311bbed8ff3d2ca49f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: remoteproc: sysmon: fix memory leak in qcom_add_sysmon_subdev() The kfree() should be called when of_irq_get_byname() fails or devm_request_threaded_irq() fails in qcom_add_sysmon_subdev(), otherwise there will be a memory leak, so add kfree() to fix it. 2025-12-30 not yet calculated CVE-2022-50836 https://git.kernel.org/stable/c/27441fab2651cd909d8a5440ca079bc50245f427
https://git.kernel.org/stable/c/e4539eb5c0c342567183fe386d0699c8dab49490
https://git.kernel.org/stable/c/131c0a3ead78d45f0f39ddb42cf1bd9be26239b0
https://git.kernel.org/stable/c/1a62bebe0705556d37cfa8409ddc759b11d404f6
https://git.kernel.org/stable/c/ec97e9a5c2f25d2f9f9d7005e9ac67f23cc751cd
https://git.kernel.org/stable/c/e01ce676aaef3b13d02343d7e70f9637d93a3367
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: dsa: tag_8021q: avoid leaking ctx on dsa_tag_8021q_register() error path If dsa_tag_8021q_setup() fails, for example due to the inability of the device to install a VLAN, the tag_8021q context of the switch will leak. Make sure it is freed on the error path. 2025-12-30 not yet calculated CVE-2022-50837 https://git.kernel.org/stable/c/09f30f394e832ed09859b6a80fdd20668a9104ff
https://git.kernel.org/stable/c/39691d51af99f80efb9e365f94b8e0c791fa1a2f
https://git.kernel.org/stable/c/14ed46a13aba42a6ddd85de6f6274090df3586a5
https://git.kernel.org/stable/c/e095493091e850d5292ad01d8fbf5cde1d89ac53
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: stream: purge sk_error_queue in sk_stream_kill_queues() Changheon Lee reported TCP socket leaks, with a nice repro. It seems we leak TCP sockets with the following sequence: 1) SOF_TIMESTAMPING_TX_ACK is enabled on the socket. Each ACK will cook an skb put in error queue, from __skb_tstamp_tx(). __skb_tstamp_tx() is using skb_clone(), unless SOF_TIMESTAMPING_OPT_TSONLY was also requested. 2) If the application is also using MSG_ZEROCOPY, then we put in the error queue cloned skbs that had a struct ubuf_info attached to them. Whenever an struct ubuf_info is allocated, sock_zerocopy_alloc() does a sock_hold(). As long as the cloned skbs are still in sk_error_queue, socket refcount is kept elevated. 3) Application closes the socket, while error queue is not empty. Since tcp_close() no longer purges the socket error queue, we might end up with a TCP socket with at least one skb in error queue keeping the socket alive forever. This bug can be (ab)used to consume all kernel memory and freeze the host. We need to purge the error queue, with proper synchronization against concurrent writers. 2025-12-30 not yet calculated CVE-2022-50838 https://git.kernel.org/stable/c/c8c1eec578a9ae2dc8f14a1846942a0b7bf29d1d
https://git.kernel.org/stable/c/bab542cf56fc174c8447c00b73be99ffd66d2d39
https://git.kernel.org/stable/c/6f00bd0402a1e3d2d556afba57c045bd7931e4d3
https://git.kernel.org/stable/c/4f1d37ff4226eb99d6b69e9f4518e279e1a851bf
https://git.kernel.org/stable/c/9062493811676ee0efe6c74d98f00ca38c4e17d4
https://git.kernel.org/stable/c/9da204cd67c4fe97e8aa465d10d5c2e7076f7f42
https://git.kernel.org/stable/c/8c330c36b3970d0917f48827fa6c7a9c75aa4602
https://git.kernel.org/stable/c/b458d349f8753f666233828ebd30df6f100cf7d5
https://git.kernel.org/stable/c/e0c8bccd40fc1c19e1d246c39bcf79e357e1ada3
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: jbd2: fix potential buffer head reference count leak As in 'jbd2_fc_wait_bufs' if buffer isn't uptodate, will return -EIO without update 'journal->j_fc_off'. But 'jbd2_fc_release_bufs' will release buffer head from 'j_fc_off - 1' if 'bh' is NULL will terminal release which will lead to buffer head buffer head reference count leak. To solve above issue, update 'journal->j_fc_off' before return -EIO. 2025-12-30 not yet calculated CVE-2022-50839 https://git.kernel.org/stable/c/7a33dde572fceb45d02d188e0213c47059401c93
https://git.kernel.org/stable/c/e7385c868ee038d6a0cb0e85c22d2741e7910fd5
https://git.kernel.org/stable/c/68ed9c76b2affd47177b92495446abb7262d0ef7
https://git.kernel.org/stable/c/9b073d73725366d886b711b74e058c02f51e7a0e
https://git.kernel.org/stable/c/e0d5fc7a6d80ac2406c7dfc6bb625201d0250a8a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: snic: Fix possible UAF in snic_tgt_create() Smatch reports a warning as follows: drivers/scsi/snic/snic_disc.c:307 snic_tgt_create() warn: '&tgt->list' not removed from list If device_add() fails in snic_tgt_create(), tgt will be freed, but tgt->list will not be removed from snic->disc.tgt_list, then list traversal may cause UAF. Remove from snic->disc.tgt_list before free(). 2025-12-30 not yet calculated CVE-2022-50840 https://git.kernel.org/stable/c/f9d8b8ba0f1a16cde0b1fc9e80466df76b6db8ff
https://git.kernel.org/stable/c/3772319e40527e6a5f2ec1d729e01f271d818f5c
https://git.kernel.org/stable/c/3007f96ca20c848d0b1b052df6d2cb5ae5586e78
https://git.kernel.org/stable/c/6866154c23fba40888ad6d554cccd4bf2edb755e
https://git.kernel.org/stable/c/ad27f74e901fc48729733c88818e6b96c813057d
https://git.kernel.org/stable/c/1895e908b3ae66a5312fd1b2cdda2da82993dca7
https://git.kernel.org/stable/c/c7f0f8dab1ae5def57c1a8a9cafd6fabe1dc27cc
https://git.kernel.org/stable/c/4141cd9e8b3379aea52a85d2c35f6eaf26d14e86
https://git.kernel.org/stable/c/e118df492320176af94deec000ae034cc92be754
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add overflow check for attribute size The offset addition could overflow and pass the used size check given an attribute with very large size (e.g., 0xffffff7f) while parsing MFT attributes. This could lead to out-of-bound memory R/W if we try to access the next attribute derived by Add2Ptr(attr, asize) [ 32.963847] BUG: unable to handle page fault for address: ffff956a83c76067 [ 32.964301] #PF: supervisor read access in kernel mode [ 32.964526] #PF: error_code(0x0000) - not-present page [ 32.964893] PGD 4dc01067 P4D 4dc01067 PUD 0 [ 32.965316] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 32.965727] CPU: 0 PID: 243 Comm: mount Not tainted 5.19.0+ #6 [ 32.966050] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 32.966628] RIP: 0010:mi_enum_attr+0x44/0x110 [ 32.967239] Code: 89 f0 48 29 c8 48 89 c1 39 c7 0f 86 94 00 00 00 8b 56 04 83 fa 17 0f 86 88 00 00 00 89 d0 01 ca 48 01 f0 8d 4a 08 39 f9a [ 32.968101] RSP: 0018:ffffba15c06a7c38 EFLAGS: 00000283 [ 32.968364] RAX: ffff956a83c76067 RBX: ffff956983c76050 RCX: 000000000000006f [ 32.968651] RDX: 0000000000000067 RSI: ffff956983c760e8 RDI: 00000000000001c8 [ 32.968963] RBP: ffffba15c06a7c38 R08: 0000000000000064 R09: 00000000ffffff7f [ 32.969249] R10: 0000000000000007 R11: ffff956983c760e8 R12: ffff95698225e000 [ 32.969870] R13: 0000000000000000 R14: ffffba15c06a7cd8 R15: ffff95698225e170 [ 32.970655] FS: 00007fdab8189e40(0000) GS:ffff9569fdc00000(0000) knlGS:0000000000000000 [ 32.971098] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 32.971378] CR2: ffff956a83c76067 CR3: 0000000002c58000 CR4: 00000000000006f0 [ 32.972098] Call Trace: [ 32.972842] <TASK> [ 32.973341] ni_enum_attr_ex+0xda/0xf0 [ 32.974087] ntfs_iget5+0x1db/0xde0 [ 32.974386] ? slab_post_alloc_hook+0x53/0x270 [ 32.974778] ? ntfs_fill_super+0x4c7/0x12a0 [ 32.975115] ntfs_fill_super+0x5d6/0x12a0 [ 32.975336] get_tree_bdev+0x175/0x270 [ 32.975709] ? put_ntfs+0x150/0x150 [ 32.975956] ntfs_fs_get_tree+0x15/0x20 [ 32.976191] vfs_get_tree+0x2a/0xc0 [ 32.976374] ? capable+0x19/0x20 [ 32.976572] path_mount+0x484/0xaa0 [ 32.977025] ? putname+0x57/0x70 [ 32.977380] do_mount+0x80/0xa0 [ 32.977555] __x64_sys_mount+0x8b/0xe0 [ 32.978105] do_syscall_64+0x3b/0x90 [ 32.978830] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 32.979311] RIP: 0033:0x7fdab72e948a [ 32.980015] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 [ 32.981251] RSP: 002b:00007ffd15b87588 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 [ 32.981832] RAX: ffffffffffffffda RBX: 0000557de0aaf060 RCX: 00007fdab72e948a [ 32.982234] RDX: 0000557de0aaf260 RSI: 0000557de0aaf2e0 RDI: 0000557de0ab7ce0 [ 32.982714] RBP: 0000000000000000 R08: 0000557de0aaf280 R09: 0000000000000020 [ 32.983046] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000557de0ab7ce0 [ 32.983494] R13: 0000557de0aaf260 R14: 0000000000000000 R15: 00000000ffffffff [ 32.984094] </TASK> [ 32.984352] Modules linked in: [ 32.984753] CR2: ffff956a83c76067 [ 32.985911] ---[ end trace 0000000000000000 ]--- [ 32.986555] RIP: 0010:mi_enum_attr+0x44/0x110 [ 32.987217] Code: 89 f0 48 29 c8 48 89 c1 39 c7 0f 86 94 00 00 00 8b 56 04 83 fa 17 0f 86 88 00 00 00 89 d0 01 ca 48 01 f0 8d 4a 08 39 f9a [ 32.988232] RSP: 0018:ffffba15c06a7c38 EFLAGS: 00000283 [ 32.988532] RAX: ffff956a83c76067 RBX: ffff956983c76050 RCX: 000000000000006f [ 32.988916] RDX: 0000000000000067 RSI: ffff956983c760e8 RDI: 00000000000001c8 [ 32.989356] RBP: ffffba15c06a7c38 R08: 0000000000000064 R09: 00000000ffffff7f [ 32.989994] R10: 0000000000000007 R11: ffff956983c760e8 R12: ffff95698225e000 [ 32.990415] R13: 0000000000000000 R14: ffffba15c06a7cd8 R15: ffff95698225e170 [ 32.991011] FS: ---truncated--- 2025-12-30 not yet calculated CVE-2022-50841 https://git.kernel.org/stable/c/d4489ba8fb806e07b43eecca5e9af5865d94cbf6
https://git.kernel.org/stable/c/a1f0b873cf6ac1f00a749707d866494ed0708978
https://git.kernel.org/stable/c/0bb9f93ba63acfdb7c363d9f9fc2199fc6fa913d
https://git.kernel.org/stable/c/e19c6277652efba203af4ecd8eed4bd30a0054c9
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/virtio: Check whether transferred 2D BO is shmem Transferred 2D BO always must be a shmem BO. Add check for that to prevent NULL dereference if userspace passes a VRAM BO. 2025-12-30 not yet calculated CVE-2022-50842 https://git.kernel.org/stable/c/f134f261d76ae3d5ecf68db642eaa746ceb84cfb
https://git.kernel.org/stable/c/f122bcb34f1a4b02ef3d95058d8fd1316ea03785
https://git.kernel.org/stable/c/989164305b933af06d69bb91044dafbd01025371
https://git.kernel.org/stable/c/36e133af33ea54193378b190cf92c47c12a43d34
https://git.kernel.org/stable/c/e473216b42aa1fd9fc6b94b608b42c210c655908
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: dm clone: Fix UAF in clone_dtr() Dm_clone also has the same UAF problem when dm_resume() and dm_destroy() are concurrent. Therefore, cancelling timer again in clone_dtr(). 2025-12-30 not yet calculated CVE-2022-50843 https://git.kernel.org/stable/c/520b56cfd9faee7683f081c3a38f11a81b13a68e
https://git.kernel.org/stable/c/342cfd8426dff4228e6c714bcb9fc8295a2748dd
https://git.kernel.org/stable/c/856edd0e92f3fe89606b704c86a93daedddfe6ec
https://git.kernel.org/stable/c/b1ddb666073bb5f36390aaabaa1a4d48d78c52ed
https://git.kernel.org/stable/c/9e113cd4f61f3b0000843b2d0a90ce8b40a1fcff
https://git.kernel.org/stable/c/e4b5957c6f749a501c464f92792f1c8e26b61a94
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix type of second parameter in odn_edit_dpm_table() callback With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals: drivers/gpu/drm/amd/amdgpu/../pm/swsmu/amdgpu_smu.c:3008:29: error: incompatible function pointer types initializing 'int (*)(void *, uint32_t, long *, uint32_t)' (aka 'int (*)(void *, unsigned int, long *, unsigned int)') with an expression of type 'int (void *, enum PP_OD_DPM_TABLE_COMMAND, long *, uint32_t)' (aka 'int (void *, enum PP_OD_DPM_TABLE_COMMAND, long *, unsigned int)') [-Werror,-Wincompatible-function-pointer-types-strict] .odn_edit_dpm_table = smu_od_edit_dpm_table, ^~~~~~~~~~~~~~~~~~~~~ 1 error generated. There are only two implementations of ->odn_edit_dpm_table() in 'struct amd_pm_funcs': smu_od_edit_dpm_table() and pp_odn_edit_dpm_table(). One has a second parameter type of 'enum PP_OD_DPM_TABLE_COMMAND' and the other uses 'u32'. Ultimately, smu_od_edit_dpm_table() calls ->od_edit_dpm_table() from 'struct pptable_funcs' and pp_odn_edit_dpm_table() calls ->odn_edit_dpm_table() from 'struct pp_hwmgr_func', which both have a second parameter type of 'enum PP_OD_DPM_TABLE_COMMAND'. Update the type parameter in both the prototype in 'struct amd_pm_funcs' and pp_odn_edit_dpm_table() to 'enum PP_OD_DPM_TABLE_COMMAND', which cleans up the warning. 2025-12-30 not yet calculated CVE-2022-50844 https://git.kernel.org/stable/c/f9084e9930db562bdcd47fa199a66fb45e16dab5
https://git.kernel.org/stable/c/24cba9d865157c9e23128fbcf8b86f5da9570edd
https://git.kernel.org/stable/c/36217f676b55932a12d6732c95388150015fdee6
https://git.kernel.org/stable/c/e4d0ef752081e7aa6ffb7ccac11c499c732a2e05
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ext4: fix inode leak in ext4_xattr_inode_create() on an error path There is issue as follows when do setxattr with inject fault: [localhost]# fsck.ext4 -fn /dev/sda e2fsck 1.46.6-rc1 (12-Sep-2022) Pass 1: Checking inodes, blocks, and sizes Pass 2: Checking directory structure Pass 3: Checking directory connectivity Pass 4: Checking reference counts Unattached zero-length inode 15. Clear? no Unattached inode 15 Connect to /lost+found? no Pass 5: Checking group summary information /dev/sda: ********** WARNING: Filesystem still has errors ********** /dev/sda: 15/655360 files (0.0% non-contiguous), 66755/2621440 blocks This occurs in 'ext4_xattr_inode_create()'. If 'ext4_mark_inode_dirty()' fails, dropping i_nlink of the inode is needed. Or will lead to inode leak. 2025-12-30 not yet calculated CVE-2022-50845 https://git.kernel.org/stable/c/0f709e08caffb41bbc9b38b9a4c1bd0769794007
https://git.kernel.org/stable/c/eab94a46560f68d4bcd15222701ced479f84f427
https://git.kernel.org/stable/c/9ef603086c5b796fde1c7f22a17d0fc826ba54cb
https://git.kernel.org/stable/c/9882601ee689975c1c0076ee65bf222a2a35e535
https://git.kernel.org/stable/c/322cf639b0b7f137543072c55545adab782b3a25
https://git.kernel.org/stable/c/fdaaf45786dc8c17a72901021772520fceb18f8c
https://git.kernel.org/stable/c/70e5b46beba64706430a87a6d516054225e8ac8a
https://git.kernel.org/stable/c/e4db04f7d3dbbe16680e0ded27ea2a65b10f766a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mmc: via-sdmmc: fix return value check of mmc_add_host() mmc_add_host() may return error, if we ignore its return value, it will lead two issues: 1. The memory that allocated in mmc_alloc_host() is leaked. 2. In the remove() path, mmc_remove_host() will be called to delete device, but it's not added yet, it will lead a kernel crash because of null-ptr-deref in device_del(). Fix this by checking the return value and goto error path which will call mmc_free_host(). 2025-12-30 not yet calculated CVE-2022-50846 https://git.kernel.org/stable/c/076bcd2c93e16b05c10564e299d6e5d26a766d00
https://git.kernel.org/stable/c/12b8e81b77c05c658efd9cde3585bbd65ae39b59
https://git.kernel.org/stable/c/95025a8dd0ec015872f6c16473fe04d6264e68ca
https://git.kernel.org/stable/c/f59ef2a47a228e51322ad76752a55a8917c56e38
https://git.kernel.org/stable/c/63400da6cd37a9793c19bb6aed7131b58b975a04
https://git.kernel.org/stable/c/0959cc1685eb19774300d43ef25e318b457b156b
https://git.kernel.org/stable/c/0ec94795114edc7e24ec71849dce42bfa61dafa3
https://git.kernel.org/stable/c/ba91b413983a9235792523c6b9f7ba2586c4d75d
https://git.kernel.org/stable/c/e4e46fb61e3bb4628170810d3f2b996b709b90d9
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/bridge: it6505: Initialize AUX channel in it6505_i2c_probe During device boot, the HPD interrupt could be triggered before the DRM subsystem registers it6505 as a DRM bridge. In such cases, the driver tries to access AUX channel and causes NULL pointer dereference. Initializing the AUX channel earlier to prevent such error. 2025-12-30 not yet calculated CVE-2022-50847 https://git.kernel.org/stable/c/8ed8505803774fc3f36a432718036c21cc51e2ba
https://git.kernel.org/stable/c/172d4d64075075f955e6e416915e3f287eec514a
https://git.kernel.org/stable/c/e577d4b13064c337b83fe7edecb3f34e87144821
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drivers: dio: fix possible memory leak in dio_init() If device_register() returns error, the 'dev' and name needs be freed. Add a release function, and then call put_device() in the error path, so the name is freed in kobject_cleanup() and to the 'dev' is freed in release function. 2025-12-30 not yet calculated CVE-2022-50848 https://git.kernel.org/stable/c/affe3cea6b3148fa66796a48640664822ceccd48
https://git.kernel.org/stable/c/4b68caa95064ac464f1b261d08ac677e753d1088
https://git.kernel.org/stable/c/a524e7fed696a4dfef671e0fda3511bfd2dca0cf
https://git.kernel.org/stable/c/da64e01da40c6b71a54144126da53cc3b27201ac
https://git.kernel.org/stable/c/fce9890e1be4c0460dad850cc8c00414a9d25f0f
https://git.kernel.org/stable/c/a0ead7e8da84f4c3759417b8e928b65e0207c646
https://git.kernel.org/stable/c/8e002b9fe831b27d4506df6fa60cb33ba0730ac3
https://git.kernel.org/stable/c/78fddc0ff971f9874d53c854818cc4aafa144114
https://git.kernel.org/stable/c/e63e99397b2613d50a5f4f02ed07307e67a190f1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP An oops can be induced by running 'cat /proc/kcore > /dev/null' on devices using pstore with the ram backend because kmap_atomic() assumes lowmem pages are accessible with __va(). Unable to handle kernel paging request at virtual address ffffff807ff2b000 Mem abort info: ESR = 0x96000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000081d87000 [ffffff807ff2b000] pgd=180000017fe18003, p4d=180000017fe18003, pud=180000017fe18003, pmd=0000000000000000 Internal error: Oops: 96000006 [#1] PREEMPT SMP Modules linked in: dm_integrity CPU: 7 PID: 21179 Comm: perf Not tainted 5.15.67-10882-ge4eb2eb988cd #1 baa443fb8e8477896a370b31a821eb2009f9bfba Hardware name: Google Lazor (rev3 - 8) (DT) pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __memcpy+0x110/0x260 lr : vread+0x194/0x294 sp : ffffffc013ee39d0 x29: ffffffc013ee39f0 x28: 0000000000001000 x27: ffffff807ff2b000 x26: 0000000000001000 x25: ffffffc0085a2000 x24: ffffff802d4b3000 x23: ffffff80f8a60000 x22: ffffff802d4b3000 x21: ffffffc0085a2000 x20: ffffff8080b7bc68 x19: 0000000000001000 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: ffffffd3073f2e60 x14: ffffffffad588000 x13: 0000000000000000 x12: 0000000000000001 x11: 00000000000001a2 x10: 00680000fff2bf0b x9 : 03fffffff807ff2b x8 : 0000000000000001 x7 : 0000000000000000 x6 : 0000000000000000 x5 : ffffff802d4b4000 x4 : ffffff807ff2c000 x3 : ffffffc013ee3a78 x2 : 0000000000001000 x1 : ffffff807ff2b000 x0 : ffffff802d4b3000 Call trace: __memcpy+0x110/0x260 read_kcore+0x584/0x778 proc_reg_read+0xb4/0xe4 During early boot, memblock reserves the pages for the ramoops reserved memory node in DT that would otherwise be part of the direct lowmem mapping. Pstore's ram backend reuses those reserved pages to change the memory type (writeback or non-cached) by passing the pages to vmap() (see pfn_to_page() usage in persistent_ram_vmap() for more details) with specific flags. When read_kcore() starts iterating over the vmalloc region, it runs over the virtual address that vmap() returned for ramoops. In aligned_vread() the virtual address is passed to vmalloc_to_page() which returns the page struct for the reserved lowmem area. That lowmem page is passed to kmap_atomic(), which effectively calls page_to_virt() that assumes a lowmem page struct must be directly accessible with __va() and friends. These pages are mapped via vmap() though, and the lowmem mapping was never made, so accessing them via the lowmem virtual address oopses like above. Let's side-step this problem by passing VM_IOREMAP to vmap(). This will tell vread() to not include the ramoops region in the kcore. Instead the area will look like a bunch of zeros. The alternative is to teach kmap() about vmalloc areas that intersect with lowmem. Presumably such a change isn't a one-liner, and there isn't much interest in inspecting the ramoops region in kcore files anyway, so the most expedient route is taken for now. 2025-12-30 not yet calculated CVE-2022-50849 https://git.kernel.org/stable/c/1579bed1613802a323a1e14567faa95c149e105e
https://git.kernel.org/stable/c/fdebcc33b663d2e8da937653ddfbfc1315047eaa
https://git.kernel.org/stable/c/6d9460214e363e1f3d0756ee5d947e76e3e6f86c
https://git.kernel.org/stable/c/4d3126f242a0090342ffe925c35fb4f4252b7562
https://git.kernel.org/stable/c/295f59cd2cdeed841850d02dddde3a122cbf6fc6
https://git.kernel.org/stable/c/ebc73c4f266281e2cad1a372ecd81572d95375b6
https://git.kernel.org/stable/c/69dbff7d2681c55a4d979fd9b75576303e69979f
https://git.kernel.org/stable/c/2f82381d0681b10f9ddd27be98c27363b5a3cd1c
https://git.kernel.org/stable/c/e6b842741b4f39007215fd7e545cb55aa3d358a2
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: ipr: Fix WARNING in ipr_init() ipr_init() will not call unregister_reboot_notifier() when pci_register_driver() fails, which causes a WARNING. Call unregister_reboot_notifier() when pci_register_driver() fails. notifier callback ipr_halt [ipr] already registered WARNING: CPU: 3 PID: 299 at kernel/notifier.c:29 notifier_chain_register+0x16d/0x230 Modules linked in: ipr(+) xhci_pci_renesas xhci_hcd ehci_hcd usbcore led_class gpu_sched drm_buddy video wmi drm_ttm_helper ttm drm_display_helper drm_kms_helper drm drm_panel_orientation_quirks agpgart cfbft CPU: 3 PID: 299 Comm: modprobe Tainted: G W 6.1.0-rc1-00190-g39508d23b672-dirty #332 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 RIP: 0010:notifier_chain_register+0x16d/0x230 Call Trace: <TASK> __blocking_notifier_chain_register+0x73/0xb0 ipr_init+0x30/0x1000 [ipr] do_one_initcall+0xdb/0x480 do_init_module+0x1cf/0x680 load_module+0x6a50/0x70a0 __do_sys_finit_module+0x12f/0x1c0 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd 2025-12-30 not yet calculated CVE-2022-50850 https://git.kernel.org/stable/c/020b66023712b1cc42c6ab8b76e4ec13efe4a092
https://git.kernel.org/stable/c/e965c4a60c1daa6e24355e35d78ca8e9f195196f
https://git.kernel.org/stable/c/5debd337f534b122f7c5eac6557a41b5636c9b51
https://git.kernel.org/stable/c/eccbec017c95b9b9ecd4c05c6f5234d1487c72cc
https://git.kernel.org/stable/c/f4ba143b04a17559f2c85e18b47db117f40d8cf3
https://git.kernel.org/stable/c/e59da172059f05c594fda03a9e8a3a0e1f5116c0
https://git.kernel.org/stable/c/8c739021b2022fbc40f71d3fa2e9162beef0c84a
https://git.kernel.org/stable/c/4399a8632e5f8f1f695d91d992c7d418fb451f07
https://git.kernel.org/stable/c/e6f108bffc3708ddcff72324f7d40dfcd0204894
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: vhost_vdpa: fix the crash in unmap a large memory While testing in vIOMMU, sometimes Guest will unmap very large memory, which will cause the crash. To fix this, add a new function vhost_vdpa_general_unmap(). This function will only unmap the memory that saved in iotlb. Call Trace: [ 647.820144] ------------[ cut here ]------------ [ 647.820848] kernel BUG at drivers/iommu/intel/iommu.c:1174! [ 647.821486] invalid opcode: 0000 [#1] PREEMPT SMP PTI [ 647.822082] CPU: 10 PID: 1181 Comm: qemu-system-x86 Not tainted 6.0.0-rc1home_lulu_2452_lulu7_vhost+ #62 [ 647.823139] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qem4 [ 647.824365] RIP: 0010:domain_unmap+0x48/0x110 [ 647.825424] Code: 48 89 fb 8d 4c f6 1e 39 c1 0f 4f c8 83 e9 0c 83 f9 3f 7f 18 48 89 e8 48 d3 e8 48 85 c0 75 59 [ 647.828064] RSP: 0018:ffffae5340c0bbf0 EFLAGS: 00010202 [ 647.828973] RAX: 0000000000000001 RBX: ffff921793d10540 RCX: 000000000000001b [ 647.830083] RDX: 00000000080000ff RSI: 0000000000000001 RDI: ffff921793d10540 [ 647.831214] RBP: 0000000007fc0100 R08: ffffae5340c0bcd0 R09: 0000000000000003 [ 647.832388] R10: 0000007fc0100000 R11: 0000000000100000 R12: 00000000080000ff [ 647.833668] R13: ffffae5340c0bcd0 R14: ffff921793d10590 R15: 0000008000100000 [ 647.834782] FS: 00007f772ec90640(0000) GS:ffff921ce7a80000(0000) knlGS:0000000000000000 [ 647.836004] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 647.836990] CR2: 00007f02c27a3a20 CR3: 0000000101b0c006 CR4: 0000000000372ee0 [ 647.838107] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 647.839283] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 647.840666] Call Trace: [ 647.841437] <TASK> [ 647.842107] intel_iommu_unmap_pages+0x93/0x140 [ 647.843112] __iommu_unmap+0x91/0x1b0 [ 647.844003] iommu_unmap+0x6a/0x95 [ 647.844885] vhost_vdpa_unmap+0x1de/0x1f0 [vhost_vdpa] [ 647.845985] vhost_vdpa_process_iotlb_msg+0xf0/0x90b [vhost_vdpa] [ 647.847235] ? _raw_spin_unlock+0x15/0x30 [ 647.848181] ? _copy_from_iter+0x8c/0x580 [ 647.849137] vhost_chr_write_iter+0xb3/0x430 [vhost] [ 647.850126] vfs_write+0x1e4/0x3a0 [ 647.850897] ksys_write+0x53/0xd0 [ 647.851688] do_syscall_64+0x3a/0x90 [ 647.852508] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 647.853457] RIP: 0033:0x7f7734ef9f4f [ 647.854408] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 29 76 f8 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c8 [ 647.857217] RSP: 002b:00007f772ec8f040 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 [ 647.858486] RAX: ffffffffffffffda RBX: 00000000fef00000 RCX: 00007f7734ef9f4f [ 647.859713] RDX: 0000000000000048 RSI: 00007f772ec8f090 RDI: 0000000000000010 [ 647.860942] RBP: 00007f772ec8f1a0 R08: 0000000000000000 R09: 0000000000000000 [ 647.862206] R10: 0000000000000001 R11: 0000000000000293 R12: 0000000000000010 [ 647.863446] R13: 0000000000000002 R14: 0000000000000000 R15: ffffffff01100000 [ 647.864692] </TASK> [ 647.865458] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs v] [ 647.874688] ---[ end trace 0000000000000000 ]--- 2025-12-30 not yet calculated CVE-2022-50851 https://git.kernel.org/stable/c/26b7400c89b81e2f6de4f224ba1fdf06f293de31
https://git.kernel.org/stable/c/8b258a31c2e8d4d4e42be70a7c6ca35a5afbff0d
https://git.kernel.org/stable/c/e794070af224ade46db368271896b2685ff4f96b
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921: fix use after free in mt7921_acpi_read() Don't dereference "sar_root" after it has been freed. 2025-12-30 not yet calculated CVE-2022-50852 https://git.kernel.org/stable/c/3ed0b382cb36f6dac9f93b3a5533cfcd699409a5
https://git.kernel.org/stable/c/e7de4b4979bd8d313ec837931dde936653ca82ea
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: NFSv4: Fix a credential leak in _nfs4_discover_trunking() 2025-12-30 not yet calculated CVE-2022-50853 https://git.kernel.org/stable/c/c6aca4c7ba8f6d40a0cfeeb09160dd8efdf97c64
https://git.kernel.org/stable/c/dfad5d5e7511933c2ae3d12a8131840074c5a73d
https://git.kernel.org/stable/c/b247a9828f6607d41189fa6c2a3be754d33cae86
https://git.kernel.org/stable/c/e83458fce080dc23c25353a1af90bfecf79c7369
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: nfc: virtual_ncidev: Fix memory leak in virtual_nci_send() skb should be free in virtual_nci_send(), otherwise kmemleak will report memleak. Steps for reproduction (simulated in qemu): cd tools/testing/selftests/nci make ./nci_dev BUG: memory leak unreferenced object 0xffff888107588000 (size 208): comm "nci_dev", pid 206, jiffies 4294945376 (age 368.248s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000008d94c8fd>] __alloc_skb+0x1da/0x290 [<00000000278bc7f8>] nci_send_cmd+0xa3/0x350 [<0000000081256a22>] nci_reset_req+0x6b/0xa0 [<000000009e721112>] __nci_request+0x90/0x250 [<000000005d556e59>] nci_dev_up+0x217/0x5b0 [<00000000e618ce62>] nfc_dev_up+0x114/0x220 [<00000000981e226b>] nfc_genl_dev_up+0x94/0xe0 [<000000009bb03517>] genl_family_rcv_msg_doit.isra.14+0x228/0x2d0 [<00000000b7f8c101>] genl_rcv_msg+0x35c/0x640 [<00000000c94075ff>] netlink_rcv_skb+0x11e/0x350 [<00000000440cfb1e>] genl_rcv+0x24/0x40 [<0000000062593b40>] netlink_unicast+0x43f/0x640 [<000000001d0b13cc>] netlink_sendmsg+0x73a/0xbf0 [<000000003272487f>] __sys_sendto+0x324/0x370 [<00000000ef9f1747>] __x64_sys_sendto+0xdd/0x1b0 [<000000001e437841>] do_syscall_64+0x3f/0x90 2025-12-30 not yet calculated CVE-2022-50854 https://git.kernel.org/stable/c/88e879c9f59511174ef0ab1a3c9c83e2dbf8a213
https://git.kernel.org/stable/c/2c46a9a5f0b1c7341aa67667801079f3ff571678
https://git.kernel.org/stable/c/e840d8f4a1b323973052a1af5ad4edafcde8ae3d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bpf: prevent leak of lsm program after failed attach In [0], we added the ability to bpf_prog_attach LSM programs to cgroups, but in our validation to make sure the prog is meant to be attached to BPF_LSM_CGROUP, we return too early if the check fails. This results in lack of decrementing prog's refcnt (through bpf_prog_put) leaving the LSM program alive past the point of the expected lifecycle. This fix allows for the decrement to take place. [0] https://lore.kernel.org/all/20220628174314.1216643-4-sdf@google.com/ 2025-12-30 not yet calculated CVE-2022-50855 https://git.kernel.org/stable/c/82b39df5ddb298daaf6dc504032ff7eb027fa106
https://git.kernel.org/stable/c/6a1504dd36cd9a0a69250d61da8bdb17b29f1fe8
https://git.kernel.org/stable/c/e89f3edffb860a0f54a9ed16deadb7a4a1fa3862
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: cifs: Fix xid leak in cifs_ses_add_channel() Before return, should free the xid, otherwise, the xid will be leaked. 2025-12-30 not yet calculated CVE-2022-50856 https://git.kernel.org/stable/c/7286f875510486fdc2fc426b7c826262e2283a65
https://git.kernel.org/stable/c/847301f0ee1c29f34cc48547ce1071990f24969c
https://git.kernel.org/stable/c/db2a8b6c17e128d91f35d836c569f4a6bda4471b
https://git.kernel.org/stable/c/e909d054bdea75ef1ec48c18c5936affdaecbb2c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: rapidio: rio: fix possible name leak in rio_register_mport() If device_register() returns error, the name allocated by dev_set_name() need be freed. It should use put_device() to give up the reference in the error path, so that the name can be freed in kobject_cleanup(), and list_del() is called to delete the port from rio_mports. 2025-12-30 not yet calculated CVE-2022-50857 https://git.kernel.org/stable/c/0a71344f99289250e4d5b8adbac76f444485c840
https://git.kernel.org/stable/c/117fede82e9d6ea3de30746d500eb5edc2eb8310
https://git.kernel.org/stable/c/a73a626c0510d203e369aeb26c4d6ec9c75af027
https://git.kernel.org/stable/c/1bbad5793f404cf218757e3beb600eca6080330f
https://git.kernel.org/stable/c/97d9eb45ffa67ffa112a6659953321b8f7db0065
https://git.kernel.org/stable/c/a47de2fd3f88a7788be19f94ade72c2244a98045
https://git.kernel.org/stable/c/4ddbeae5f224d924cf0b12460dda88c7480aa452
https://git.kernel.org/stable/c/9abba4aa60874c5216fc8de7dededadc791de696
https://git.kernel.org/stable/c/e92a216d16bde65d21a3227e0fb2aa0794576525
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mmc: alcor: fix return value check of mmc_add_host() mmc_add_host() may return error, if we ignore its return value, the memory that allocated in mmc_alloc_host() will be leaked and it will lead a kernel crash because of deleting not added device in the remove path. So fix this by checking the return value and calling mmc_free_host() in the error path. 2025-12-30 not yet calculated CVE-2022-50858 https://git.kernel.org/stable/c/289c964fe182ce755044a6cd57698072e12ffa6f
https://git.kernel.org/stable/c/4a6e5d0222804a3eaf2ea4cf893f412e7cf98cb2
https://git.kernel.org/stable/c/29c5b4da41f35108136d843c7432885c78cf8272
https://git.kernel.org/stable/c/48dc06333d75f41c2ce9ba954bc3231324b45914
https://git.kernel.org/stable/c/60fafcf2fb7ee9a4125dc9a86eeb9d490acf23e2
https://git.kernel.org/stable/c/e93d1468f429475a753d6baa79b853b7ee5ef8c0
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: cifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message Commit d5c7076b772a ("smb3: add smb3.1.1 to default dialect list") extend the dialects from 3 to 4, but forget to decrease the extended length when specific the dialect, then the message length is larger than expected. This maybe leak some info through network because not initialize the message body. After apply this patch, the VALIDATE_NEGOTIATE_INFO message length is reduced from 28 bytes to 26 bytes. 2025-12-30 not yet calculated CVE-2022-50859 https://git.kernel.org/stable/c/d0050ec3ebbcb3451df9a65b8460be9b9e02e80c
https://git.kernel.org/stable/c/9312e04b6c6bc46354ecd0cc82052a2b3df0b529
https://git.kernel.org/stable/c/60480291c1fcafad8425d93f771b5bcc2bd398b4
https://git.kernel.org/stable/c/943eb0ede74ecd609fdfd3f0b83e0d237613e526
https://git.kernel.org/stable/c/fada9b8c95c77bb46b89e18117405bc90fce9f74
https://git.kernel.org/stable/c/e98ecc6e94f4e6d21c06660b0f336df02836694f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: apparmor: Fix memleak in alloc_ns() After changes in commit a1bd627b46d1 ("apparmor: share profile name on replacement"), the hname member of struct aa_policy is not valid slab object, but a subset of that, it can not be freed by kfree_sensitive(), use aa_policy_destroy() to fix it. 2025-12-30 not yet calculated CVE-2022-50860 https://git.kernel.org/stable/c/9a32aa87a25d800b2c6f47bc2749a7bfd9a486f3
https://git.kernel.org/stable/c/5f509fa740b17307f0cba412485072f632d5af36
https://git.kernel.org/stable/c/0250cf8d37bb5201a117177afd24dc73a1c81657
https://git.kernel.org/stable/c/12695b4b76d437b9c0182a6f7dfb2248013a9daf
https://git.kernel.org/stable/c/e9e6fa49dbab6d84c676666f3fe7d360497fd65b
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: NFSD: Finish converting the NFSv2 GETACL result encoder The xdr_stream conversion inadvertently left some code that set the page_len of the send buffer. The XDR stream encoders should handle this automatically now. This oversight adds garbage past the end of the Reply message. Clients typically ignore the garbage, but NFSD does not need to send it, as it leaks stale memory contents onto the wire. 2025-12-30 not yet calculated CVE-2022-50861 https://git.kernel.org/stable/c/a20b0abab966a189a79aba6ebf41f59024a3224d
https://git.kernel.org/stable/c/5030d4d2bf8b6f6f3d16401ab92a88bc5aa2377a
https://git.kernel.org/stable/c/d5b867fd2d7f79630b1a2906a7bb4f4b75bf297a
https://git.kernel.org/stable/c/2b825efb0577a32a872e872a869e0947cf9dd6d3
https://git.kernel.org/stable/c/ea5021e911d3479346a75ac9b7d9dcd751b0fb99
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bpf: prevent decl_tag from being referenced in func_proto Syzkaller was able to hit the following issue: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 3609 at kernel/bpf/btf.c:1946 btf_type_id_size+0x2d5/0x9d0 kernel/bpf/btf.c:1946 Modules linked in: CPU: 0 PID: 3609 Comm: syz-executor361 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 RIP: 0010:btf_type_id_size+0x2d5/0x9d0 kernel/bpf/btf.c:1946 Code: ef e8 7f 8e e4 ff 41 83 ff 0b 77 28 f6 44 24 10 18 75 3f e8 6d 91 e4 ff 44 89 fe bf 0e 00 00 00 e8 20 8e e4 ff e8 5b 91 e4 ff <0f> 0b 45 31 f6 e9 98 02 00 00 41 83 ff 12 74 18 e8 46 91 e4 ff 44 RSP: 0018:ffffc90003cefb40 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 RDX: ffff8880259c0000 RSI: ffffffff81968415 RDI: 0000000000000005 RBP: ffff88801270ca00 R08: 0000000000000005 R09: 000000000000000e R10: 0000000000000011 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000011 R14: ffff888026ee6424 R15: 0000000000000011 FS: 000055555641b300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000f2e258 CR3: 000000007110e000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> btf_func_proto_check kernel/bpf/btf.c:4447 [inline] btf_check_all_types kernel/bpf/btf.c:4723 [inline] btf_parse_type_sec kernel/bpf/btf.c:4752 [inline] btf_parse kernel/bpf/btf.c:5026 [inline] btf_new_fd+0x1926/0x1e70 kernel/bpf/btf.c:6892 bpf_btf_load kernel/bpf/syscall.c:4324 [inline] __sys_bpf+0xb7d/0x4cf0 kernel/bpf/syscall.c:5010 __do_sys_bpf kernel/bpf/syscall.c:5069 [inline] __se_sys_bpf kernel/bpf/syscall.c:5067 [inline] __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:5067 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f0fbae41c69 Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc8aeb6228 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0fbae41c69 RDX: 0000000000000020 RSI: 0000000020000140 RDI: 0000000000000012 RBP: 00007f0fbae05e10 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000ffffffff R11: 0000000000000246 R12: 00007f0fbae05ea0 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> Looks like it tries to create a func_proto which return type is decl_tag. For the details, see Martin's spot on analysis in [0]. 0: https://lore.kernel.org/bpf/CAKH8qBuQDLva_hHxxBuZzyAcYNO4ejhovz6TQeVSk8HY-2SO6g@mail.gmail.com/T/#mea6524b3fcd6298347432226e81b1e6155efc62c 2025-12-30 not yet calculated CVE-2022-50862 https://git.kernel.org/stable/c/e9dbb4c539d058852b76937dcd7347d3f38054f2
https://git.kernel.org/stable/c/ea68376c8bed5cd156900852aada20c3a0874d17
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: free unused skb to prevent memory leak This avoid potential memory leak under power saving mode. 2025-12-30 not yet calculated CVE-2022-50863 https://git.kernel.org/stable/c/d4b4f6ff8ff1b87d25977423cf38fb61744d0023
https://git.kernel.org/stable/c/216c59b66f2d0c428a4fdaa24dc28cd6be4a2bf6
https://git.kernel.org/stable/c/eae672f386049146058b9e5d3d33e9e4af9dca1d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix shift-out-of-bounds due to too large exponent of block size If field s_log_block_size of superblock data is corrupted and too large, init_nilfs() and load_nilfs() still can trigger a shift-out-of-bounds warning followed by a kernel panic (if panic_on_warn is set): shift exponent 38973 is too large for 32-bit type 'int' Call Trace: <TASK> dump_stack_lvl+0xcd/0x134 ubsan_epilogue+0xb/0x50 __ubsan_handle_shift_out_of_bounds.cold.12+0x17b/0x1f5 init_nilfs.cold.11+0x18/0x1d [nilfs2] nilfs_mount+0x9b5/0x12b0 [nilfs2] ... This fixes the issue by adding and using a new helper function for getting block size with sanity check. 2025-12-30 not yet calculated CVE-2022-50864 https://git.kernel.org/stable/c/ec93b5430ec0f60877a5388bb023d60624f9ab9f
https://git.kernel.org/stable/c/8b6ef451b5701b37d9a5905534595776a662edfc
https://git.kernel.org/stable/c/ddb6615a168f97b91175e00eda4c644741cf531c
https://git.kernel.org/stable/c/a16731fa1b96226c75bbf18e73513b14fc318360
https://git.kernel.org/stable/c/ebeccaaef67a4895d2496ab8d9c2fb8d89201211
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: tcp: fix a signed-integer-overflow bug in tcp_add_backlog() The type of sk_rcvbuf and sk_sndbuf in struct sock is int, and in tcp_add_backlog(), the variable limit is caculated by adding sk_rcvbuf, sk_sndbuf and 64 * 1024, it may exceed the max value of int and overflow. This patch reduces the limit budget by halving the sndbuf to solve this issue since ACK packets are much smaller than the payload. 2025-12-30 not yet calculated CVE-2022-50865 https://git.kernel.org/stable/c/9d04b4d0feee12bce6bfe37f30d8e953d3c30368
https://git.kernel.org/stable/c/4f23cb2be530785db284a685d1b1c30224d8a538
https://git.kernel.org/stable/c/a85d39f14aa8a71e29cfb5eb5de02878a8779898
https://git.kernel.org/stable/c/28addf029417d53b1df062b4c87feb7bc033cb5f
https://git.kernel.org/stable/c/ec791d8149ff60c40ad2074af3b92a39c916a03f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ASoC: pxa: fix null-pointer dereference in filter() kasprintf() would return NULL pointer when kmalloc() fail to allocate. Need to check the return pointer before calling strcmp(). 2025-12-30 not yet calculated CVE-2022-50866 https://git.kernel.org/stable/c/3ec75e0ea9550b8f2e531172f2e67ba9d5227ec3
https://git.kernel.org/stable/c/5b510a82740d2a42a75b5661b402bcaf8ae22cd5
https://git.kernel.org/stable/c/0abd1d78317a3a2dfe00b203fbf14ee7df537e0a
https://git.kernel.org/stable/c/a8baccb79de2f48a2083d51febf627eb50ce1898
https://git.kernel.org/stable/c/21a1409e8cf73053b54f7860548e3043dfa351a9
https://git.kernel.org/stable/c/83baa509396a742e0ce145b09fde1ce0a948f49a
https://git.kernel.org/stable/c/9fb9b3b67a5b8669296d6372cd901ef86557e6f6
https://git.kernel.org/stable/c/21b92cf41952577a95bfa430e39478cbd66e42a7
https://git.kernel.org/stable/c/ec7bf231aaa1bdbcb69d23bc50c753c80fb22429
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/msm/a6xx: Fix kvzalloc vs state_kcalloc usage adreno_show_object() is a trap! It will re-allocate the pointer it is passed on first call, when the data is ascii85 encoded, using kvmalloc/ kvfree(). Which means the data *passed* to it must be kvmalloc'd, ie. we cannot use the state_kcalloc() helper. This partially reverts commit ec8f1813bf8d ("drm/msm/a6xx: Replace kcalloc() with kvzalloc()"), but adds the missing kvfree() to fix the memory leak that was present previously. And adds a warning comment. Patchwork: https://patchwork.freedesktop.org/patch/507014/ 2025-12-30 not yet calculated CVE-2022-50867 https://git.kernel.org/stable/c/4b1bbc0571a5d7ee10f754186dc3d619b9ced5c1
https://git.kernel.org/stable/c/83d18e9d9c0150d98dc24e3642ea93f5e245322c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: hwrng: amd - Fix PCI device refcount leak for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL. If we break for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. Add the missing pci_dev_put() for the normal and error path. 2025-12-30 not yet calculated CVE-2022-50868 https://git.kernel.org/stable/c/f1c97f72ffd504f49882774e2ab689d982dc7afc
https://git.kernel.org/stable/c/526c316948819d3ecd2bb20fe5e2580c51a1b760
https://git.kernel.org/stable/c/e246f5eff26055bdcb61a2cc99c50af72a19680f
https://git.kernel.org/stable/c/1199f8e02941b326c60ab71a63002b7c80e38212
https://git.kernel.org/stable/c/5998e5c30e839f73e62cb29e0d9617b0d16ccba3
https://git.kernel.org/stable/c/2b79a5e560779b35e1164d57ae35c48b43373082
https://git.kernel.org/stable/c/cb348c7908631dd9f60083a0a1542eab055d3edf
https://git.kernel.org/stable/c/2e10ecd012ae2b2a374b34f307e9bc1e6096c03d
https://git.kernel.org/stable/c/ecadb5b0111ea19fc7c240bb25d424a94471eb7d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix slab-out-of-bounds in r_page When PAGE_SIZE is 64K, if read_log_page is called by log_read_rst for the first time, the size of *buffer would be equal to DefaultLogPageSize(4K).But for *buffer operations like memcpy, if the memory area size(n) which being assigned to buffer is larger than 4K (log->page_size(64K) or bytes(64K-page_off)), it will cause an out of boundary error. Call trace: [...] kasan_report+0x44/0x130 check_memory_region+0xf8/0x1a0 memcpy+0xc8/0x100 ntfs_read_run_nb+0x20c/0x460 read_log_page+0xd0/0x1f4 log_read_rst+0x110/0x75c log_replay+0x1e8/0x4aa0 ntfs_loadlog_and_replay+0x290/0x2d0 ntfs_fill_super+0x508/0xec0 get_tree_bdev+0x1fc/0x34c [...] Fix this by setting variable r_page to NULL in log_read_rst. 2025-12-30 not yet calculated CVE-2022-50869 https://git.kernel.org/stable/c/ed686e7a26dd19ae6b46bb662f735acfa88ff7bc
https://git.kernel.org/stable/c/bf86a640a34947d92062996e1a75b9cd9d83dd19
https://git.kernel.org/stable/c/6d076293e5bffdf897ea5f975669206e09beed6a
https://git.kernel.org/stable/c/ecfbd57cf9c5ca225184ae266ce44ae473792132
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: powerpc/rtas: avoid device tree lookups in rtas_os_term() rtas_os_term() is called during panic. Its behavior depends on a couple of conditions in the /rtas node of the device tree, the traversal of which entails locking and local IRQ state changes. If the kernel panics while devtree_lock is held, rtas_os_term() as currently written could hang. Instead of discovering the relevant characteristics at panic time, cache them in file-static variables at boot. Note the lookup for "ibm,extended-os-term" is converted to of_property_read_bool() since it is a boolean property, not an RTAS function token. [mpe: Incorporate suggested change from Nick] 2025-12-30 not yet calculated CVE-2022-50870 https://git.kernel.org/stable/c/e23822c7381c59d9e42e65771b6e17c71ed30ea7
https://git.kernel.org/stable/c/06a07fbb32b3a23eec20a42b1e64474da0a3b33e
https://git.kernel.org/stable/c/c2fa91abf22a705cf02f886cd99cff41f4ceda60
https://git.kernel.org/stable/c/f2167f10fcca68ab9ae3f8d94d2c704c5541ac69
https://git.kernel.org/stable/c/d8939315b7342860df143afe0adda6212cdd3193
https://git.kernel.org/stable/c/698e682c849e356fb47a8be47ca8baa817cf31e0
https://git.kernel.org/stable/c/464d10e8d797454e16a173ef1292a446b2adf21c
https://git.kernel.org/stable/c/ed2213bfb192ab51f09f12e9b49b5d482c6493f3
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: Fix qmi_msg_handler data structure initialization qmi_msg_handler is required to be null terminated by QMI module. There might be a case where a handler for a msg id is not present in the handlers array which can lead to infinite loop while searching the handler and therefore out of bound access in qmi_invoke_handler(). Hence update the initialization in qmi_msg_handler data structure. Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1 2025-12-30 not yet calculated CVE-2022-50871 https://git.kernel.org/stable/c/d5d71de448f36e34592f7c81b5e300d3e8dbb735
https://git.kernel.org/stable/c/a10e1530c424bb277b4edc7def0195857a548495
https://git.kernel.org/stable/c/ed3725e15a154ebebf44e0c34806c57525483f92
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ARM: OMAP2+: Fix memory leak in realtime_counter_init() The "sys_clk" resource is malloced by clk_get(), it is not released when the function return. 2025-12-30 not yet calculated CVE-2022-50872 https://git.kernel.org/stable/c/5f9aedabce3404dd8bb769822fc11317c55fbdc1
https://git.kernel.org/stable/c/e3a6af3059e4f83d1a986a3180eb1e04f99c9e64
https://git.kernel.org/stable/c/8041f9a2a958277f95926560dc85910aecd48c0b
https://git.kernel.org/stable/c/4862c41d5f3bee1ec64c979c82bd8cfe96b78f7d
https://git.kernel.org/stable/c/10fcdad2b9f3f424873714eb8713a3e6f7ab84bb
https://git.kernel.org/stable/c/98df4bdf3b010c23cc3c542d0c303016e5fceb40
https://git.kernel.org/stable/c/4f7ad1b08533247c4bf29217ba499ea4138cc2c1
https://git.kernel.org/stable/c/ed8167cbf65c2b6ff6faeb0f96ded4d6d581e1ac
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: vdpa/vp_vdpa: fix kfree a wrong pointer in vp_vdpa_remove In vp_vdpa_remove(), the code kfree(&vp_vdpa_mgtdev->mgtdev.id_table) uses a reference of pointer as the argument of kfree, which is the wrong pointer and then may hit crash like this: Unable to handle kernel paging request at virtual address 00ffff003363e30c Internal error: Oops: 96000004 [#1] SMP Call trace: rb_next+0x20/0x5c ext4_readdir+0x494/0x5c4 [ext4] iterate_dir+0x168/0x1b4 __se_sys_getdents64+0x68/0x170 __arm64_sys_getdents64+0x24/0x30 el0_svc_common.constprop.0+0x7c/0x1bc do_el0_svc+0x2c/0x94 el0_svc+0x20/0x30 el0_sync_handler+0xb0/0xb4 el0_sync+0x160/0x180 Code: 54000220 f9400441 b4000161 aa0103e0 (f9400821) SMP: stopping secondary CPUs Starting crashdump kernel... 2025-12-30 not yet calculated CVE-2022-50873 https://git.kernel.org/stable/c/8fe12680b2c731201519935013ec9219c93ec540
https://git.kernel.org/stable/c/6ccc891f36d0c20ee220551caabdcd3886ec584b
https://git.kernel.org/stable/c/ed843d6ed7310a27cf7c8ee0a82a482eed0cb4a6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/erdma: Fix refcount leak in erdma_mmap rdma_user_mmap_entry_get() take reference, we should release it when not need anymore, add the missing rdma_user_mmap_entry_put() in the error path to fix it. 2025-12-30 not yet calculated CVE-2022-50874 https://git.kernel.org/stable/c/8372207b009d6abdd60bb05624640bd86386599f
https://git.kernel.org/stable/c/410f0f46ffca4d0102470c1e0c747ecfece4204c
https://git.kernel.org/stable/c/ee84146c05ad2316b9a7222d0ec4413e0bf30eeb
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: of: overlay: fix null pointer dereferencing in find_dup_cset_node_entry() and find_dup_cset_prop() When kmalloc() fail to allocate memory in kasprintf(), fn_1 or fn_2 will be NULL, and strcmp() will cause null pointer dereference. 2025-12-30 not yet calculated CVE-2022-50875 https://git.kernel.org/stable/c/9ec5781879b4535ad59b5354b385825378e45618
https://git.kernel.org/stable/c/2b4af99b44861646013821019dd13a4ac48c0219
https://git.kernel.org/stable/c/ce1b3a41e7964cb8dd56a702a95dd90ad27f51cd
https://git.kernel.org/stable/c/ab5bb7bbacf531de8e32912cc2e21f906113cee8
https://git.kernel.org/stable/c/71d88c7453ec3d2ceff98e18ce4d6354abd3b5b6
https://git.kernel.org/stable/c/ee9d7a0e754568180a2f8ebc4aad226278a9116f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: usb: musb: Fix musb_gadget.c rxstate overflow bug The usb function device call musb_gadget_queue() adds the passed request to musb_ep::req_list,If the (request->length > musb_ep->packet_sz) and (is_buffer_mapped(req) return false),the rxstate() will copy all data in fifo to request->buf which may cause request->buf out of bounds. Fix it by add the length check : fifocnt = min_t(unsigned, request->length - request->actual, fifocnt); 2025-12-30 not yet calculated CVE-2022-50876 https://git.kernel.org/stable/c/826f84ab04a5cafe484ea9c2c85a3930068e5cb7
https://git.kernel.org/stable/c/a1008c8b9f357691ce6a8fdb8f157aecb2d79167
https://git.kernel.org/stable/c/7c80f3a918ba9aa26fb699ee887064ec3af0396a
https://git.kernel.org/stable/c/d6afcab1b48f4051211c50145b9e91be3b1b42c9
https://git.kernel.org/stable/c/acf0006f2b2b2ca672988875fd154429aafb2a9b
https://git.kernel.org/stable/c/3c84c7f592c4ba38f54ddaddd0115acc443025db
https://git.kernel.org/stable/c/a9ccd2ab1becf5dcb6d57e9fcd981f5eaa606c96
https://git.kernel.org/stable/c/523313881f0aa5cbbdb548ce575b6e58b202bd76
https://git.kernel.org/stable/c/eea4c860c3b366369eff0489d94ee4f0571d467d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: broadcom: bcm4908_enet: update TX stats after actual transmission Queueing packets doesn't guarantee their transmission. Update TX stats after hardware confirms consuming submitted data. This also fixes a possible race and NULL dereference. bcm4908_enet_start_xmit() could try to access skb after freeing it in the bcm4908_enet_poll_tx(). 2025-12-30 not yet calculated CVE-2022-50877 https://git.kernel.org/stable/c/c9589e18a60c55c76772a38117ef9a16b942e56b
https://git.kernel.org/stable/c/2adedc80faec243ede55355e57142110d6f46e08
https://git.kernel.org/stable/c/ef3556ee16c68735ec69bd08df41d1cd83b14ad3
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: gpu: lontium-lt9611: Fix NULL pointer dereference in lt9611_connector_init() A NULL check for bridge->encoder shows that it may be NULL, but it already been dereferenced on all paths leading to the check. 812 if (!bridge->encoder) { Dereference the pointer bridge->encoder. 810 drm_connector_attach_encoder(&lt9611->connector, bridge->encoder); 2025-12-30 not yet calculated CVE-2022-50878 https://git.kernel.org/stable/c/3959e8faf8bf6bea619e8856c736db64e6eced37
https://git.kernel.org/stable/c/a29f7427041a943484f916157c43c46d3bbf25d4
https://git.kernel.org/stable/c/b2e4323e0020213f44dca6ffc815d66aef39f6f6
https://git.kernel.org/stable/c/912f84e15e94ab87f5a7156aa1870090373d8304
https://git.kernel.org/stable/c/ef8886f321c5dab8124b9153d25afa2a71d05323
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: objtool: Fix SEGFAULT find_insn() will return NULL in case of failure. Check insn in order to avoid a kernel Oops for NULL pointer dereference. 2025-12-30 not yet calculated CVE-2022-50879 https://git.kernel.org/stable/c/418ef921cce2d7415fab7e3e93529227f239e4bb
https://git.kernel.org/stable/c/0af0e115ff59d638f45416a004cdd8edb38db40c
https://git.kernel.org/stable/c/23a249b1185cdd5bfb6971d1608ba49e589f2288
https://git.kernel.org/stable/c/38b9415abbd703438ebbc6fb74990bd0fbddc5b9
https://git.kernel.org/stable/c/fcee8a2d4db404a93e690d79e7273b6ef9d33575
https://git.kernel.org/stable/c/efb11fdb3e1a9f694fa12b70b21e69e55ec59c36
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state() When peer delete failed in a disconnect operation, use-after-free detected by KFENCE in below log. It is because for each vdev_id and address, it has only one struct ath10k_peer, it is allocated in ath10k_peer_map_event(). When connected to an AP, it has more than one HTT_T2H_MSG_TYPE_PEER_MAP reported from firmware, then the array peer_map of struct ath10k will be set muti-elements to the same ath10k_peer in ath10k_peer_map_event(). When peer delete failed in ath10k_sta_state(), the ath10k_peer will be free for the 1st peer id in array peer_map of struct ath10k, and then use-after-free happened for the 2nd peer id because they map to the same ath10k_peer. And clean up all peers in array peer_map for the ath10k_peer, then user-after-free disappeared peer map event log: [ 306.911021] wlan0: authenticate with b0:2a:43:e6:75:0e [ 306.957187] ath10k_pci 0000:01:00.0: mac vdev 0 peer create b0:2a:43:e6:75:0e (new sta) sta 1 / 32 peer 1 / 33 [ 306.957395] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 246 [ 306.957404] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 198 [ 306.986924] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 166 peer unmap event log: [ 435.715691] wlan0: deauthenticating from b0:2a:43:e6:75:0e by local choice (Reason: 3=DEAUTH_LEAVING) [ 435.716802] ath10k_pci 0000:01:00.0: mac vdev 0 peer delete b0:2a:43:e6:75:0e sta ffff990e0e9c2b50 (sta gone) [ 435.717177] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 246 [ 435.717186] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 198 [ 435.717193] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 166 use-after-free log: [21705.888627] wlan0: deauthenticating from d0:76:8f:82:be:75 by local choice (Reason: 3=DEAUTH_LEAVING) [21713.799910] ath10k_pci 0000:01:00.0: failed to delete peer d0:76:8f:82:be:75 for vdev 0: -110 [21713.799925] ath10k_pci 0000:01:00.0: found sta peer d0:76:8f:82:be:75 (ptr 0000000000000000 id 102) entry on vdev 0 after it was supposedly removed [21713.799968] ================================================================== [21713.799991] BUG: KFENCE: use-after-free read in ath10k_sta_state+0x265/0xb8a [ath10k_core] [21713.799991] [21713.799997] Use-after-free read at 0x00000000abe1c75e (in kfence-#69): [21713.800010] ath10k_sta_state+0x265/0xb8a [ath10k_core] [21713.800041] drv_sta_state+0x115/0x677 [mac80211] [21713.800059] __sta_info_destroy_part2+0xb1/0x133 [mac80211] [21713.800076] __sta_info_flush+0x11d/0x162 [mac80211] [21713.800093] ieee80211_set_disassoc+0x12d/0x2f4 [mac80211] [21713.800110] ieee80211_mgd_deauth+0x26c/0x29b [mac80211] [21713.800137] cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211] [21713.800153] nl80211_deauthenticate+0xf8/0x121 [cfg80211] [21713.800161] genl_rcv_msg+0x38e/0x3be [21713.800166] netlink_rcv_skb+0x89/0xf7 [21713.800171] genl_rcv+0x28/0x36 [21713.800176] netlink_unicast+0x179/0x24b [21713.800181] netlink_sendmsg+0x3a0/0x40e [21713.800187] sock_sendmsg+0x72/0x76 [21713.800192] ____sys_sendmsg+0x16d/0x1e3 [21713.800196] ___sys_sendmsg+0x95/0xd1 [21713.800200] __sys_sendmsg+0x85/0xbf [21713.800205] do_syscall_64+0x43/0x55 [21713.800210] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [21713.800213] [21713.800219] kfence-#69: 0x000000009149b0d5-0x000000004c0697fb, size=1064, cache=kmalloc-2k [21713.800219] [21713.800224] allocated by task 13 on cpu 0 at 21705.501373s: [21713.800241] ath10k_peer_map_event+0x7e/0x154 [ath10k_core] [21713.800254] ath10k_htt_t2h_msg_handler+0x586/0x1039 [ath10k_core] [21713.800265] ath10k_htt_htc_t2h_msg_handler+0x12/0x28 [ath10k_core] [21713.800277] ath10k_htc_rx_completion_handler+0x14c/0x1b5 [ath10k_core] [21713.800283] ath10k_pci_process_rx_cb+0x195/0x1d ---truncated--- 2025-12-30 not yet calculated CVE-2022-50880 https://git.kernel.org/stable/c/15604ab67179ae27ea3c7fb24b6df32b143257c4
https://git.kernel.org/stable/c/2d6259715c9597a6cfa25db8911683eb0073b1c6
https://git.kernel.org/stable/c/f12fc305c127bd07bb50373e29c6037696f916a8
https://git.kernel.org/stable/c/4494ec1c0bb850eaa80fed98e5b041d961011d3e
https://git.kernel.org/stable/c/08faf07717be0c88b02b5aa45aad2225dfcdd2dc
https://git.kernel.org/stable/c/54a3201f3c1ff813523937da78b5fa7649dbab71
https://git.kernel.org/stable/c/2bf916418d2141b810c40812433ab4ecfd3c2934
https://git.kernel.org/stable/c/38245f2d62cd4d1f38a763a7b4045ab4565b30a0
https://git.kernel.org/stable/c/f020d9570a04df0762a2ac5c50cf1d8c511c9164
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect() This patch fixes a use-after-free in ath9k that occurs in ath9k_hif_usb_disconnect() when ath9k_destroy_wmi() is trying to access 'drv_priv' that has already been freed by ieee80211_free_hw(), called by ath9k_htc_hw_deinit(). The patch moves ath9k_destroy_wmi() before ieee80211_free_hw(). Note that urbs from the driver should be killed before freeing 'wmi' with ath9k_destroy_wmi() as their callbacks will access 'wmi'. Found by a modified version of syzkaller. ================================================================== BUG: KASAN: use-after-free in ath9k_destroy_wmi+0x38/0x40 Read of size 8 at addr ffff8881069132a0 by task kworker/0:1/7 CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G O 5.14.0+ #131 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 Workqueue: usb_hub_wq hub_event Call Trace: dump_stack_lvl+0x8e/0xd1 print_address_description.constprop.0.cold+0x93/0x334 ? ath9k_destroy_wmi+0x38/0x40 ? ath9k_destroy_wmi+0x38/0x40 kasan_report.cold+0x83/0xdf ? ath9k_destroy_wmi+0x38/0x40 ath9k_destroy_wmi+0x38/0x40 ath9k_hif_usb_disconnect+0x329/0x3f0 ? ath9k_hif_usb_suspend+0x120/0x120 ? usb_disable_interface+0xfc/0x180 usb_unbind_interface+0x19b/0x7e0 ? usb_autoresume_device+0x50/0x50 device_release_driver_internal+0x44d/0x520 bus_remove_device+0x2e5/0x5a0 device_del+0x5b2/0xe30 ? __device_link_del+0x370/0x370 ? usb_remove_ep_devs+0x43/0x80 ? remove_intf_ep_devs+0x112/0x1a0 usb_disable_device+0x1e3/0x5a0 usb_disconnect+0x267/0x870 hub_event+0x168d/0x3950 ? rcu_read_lock_sched_held+0xa1/0xd0 ? hub_port_debounce+0x2e0/0x2e0 ? check_irq_usage+0x860/0xf20 ? drain_workqueue+0x281/0x360 ? lock_release+0x640/0x640 ? rcu_read_lock_sched_held+0xa1/0xd0 ? rcu_read_lock_bh_held+0xb0/0xb0 ? lockdep_hardirqs_on_prepare+0x273/0x3e0 process_one_work+0x92b/0x1460 ? pwq_dec_nr_in_flight+0x330/0x330 ? rwlock_bug.part.0+0x90/0x90 worker_thread+0x95/0xe00 ? __kthread_parkme+0x115/0x1e0 ? process_one_work+0x1460/0x1460 kthread+0x3a1/0x480 ? set_kthread_struct+0x120/0x120 ret_from_fork+0x1f/0x30 The buggy address belongs to the page: page:ffffea00041a44c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106913 flags: 0x200000000000000(node=0|zone=2) raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 7, ts 38347963444, free_ts 41399957635 prep_new_page+0x1aa/0x240 get_page_from_freelist+0x159a/0x27c0 __alloc_pages+0x2da/0x6a0 alloc_pages+0xec/0x1e0 kmalloc_order+0x39/0xf0 kmalloc_order_trace+0x19/0x120 __kmalloc+0x308/0x390 wiphy_new_nm+0x6f5/0x1dd0 ieee80211_alloc_hw_nm+0x36d/0x2230 ath9k_htc_probe_device+0x9d/0x1e10 ath9k_htc_hw_init+0x34/0x50 ath9k_hif_usb_firmware_cb+0x25f/0x4e0 request_firmware_work_func+0x131/0x240 process_one_work+0x92b/0x1460 worker_thread+0x95/0xe00 kthread+0x3a1/0x480 page last free stack trace: free_pcp_prepare+0x3d3/0x7f0 free_unref_page+0x1e/0x3d0 device_release+0xa4/0x240 kobject_put+0x186/0x4c0 put_device+0x20/0x30 ath9k_htc_disconnect_device+0x1cf/0x2c0 ath9k_htc_hw_deinit+0x26/0x30 ath9k_hif_usb_disconnect+0x2d9/0x3f0 usb_unbind_interface+0x19b/0x7e0 device_release_driver_internal+0x44d/0x520 bus_remove_device+0x2e5/0x5a0 device_del+0x5b2/0xe30 usb_disable_device+0x1e3/0x5a0 usb_disconnect+0x267/0x870 hub_event+0x168d/0x3950 process_one_work+0x92b/0x1460 Memory state around the buggy address: ffff888106913180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888106913200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888 ---truncated--- 2025-12-30 not yet calculated CVE-2022-50881 https://git.kernel.org/stable/c/99ff971b62e5bd5dee65bbe9777375206f5db791
https://git.kernel.org/stable/c/634a5471a6bd774c0d0fa448dfa6ec593e899ec9
https://git.kernel.org/stable/c/1f137c634a8c8faba648574f687805641e62f92e
https://git.kernel.org/stable/c/de15e8bbd9eb26fe94a06d0ec7be82dc490eb729
https://git.kernel.org/stable/c/f099c5c9e2ba08a379bd354a82e05ef839ae29ac
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix memory leak in uvc_gpio_parse Previously the unit buffer was allocated before checking the IRQ for privacy GPIO. In case of error, the unit buffer was leaked. Allocate the unit buffer after the IRQ to avoid it. Addresses-Coverity-ID: 1474639 ("Resource leak") 2025-12-30 not yet calculated CVE-2022-50882 https://git.kernel.org/stable/c/6c5da92103bddd1f0c36cb69446ff7cae3043986
https://git.kernel.org/stable/c/deb8f32ae4b10a48c433f2da1b1159521ac24674
https://git.kernel.org/stable/c/4a7ae8d982a89b3b43b36ec7d62a2e3d06ffa16e
https://git.kernel.org/stable/c/f0f078457f18f10696888f8d0e6aba9deb9cde92
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Prevent decl_tag from being referenced in func_proto arg Syzkaller managed to hit another decl_tag issue: btf_func_proto_check kernel/bpf/btf.c:4506 [inline] btf_check_all_types kernel/bpf/btf.c:4734 [inline] btf_parse_type_sec+0x1175/0x1980 kernel/bpf/btf.c:4763 btf_parse kernel/bpf/btf.c:5042 [inline] btf_new_fd+0x65a/0xb00 kernel/bpf/btf.c:6709 bpf_btf_load+0x6f/0x90 kernel/bpf/syscall.c:4342 __sys_bpf+0x50a/0x6c0 kernel/bpf/syscall.c:5034 __do_sys_bpf kernel/bpf/syscall.c:5093 [inline] __se_sys_bpf kernel/bpf/syscall.c:5091 [inline] __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5091 do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48 This seems similar to commit ea68376c8bed ("bpf: prevent decl_tag from being referenced in func_proto") but for the argument. 2025-12-30 not yet calculated CVE-2022-50883 https://git.kernel.org/stable/c/3f3d54962a032581996edda8e6bcbf7a30371234
https://git.kernel.org/stable/c/e6d276dcc9204f95632580c43d66c52ca502d7ec
https://git.kernel.org/stable/c/f17472d4599697d701aa239b4c475a506bccfd19
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm: Prevent drm_copy_field() to attempt copying a NULL pointer There are some struct drm_driver fields that are required by drivers since drm_copy_field() attempts to copy them to user-space via DRM_IOCTL_VERSION. But it can be possible that a driver has a bug and did not set some of the fields, which leads to drm_copy_field() attempting to copy a NULL pointer: [ +10.395966] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000 [ +0.010955] Mem abort info: [ +0.002835] ESR = 0x0000000096000004 [ +0.003872] EC = 0x25: DABT (current EL), IL = 32 bits [ +0.005395] SET = 0, FnV = 0 [ +0.003113] EA = 0, S1PTW = 0 [ +0.003182] FSC = 0x04: level 0 translation fault [ +0.004964] Data abort info: [ +0.002919] ISV = 0, ISS = 0x00000004 [ +0.003886] CM = 0, WnR = 0 [ +0.003040] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000115dad000 [ +0.006536] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 [ +0.006925] Internal error: Oops: 96000004 [#1] SMP ... [ +0.011113] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ +0.007061] pc : __pi_strlen+0x14/0x150 [ +0.003895] lr : drm_copy_field+0x30/0x1a4 [ +0.004156] sp : ffff8000094b3a50 [ +0.003355] x29: ffff8000094b3a50 x28: ffff8000094b3b70 x27: 0000000000000040 [ +0.007242] x26: ffff443743c2ba00 x25: 0000000000000000 x24: 0000000000000040 [ +0.007243] x23: ffff443743c2ba00 x22: ffff8000094b3b70 x21: 0000000000000000 [ +0.007241] x20: 0000000000000000 x19: ffff8000094b3b90 x18: 0000000000000000 [ +0.007241] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaab14b9af40 [ +0.007241] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ +0.007239] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa524ad67d4d8 [ +0.007242] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : 6c6e6263606e7141 [ +0.007239] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 [ +0.007241] x2 : 0000000000000000 x1 : ffff8000094b3b90 x0 : 0000000000000000 [ +0.007240] Call trace: [ +0.002475] __pi_strlen+0x14/0x150 [ +0.003537] drm_version+0x84/0xac [ +0.003448] drm_ioctl_kernel+0xa8/0x16c [ +0.003975] drm_ioctl+0x270/0x580 [ +0.003448] __arm64_sys_ioctl+0xb8/0xfc [ +0.003978] invoke_syscall+0x78/0x100 [ +0.003799] el0_svc_common.constprop.0+0x4c/0xf4 [ +0.004767] do_el0_svc+0x38/0x4c [ +0.003357] el0_svc+0x34/0x100 [ +0.003185] el0t_64_sync_handler+0x11c/0x150 [ +0.004418] el0t_64_sync+0x190/0x194 [ +0.003716] Code: 92402c04 b200c3e8 f13fc09f 5400088c (a9400c02) [ +0.006180] ---[ end trace 0000000000000000 ]--- 2025-12-30 not yet calculated CVE-2022-50884 https://git.kernel.org/stable/c/d213914386a0ede76a4549b41de30192fb92c595
https://git.kernel.org/stable/c/ee9885cd936aad88f84d0cf90bf9a70e83e42a97
https://git.kernel.org/stable/c/8052612b9d08048ebbebcb572894670b4ac07d2f
https://git.kernel.org/stable/c/cdde55f97298e5bb9af6d41c9303a3ec545a370e
https://git.kernel.org/stable/c/c28a8082b25ce4ec94999e10a30c50d20bd44a25
https://git.kernel.org/stable/c/ca163e389f0ae096a4e1e19f0a95e60ed80b4e31
https://git.kernel.org/stable/c/2d6708ea5c2033ff53267feff1876a717689989f
https://git.kernel.org/stable/c/6cf5e9356b2d856403ee480f987f3ea64dbf8d8c
https://git.kernel.org/stable/c/f6ee30407e883042482ad4ad30da5eaba47872ee
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed There is a null-ptr-deref when mount.cifs over rdma: BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe] Read of size 8 at addr 0000000000000018 by task mount.cifs/3046 CPU: 2 PID: 3046 Comm: mount.cifs Not tainted 6.1.0-rc5+ #62 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc3 Call Trace: <TASK> dump_stack_lvl+0x34/0x44 kasan_report+0xad/0x130 rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe] execute_in_process_context+0x25/0x90 __rxe_cleanup+0x101/0x1d0 [rdma_rxe] rxe_create_qp+0x16a/0x180 [rdma_rxe] create_qp.part.0+0x27d/0x340 ib_create_qp_kernel+0x73/0x160 rdma_create_qp+0x100/0x230 _smbd_get_connection+0x752/0x20f0 smbd_get_connection+0x21/0x40 cifs_get_tcp_session+0x8ef/0xda0 mount_get_conns+0x60/0x750 cifs_mount+0x103/0xd00 cifs_smb3_do_mount+0x1dd/0xcb0 smb3_get_tree+0x1d5/0x300 vfs_get_tree+0x41/0xf0 path_mount+0x9b3/0xdd0 __x64_sys_mount+0x190/0x1d0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 The root cause of the issue is the socket create failed in rxe_qp_init_req(). So move the reset rxe_qp_do_cleanup() after the NULL ptr check. 2025-12-30 not yet calculated CVE-2022-50885 https://git.kernel.org/stable/c/ee24de095569935eba600f7735e8e8ddea5b418e
https://git.kernel.org/stable/c/7340ca9f782be6fbe3f64a134dc112772764f766
https://git.kernel.org/stable/c/bd7106a6004f1077a365ca7f5a99c7a708e20714
https://git.kernel.org/stable/c/6bb5a62bfd624039b05157745c234068508393a9
https://git.kernel.org/stable/c/f64f08b9e6fb305a25dd75329e06ae342b9ce336
https://git.kernel.org/stable/c/5b924632d84a60bc0c7fe6e9bbbce99d03908957
https://git.kernel.org/stable/c/821f9a18210f6b9fd6792471714c799607b25db4
https://git.kernel.org/stable/c/f67376d801499f4fa0838c18c1efcad8840e550d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mmc: toshsd: fix return value check of mmc_add_host() mmc_add_host() may return error, if we ignore its return value, the memory that allocated in mmc_alloc_host() will be leaked and it will lead a kernel crash because of deleting not added device in the remove path. So fix this by checking the return value and goto error path which will call mmc_free_host(), besides, free_irq() also needs be called. 2025-12-30 not yet calculated CVE-2022-50886 https://git.kernel.org/stable/c/34ae492f8d172f0bd193c24cad588b35419ea47a
https://git.kernel.org/stable/c/3329e7b7132ca727263fb0ee214cf52cc6dcaaad
https://git.kernel.org/stable/c/4f6cb1c685f9e20a4a9fa565e442f5af4dad70ff
https://git.kernel.org/stable/c/3dbb69a0242c31ea4c9eee22b1c41b515fe509a0
https://git.kernel.org/stable/c/aabbedcb6c9a72d12d35dc672e83f0c8064d8a61
https://git.kernel.org/stable/c/6444079767b68b1fbed0e7668081146e80dcb719
https://git.kernel.org/stable/c/647e370dd0ef7e212d8d014bda748e461eab2e8c
https://git.kernel.org/stable/c/bfd77b194c94aefbde4efc30ddf8607dd9244672
https://git.kernel.org/stable/c/f670744a316ea983113a65313dcd387b5a992444
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: regulator: core: fix unbalanced of node refcount in regulator_dev_lookup() I got the the following report: OF: ERROR: memory leak, expected refcount 1 instead of 2, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /i2c/pmic@62/regulators/exten In of_get_regulator(), the node is returned from of_parse_phandle() with refcount incremented, after using it, of_node_put() need be called. 2025-12-30 not yet calculated CVE-2022-50887 https://git.kernel.org/stable/c/0e88505ac0a6ae97746bcdbd4b042ee9f20455ae
https://git.kernel.org/stable/c/4dfcf5087db9a34a300d6b99009232d4537c3e6a
https://git.kernel.org/stable/c/3ac888db0f67813d91373a9a61c840f815cd4ec9
https://git.kernel.org/stable/c/d39937f8de641c44a337cec4a2e5d3e8add20a7d
https://git.kernel.org/stable/c/f48c474efe05cf9ce5e535b5e0ddd710e963936c
https://git.kernel.org/stable/c/cda1895f3b7f324ece1614308a815a3994983b97
https://git.kernel.org/stable/c/2b93c58adddd98812ad928bbc2063038f3df1ffd
https://git.kernel.org/stable/c/2f98469c3141f8e42ba11075a273fb795bbad57f
https://git.kernel.org/stable/c/f2b41b748c19962b82709d9f23c6b2b0ce9d2f91
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: remoteproc: qcom: q6v5: Fix potential null-ptr-deref in q6v5_wcss_init_mmio() q6v5_wcss_init_mmio() will call platform_get_resource_byname() that may fail and return NULL. devm_ioremap() will use res->start as input, which may causes null-ptr-deref. Check the ret value of platform_get_resource_byname() to avoid the null-ptr-deref. 2025-12-30 not yet calculated CVE-2022-50888 https://git.kernel.org/stable/c/098ebb9089c4eedea09333f912d105fa63377496
https://git.kernel.org/stable/c/3afa88ae9911b65702a3aca9d92ea23fe496e56f
https://git.kernel.org/stable/c/0903a87490a9ed456ac765a84dcc484c1ee42c32
https://git.kernel.org/stable/c/f360e2b275efbb745ba0af8b47d9ef44221be586
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: dm integrity: Fix UAF in dm_integrity_dtr() Dm_integrity also has the same UAF problem when dm_resume() and dm_destroy() are concurrent. Therefore, cancelling timer again in dm_integrity_dtr(). 2025-12-30 not yet calculated CVE-2022-50889 https://git.kernel.org/stable/c/792e51aac376cfb5bd527c2a30826223b82dd177
https://git.kernel.org/stable/c/a506b5c92757b034034ef683e667bffc456c600b
https://git.kernel.org/stable/c/9215b25f2e105032114e9b92c9783a2a84ee8af9
https://git.kernel.org/stable/c/9f8e1e54a3a424c6c4fb8742e094789d3ec91e42
https://git.kernel.org/stable/c/b6c93cd61afab061d80cc842333abca97b289774
https://git.kernel.org/stable/c/f50cb2cbabd6c4a60add93d72451728f86e4791c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix possible memory leak in smb2_lock() argv needs to be free when setup_async_work fails or when the current process is woken up. 2025-12-30 not yet calculated CVE-2023-54162 https://git.kernel.org/stable/c/bfe8372ef2dbdce97f13b21d76e2080ddeef5a79
https://git.kernel.org/stable/c/6bf555ed8938444466c3d7f3252eb874a518f293
https://git.kernel.org/stable/c/11d38f8a0c19763e34d2093b5ecb640e012cb2d2
https://git.kernel.org/stable/c/d3ca9f7aeba793d74361d88a8800b2f205c9236b
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: fix iso_conn related locking and validity issues sk->sk_state indicates whether iso_pi(sk)->conn is valid. Operations that check/update sk_state and access conn should hold lock_sock, otherwise they can race. The order of taking locks is hci_dev_lock > lock_sock > iso_conn_lock, which is how it is in connect/disconnect_cfm -> iso_conn_del -> iso_chan_del. Fix locking in iso_connect_cis/bis and sendmsg/recvmsg to take lock_sock around updating sk_state and conn. iso_conn_del must not occur during iso_connect_cis/bis, as it frees the iso_conn. Hold hdev->lock longer to prevent that. This should not reintroduce the issue fixed in commit 241f51931c35 ("Bluetooth: ISO: Avoid circular locking dependency"), since the we acquire locks in order. We retain the fix in iso_sock_connect to release lock_sock before iso_connect_* acquires hdev->lock. Similarly for commit 6a5ad251b7cd ("Bluetooth: ISO: Fix possible circular locking dependency"). We retain the fix in iso_conn_ready to not acquire iso_conn_lock before lock_sock. iso_conn_add shall return iso_conn with valid hcon. Make it so also when reusing an old CIS connection waiting for disconnect timeout (see __iso_sock_close where conn->hcon is set to NULL). Trace with iso_conn_del after iso_chan_add in iso_connect_cis: =============================================================== iso_sock_create:771: sock 00000000be9b69b7 iso_sock_init:693: sk 000000004dff667e iso_sock_bind:827: sk 000000004dff667e 70:1a:b8:98:ff:a2 type 1 iso_sock_setsockopt:1289: sk 000000004dff667e iso_sock_setsockopt:1289: sk 000000004dff667e iso_sock_setsockopt:1289: sk 000000004dff667e iso_sock_connect:875: sk 000000004dff667e iso_connect_cis:353: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da hci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da hci_conn_add:1005: hci0 dst 28:3d:c2:4a:7e:da iso_conn_add:140: hcon 000000007b65d182 conn 00000000daf8625e __iso_chan_add:214: conn 00000000daf8625e iso_connect_cfm:1700: hcon 000000007b65d182 bdaddr 28:3d:c2:4a:7e:da status 12 iso_conn_del:187: hcon 000000007b65d182 conn 00000000daf8625e, err 16 iso_sock_clear_timer:117: sock 000000004dff667e state 3 <Note: sk_state is BT_BOUND (3), so iso_connect_cis is still running at this point> iso_chan_del:153: sk 000000004dff667e, conn 00000000daf8625e, err 16 hci_conn_del:1151: hci0 hcon 000000007b65d182 handle 65535 hci_conn_unlink:1102: hci0: hcon 000000007b65d182 hci_chan_list_flush:2780: hcon 000000007b65d182 iso_sock_getsockopt:1376: sk 000000004dff667e iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e iso_sock_getsockopt:1376: sk 000000004dff667e iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e iso_sock_shutdown:1434: sock 00000000be9b69b7, sk 000000004dff667e, how 1 __iso_sock_close:632: sk 000000004dff667e state 5 socket 00000000be9b69b7 <Note: sk_state is BT_CONNECT (5), even though iso_chan_del sets BT_CLOSED (6). Only iso_connect_cis sets it to BT_CONNECT, so it must be that iso_chan_del occurred between iso_chan_add and end of iso_connect_cis.> BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 8000000006467067 P4D 8000000006467067 PUD 3f5f067 PMD 0 Oops: 0000 [#1] PREEMPT SMP PTI Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 RIP: 0010:__iso_sock_close (net/bluetooth/iso.c:664) bluetooth =============================================================== Trace with iso_conn_del before iso_chan_add in iso_connect_cis: =============================================================== iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da ... iso_conn_add:140: hcon 0000000093bc551f conn 00000000768ae504 hci_dev_put:1487: hci0 orig refcnt 21 hci_event_packet:7607: hci0: e ---truncated--- 2025-12-30 not yet calculated CVE-2023-54164 https://git.kernel.org/stable/c/e969bfed84c1f88dc722a678ee08488e86f0ec1a
https://git.kernel.org/stable/c/88ad50f2b843a510bd7c922c0a4e2484aff9d645
https://git.kernel.org/stable/c/d40ae85ee62e3666f45bc61864b22121346f88ef
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: zsmalloc: move LRU update from zs_map_object() to zs_malloc() Under memory pressure, we sometimes observe the following crash: [ 5694.832838] ------------[ cut here ]------------ [ 5694.842093] list_del corruption, ffff888014b6a448->next is LIST_POISON1 (dead000000000100) [ 5694.858677] WARNING: CPU: 33 PID: 418824 at lib/list_debug.c:47 __list_del_entry_valid+0x42/0x80 [ 5694.961820] CPU: 33 PID: 418824 Comm: fuse_counters.s Kdump: loaded Tainted: G S 5.19.0-0_fbk3_rc3_hoangnhatpzsdynshrv41_10870_g85a9558a25de #1 [ 5694.990194] Hardware name: Wiwynn Twin Lakes MP/Twin Lakes Passive MP, BIOS YMM16 05/24/2021 [ 5695.007072] RIP: 0010:__list_del_entry_valid+0x42/0x80 [ 5695.017351] Code: 08 48 83 c2 22 48 39 d0 74 24 48 8b 10 48 39 f2 75 2c 48 8b 51 08 b0 01 48 39 f2 75 34 c3 48 c7 c7 55 d7 78 82 e8 4e 45 3b 00 <0f> 0b eb 31 48 c7 c7 27 a8 70 82 e8 3e 45 3b 00 0f 0b eb 21 48 c7 [ 5695.054919] RSP: 0018:ffffc90027aef4f0 EFLAGS: 00010246 [ 5695.065366] RAX: 41fe484987275300 RBX: ffff888008988180 RCX: 0000000000000000 [ 5695.079636] RDX: ffff88886006c280 RSI: ffff888860060480 RDI: ffff888860060480 [ 5695.093904] RBP: 0000000000000002 R08: 0000000000000000 R09: ffffc90027aef370 [ 5695.108175] R10: 0000000000000000 R11: ffffffff82fdf1c0 R12: 0000000010000002 [ 5695.122447] R13: ffff888014b6a448 R14: ffff888014b6a420 R15: 00000000138dc240 [ 5695.136717] FS: 00007f23a7d3f740(0000) GS:ffff888860040000(0000) knlGS:0000000000000000 [ 5695.152899] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 5695.164388] CR2: 0000560ceaab6ac0 CR3: 000000001c06c001 CR4: 00000000007706e0 [ 5695.178659] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 5695.192927] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 5695.207197] PKRU: 55555554 [ 5695.212602] Call Trace: [ 5695.217486] <TASK> [ 5695.221674] zs_map_object+0x91/0x270 [ 5695.229000] zswap_frontswap_store+0x33d/0x870 [ 5695.237885] ? do_raw_spin_lock+0x5d/0xa0 [ 5695.245899] __frontswap_store+0x51/0xb0 [ 5695.253742] swap_writepage+0x3c/0x60 [ 5695.261063] shrink_page_list+0x738/0x1230 [ 5695.269255] shrink_lruvec+0x5ec/0xcd0 [ 5695.276749] ? shrink_slab+0x187/0x5f0 [ 5695.284240] ? mem_cgroup_iter+0x6e/0x120 [ 5695.292255] shrink_node+0x293/0x7b0 [ 5695.299402] do_try_to_free_pages+0xea/0x550 [ 5695.307940] try_to_free_pages+0x19a/0x490 [ 5695.316126] __folio_alloc+0x19ff/0x3e40 [ 5695.323971] ? __filemap_get_folio+0x8a/0x4e0 [ 5695.332681] ? walk_component+0x2a8/0xb50 [ 5695.340697] ? generic_permission+0xda/0x2a0 [ 5695.349231] ? __filemap_get_folio+0x8a/0x4e0 [ 5695.357940] ? walk_component+0x2a8/0xb50 [ 5695.365955] vma_alloc_folio+0x10e/0x570 [ 5695.373796] ? walk_component+0x52/0xb50 [ 5695.381634] wp_page_copy+0x38c/0xc10 [ 5695.388953] ? filename_lookup+0x378/0xbc0 [ 5695.397140] handle_mm_fault+0x87f/0x1800 [ 5695.405157] do_user_addr_fault+0x1bd/0x570 [ 5695.413520] exc_page_fault+0x5d/0x110 [ 5695.421017] asm_exc_page_fault+0x22/0x30 After some investigation, I have found the following issue: unlike other zswap backends, zsmalloc performs the LRU list update at the object mapping time, rather than when the slot for the object is allocated. This deviation was discussed and agreed upon during the review process of the zsmalloc writeback patch series: https://lore.kernel.org/lkml/Y3flcAXNxxrvy3ZH@cmpxchg.org/ Unfortunately, this introduces a subtle bug that occurs when there is a concurrent store and reclaim, which interleave as follows: zswap_frontswap_store() shrink_worker() zs_malloc() zs_zpool_shrink() spin_lock(&pool->lock) zs_reclaim_page() zspage = find_get_zspage() spin_unlock(&pool->lock) spin_lock(&pool->lock) zspage = list_first_entry(&pool->lru) ---truncated--- 2025-12-30 not yet calculated CVE-2023-54165 https://git.kernel.org/stable/c/e95adf7486f2cb5f1bb303113ca30460951923e9
https://git.kernel.org/stable/c/d461aac924b937bcb4fd0ca1242b3ef6868ecddd
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: igc: Fix Kernel Panic during ndo_tx_timeout callback The Xeon validation group has been carrying out some loaded tests with various HW configurations, and they have seen some transmit queue time out happening during the test. This will cause the reset adapter function to be called by igc_tx_timeout(). Similar race conditions may arise when the interface is being brought down and up in igc_reinit_locked(), an interrupt being generated, and igc_clean_tx_irq() being called to complete the TX. When the igc_tx_timeout() function is invoked, this patch will turn off all TX ring HW queues during igc_down() process. TX ring HW queues will be activated again during the igc_configure_tx_ring() process when performing the igc_up() procedure later. This patch also moved existing igc_disable_tx_ring_hw() to avoid using forward declaration. Kernel trace: [ 7678.747813] ------------[ cut here ]------------ [ 7678.757914] NETDEV WATCHDOG: enp1s0 (igc): transmit queue 2 timed out [ 7678.770117] WARNING: CPU: 0 PID: 13 at net/sched/sch_generic.c:525 dev_watchdog+0x1ae/0x1f0 [ 7678.784459] Modules linked in: xt_conntrack nft_chain_nat xt_MASQUERADE xt_addrtype nft_compat nf_tables nfnetlink br_netfilter bridge stp llc overlay dm_mod emrcha(PO) emriio(PO) rktpm(PO) cegbuf_mod(PO) patch_update(PO) se(PO) sgx_tgts(PO) mktme(PO) keylocker(PO) svtdx(PO) svfs_pci_hotplug(PO) vtd_mod(PO) davemem(PO) svmabort(PO) svindexio(PO) usbx2(PO) ehci_sched(PO) svheartbeat(PO) ioapic(PO) sv8259(PO) svintr(PO) lt(PO) pcierootport(PO) enginefw_mod(PO) ata(PO) smbus(PO) spiflash_cdf(PO) arden(PO) dsa_iax(PO) oobmsm_punit(PO) cpm(PO) svkdb(PO) ebg_pch(PO) pch(PO) sviotargets(PO) svbdf(PO) svmem(PO) svbios(PO) dram(PO) svtsc(PO) targets(PO) superio(PO) svkernel(PO) cswitch(PO) mcf(PO) pentiumIII_mod(PO) fs_svfs(PO) mdevdefdb(PO) svfs_os_services(O) ixgbe mdio mdio_devres libphy emeraldrapids_svdefs(PO) regsupport(O) libnvdimm nls_cp437 snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hwdep x86_pkg_temp_thermal snd_hda_core snd_pcm snd_timer isst_if_mbox_pci [ 7678.784496] input_leds isst_if_mmio sg snd isst_if_common soundcore wmi button sad9(O) drm fuse backlight configfs efivarfs ip_tables x_tables vmd sdhci led_class rtl8150 r8152 hid_generic pegasus mmc_block usbhid mmc_core hid megaraid_sas ixgb igb i2c_algo_bit ice i40e hpsa scsi_transport_sas e1000e e1000 e100 ax88179_178a usbnet xhci_pci sd_mod xhci_hcd t10_pi crc32c_intel crc64_rocksoft igc crc64 crc_t10dif usbcore crct10dif_generic ptp crct10dif_common usb_common pps_core [ 7679.200403] RIP: 0010:dev_watchdog+0x1ae/0x1f0 [ 7679.210201] Code: 28 e9 53 ff ff ff 4c 89 e7 c6 05 06 42 b9 00 01 e8 17 d1 fb ff 44 89 e9 4c 89 e6 48 c7 c7 40 ad fb 81 48 89 c2 e8 52 62 82 ff <0f> 0b e9 72 ff ff ff 65 8b 05 80 7d 7c 7e 89 c0 48 0f a3 05 0a c1 [ 7679.245438] RSP: 0018:ffa00000001f7d90 EFLAGS: 00010282 [ 7679.256021] RAX: 0000000000000000 RBX: ff11000109938440 RCX: 0000000000000000 [ 7679.268710] RDX: ff11000361e26cd8 RSI: ff11000361e1b880 RDI: ff11000361e1b880 [ 7679.281314] RBP: ffa00000001f7da8 R08: ff1100035f8fffe8 R09: 0000000000027ffb [ 7679.293840] R10: 0000000000001f0a R11: ff1100035f840000 R12: ff11000109938000 [ 7679.306276] R13: 0000000000000002 R14: dead000000000122 R15: ffa00000001f7e18 [ 7679.318648] FS: 0000000000000000(0000) GS:ff11000361e00000(0000) knlGS:0000000000000000 [ 7679.332064] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 7679.342757] CR2: 00007ffff7fca168 CR3: 000000013b08a006 CR4: 0000000000471ef8 [ 7679.354984] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 7679.367207] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 7679.379370] PKRU: 55555554 [ 7679.386446] Call Trace: [ 7679.393152] <TASK> [ 7679.399363] ? __pfx_dev_watchdog+0x10/0x10 [ 7679.407870] call_timer_fn+0x31/0x110 [ 7679.415698] e ---truncated--- 2025-12-30 not yet calculated CVE-2023-54166 https://git.kernel.org/stable/c/feba294c454a51bb1e80dd2ff038e335f07ae481
https://git.kernel.org/stable/c/c09df09241fdd6aa5b94a5243369662a13ec608a
https://git.kernel.org/stable/c/c12554d97fcd954d5c66bcd016586732cf240d0b
https://git.kernel.org/stable/c/d4a7ce642100765119a872d4aba1bf63e3a22c8a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: m68k: mm: Move initrd phys_to_virt handling after paging_init() When booting with an initial ramdisk on platforms where physical memory does not start at address zero (e.g. on Amiga): initrd: 0ef0602c - 0f800000 Zone ranges: DMA [mem 0x0000000008000000-0x000000f7ffffffff] Normal empty Movable zone start for each node Early memory node ranges node 0: [mem 0x0000000008000000-0x000000000f7fffff] Initmem setup node 0 [mem 0x0000000008000000-0x000000000f7fffff] Unable to handle kernel access at virtual address (ptrval) Oops: 00000000 Modules linked in: PC: [<00201d3c>] memcmp+0x28/0x56 As phys_to_virt() relies on m68k_memoffset and module_fixup(), it must not be called before paging_init(). Hence postpone the phys_to_virt handling for the initial ramdisk until after calling paging_init(). While at it, reduce #ifdef clutter by using IS_ENABLED() instead. 2025-12-30 not yet calculated CVE-2023-54167 https://git.kernel.org/stable/c/ceb089e2337f810d3594d310953d9af4783f660a
https://git.kernel.org/stable/c/58662cfb459150b9c0c22d20cddaea439b3844bd
https://git.kernel.org/stable/c/d4b97925e87eb133e400fe4a482d750c74ce392f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx4: Prevent shift wrapping in set_user_sq_size() The ucmd->log_sq_bb_count variable is controlled by the user so this shift can wrap. Fix it by using check_shl_overflow() in the same way that it was done in commit 515f60004ed9 ("RDMA/hns: Prevent undefined behavior in hns_roce_set_user_sq_size()"). 2025-12-30 not yet calculated CVE-2023-54168 https://git.kernel.org/stable/c/3d5ae269c4bd392ec1edbfb3bd031b8f42d7feff
https://git.kernel.org/stable/c/8feca625900777e02a449e53fe4121339934c38a
https://git.kernel.org/stable/c/9ad3221c86cc9c6305594b742d4a72dfbd4ea579
https://git.kernel.org/stable/c/9911be2155720221a4f1f722b22bd0e2388d8bcf
https://git.kernel.org/stable/c/3ce0df3493277b9df275cb8455d9c677ae701230
https://git.kernel.org/stable/c/196a6df08b08699ace4ce70e1efcdd9081b6565f
https://git.kernel.org/stable/c/a183905869e692b6b7805b7472235585eff8e429
https://git.kernel.org/stable/c/d50b3c73f1ac20dabc53dc6e9d64ce9c79a331eb
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: fix memory leak in mlx5e_ptp_open When kvzalloc_node or kvzalloc failed in mlx5e_ptp_open, the memory pointed by "c" or "cparams" is not freed, which can lead to a memory leak. Fix by freeing the array in the error path. 2025-12-30 not yet calculated CVE-2023-54169 https://git.kernel.org/stable/c/4892e1e548b5bd6524c1c89df06e4849df26fc20
https://git.kernel.org/stable/c/83a8f7337a14cdb215c76a8f4cf3f3be8b59177d
https://git.kernel.org/stable/c/7035e3ae600c4e9cb3dc220c24dd77112ddff8b1
https://git.kernel.org/stable/c/d543b649ffe58a0cb4b6948b3305069c5980a1fa
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: keys: Fix linking a duplicate key to a keyring's assoc_array When making a DNS query inside the kernel using dns_query(), the request code can in rare cases end up creating a duplicate index key in the assoc_array of the destination keyring. It is eventually found by a BUG_ON() check in the assoc_array implementation and results in a crash. Example report: [2158499.700025] kernel BUG at ../lib/assoc_array.c:652! [2158499.700039] invalid opcode: 0000 [#1] SMP PTI [2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3 [2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 [2158499.700351] Workqueue: cifsiod cifs_resolve_server [cifs] [2158499.700380] RIP: 0010:assoc_array_insert+0x85f/0xa40 [2158499.700401] Code: ff 74 2b 48 8b 3b 49 8b 45 18 4c 89 e6 48 83 e7 fe e8 95 ec 74 00 3b 45 88 7d db 85 c0 79 d4 0f 0b 0f 0b 0f 0b e8 41 f2 be ff <0f> 0b 0f 0b 81 7d 88 ff ff ff 7f 4c 89 eb 4c 8b ad 58 ff ff ff 0f [2158499.700448] RSP: 0018:ffffc0bd6187faf0 EFLAGS: 00010282 [2158499.700470] RAX: ffff9f1ea7da2fe8 RBX: ffff9f1ea7da2fc1 RCX: 0000000000000005 [2158499.700492] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000 [2158499.700515] RBP: ffffc0bd6187fbb0 R08: ffff9f185faf1100 R09: 0000000000000000 [2158499.700538] R10: ffff9f1ea7da2cc0 R11: 000000005ed8cec8 R12: ffffc0bd6187fc28 [2158499.700561] R13: ffff9f15feb8d000 R14: ffff9f1ea7da2fc0 R15: ffff9f168dc0d740 [2158499.700585] FS: 0000000000000000(0000) GS:ffff9f185fac0000(0000) knlGS:0000000000000000 [2158499.700610] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [2158499.700630] CR2: 00007fdd94fca238 CR3: 0000000809d8c006 CR4: 00000000003706e0 [2158499.700702] Call Trace: [2158499.700741] ? key_alloc+0x447/0x4b0 [2158499.700768] ? __key_link_begin+0x43/0xa0 [2158499.700790] __key_link_begin+0x43/0xa0 [2158499.700814] request_key_and_link+0x2c7/0x730 [2158499.700847] ? dns_resolver_read+0x20/0x20 [dns_resolver] [2158499.700873] ? key_default_cmp+0x20/0x20 [2158499.700898] request_key_tag+0x43/0xa0 [2158499.700926] dns_query+0x114/0x2ca [dns_resolver] [2158499.701127] dns_resolve_server_name_to_ip+0x194/0x310 [cifs] [2158499.701164] ? scnprintf+0x49/0x90 [2158499.701190] ? __switch_to_asm+0x40/0x70 [2158499.701211] ? __switch_to_asm+0x34/0x70 [2158499.701405] reconn_set_ipaddr_from_hostname+0x81/0x2a0 [cifs] [2158499.701603] cifs_resolve_server+0x4b/0xd0 [cifs] [2158499.701632] process_one_work+0x1f8/0x3e0 [2158499.701658] worker_thread+0x2d/0x3f0 [2158499.701682] ? process_one_work+0x3e0/0x3e0 [2158499.701703] kthread+0x10d/0x130 [2158499.701723] ? kthread_park+0xb0/0xb0 [2158499.701746] ret_from_fork+0x1f/0x40 The situation occurs as follows: * Some kernel facility invokes dns_query() to resolve a hostname, for example, "abcdef". The function registers its global DNS resolver cache as current->cred.thread_keyring and passes the query to request_key_net() -> request_key_tag() -> request_key_and_link(). * Function request_key_and_link() creates a keyring_search_context object. Its match_data.cmp method gets set via a call to type->match_preparse() (resolves to dns_resolver_match_preparse()) to dns_resolver_cmp(). * Function request_key_and_link() continues and invokes search_process_keyrings_rcu() which returns that a given key was not found. The control is then passed to request_key_and_link() -> construct_alloc_key(). * Concurrently to that, a second task similarly makes a DNS query for "abcdef." and its result gets inserted into the DNS resolver cache. * Back on the first task, function construct_alloc_key() first runs __key_link_begin() to determine an assoc_array_edit operation to insert a new key. Index keys in the array are compared exactly as-is, using keyring_compare_object(). The operation ---truncated--- 2025-12-30 not yet calculated CVE-2023-54170 https://git.kernel.org/stable/c/65bd66a794bfa059375ec834885bb610d75c0182
https://git.kernel.org/stable/c/0a6b0ca58685be34979236f83f2b322635b80b32
https://git.kernel.org/stable/c/9aecfebea24fe6071ace5cc9fd6d690b87276bbb
https://git.kernel.org/stable/c/00edfa6d4fe022942e2f2e6f3294ff13ef78b15c
https://git.kernel.org/stable/c/e091bb55af9a930801f83df78195a908a76e1479
https://git.kernel.org/stable/c/d55901522f96082a43b9842d34867363c0cdbac5
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: tracing: Fix memory leak of iter->temp when reading trace_pipe kmemleak reports: unreferenced object 0xffff88814d14e200 (size 256): comm "cat", pid 336, jiffies 4294871818 (age 779.490s) hex dump (first 32 bytes): 04 00 01 03 00 00 00 00 08 00 00 00 00 00 00 00 ................ 0c d8 c8 9b ff ff ff ff 04 5a ca 9b ff ff ff ff .........Z...... backtrace: [<ffffffff9bdff18f>] __kmalloc+0x4f/0x140 [<ffffffff9bc9238b>] trace_find_next_entry+0xbb/0x1d0 [<ffffffff9bc9caef>] trace_print_lat_context+0xaf/0x4e0 [<ffffffff9bc94490>] print_trace_line+0x3e0/0x950 [<ffffffff9bc95499>] tracing_read_pipe+0x2d9/0x5a0 [<ffffffff9bf03a43>] vfs_read+0x143/0x520 [<ffffffff9bf04c2d>] ksys_read+0xbd/0x160 [<ffffffff9d0f0edf>] do_syscall_64+0x3f/0x90 [<ffffffff9d2000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 when reading file 'trace_pipe', 'iter->temp' is allocated or relocated in trace_find_next_entry() but not freed before 'trace_pipe' is closed. To fix it, free 'iter->temp' in tracing_release_pipe(). 2025-12-30 not yet calculated CVE-2023-54171 https://git.kernel.org/stable/c/1a1e793e021d75cd0accd8f329ec9456e5cd105e
https://git.kernel.org/stable/c/954792db9f61b6c0b8a94b8831fed5f146014029
https://git.kernel.org/stable/c/be970e22c53d5572b2795b79da9716ada937023b
https://git.kernel.org/stable/c/3f42d57a76e7e96585f08855554e002218cbca0c
https://git.kernel.org/stable/c/d5a821896360cc8b93a15bd888fabc858c038dc0
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: x86/hyperv: Disable IBT when hypercall page lacks ENDBR instruction On hardware that supports Indirect Branch Tracking (IBT), Hyper-V VMs with ConfigVersion 9.3 or later support IBT in the guest. However, current versions of Hyper-V have a bug in that there's not an ENDBR64 instruction at the beginning of the hypercall page. Since hypercalls are made with an indirect call to the hypercall page, all hypercall attempts fail with an exception and Linux panics. A Hyper-V fix is in progress to add ENDBR64. But guard against the Linux panic by clearing X86_FEATURE_IBT if the hypercall page doesn't start with ENDBR. The VM will boot and run without IBT. If future Linux 32-bit kernels were to support IBT, additional hypercall page hackery would be needed to make IBT work for such kernels in a Hyper-V VM. 2025-12-30 not yet calculated CVE-2023-54172 https://git.kernel.org/stable/c/98cccbd0a19a161971bc7f7feb10577adc62c400
https://git.kernel.org/stable/c/73626b70b361ddda7c380e52c236aa4f2487c402
https://git.kernel.org/stable/c/d5ace2a776442d80674eff9ed42e737f7dd95056
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Disable preemption in bpf_event_output We received report [1] of kernel crash, which is caused by using nesting protection without disabled preemption. The bpf_event_output can be called by programs executed by bpf_prog_run_array_cg function that disabled migration but keeps preemption enabled. This can cause task to be preempted by another one inside the nesting protection and lead eventually to two tasks using same perf_sample_data buffer and cause crashes like: BUG: kernel NULL pointer dereference, address: 0000000000000001 #PF: supervisor instruction fetch in kernel mode #PF: error_code(0x0010) - not-present page ... ? perf_output_sample+0x12a/0x9a0 ? finish_task_switch.isra.0+0x81/0x280 ? perf_event_output+0x66/0xa0 ? bpf_event_output+0x13a/0x190 ? bpf_event_output_data+0x22/0x40 ? bpf_prog_dfc84bbde731b257_cil_sock4_connect+0x40a/0xacb ? xa_load+0x87/0xe0 ? __cgroup_bpf_run_filter_sock_addr+0xc1/0x1a0 ? release_sock+0x3e/0x90 ? sk_setsockopt+0x1a1/0x12f0 ? udp_pre_connect+0x36/0x50 ? inet_dgram_connect+0x93/0xa0 ? __sys_connect+0xb4/0xe0 ? udp_setsockopt+0x27/0x40 ? __pfx_udp_push_pending_frames+0x10/0x10 ? __sys_setsockopt+0xdf/0x1a0 ? __x64_sys_connect+0xf/0x20 ? do_syscall_64+0x3a/0x90 ? entry_SYSCALL_64_after_hwframe+0x72/0xdc Fixing this by disabling preemption in bpf_event_output. [1] https://github.com/cilium/cilium/issues/26756 2025-12-30 not yet calculated CVE-2023-54173 https://git.kernel.org/stable/c/3048cb0dc0cc9dc74ed93690dffef00733bcad5b
https://git.kernel.org/stable/c/c81bdf8f9f2b002d217c3d5357cdea9f2b82ff90
https://git.kernel.org/stable/c/36dd8ca330b76585640ed32255a3c99f901e1502
https://git.kernel.org/stable/c/063c9ce8e74e07bf94f99cd13146f42867875e8b
https://git.kernel.org/stable/c/d62cc390c2e99ae267ffe4b8d7e2e08b6c758c32
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: vfio: Fix NULL pointer dereference caused by uninitialized group->iommufd group->iommufd is not initialized for the iommufd_ctx_put() [20018.331541] BUG: kernel NULL pointer dereference, address: 0000000000000000 [20018.377508] RIP: 0010:iommufd_ctx_put+0x5/0x10 [iommufd] ... [20018.476483] Call Trace: [20018.479214] <TASK> [20018.481555] vfio_group_fops_unl_ioctl+0x506/0x690 [vfio] [20018.487586] __x64_sys_ioctl+0x6a/0xb0 [20018.491773] ? trace_hardirqs_on+0xc5/0xe0 [20018.496347] do_syscall_64+0x67/0x90 [20018.500340] entry_SYSCALL_64_after_hwframe+0x4b/0xb5 2025-12-30 not yet calculated CVE-2023-54174 https://git.kernel.org/stable/c/8f24eef598ce7cce0bbefe0ec642bcc031d0f528
https://git.kernel.org/stable/c/d649c34cb916b015fdcb487e51409fcc5caeca8d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: i2c: xiic: xiic_xfer(): Fix runtime PM leak on error path The xiic_xfer() function gets a runtime PM reference when the function is entered. This reference is released when the function is exited. There is currently one error path where the function exits directly, which leads to a leak of the runtime PM reference. Make sure that this error path also releases the runtime PM reference. 2025-12-30 not yet calculated CVE-2023-54175 https://git.kernel.org/stable/c/2d320d9de7d31c0eb279b3f8a02cf1af473a3737
https://git.kernel.org/stable/c/72cb227a368cf286efb8ce1e741e8c7085747b4d
https://git.kernel.org/stable/c/06e661a259978305c0015f6f33d14477a0cfbe8f
https://git.kernel.org/stable/c/6027d84c073e26cb1b32a90d69c5fbad57776406
https://git.kernel.org/stable/c/688fdfc458bfa651dca39c736d39c1b7520af0e8
https://git.kernel.org/stable/c/d663d93bb47e7ab45602b227701022d8aa16040a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mptcp: stricter state check in mptcp_worker As reported by Christoph, the mptcp protocol can run the worker when the relevant msk socket is in an unexpected state: connect() // incoming reset + fastclose // the mptcp worker is scheduled mptcp_disconnect() // msk is now CLOSED listen() mptcp_worker() Leading to the following splat: divide error: 0000 [#1] PREEMPT SMP CPU: 1 PID: 21 Comm: kworker/1:0 Not tainted 6.3.0-rc1-gde5e8fd0123c #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 Workqueue: events mptcp_worker RIP: 0010:__tcp_select_window+0x22c/0x4b0 net/ipv4/tcp_output.c:3018 RSP: 0018:ffffc900000b3c98 EFLAGS: 00010293 RAX: 000000000000ffd7 RBX: 000000000000ffd7 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8214ce97 RDI: 0000000000000004 RBP: 000000000000ffd7 R08: 0000000000000004 R09: 0000000000010000 R10: 000000000000ffd7 R11: ffff888005afa148 R12: 000000000000ffd7 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000405270 CR3: 000000003011e006 CR4: 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> tcp_select_window net/ipv4/tcp_output.c:262 [inline] __tcp_transmit_skb+0x356/0x1280 net/ipv4/tcp_output.c:1345 tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline] tcp_send_active_reset+0x13e/0x320 net/ipv4/tcp_output.c:3459 mptcp_check_fastclose net/mptcp/protocol.c:2530 [inline] mptcp_worker+0x6c7/0x800 net/mptcp/protocol.c:2705 process_one_work+0x3bd/0x950 kernel/workqueue.c:2390 worker_thread+0x5b/0x610 kernel/workqueue.c:2537 kthread+0x138/0x170 kernel/kthread.c:376 ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308 </TASK> This change addresses the issue explicitly checking for bad states before running the mptcp worker. 2025-12-30 not yet calculated CVE-2023-54176 https://git.kernel.org/stable/c/f0b4a4086cf27240fc621a560da9735159049dcc
https://git.kernel.org/stable/c/aff9099e9c51f15c8def05c75b2b73e8487b5d54
https://git.kernel.org/stable/c/19ea79e87af32c2b3c6fc49bd84efeb35ca57678
https://git.kernel.org/stable/c/d6a0443733434408f2cbd4c53fea6910599bab9e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: quota: fix warning in dqgrab() There's issue as follows when do fault injection: WARNING: CPU: 1 PID: 14870 at include/linux/quotaops.h:51 dquot_disable+0x13b7/0x18c0 Modules linked in: CPU: 1 PID: 14870 Comm: fsconfig Not tainted 6.3.0-next-20230505-00006-g5107a9c821af-dirty #541 RIP: 0010:dquot_disable+0x13b7/0x18c0 RSP: 0018:ffffc9000acc79e0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88825e41b980 RDX: 0000000000000000 RSI: ffff88825e41b980 RDI: 0000000000000002 RBP: ffff888179f68000 R08: ffffffff82087ca7 R09: 0000000000000000 R10: 0000000000000001 R11: ffffed102f3ed026 R12: ffff888179f68130 R13: ffff888179f68110 R14: dffffc0000000000 R15: ffff888179f68118 FS: 00007f450a073740(0000) GS:ffff88882fc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffe96f2efd8 CR3: 000000025c8ad000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> dquot_load_quota_sb+0xd53/0x1060 dquot_resume+0x172/0x230 ext4_reconfigure+0x1dc6/0x27b0 reconfigure_super+0x515/0xa90 __x64_sys_fsconfig+0xb19/0xd20 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Above issue may happens as follows: ProcessA ProcessB ProcessC sys_fsconfig vfs_fsconfig_locked reconfigure_super ext4_remount dquot_suspend -> suspend all type quota sys_fsconfig vfs_fsconfig_locked reconfigure_super ext4_remount dquot_resume ret = dquot_load_quota_sb add_dquot_ref do_open -> open file O_RDWR vfs_open do_dentry_open get_write_access atomic_inc_unless_negative(&inode->i_writecount) ext4_file_open dquot_file_open dquot_initialize __dquot_initialize dqget atomic_inc(&dquot->dq_count); __dquot_initialize __dquot_initialize dqget if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) ext4_acquire_dquot -> Return error DQ_ACTIVE_B flag isn't set dquot_disable invalidate_dquots if (atomic_read(&dquot->dq_count)) dqgrab WARN_ON_ONCE(!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) -> Trigger warning In the above scenario, 'dquot->dq_flags' has no DQ_ACTIVE_B is normal when dqgrab(). To solve above issue just replace the dqgrab() use in invalidate_dquots() with atomic_inc(&dquot->dq_count). 2025-12-30 not yet calculated CVE-2023-54177 https://git.kernel.org/stable/c/6478eabc92274efae6269da7c515ba2b4c8e88d8
https://git.kernel.org/stable/c/965bad2bf1afef64ec16249da676dc7310cca32e
https://git.kernel.org/stable/c/3f378783c47b5749317ea008d8c931d6d3986d8f
https://git.kernel.org/stable/c/cbaebbba722cb9738c55903efce11f51cdd97bee
https://git.kernel.org/stable/c/579d814de87c3cac69c9b261efa165d07cde3357
https://git.kernel.org/stable/c/6432843debe1ec7d76c5b2f76c67f9c5df22436e
https://git.kernel.org/stable/c/6f4e543d277a12dfeff027e6ab24a170e1bfc160
https://git.kernel.org/stable/c/d6a95db3c7ad160bc16b89e36449705309b52bcb
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: of: unittest: fix null pointer dereferencing in of_unittest_find_node_by_name() when kmalloc() fail to allocate memory in kasprintf(), name or full_name will be NULL, strcmp() will cause null pointer dereference. 2025-12-30 not yet calculated CVE-2023-54178 https://git.kernel.org/stable/c/c364fa869b33ca42a263bf91c22fce7e6c61d479
https://git.kernel.org/stable/c/0b7d715511915a1b39f5fdcbe57a7922dfd66513
https://git.kernel.org/stable/c/dadf0d0dfcc81cdcb27ba5426676d13a9e4fb925
https://git.kernel.org/stable/c/f41c65f8d05be734898cbe72af59a401b97d298a
https://git.kernel.org/stable/c/ea5bc6f5aa099e3e84d037282836234ad77cba88
https://git.kernel.org/stable/c/43cc228099c514467b8074d7ede6673cef9f33b9
https://git.kernel.org/stable/c/c74ae8124f9687062dd99858f34c9d027ddd73da
https://git.kernel.org/stable/c/2dd8ee9de71ad8447f8459fb01dade7f6c7132da
https://git.kernel.org/stable/c/d6ce4f0ea19c32f10867ed93d8386924326ab474
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Array index may go out of bound Klocwork reports array 'vha->host_str' of size 16 may use index value(s) 16..19. Use snprintf() instead of sprintf(). 2025-12-30 not yet calculated CVE-2023-54179 https://git.kernel.org/stable/c/e697f466bf61280b7e996c9ea096d7ec371c31ea
https://git.kernel.org/stable/c/ea64c727f20123342020257cfa956fbfbd6d12ff
https://git.kernel.org/stable/c/bcd773969a87d9802053c0db5be84abd6594a024
https://git.kernel.org/stable/c/748d8f8698a2f48ffe32dd7b35dbab1810ed1f82
https://git.kernel.org/stable/c/2b3bdef089b920b4a19fefb4f4e6dda56a4bb583
https://git.kernel.org/stable/c/e934737e18ff069a66cd53cd7f7a0b34ae2c24fe
https://git.kernel.org/stable/c/d721b591b95cf3f290f8a7cbe90aa2ee0368388d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: handle case when repair happens with dev-replace [BUG] There is a bug report that a BUG_ON() in btrfs_repair_io_failure() (originally repair_io_failure() in v6.0 kernel) got triggered when replacing a unreliable disk: BTRFS warning (device sda1): csum failed root 257 ino 2397453 off 39624704 csum 0xb0d18c75 expected csum 0x4dae9c5e mirror 3 kernel BUG at fs/btrfs/extent_io.c:2380! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 9 PID: 3614331 Comm: kworker/u257:2 Tainted: G OE 6.0.0-5-amd64 #1 Debian 6.0.10-2 Hardware name: Micro-Star International Co., Ltd. MS-7C60/TRX40 PRO WIFI (MS-7C60), BIOS 2.70 07/01/2021 Workqueue: btrfs-endio btrfs_end_bio_work [btrfs] RIP: 0010:repair_io_failure+0x24a/0x260 [btrfs] Call Trace: <TASK> clean_io_failure+0x14d/0x180 [btrfs] end_bio_extent_readpage+0x412/0x6e0 [btrfs] ? __switch_to+0x106/0x420 process_one_work+0x1c7/0x380 worker_thread+0x4d/0x380 ? rescuer_thread+0x3a0/0x3a0 kthread+0xe9/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 [CAUSE] Before the BUG_ON(), we got some read errors from the replace target first, note the mirror number (3, which is beyond RAID1 duplication, thus it's read from the replace target device). Then at the BUG_ON() location, we are trying to writeback the repaired sectors back the failed device. The check looks like this: ret = btrfs_map_block(fs_info, BTRFS_MAP_WRITE, logical, &map_length, &bioc, mirror_num); if (ret) goto out_counter_dec; BUG_ON(mirror_num != bioc->mirror_num); But inside btrfs_map_block(), we can modify bioc->mirror_num especially for dev-replace: if (dev_replace_is_ongoing && mirror_num == map->num_stripes + 1 && !need_full_stripe(op) && dev_replace->tgtdev != NULL) { ret = get_extra_mirror_from_replace(fs_info, logical, *length, dev_replace->srcdev->devid, &mirror_num, &physical_to_patch_in_first_stripe); patch_the_first_stripe_for_dev_replace = 1; } Thus if we're repairing the replace target device, we're going to trigger that BUG_ON(). But in reality, the read failure from the replace target device may be that, our replace hasn't reached the range we're reading, thus we're reading garbage, but with replace running, the range would be properly filled later. Thus in that case, we don't need to do anything but let the replace routine to handle it. [FIX] Instead of a BUG_ON(), just skip the repair if we're repairing the device replace target device. 2025-12-30 not yet calculated CVE-2023-54180 https://git.kernel.org/stable/c/a7018b40b49c37fb55736499f790ec0d2b381ae4
https://git.kernel.org/stable/c/53e9d6851b56626885476a2966194ba994f8bb4b
https://git.kernel.org/stable/c/d73a27b86fc722c28a26ec64002e3a7dc86d1c07
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Fix issue in verifying allow_ptr_leaks After we converted the capabilities of our networking-bpf program from cap_sys_admin to cap_net_admin+cap_bpf, our networking-bpf program failed to start. Because it failed the bpf verifier, and the error log is "R3 pointer comparison prohibited". A simple reproducer as follows, SEC("cls-ingress") int ingress(struct __sk_buff *skb) { struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr); if ((long)(iph + 1) > (long)skb->data_end) return TC_ACT_STOLEN; return TC_ACT_OK; } Per discussion with Yonghong and Alexei [1], comparison of two packet pointers is not a pointer leak. This patch fixes it. Our local kernel is 6.1.y and we expect this fix to be backported to 6.1.y, so stable is CCed. [1]. https://lore.kernel.org/bpf/CAADnVQ+Nmspr7Si+pxWn8zkE7hX-7s93ugwC+94aXSy4uQ9vBg@mail.gmail.com/ 2025-12-30 not yet calculated CVE-2023-54181 https://git.kernel.org/stable/c/c96c67991aac6401b4c6996093bccb704bb2ea4b
https://git.kernel.org/stable/c/5927f0172d2809d8fc09c1ba667280b0387e9f73
https://git.kernel.org/stable/c/acfdc8b77016c8e648aadc283177546c88083dd3
https://git.kernel.org/stable/c/d75e30dddf73449bc2d10bb8e2f1a2c446bc67a2
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to check readonly condition correctly With below case, it can mount multi-device image w/ rw option, however one of secondary device is set as ro, later update will cause panic, so let's introduce f2fs_dev_is_readonly(), and check multi-devices rw status in f2fs_remount() w/ it in order to avoid such inconsistent mount status. mkfs.f2fs -c /dev/zram1 /dev/zram0 -f blockdev --setro /dev/zram1 mount -t f2fs dev/zram0 /mnt/f2fs mount: /mnt/f2fs: WARNING: source write-protected, mounted read-only. mount -t f2fs -o remount,rw mnt/f2fs dd if=/dev/zero of=/mnt/f2fs/file bs=1M count=8192 kernel BUG at fs/f2fs/inline.c:258! RIP: 0010:f2fs_write_inline_data+0x23e/0x2d0 [f2fs] Call Trace: f2fs_write_single_data_page+0x26b/0x9f0 [f2fs] f2fs_write_cache_pages+0x389/0xa60 [f2fs] __f2fs_write_data_pages+0x26b/0x2d0 [f2fs] f2fs_write_data_pages+0x2e/0x40 [f2fs] do_writepages+0xd3/0x1b0 __writeback_single_inode+0x5b/0x420 writeback_sb_inodes+0x236/0x5a0 __writeback_inodes_wb+0x56/0xf0 wb_writeback+0x2a3/0x490 wb_do_writeback+0x2b2/0x330 wb_workfn+0x6a/0x260 process_one_work+0x270/0x5e0 worker_thread+0x52/0x3e0 kthread+0xf4/0x120 ret_from_fork+0x29/0x50 2025-12-30 not yet calculated CVE-2023-54182 https://git.kernel.org/stable/c/e2759a59a4cc96af712084e9db7065c858c4fe9f
https://git.kernel.org/stable/c/e05d63f8b48aad4613bd582c945bee41e2dd7255
https://git.kernel.org/stable/c/da8c535b28696017e5d1532d12ea78e836432d9e
https://git.kernel.org/stable/c/d78dfefcde9d311284434560d69c0478c55a657e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: v4l2-core: Fix a potential resource leak in v4l2_fwnode_parse_link() If fwnode_graph_get_remote_endpoint() fails, 'fwnode' is known to be NULL, so fwnode_handle_put() is a no-op. Release the reference taken from a previous fwnode_graph_get_port_parent() call instead. Also handle fwnode_graph_get_port_parent() failures. In order to fix these issues, add an error handling path to the function and the needed gotos. 2025-12-30 not yet calculated CVE-2023-54183 https://git.kernel.org/stable/c/2342942331e1f034ff58f293e10d0d9b7581601f
https://git.kernel.org/stable/c/4bc5ffaf8ac4f3e7a1fcd10a0a0e7b022b694877
https://git.kernel.org/stable/c/d8a8f75fce049bdb3144b607deefe51e996b9660
https://git.kernel.org/stable/c/caf058833b6f3fe7beabf738110f79bb987c8fff
https://git.kernel.org/stable/c/25afb3e03bf8ab02567af4b6ffbfd6250a91a9f8
https://git.kernel.org/stable/c/ed1696f7f92e8404940d51dec80a123aa18163a8
https://git.kernel.org/stable/c/e8a1cd87bb9fa3149ee112ecb8058908dc9b520e
https://git.kernel.org/stable/c/d7b13edd4cb4bfa335b6008ab867ac28582d3e5c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsit: Free cmds before session free Commands from recovery entries are freed after session has been closed. That leads to use-after-free at command free or NPE with such call trace: Time2Retain timer expired for SID: 1, cleaning up iSCSI session. BUG: kernel NULL pointer dereference, address: 0000000000000140 RIP: 0010:sbitmap_queue_clear+0x3a/0xa0 Call Trace: target_release_cmd_kref+0xd1/0x1f0 [target_core_mod] transport_generic_free_cmd+0xd1/0x180 [target_core_mod] iscsit_free_cmd+0x53/0xd0 [iscsi_target_mod] iscsit_free_connection_recovery_entries+0x29d/0x320 [iscsi_target_mod] iscsit_close_session+0x13a/0x140 [iscsi_target_mod] iscsit_check_post_dataout+0x440/0x440 [iscsi_target_mod] call_timer_fn+0x24/0x140 Move cleanup of recovery enrties to before session freeing. 2025-12-30 not yet calculated CVE-2023-54184 https://git.kernel.org/stable/c/89f5055f9b0b57c7e7f02e32df95ef401f809b71
https://git.kernel.org/stable/c/4621e24c9257c6379343bf0c11b473817cf7edcd
https://git.kernel.org/stable/c/1911cca5916b6e106de7afa3ec0a38447158216c
https://git.kernel.org/stable/c/a7a4def6c7046e090bb10c6d550fdeb487db98ba
https://git.kernel.org/stable/c/4ce221d295f53e6c6b835ab33181e735482c9aac
https://git.kernel.org/stable/c/d8990b5a4d065f38f35d69bcd627ec5a7f8330ca
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: remove BUG_ON()'s in add_new_free_space() At add_new_free_space() we have these BUG_ON()'s that are there to deal with any failure to add free space to the in memory free space cache. Such failures are mostly -ENOMEM that should be very rare. However there's no need to have these BUG_ON()'s, we can just return any error to the caller and all callers and their upper call chain are already dealing with errors. So just make add_new_free_space() return any errors, while removing the BUG_ON()'s, and returning the total amount of added free space to an optional u64 pointer argument. 2025-12-30 not yet calculated CVE-2023-54185 https://git.kernel.org/stable/c/23e72231f8281505883514b23709076e234d4f27
https://git.kernel.org/stable/c/f775ceb0cb530e4a469b718fb2a24843071087f5
https://git.kernel.org/stable/c/d8ccbd21918fd7fa6ce3226cffc22c444228e8ad
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: usb: typec: altmodes/displayport: fix pin_assignment_show This patch fixes negative indexing of buf array in pin_assignment_show when get_current_pin_assignments returns 0 i.e. no compatible pin assignments are found. BUG: KASAN: use-after-free in pin_assignment_show+0x26c/0x33c ... Call trace: dump_backtrace+0x110/0x204 dump_stack_lvl+0x84/0xbc print_report+0x358/0x974 kasan_report+0x9c/0xfc __do_kernel_fault+0xd4/0x2d4 do_bad_area+0x48/0x168 do_tag_check_fault+0x24/0x38 do_mem_abort+0x6c/0x14c el1_abort+0x44/0x68 el1h_64_sync_handler+0x64/0xa4 el1h_64_sync+0x78/0x7c pin_assignment_show+0x26c/0x33c dev_attr_show+0x50/0xc0 2025-12-30 not yet calculated CVE-2023-54186 https://git.kernel.org/stable/c/0e61a7432fcd4bca06f05b7f1c7d7cb461880fe2
https://git.kernel.org/stable/c/4f9c0a7c272626cb6716ffc7800e8c73260cdce6
https://git.kernel.org/stable/c/ff466f77d0a56719979c4234abd412abd98eae8f
https://git.kernel.org/stable/c/fc0e18f95c88435bd8a1ceb540243cd7fbcd9781
https://git.kernel.org/stable/c/08bd1be1c716fd50a7df48f82dcbc59a103082b5
https://git.kernel.org/stable/c/54ee23e4ab263a495ace1eed43d3883212ece17f
https://git.kernel.org/stable/c/d8f28269dd4bf9b55c3fb376ae31512730a96fce
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: f2fs: fix potential corruption when moving a directory F2FS has the same issue in ext4_rename causing crash revealed by xfstests/generic/707. See also commit 0813299c586b ("ext4: Fix possible corruption when moving a directory") 2025-12-30 not yet calculated CVE-2023-54187 https://git.kernel.org/stable/c/3e77036246123ff710fa2661dcaa12a45284f09b
https://git.kernel.org/stable/c/957904f531fd857a92743b11fbc9c9ffdf7f3207
https://git.kernel.org/stable/c/8f57f3e112cf1d16682b6ff9c31c72f40f7da9c9
https://git.kernel.org/stable/c/8a0b544b7caedfbc05065b6377fd1d8bf7ef5e70
https://git.kernel.org/stable/c/f20191100952013f0916418cdaed0ab55c7b634c
https://git.kernel.org/stable/c/0a76082a4a32a90d1ef33dee8b400efc082b4b6f
https://git.kernel.org/stable/c/d94772154e524b329a168678836745d2773a6e02
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: dmaengine: apple-admac: Fix 'current_tx' not getting freed In terminate_all we should queue up all submitted descriptors to be freed. We do that for the content of the 'issued' and 'submitted' lists, but the 'current_tx' descriptor falls through the cracks as it's removed from the 'issued' list once it gets assigned to be the current descriptor. Explicitly queue up freeing of the 'current_tx' descriptor to address a memory leak that is otherwise present. 2025-12-30 not yet calculated CVE-2023-54188 https://git.kernel.org/stable/c/b7abd535881a48587961c2099b1d2933ebd42c4b
https://git.kernel.org/stable/c/fd4d88e68c75caf5c6f8293a36bc3ae289e0369e
https://git.kernel.org/stable/c/d9503be5a100c553731c0e8a82c7b4201e8a970c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: pstore/ram: Add check for kstrdup Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference. 2025-12-30 not yet calculated CVE-2023-54189 https://git.kernel.org/stable/c/8430a8e8e85420d4cb51dcb08b0278ab194ea82f
https://git.kernel.org/stable/c/a14cb307267ba7a1715403e071bdc4deda77eef5
https://git.kernel.org/stable/c/38a9d7dac3ad25323145b4aaea3b5f434f50011d
https://git.kernel.org/stable/c/f57ba91a46d3fc52bfdac9cca5cf5572ec7afd6d
https://git.kernel.org/stable/c/2a764a2facd9dd88a69777200f65dfd0182765dc
https://git.kernel.org/stable/c/065c81ae5817b245bb9feb6d54e027702740b49a
https://git.kernel.org/stable/c/d97038d5ec2062733c1e016caf9baaf68cf64ea1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: leds: led-core: Fix refcount leak in of_led_get() class_find_device_by_of_node() calls class_find_device(), it will take the reference, use the put_device() to drop the reference when not need anymore. 2025-12-30 not yet calculated CVE-2023-54190 https://git.kernel.org/stable/c/1d6101d9222e1ca8c01b3fa9ebf0dcf7bcd82564
https://git.kernel.org/stable/c/690efcb5827c3bacbf1de90cd14907b91bf8cb7b
https://git.kernel.org/stable/c/d880981b82223f9bf128dfdd2424abb0c658f345
https://git.kernel.org/stable/c/ddf3e82164afd9381b1d52c9f00b3878f7b6d308
https://git.kernel.org/stable/c/da1afe8e6099980fe1e2fd7436dca284af9d3f29
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: fix memory leak in mt7996_mcu_exit Always purge mcu skb queues in mt7996_mcu_exit routine even if mt7996_firmware_state fails. 2025-12-30 not yet calculated CVE-2023-54191 https://git.kernel.org/stable/c/b539d35e13e5d6b3dca76271261106b2356aa64c
https://git.kernel.org/stable/c/da5b4d93e141b52c5a71d0c41a042d1bcaf70d2e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: f2fs: fix null pointer panic in tracepoint in __replace_atomic_write_block We got a kernel panic if old_addr is NULL. https://bugzilla.kernel.org/show_bug.cgi?id=217266 BUG: kernel NULL pointer dereference, address: 0000000000000000 Call Trace: <TASK> f2fs_commit_atomic_write+0x619/0x990 [f2fs a1b985b80f5babd6f3ea778384908880812bfa43] __f2fs_ioctl+0xd8e/0x4080 [f2fs a1b985b80f5babd6f3ea778384908880812bfa43] ? vfs_write+0x2ae/0x3f0 ? vfs_write+0x2ae/0x3f0 __x64_sys_ioctl+0x91/0xd0 do_syscall_64+0x5c/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7f69095fe53f 2025-12-30 not yet calculated CVE-2023-54192 https://git.kernel.org/stable/c/424f8cdc0ad29e4940be96dcc0b935ba497adeda
https://git.kernel.org/stable/c/1424358cd66c49460493293497b54cb72e0213cc
https://git.kernel.org/stable/c/e2bbefc1741cb0732c13652be173da02f25611d1
https://git.kernel.org/stable/c/da6ea0b050fa720302b56fbb59307e7c7531a342
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_api: remove block_cb from driver_list before freeing Error handler of tcf_block_bind() frees the whole bo->cb_list on error. However, by that time the flow_block_cb instances are already in the driver list because driver ndo_setup_tc() callback is called before that up the call chain in tcf_block_offload_cmd(). This leaves dangling pointers to freed objects in the list and causes use-after-free[0]. Fix it by also removing flow_block_cb instances from driver_list before deallocating them. [0]: [ 279.868433] ================================================================== [ 279.869964] BUG: KASAN: slab-use-after-free in flow_block_cb_setup_simple+0x631/0x7c0 [ 279.871527] Read of size 8 at addr ffff888147e2bf20 by task tc/2963 [ 279.873151] CPU: 6 PID: 2963 Comm: tc Not tainted 6.3.0-rc6+ #4 [ 279.874273] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 279.876295] Call Trace: [ 279.876882] <TASK> [ 279.877413] dump_stack_lvl+0x33/0x50 [ 279.878198] print_report+0xc2/0x610 [ 279.878987] ? flow_block_cb_setup_simple+0x631/0x7c0 [ 279.879994] kasan_report+0xae/0xe0 [ 279.880750] ? flow_block_cb_setup_simple+0x631/0x7c0 [ 279.881744] ? mlx5e_tc_reoffload_flows_work+0x240/0x240 [mlx5_core] [ 279.883047] flow_block_cb_setup_simple+0x631/0x7c0 [ 279.884027] tcf_block_offload_cmd.isra.0+0x189/0x2d0 [ 279.885037] ? tcf_block_setup+0x6b0/0x6b0 [ 279.885901] ? mutex_lock+0x7d/0xd0 [ 279.886669] ? __mutex_unlock_slowpath.constprop.0+0x2d0/0x2d0 [ 279.887844] ? ingress_init+0x1c0/0x1c0 [sch_ingress] [ 279.888846] tcf_block_get_ext+0x61c/0x1200 [ 279.889711] ingress_init+0x112/0x1c0 [sch_ingress] [ 279.890682] ? clsact_init+0x2b0/0x2b0 [sch_ingress] [ 279.891701] qdisc_create+0x401/0xea0 [ 279.892485] ? qdisc_tree_reduce_backlog+0x470/0x470 [ 279.893473] tc_modify_qdisc+0x6f7/0x16d0 [ 279.894344] ? tc_get_qdisc+0xac0/0xac0 [ 279.895213] ? mutex_lock+0x7d/0xd0 [ 279.896005] ? __mutex_lock_slowpath+0x10/0x10 [ 279.896910] rtnetlink_rcv_msg+0x5fe/0x9d0 [ 279.897770] ? rtnl_calcit.isra.0+0x2b0/0x2b0 [ 279.898672] ? __sys_sendmsg+0xb5/0x140 [ 279.899494] ? do_syscall_64+0x3d/0x90 [ 279.900302] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 279.901337] ? kasan_save_stack+0x2e/0x40 [ 279.902177] ? kasan_save_stack+0x1e/0x40 [ 279.903058] ? kasan_set_track+0x21/0x30 [ 279.903913] ? kasan_save_free_info+0x2a/0x40 [ 279.904836] ? ____kasan_slab_free+0x11a/0x1b0 [ 279.905741] ? kmem_cache_free+0x179/0x400 [ 279.906599] netlink_rcv_skb+0x12c/0x360 [ 279.907450] ? rtnl_calcit.isra.0+0x2b0/0x2b0 [ 279.908360] ? netlink_ack+0x1550/0x1550 [ 279.909192] ? rhashtable_walk_peek+0x170/0x170 [ 279.910135] ? kmem_cache_alloc_node+0x1af/0x390 [ 279.911086] ? _copy_from_iter+0x3d6/0xc70 [ 279.912031] netlink_unicast+0x553/0x790 [ 279.912864] ? netlink_attachskb+0x6a0/0x6a0 [ 279.913763] ? netlink_recvmsg+0x416/0xb50 [ 279.914627] netlink_sendmsg+0x7a1/0xcb0 [ 279.915473] ? netlink_unicast+0x790/0x790 [ 279.916334] ? iovec_from_user.part.0+0x4d/0x220 [ 279.917293] ? netlink_unicast+0x790/0x790 [ 279.918159] sock_sendmsg+0xc5/0x190 [ 279.918938] ____sys_sendmsg+0x535/0x6b0 [ 279.919813] ? import_iovec+0x7/0x10 [ 279.920601] ? kernel_sendmsg+0x30/0x30 [ 279.921423] ? __copy_msghdr+0x3c0/0x3c0 [ 279.922254] ? import_iovec+0x7/0x10 [ 279.923041] ___sys_sendmsg+0xeb/0x170 [ 279.923854] ? copy_msghdr_from_user+0x110/0x110 [ 279.924797] ? ___sys_recvmsg+0xd9/0x130 [ 279.925630] ? __perf_event_task_sched_in+0x183/0x470 [ 279.926656] ? ___sys_sendmsg+0x170/0x170 [ 279.927529] ? ctx_sched_in+0x530/0x530 [ 279.928369] ? update_curr+0x283/0x4f0 [ 279.929185] ? perf_event_update_userpage+0x570/0x570 [ 279.930201] ? __fget_light+0x57/0x520 [ 279.931023] ? __switch_to+0x53d/0xe70 [ 27 ---truncated--- 2025-12-30 not yet calculated CVE-2023-54193 https://git.kernel.org/stable/c/cc5fe387c6294d0471cb7ed064efac97fac65ccc
https://git.kernel.org/stable/c/7311c8be3755611bf6edea4dfbeb190b4bdd489f
https://git.kernel.org/stable/c/cb145932fcf6814e7e95e467eb70e7849a845ae9
https://git.kernel.org/stable/c/55866fe3fded3ce94ac3fc1bb3dfce654282f483
https://git.kernel.org/stable/c/26aec72429a05e917d574eca0efc5306c63a8862
https://git.kernel.org/stable/c/7b7a74ed303d532fb73ae4b1697f16a0fea89cd0
https://git.kernel.org/stable/c/da94a7781fc3c92e7df7832bc2746f4d39bc624e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: exfat: use kvmalloc_array/kvfree instead of kmalloc_array/kfree The call stack shown below is a scenario in the Linux 4.19 kernel. Allocating memory failed where exfat fs use kmalloc_array due to system memory fragmentation, while the u-disk was inserted without recognition. Devices such as u-disk using the exfat file system are pluggable and may be insert into the system at any time. However, long-term running systems cannot guarantee the continuity of physical memory. Therefore, it's necessary to address this issue. Binder:2632_6: page allocation failure: order:4, mode:0x6040c0(GFP_KERNEL|__GFP_COMP), nodemask=(null) Call trace: [242178.097582] dump_backtrace+0x0/0x4 [242178.097589] dump_stack+0xf4/0x134 [242178.097598] warn_alloc+0xd8/0x144 [242178.097603] __alloc_pages_nodemask+0x1364/0x1384 [242178.097608] kmalloc_order+0x2c/0x510 [242178.097612] kmalloc_order_trace+0x40/0x16c [242178.097618] __kmalloc+0x360/0x408 [242178.097624] load_alloc_bitmap+0x160/0x284 [242178.097628] exfat_fill_super+0xa3c/0xe7c [242178.097635] mount_bdev+0x2e8/0x3a0 [242178.097638] exfat_fs_mount+0x40/0x50 [242178.097643] mount_fs+0x138/0x2e8 [242178.097649] vfs_kern_mount+0x90/0x270 [242178.097655] do_mount+0x798/0x173c [242178.097659] ksys_mount+0x114/0x1ac [242178.097665] __arm64_sys_mount+0x24/0x34 [242178.097671] el0_svc_common+0xb8/0x1b8 [242178.097676] el0_svc_handler+0x74/0x90 [242178.097681] el0_svc+0x8/0x340 By analyzing the exfat code,we found that continuous physical memory is not required here,so kvmalloc_array is used can solve this problem. 2025-12-30 not yet calculated CVE-2023-54194 https://git.kernel.org/stable/c/79d16a84ea41272dfcb0c00f9798ddd0edd8098d
https://git.kernel.org/stable/c/8a34a242cf03211cc89f68308d149b793f63c479
https://git.kernel.org/stable/c/1427a7e96fb90d0896f74f5bcd21feb03cc7c3d0
https://git.kernel.org/stable/c/0c5c3e8a2550b6b2a304b45f260296db9c09df96
https://git.kernel.org/stable/c/daf60d6cca26e50d65dac374db92e58de745ad26
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix timeout of a call that hasn't yet been granted a channel afs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may get stalled in the background waiting for a connection to become available); it then calls rxrpc_kernel_set_max_life() to set the timeouts - but that starts the call timer so the call timer might then expire before we get a connection assigned - leading to the following oops if the call stalled: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... CPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701 RIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157 ... Call Trace: <TASK> rxrpc_send_ACK+0x50/0x13b rxrpc_input_call_event+0x16a/0x67d rxrpc_io_thread+0x1b6/0x45f ? _raw_spin_unlock_irqrestore+0x1f/0x35 ? rxrpc_input_packet+0x519/0x519 kthread+0xe7/0xef ? kthread_complete_and_exit+0x1b/0x1b ret_from_fork+0x22/0x30 Fix this by noting the timeouts in struct rxrpc_call when the call is created. The timer will be started when the first packet is transmitted. It shouldn't be possible to trigger this directly from userspace through AF_RXRPC as sendmsg() will return EBUSY if the call is in the waiting-for-conn state if it dropped out of the wait due to a signal. 2025-12-30 not yet calculated CVE-2023-54195 https://git.kernel.org/stable/c/92128a7170a220b5126d09a1c1954a3a8d46cef3
https://git.kernel.org/stable/c/72f4a9f3f447948cf86dffe1c4a4c8a429ab9666
https://git.kernel.org/stable/c/db099c625b13a74d462521a46d98a8ce5b53af5d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix NULL pointer dereference in 'ni_write_inode' Syzbot found the following issue: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000016 Mem abort info: ESR = 0x0000000096000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af56000 [0000000000000016] pgd=08000001090da003, p4d=08000001090da003, pud=08000001090ce003, pmd=0000000000000000 Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP Modules linked in: CPU: 1 PID: 3036 Comm: syz-executor206 Not tainted 6.0.0-rc6-syzkaller-17739-g16c9f284e746 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : is_rec_inuse fs/ntfs3/ntfs.h:313 [inline] pc : ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232 lr : ni_write_inode+0xa0/0x798 fs/ntfs3/frecord.c:3226 sp : ffff8000126c3800 x29: ffff8000126c3860 x28: 0000000000000000 x27: ffff0000c8b02000 x26: ffff0000c7502320 x25: ffff0000c7502288 x24: 0000000000000000 x23: ffff80000cbec91c x22: ffff0000c8b03000 x21: ffff0000c8b02000 x20: 0000000000000001 x19: ffff0000c75024d8 x18: 00000000000000c0 x17: ffff80000dd1b198 x16: ffff80000db59158 x15: ffff0000c4b6b500 x14: 00000000000000b8 x13: 0000000000000000 x12: ffff0000c4b6b500 x11: ff80800008be1b60 x10: 0000000000000000 x9 : ffff0000c4b6b500 x8 : 0000000000000000 x7 : ffff800008be1b50 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000 Call trace: is_rec_inuse fs/ntfs3/ntfs.h:313 [inline] ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232 ntfs_evict_inode+0x54/0x84 fs/ntfs3/inode.c:1744 evict+0xec/0x334 fs/inode.c:665 iput_final fs/inode.c:1748 [inline] iput+0x2c4/0x324 fs/inode.c:1774 ntfs_new_inode+0x7c/0xe0 fs/ntfs3/fsntfs.c:1660 ntfs_create_inode+0x20c/0xe78 fs/ntfs3/inode.c:1278 ntfs_create+0x54/0x74 fs/ntfs3/namei.c:100 lookup_open fs/namei.c:3413 [inline] open_last_lookups fs/namei.c:3481 [inline] path_openat+0x804/0x11c4 fs/namei.c:3688 do_filp_open+0xdc/0x1b8 fs/namei.c:3718 do_sys_openat2+0xb8/0x22c fs/open.c:1311 do_sys_open fs/open.c:1327 [inline] __do_sys_openat fs/open.c:1343 [inline] __se_sys_openat fs/open.c:1338 [inline] __arm64_sys_openat+0xb0/0xe0 fs/open.c:1338 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall arch/arm64/kernel/syscall.c:52 [inline] el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654 el0t_64_sync+0x18c/0x190 Code: 97dafee4 340001b4 f9401328 2a1f03e0 (79402d14) ---[ end trace 0000000000000000 ]--- Above issue may happens as follows: ntfs_new_inode mi_init mi->mrec = kmalloc(sbi->record_size, GFP_NOFS); -->failed to allocate memory if (!mi->mrec) return -ENOMEM; iput iput_final evict ntfs_evict_inode ni_write_inode is_rec_inuse(ni->mi.mrec)-> As 'ni->mi.mrec' is NULL trigger NULL-ptr-deref To solve above issue if new inode failed make inode bad before call 'iput()' in 'ntfs_new_inode()'. 2025-12-30 not yet calculated CVE-2023-54196 https://git.kernel.org/stable/c/6d3d3283e6b4fb3f3ee05dac30ee1461930b8103
https://git.kernel.org/stable/c/329fc4d3f73d865b25f2ee4eafafb040ace37ad5
https://git.kernel.org/stable/c/1c5cffe0d662fb2de7b63176c2582abb69b5f538
https://git.kernel.org/stable/c/db2a3cc6a3481076da6344cc62a80a4e2525f36f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work" This reverts commit 1e9ac114c4428fdb7ff4635b45d4f46017e8916f. This patch introduces a possible null-ptr-def problem. Revert it. And the fixed bug by this patch have resolved by commit 73f7b171b7c0 ("Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition"). 2025-12-30 not yet calculated CVE-2023-54197 https://git.kernel.org/stable/c/3b4ed52009723f7dfca7a8ca95163bfb441bfb76
https://git.kernel.org/stable/c/70a104588e3131415e559c06deb834ce259a285a
https://git.kernel.org/stable/c/de0ffb5145c9f418ad76f00e58d4b91c680410b2
https://git.kernel.org/stable/c/0837d10f6c37a47a0c73bccf1e39513613a2fcc2
https://git.kernel.org/stable/c/a789192f366147a0fbb395650079906d1d04e0b9
https://git.kernel.org/stable/c/952030c914b5f2288609efe868537afcff7a3f51
https://git.kernel.org/stable/c/8f83fa62614c282dd5d1211a0dd99c6a0a515b81
https://git.kernel.org/stable/c/d8d7ce037d9a8f1f0714ece268c4c2c50845bbc3
https://git.kernel.org/stable/c/db2bf510bd5d57f064d9e1db395ed86a08320c54
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: tty: fix out-of-bounds access in tty_driver_lookup_tty() When specifying an invalid console= device like console=tty3270, tty_driver_lookup_tty() returns the tty struct without checking whether index is a valid number. To reproduce: qemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio \ -kernel ../linux-build-x86/arch/x86/boot/bzImage \ -append "console=ttyS0 console=tty3270" This crashes with: [ 0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef [ 0.771265] #PF: supervisor read access in kernel mode [ 0.771773] #PF: error_code(0x0000) - not-present page [ 0.772609] Oops: 0000 [#1] PREEMPT SMP PTI [ 0.774878] RIP: 0010:tty_open+0x268/0x6f0 [ 0.784013] chrdev_open+0xbd/0x230 [ 0.784444] ? cdev_device_add+0x80/0x80 [ 0.784920] do_dentry_open+0x1e0/0x410 [ 0.785389] path_openat+0xca9/0x1050 [ 0.785813] do_filp_open+0xaa/0x150 [ 0.786240] file_open_name+0x133/0x1b0 [ 0.786746] filp_open+0x27/0x50 [ 0.787244] console_on_rootfs+0x14/0x4d [ 0.787800] kernel_init_freeable+0x1e4/0x20d [ 0.788383] ? rest_init+0xc0/0xc0 [ 0.788881] kernel_init+0x11/0x120 [ 0.789356] ret_from_fork+0x22/0x30 2025-12-30 not yet calculated CVE-2023-54198 https://git.kernel.org/stable/c/3df6f492f500a16c231f07ccc6f6ed1302caddf9
https://git.kernel.org/stable/c/b79109d6470aaae7062998353e3a19449055829d
https://git.kernel.org/stable/c/953a4a352a0c185460ae1449e4c6e6658e55fdfc
https://git.kernel.org/stable/c/84ea44dc3e4ecb2632586238014bf6722aa5843b
https://git.kernel.org/stable/c/f9d9d25ad1f0d060eaf297a2f7f03b5855a45561
https://git.kernel.org/stable/c/765566110eb0da3cf60198b0165ecceeaafa6444
https://git.kernel.org/stable/c/fcfeaa570f7a5c2d5f4f14931909531ff18b7fde
https://git.kernel.org/stable/c/db4df8e9d79e7d37732c1a1b560958e8dadfefa1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/msm/adreno: Fix null ptr access in adreno_gpu_cleanup() Fix the below kernel panic due to null pointer access: [ 18.504431] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000048 [ 18.513464] Mem abort info: [ 18.516346] ESR = 0x0000000096000005 [ 18.520204] EC = 0x25: DABT (current EL), IL = 32 bits [ 18.525706] SET = 0, FnV = 0 [ 18.528878] EA = 0, S1PTW = 0 [ 18.532117] FSC = 0x05: level 1 translation fault [ 18.537138] Data abort info: [ 18.540110] ISV = 0, ISS = 0x00000005 [ 18.544060] CM = 0, WnR = 0 [ 18.547109] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000112826000 [ 18.553738] [0000000000000048] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 18.562690] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP **Snip** [ 18.696758] Call trace: [ 18.699278] adreno_gpu_cleanup+0x30/0x88 [ 18.703396] a6xx_destroy+0xc0/0x130 [ 18.707066] a6xx_gpu_init+0x308/0x424 [ 18.710921] adreno_bind+0x178/0x288 [ 18.714590] component_bind_all+0xe0/0x214 [ 18.718797] msm_drm_bind+0x1d4/0x614 [ 18.722566] try_to_bring_up_aggregate_device+0x16c/0x1b8 [ 18.728105] __component_add+0xa0/0x158 [ 18.732048] component_add+0x20/0x2c [ 18.735719] adreno_probe+0x40/0xc0 [ 18.739300] platform_probe+0xb4/0xd4 [ 18.743068] really_probe+0xfc/0x284 [ 18.746738] __driver_probe_device+0xc0/0xec [ 18.751129] driver_probe_device+0x48/0x110 [ 18.755421] __device_attach_driver+0xa8/0xd0 [ 18.759900] bus_for_each_drv+0x90/0xdc [ 18.763843] __device_attach+0xfc/0x174 [ 18.767786] device_initial_probe+0x20/0x2c [ 18.772090] bus_probe_device+0x40/0xa0 [ 18.776032] deferred_probe_work_func+0x94/0xd0 [ 18.780686] process_one_work+0x190/0x3d0 [ 18.784805] worker_thread+0x280/0x3d4 [ 18.788659] kthread+0x104/0x1c0 [ 18.791981] ret_from_fork+0x10/0x20 [ 18.795654] Code: f9400408 aa0003f3 aa1f03f4 91142015 (f9402516) [ 18.801913] ---[ end trace 0000000000000000 ]--- [ 18.809039] Kernel panic - not syncing: Oops: Fatal exception Patchwork: https://patchwork.freedesktop.org/patch/515605/ 2025-12-30 not yet calculated CVE-2023-54199 https://git.kernel.org/stable/c/65a8b6d129cfcf63a2b8a36a63d275479ba6a217
https://git.kernel.org/stable/c/b26bd7791f3cdf3c3318162b1d40c9d1910facca
https://git.kernel.org/stable/c/399d01375659c273fb6ad9ccfb6e92bc5b891e0d
https://git.kernel.org/stable/c/7af606b9eb11d6cdf767cabbddc326e20d0d4702
https://git.kernel.org/stable/c/5fef23c1c0edceb44d16e64e7818f27d48b5bc38
https://git.kernel.org/stable/c/dbeedbcb268d055d8895aceca427f897e12c2b50
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: always release netdev hooks from notifier This reverts "netfilter: nf_tables: skip netdev events generated on netns removal". The problem is that when a veth device is released, the veth release callback will also queue the peer netns device for removal. Its possible that the peer netns is also slated for removal. In this case, the device memory is already released before the pre_exit hook of the peer netns runs: BUG: KASAN: slab-use-after-free in nf_hook_entry_head+0x1b8/0x1d0 Read of size 8 at addr ffff88812c0124f0 by task kworker/u8:1/45 Workqueue: netns cleanup_net Call Trace: nf_hook_entry_head+0x1b8/0x1d0 __nf_unregister_net_hook+0x76/0x510 nft_netdev_unregister_hooks+0xa0/0x220 __nft_release_hook+0x184/0x490 nf_tables_pre_exit_net+0x12f/0x1b0 .. Order is: 1. First netns is released, veth_dellink() queues peer netns device for removal 2. peer netns is queued for removal 3. peer netns device is released, unreg event is triggered 4. unreg event is ignored because netns is going down 5. pre_exit hook calls nft_netdev_unregister_hooks but device memory might be free'd already. 2025-12-30 not yet calculated CVE-2023-54200 https://git.kernel.org/stable/c/8d56f00c61f67b450fbbdcb874855e60ad92c560
https://git.kernel.org/stable/c/30e4b13b1bfbdf3bf3b27036d8209ea1b9f0d880
https://git.kernel.org/stable/c/94032527efbac13be702c76afb9d872c0cca7a43
https://git.kernel.org/stable/c/dc1c9fd4a8bbe1e06add9053010b652449bfe411
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/efa: Fix wrong resources deallocation order When trying to destroy QP or CQ, we first decrease the refcount and potentially free memory regions allocated for the object and then request the device to destroy the object. If the device fails, the object isn't fully destroyed so the user/IB core can try to destroy the object again which will lead to underflow when trying to decrease an already zeroed refcount. Deallocate resources in reverse order of allocating them to safely free them. 2025-12-30 not yet calculated CVE-2023-54201 https://git.kernel.org/stable/c/cf38960386f3cc4abf395e556af915e4babcafd2
https://git.kernel.org/stable/c/e79db2f51a564fd4daa3e508b987df5e81c34b20
https://git.kernel.org/stable/c/24f9884971f9b34915b67baacf7350a3f6f19ea4
https://git.kernel.org/stable/c/dc202c57e9a1423aed528e4b8dc949509cd32191
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/i915: fix race condition UAF in i915_perf_add_config_ioctl Userspace can guess the id value and try to race oa_config object creation with config remove, resulting in a use-after-free if we dereference the object after unlocking the metrics_lock. For that reason, unlocking the metrics_lock must be done after we are done dereferencing the object. [tursulin: Manually added stable tag.] (cherry picked from commit 49f6f6483b652108bcb73accd0204a464b922395) 2025-12-30 not yet calculated CVE-2023-54202 https://git.kernel.org/stable/c/6eeb1cba4c9dc47656ea328afa34953c28783d8c
https://git.kernel.org/stable/c/240b1502708858b5e3f10b6dc5ca3f148a322fef
https://git.kernel.org/stable/c/7eb98f5ac551863efe8be810cea1cd5411d677b1
https://git.kernel.org/stable/c/dc30c011469165d57af9adac5baff7d767d20e5c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix slab-out-of-bounds in init_smb2_rsp_hdr When smb1 mount fails, KASAN detect slab-out-of-bounds in init_smb2_rsp_hdr like the following one. For smb1 negotiate(56bytes) , init_smb2_rsp_hdr() for smb2 is called. The issue occurs while handling smb1 negotiate as smb2 server operations. Add smb server operations for smb1 (get_cmd_val, init_rsp_hdr, allocate_rsp_buf, check_user_session) to handle smb1 negotiate so that smb2 server operation does not handle it. [ 411.400423] CIFS: VFS: Use of the less secure dialect vers=1.0 is not recommended unless required for access to very old servers [ 411.400452] CIFS: Attempting to mount \\192.168.45.139\homes [ 411.479312] ksmbd: init_smb2_rsp_hdr : 492 [ 411.479323] ================================================================== [ 411.479327] BUG: KASAN: slab-out-of-bounds in init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] [ 411.479369] Read of size 16 at addr ffff888488ed0734 by task kworker/14:1/199 [ 411.479379] CPU: 14 PID: 199 Comm: kworker/14:1 Tainted: G OE 6.1.21 #3 [ 411.479386] Hardware name: ASUSTeK COMPUTER INC. Z10PA-D8 Series/Z10PA-D8 Series, BIOS 3801 08/23/2019 [ 411.479390] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] [ 411.479425] Call Trace: [ 411.479428] <TASK> [ 411.479432] dump_stack_lvl+0x49/0x63 [ 411.479444] print_report+0x171/0x4a8 [ 411.479452] ? kasan_complete_mode_report_info+0x3c/0x200 [ 411.479463] ? init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] [ 411.479497] kasan_report+0xb4/0x130 [ 411.479503] ? init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] [ 411.479537] kasan_check_range+0x149/0x1e0 [ 411.479543] memcpy+0x24/0x70 [ 411.479550] init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] [ 411.479585] handle_ksmbd_work+0x109/0x760 [ksmbd] [ 411.479616] ? _raw_spin_unlock_irqrestore+0x50/0x50 [ 411.479624] ? smb3_encrypt_resp+0x340/0x340 [ksmbd] [ 411.479656] process_one_work+0x49c/0x790 [ 411.479667] worker_thread+0x2b1/0x6e0 [ 411.479674] ? process_one_work+0x790/0x790 [ 411.479680] kthread+0x177/0x1b0 [ 411.479686] ? kthread_complete_and_exit+0x30/0x30 [ 411.479692] ret_from_fork+0x22/0x30 [ 411.479702] </TASK> 2025-12-30 not yet calculated CVE-2023-54203 https://git.kernel.org/stable/c/921536046bd165efeb07beef5630aff35cd6a489
https://git.kernel.org/stable/c/a8334a0c535d0f0b4d64926c8fe0922ed98f7d43
https://git.kernel.org/stable/c/99a51c673b1d2d0b5a972353401b77612d9cc713
https://git.kernel.org/stable/c/dc8289f912387c3bcfbc5d2db29c8947fa207c11
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mmc: sunplus: fix return value check of mmc_add_host() mmc_add_host() may return error, if we ignore its return value, 1. the memory allocated in mmc_alloc_host() will be leaked 2. null-ptr-deref will happen when calling mmc_remove_host() in remove function spmmc_drv_remove() because deleting not added device. Fix this by checking the return value of mmc_add_host(). Moreover, I fixed the error handling path of spmmc_drv_probe() to clean up. 2025-12-30 not yet calculated CVE-2023-54204 https://git.kernel.org/stable/c/741a951f41929f39cae70c66d86d0754d3129d0a
https://git.kernel.org/stable/c/dce6d8f985fa1ef5c2af47f4f86ea65511b78656
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: pinctrl: stm32: Fix refcount leak in stm32_pctrl_get_irq_domain of_irq_find_parent() returns a node pointer with refcount incremented, We should use of_node_put() on it when not needed anymore. Add missing of_node_put() to avoid refcount leak. 2025-12-30 not yet calculated CVE-2023-54205 https://git.kernel.org/stable/c/95ab6d7905ebb52dc2ed6357c38e536753824068
https://git.kernel.org/stable/c/8ab860dd8717a7e4a143988885fea0d7e5a9412e
https://git.kernel.org/stable/c/af54707c0ccab52b3d532402436ea101011a9299
https://git.kernel.org/stable/c/601be03fa8b81747a154bdef9b559411a5b921e8
https://git.kernel.org/stable/c/9ae053d1eb87875d56f95b6a123a69827225a70e
https://git.kernel.org/stable/c/dcef18c8ac40aa85bb339f64c1dd31dd458b06fb
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: fix filter idr initialization The cited commit moved idr initialization too early in fl_change() which allows concurrent users to access the filter that is still being initialized and is in inconsistent state, which, in turn, can cause NULL pointer dereference [0]. Since there is no obvious way to fix the ordering without reverting the whole cited commit, alternative approach taken to first insert NULL pointer into idr in order to allocate the handle but still cause fl_get() to return NULL and prevent concurrent users from seeing the filter while providing miss-to-action infrastructure with valid handle id early in fl_change(). [ 152.434728] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN [ 152.436163] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 152.437269] CPU: 4 PID: 3877 Comm: tc Not tainted 6.3.0-rc4+ #5 [ 152.438110] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 152.439644] RIP: 0010:fl_dump_key+0x8b/0x1d10 [cls_flower] [ 152.440461] Code: 01 f2 02 f2 c7 40 08 04 f2 04 f2 c7 40 0c 04 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 84 24 00 01 00 00 48 89 c8 48 c1 e8 03 <0f> b6 04 10 84 c0 74 08 3c 03 0f 8e 98 19 00 00 8b 13 85 d2 74 57 [ 152.442885] RSP: 0018:ffff88817a28f158 EFLAGS: 00010246 [ 152.443851] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 152.444826] RDX: dffffc0000000000 RSI: ffffffff8500ae80 RDI: ffff88810a987900 [ 152.445791] RBP: ffff888179d88240 R08: ffff888179d8845c R09: ffff888179d88240 [ 152.446780] R10: ffffed102f451e48 R11: 00000000fffffff2 R12: ffff88810a987900 [ 152.447741] R13: ffffffff8500ae80 R14: ffff88810a987900 R15: ffff888149b3c738 [ 152.448756] FS: 00007f5eb2a34800(0000) GS:ffff88881ec00000(0000) knlGS:0000000000000000 [ 152.449888] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 152.450685] CR2: 000000000046ad19 CR3: 000000010b0bd006 CR4: 0000000000370ea0 [ 152.451641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 152.452628] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 152.453588] Call Trace: [ 152.454032] <TASK> [ 152.454447] ? netlink_sendmsg+0x7a1/0xcb0 [ 152.455109] ? sock_sendmsg+0xc5/0x190 [ 152.455689] ? ____sys_sendmsg+0x535/0x6b0 [ 152.456320] ? ___sys_sendmsg+0xeb/0x170 [ 152.456916] ? do_syscall_64+0x3d/0x90 [ 152.457529] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 152.458321] ? ___sys_sendmsg+0xeb/0x170 [ 152.458958] ? __sys_sendmsg+0xb5/0x140 [ 152.459564] ? do_syscall_64+0x3d/0x90 [ 152.460122] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 152.460852] ? fl_dump_key_options.part.0+0xea0/0xea0 [cls_flower] [ 152.461710] ? _raw_spin_lock+0x7a/0xd0 [ 152.462299] ? _raw_read_lock_irq+0x30/0x30 [ 152.462924] ? nla_put+0x15e/0x1c0 [ 152.463480] fl_dump+0x228/0x650 [cls_flower] [ 152.464112] ? fl_tmplt_dump+0x210/0x210 [cls_flower] [ 152.464854] ? __kmem_cache_alloc_node+0x1a7/0x330 [ 152.465592] ? nla_put+0x15e/0x1c0 [ 152.466160] tcf_fill_node+0x515/0x9a0 [ 152.466766] ? tc_setup_offload_action+0xf0/0xf0 [ 152.467463] ? __alloc_skb+0x13c/0x2a0 [ 152.468067] ? __build_skb_around+0x330/0x330 [ 152.468814] ? fl_get+0x107/0x1a0 [cls_flower] [ 152.469503] tc_del_tfilter+0x718/0x1330 [ 152.470115] ? is_bpf_text_address+0xa/0x20 [ 152.470765] ? tc_ctl_chain+0xee0/0xee0 [ 152.471335] ? __kernel_text_address+0xe/0x30 [ 152.471948] ? unwind_get_return_address+0x56/0xa0 [ 152.472639] ? __thaw_task+0x150/0x150 [ 152.473218] ? arch_stack_walk+0x98/0xf0 [ 152.473839] ? __stack_depot_save+0x35/0x4c0 [ 152.474501] ? stack_trace_save+0x91/0xc0 [ 152.475119] ? security_capable+0x51/0x90 [ 152.475741] rtnetlink_rcv_msg+0x2c1/0x9d0 [ 152.476387] ? rtnl_calcit.isra.0+0x2b0/0x2b0 [ 152.477042] ---truncated--- 2025-12-30 not yet calculated CVE-2023-54206 https://git.kernel.org/stable/c/253a3a324e0ebc2825de76a0f5f17b8383b2023d
https://git.kernel.org/stable/c/dd4f6bbfa646f258e5bcdfac57a5c413d687f588
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: HID: uclogic: Correct devm device reference for hidinput input_dev name Reference the HID device rather than the input device for the devm allocation of the input_dev name. Referencing the input_dev would lead to a use-after-free when the input_dev was unregistered and subsequently fires a uevent that depends on the name. At the point of firing the uevent, the name would be freed by devres management. Use devm_kasprintf to simplify the logic for allocating memory and formatting the input_dev name string. 2025-12-30 not yet calculated CVE-2023-54207 https://git.kernel.org/stable/c/f283805d984343b2f216e2f4c6c7af265b9542ae
https://git.kernel.org/stable/c/4c2707dfee5847dc0b5ecfbe512c29c93832fdc4
https://git.kernel.org/stable/c/58f0d1c0e494a88f301bf455da7df4366f179bbb
https://git.kernel.org/stable/c/dd613a4e45f8d35f49a63a2064e5308fa5619e29
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: ov5675: Fix memleak in ov5675_init_controls() There is a kmemleak when testing the media/i2c/ov5675.c with bpf mock device: AssertionError: unreferenced object 0xffff888107362160 (size 16): comm "python3", pid 277, jiffies 4294832798 (age 20.722s) hex dump (first 16 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000abe7d67c>] __kmalloc_node+0x44/0x1b0 [<000000008a725aac>] kvmalloc_node+0x34/0x180 [<000000009a53cd11>] v4l2_ctrl_handler_init_class+0x11d/0x180 [videodev] [<0000000055b46db0>] ov5675_probe+0x38b/0x897 [ov5675] [<00000000153d886c>] i2c_device_probe+0x28d/0x680 [<000000004afb7e8f>] really_probe+0x17c/0x3f0 [<00000000ff2f18e4>] __driver_probe_device+0xe3/0x170 [<000000000a001029>] driver_probe_device+0x49/0x120 [<00000000e39743c7>] __device_attach_driver+0xf7/0x150 [<00000000d32fd070>] bus_for_each_drv+0x114/0x180 [<000000009083ac41>] __device_attach+0x1e5/0x2d0 [<0000000015b4a830>] bus_probe_device+0x126/0x140 [<000000007813deaf>] device_add+0x810/0x1130 [<000000007becb867>] i2c_new_client_device+0x386/0x540 [<000000007f9cf4b4>] of_i2c_register_device+0xf1/0x110 [<00000000ebfdd032>] of_i2c_notify+0xfc/0x1f0 ov5675_init_controls() won't clean all the allocated resources in fail path, which may causes the memleaks. Add v4l2_ctrl_handler_free() to prevent memleak. 2025-12-30 not yet calculated CVE-2023-54208 https://git.kernel.org/stable/c/086a80b842bcb621d6c4eedad20683f1f674d0c2
https://git.kernel.org/stable/c/bcae9115a163198dce9126aa8bedc1c007ec30ed
https://git.kernel.org/stable/c/ba54908ae8225d58f1830edb394d4153bcb7d0aa
https://git.kernel.org/stable/c/49b849824b9862f177fc77fc92ef95ec54566ecf
https://git.kernel.org/stable/c/7a36a6be694df87d019663863b922913947b42af
https://git.kernel.org/stable/c/dd74ed6c213003533e3abf4c204374ef01d86978
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: block: fix blktrace debugfs entries leakage Commit 99d055b4fd4b ("block: remove per-disk debugfs files in blk_unregister_queue") moves blk_trace_shutdown() from blk_release_queue() to blk_unregister_queue(), this is safe if blktrace is created through sysfs, however, there is a regression in corner case. blktrace can still be enabled after del_gendisk() through ioctl if the disk is opened before del_gendisk(), and if blktrace is not shutdown through ioctl before closing the disk, debugfs entries will be leaked. Fix this problem by shutdown blktrace in disk_release(), this is safe because blk_trace_remove() is reentrant. 2025-12-30 not yet calculated CVE-2023-54209 https://git.kernel.org/stable/c/aa07e56c6a9c7558165690d14eed4fe8babf34fb
https://git.kernel.org/stable/c/7149e57cf01184fba175589f8fbe9fbf33be02e1
https://git.kernel.org/stable/c/942e81650b81b4ca62f1d8c61de455c9e7c7e6ca
https://git.kernel.org/stable/c/dd7de3704af9989b780693d51eaea49a665bd9c2
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor() KASAN reports that there's a use-after-free in hci_remove_adv_monitor(). Trawling through the disassembly, you can see that the complaint is from the access in bt_dev_dbg() under the HCI_ADV_MONITOR_EXT_MSFT case. The problem case happens because msft_remove_monitor() can end up freeing the monitor structure. Specifically: hci_remove_adv_monitor() -> msft_remove_monitor() -> msft_remove_monitor_sync() -> msft_le_cancel_monitor_advertisement_cb() -> hci_free_adv_monitor() Let's fix the problem by just stashing the relevant data when it's still valid. 2025-12-30 not yet calculated CVE-2023-54210 https://git.kernel.org/stable/c/0d4d6b083da9b033ddccef72d77f373c819ae3ea
https://git.kernel.org/stable/c/bf00c2c8f6254f44ac041aa9a311ae9e0caf692b
https://git.kernel.org/stable/c/de6dfcefd107667ce2dbedf4d9337f5ed557a4a1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: tracing: Fix warning in trace_buffered_event_disable() Warning happened in trace_buffered_event_disable() at WARN_ON_ONCE(!trace_buffered_event_ref) Call Trace: ? __warn+0xa5/0x1b0 ? trace_buffered_event_disable+0x189/0x1b0 __ftrace_event_enable_disable+0x19e/0x3e0 free_probe_data+0x3b/0xa0 unregister_ftrace_function_probe_func+0x6b8/0x800 event_enable_func+0x2f0/0x3d0 ftrace_process_regex.isra.0+0x12d/0x1b0 ftrace_filter_write+0xe6/0x140 vfs_write+0x1c9/0x6f0 [...] The cause of the warning is in __ftrace_event_enable_disable(), trace_buffered_event_enable() was called once while trace_buffered_event_disable() was called twice. Reproduction script show as below, for analysis, see the comments: ``` #!/bin/bash cd /sys/kernel/tracing/ # 1. Register a 'disable_event' command, then: # 1) SOFT_DISABLED_BIT was set; # 2) trace_buffered_event_enable() was called first time; echo 'cmdline_proc_show:disable_event:initcall:initcall_finish' > \ set_ftrace_filter # 2. Enable the event registered, then: # 1) SOFT_DISABLED_BIT was cleared; # 2) trace_buffered_event_disable() was called first time; echo 1 > events/initcall/initcall_finish/enable # 3. Try to call into cmdline_proc_show(), then SOFT_DISABLED_BIT was # set again!!! cat /proc/cmdline # 4. Unregister the 'disable_event' command, then: # 1) SOFT_DISABLED_BIT was cleared again; # 2) trace_buffered_event_disable() was called second time!!! echo '!cmdline_proc_show:disable_event:initcall:initcall_finish' > \ set_ftrace_filter ``` To fix it, IIUC, we can change to call trace_buffered_event_enable() at fist time soft-mode enabled, and call trace_buffered_event_disable() at last time soft-mode disabled. 2025-12-30 not yet calculated CVE-2023-54211 https://git.kernel.org/stable/c/1488d782c9e43087a3f341b8186cd25f3cf75583
https://git.kernel.org/stable/c/b4f4ab423107dc1ba8e9cc6488c645be6403d3f5
https://git.kernel.org/stable/c/cdcc35e6454133feb61561b4e0d0c80e52cbc2ba
https://git.kernel.org/stable/c/a6d2fd1703cdc8ecfc3e73987e0fb7474ae2b074
https://git.kernel.org/stable/c/813cede7b2f5a4b1b75d2d4bb4e705cc8e063b20
https://git.kernel.org/stable/c/a3a3c7bddab9b6c5690b20796ef5e332b8c48afb
https://git.kernel.org/stable/c/528c9d73153754defb748f0b96ad33308668d817
https://git.kernel.org/stable/c/dea499781a1150d285c62b26659f62fb00824fce
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: USB: sisusbvga: Add endpoint checks The syzbot fuzzer was able to provoke a WARNING from the sisusbvga driver: ------------[ cut here ]------------ usb 1-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 1 PID: 26 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 Modules linked in: CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.2.0-rc5-syzkaller-00199-g5af6ce704936 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023 Workqueue: usb_hub_wq hub_event RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 Code: 7c 24 18 e8 6c 50 80 fb 48 8b 7c 24 18 e8 62 1a 01 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 60 b1 fa 8a e8 84 b0 be 03 <0f> 0b e9 58 f8 ff ff e8 3e 50 80 fb 48 81 c5 c0 05 00 00 e9 84 f7 RSP: 0018:ffffc90000a1ed18 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 RDX: ffff888012783a80 RSI: ffffffff816680ec RDI: fffff52000143d95 RBP: ffff888079020000 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000003 R13: ffff888017d33370 R14: 0000000000000003 R15: ffff888021213600 FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005592753a60b0 CR3: 0000000022899000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> sisusb_bulkout_msg drivers/usb/misc/sisusbvga/sisusbvga.c:224 [inline] sisusb_send_bulk_msg.constprop.0+0x904/0x1230 drivers/usb/misc/sisusbvga/sisusbvga.c:379 sisusb_send_bridge_packet drivers/usb/misc/sisusbvga/sisusbvga.c:567 [inline] sisusb_do_init_gfxdevice drivers/usb/misc/sisusbvga/sisusbvga.c:2077 [inline] sisusb_init_gfxdevice+0x87b/0x4000 drivers/usb/misc/sisusbvga/sisusbvga.c:2177 sisusb_probe+0x9cd/0xbe2 drivers/usb/misc/sisusbvga/sisusbvga.c:2869 ... The problem was caused by the fact that the driver does not check whether the endpoints it uses are actually present and have the appropriate types. This can be fixed by adding a simple check of the endpoints. 2025-12-30 not yet calculated CVE-2023-54213 https://git.kernel.org/stable/c/bccb2ccb65515dc66a8001f99f4dcba8a45987f9
https://git.kernel.org/stable/c/a8f980ecb0112100366c64e0404d9dd1dcbd2fcd
https://git.kernel.org/stable/c/a730feb672c7d7c5f7414c3715f8e3fa844e5a9b
https://git.kernel.org/stable/c/ccef03c5113506d27dd6530d3a9ef5715c068e13
https://git.kernel.org/stable/c/43f569fd0699c4240a5c96e5ba1a0844a595afca
https://git.kernel.org/stable/c/d5dba4b7bf904143702fb4be641802ee2e9c95aa
https://git.kernel.org/stable/c/0f9028b6ffaa98bff7c479cccf2558247e295534
https://git.kernel.org/stable/c/df05a9b05e466a46725564528b277d0c570d0104
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix potential user-after-free This fixes all instances of which requires to allocate a buffer calling alloc_skb which may release the chan lock and reacquire later which makes it possible that the chan is disconnected in the meantime. 2025-12-30 not yet calculated CVE-2023-54214 https://git.kernel.org/stable/c/b2fde8cb2a25125111f2144604e0e7c0ebcc4bba
https://git.kernel.org/stable/c/a6a7d1541fefddf7ca0cfb34c1bff63ff809cc49
https://git.kernel.org/stable/c/60aaccf16d1e099c16bebfb96428ae762cb528f7
https://git.kernel.org/stable/c/b8ed41cc04fb74005aa51d17865ca3d022760335
https://git.kernel.org/stable/c/31a288a4df7f6a28e65da22a4ab2add4a963738e
https://git.kernel.org/stable/c/64e28ecf44e46de9f01915a4146706a21c3469d2
https://git.kernel.org/stable/c/994e3e18908f5c4a12d07b44018e6aa85f071048
https://git.kernel.org/stable/c/df5703348813235874d851934e957c3723d71644
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: virtio-vdpa: Fix cpumask memory leak in virtio_vdpa_find_vqs() Free the cpumask allocated by create_affinity_masks() before returning from the function. 2025-12-30 not yet calculated CVE-2023-54215 https://git.kernel.org/stable/c/fa450621efab58121fe8e57f7a7b80fee6e0bae1
https://git.kernel.org/stable/c/df9557046440b0a62250fee3169a8f6a139f55a6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: TC, Fix using eswitch mapping in nic mode Cited patch is using the eswitch object mapping pool while in nic mode where it isn't initialized. This results in the trace below [0]. Fix that by using either nic or eswitch object mapping pool depending if eswitch is enabled or not. [0]: [ 826.446057] ================================================================== [ 826.446729] BUG: KASAN: slab-use-after-free in mlx5_add_flow_rules+0x30/0x490 [mlx5_core] [ 826.447515] Read of size 8 at addr ffff888194485830 by task tc/6233 [ 826.448243] CPU: 16 PID: 6233 Comm: tc Tainted: G W 6.3.0-rc6+ #1 [ 826.448890] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 826.449785] Call Trace: [ 826.450052] <TASK> [ 826.450302] dump_stack_lvl+0x33/0x50 [ 826.450650] print_report+0xc2/0x610 [ 826.450998] ? __virt_addr_valid+0xb1/0x130 [ 826.451385] ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core] [ 826.451935] kasan_report+0xae/0xe0 [ 826.452276] ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core] [ 826.452829] mlx5_add_flow_rules+0x30/0x490 [mlx5_core] [ 826.453368] ? __kmalloc_node+0x5a/0x120 [ 826.453733] esw_add_restore_rule+0x20f/0x270 [mlx5_core] [ 826.454288] ? mlx5_eswitch_add_send_to_vport_meta_rule+0x260/0x260 [mlx5_core] [ 826.455011] ? mutex_unlock+0x80/0xd0 [ 826.455361] ? __mutex_unlock_slowpath.constprop.0+0x210/0x210 [ 826.455862] ? mapping_add+0x2cb/0x440 [mlx5_core] [ 826.456425] mlx5e_tc_action_miss_mapping_get+0x139/0x180 [mlx5_core] [ 826.457058] ? mlx5e_tc_update_skb_nic+0xb0/0xb0 [mlx5_core] [ 826.457636] ? __kasan_kmalloc+0x77/0x90 [ 826.458000] ? __kmalloc+0x57/0x120 [ 826.458336] mlx5_tc_ct_flow_offload+0x325/0xe40 [mlx5_core] [ 826.458916] ? ct_kernel_enter.constprop.0+0x48/0xa0 [ 826.459360] ? mlx5_tc_ct_parse_action+0xf0/0xf0 [mlx5_core] [ 826.459933] ? mlx5e_mod_hdr_attach+0x491/0x520 [mlx5_core] [ 826.460507] ? mlx5e_mod_hdr_get+0x12/0x20 [mlx5_core] [ 826.461046] ? mlx5e_tc_attach_mod_hdr+0x154/0x170 [mlx5_core] [ 826.461635] mlx5e_configure_flower+0x969/0x2110 [mlx5_core] [ 826.462217] ? _raw_spin_lock_bh+0x85/0xe0 [ 826.462597] ? __mlx5e_add_fdb_flow+0x750/0x750 [mlx5_core] [ 826.463163] ? kasan_save_stack+0x2e/0x40 [ 826.463534] ? down_read+0x115/0x1b0 [ 826.463878] ? down_write_killable+0x110/0x110 [ 826.464288] ? tc_setup_action.part.0+0x9f/0x3b0 [ 826.464701] ? mlx5e_is_uplink_rep+0x4c/0x90 [mlx5_core] [ 826.465253] ? mlx5e_tc_reoffload_flows_work+0x130/0x130 [mlx5_core] [ 826.465878] tc_setup_cb_add+0x112/0x250 [ 826.466247] fl_hw_replace_filter+0x230/0x310 [cls_flower] [ 826.466724] ? fl_hw_destroy_filter+0x1a0/0x1a0 [cls_flower] [ 826.467212] fl_change+0x14e1/0x2030 [cls_flower] [ 826.467636] ? sock_def_readable+0x89/0x120 [ 826.468019] ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower] [ 826.468509] ? kasan_unpoison+0x23/0x50 [ 826.468873] ? get_random_u16+0x180/0x180 [ 826.469244] ? __radix_tree_lookup+0x2b/0x130 [ 826.469640] ? fl_get+0x7b/0x140 [cls_flower] [ 826.470042] ? fl_mask_put+0x200/0x200 [cls_flower] [ 826.470478] ? __mutex_unlock_slowpath.constprop.0+0x210/0x210 [ 826.470973] ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower] [ 826.471427] tc_new_tfilter+0x644/0x1050 [ 826.471795] ? tc_get_tfilter+0x860/0x860 [ 826.472170] ? __thaw_task+0x130/0x130 [ 826.472525] ? arch_stack_walk+0x98/0xf0 [ 826.472892] ? cap_capable+0x9f/0xd0 [ 826.473235] ? security_capable+0x47/0x60 [ 826.473608] rtnetlink_rcv_msg+0x1d5/0x550 [ 826.473985] ? rtnl_calcit.isra.0+0x1f0/0x1f0 [ 826.474383] ? __stack_depot_save+0x35/0x4c0 [ 826.474779] ? kasan_save_stack+0x2e/0x40 [ 826.475149] ? kasan_save_stack+0x1e/0x40 [ 826.475518] ? __kasan_record_aux_stack+0x9f/0xb0 [ 826.475939] ? task_work_add+0x77/0x1c0 [ 826.476305] netlink_rcv_skb+0xe0/0x210 ---truncated--- 2025-12-30 not yet calculated CVE-2023-54216 https://git.kernel.org/stable/c/4150441c010dec36abc389828e2e4758bd8ad4b3
https://git.kernel.org/stable/c/dfa1e46d6093831b9d49f0f350227a1d13644a2f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: Revert "drm/msm: Add missing check and destroy for alloc_ordered_workqueue" This reverts commit 643b7d0869cc7f1f7a5ac7ca6bd25d88f54e31d0. A recent patch that tried to fix up the msm_drm_init() paths with respect to the workqueue but only ended up making things worse: First, the newly added calls to msm_drm_uninit() on early errors would trigger NULL-pointer dereferences, for example, as the kms pointer would not have been initialised. (Note that these paths were also modified by a second broken error handling patch which in effect cancelled out this part when merged.) Second, the newly added allocation sanity check would still leak the previously allocated drm device. Instead of trying to salvage what was badly broken (and clearly not tested), let's revert the bad commit so that clean and backportable fixes can be added in its place. Patchwork: https://patchwork.freedesktop.org/patch/525107/ 2025-12-30 not yet calculated CVE-2023-54217 https://git.kernel.org/stable/c/9078b434587722a6f2958dc1d536af6e39634db9
https://git.kernel.org/stable/c/dfa70344d1b5f5ff08525a8c872c8dd5e82fc5d9
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: Fix load-tearing on sk->sk_stamp in sock_recv_cmsgs(). KCSAN found a data race in sock_recv_cmsgs() where the read access to sk->sk_stamp needs READ_ONCE(). BUG: KCSAN: data-race in packet_recvmsg / packet_recvmsg write (marked) to 0xffff88803c81f258 of 8 bytes by task 19171 on cpu 0: sock_write_timestamp include/net/sock.h:2670 [inline] sock_recv_cmsgs include/net/sock.h:2722 [inline] packet_recvmsg+0xb97/0xd00 net/packet/af_packet.c:3489 sock_recvmsg_nosec net/socket.c:1019 [inline] sock_recvmsg+0x11a/0x130 net/socket.c:1040 sock_read_iter+0x176/0x220 net/socket.c:1118 call_read_iter include/linux/fs.h:1845 [inline] new_sync_read fs/read_write.c:389 [inline] vfs_read+0x5e0/0x630 fs/read_write.c:470 ksys_read+0x163/0x1a0 fs/read_write.c:613 __do_sys_read fs/read_write.c:623 [inline] __se_sys_read fs/read_write.c:621 [inline] __x64_sys_read+0x41/0x50 fs/read_write.c:621 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc read to 0xffff88803c81f258 of 8 bytes by task 19183 on cpu 1: sock_recv_cmsgs include/net/sock.h:2721 [inline] packet_recvmsg+0xb64/0xd00 net/packet/af_packet.c:3489 sock_recvmsg_nosec net/socket.c:1019 [inline] sock_recvmsg+0x11a/0x130 net/socket.c:1040 sock_read_iter+0x176/0x220 net/socket.c:1118 call_read_iter include/linux/fs.h:1845 [inline] new_sync_read fs/read_write.c:389 [inline] vfs_read+0x5e0/0x630 fs/read_write.c:470 ksys_read+0x163/0x1a0 fs/read_write.c:613 __do_sys_read fs/read_write.c:623 [inline] __se_sys_read fs/read_write.c:621 [inline] __x64_sys_read+0x41/0x50 fs/read_write.c:621 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc value changed: 0xffffffffc4653600 -> 0x0000000000000000 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 19183 Comm: syz-executor.5 Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 2025-12-30 not yet calculated CVE-2023-54218 https://git.kernel.org/stable/c/fd28692fa182d25e8d26bc1db506648839fde245
https://git.kernel.org/stable/c/564c3150ad357d571a0de7d8b644aa1f7e6e21b7
https://git.kernel.org/stable/c/d7343f8de019ebb55b2b6ef79b971f6ceb361a99
https://git.kernel.org/stable/c/d06f67b2b8dcd00d995c468428b6bccebc5762d8
https://git.kernel.org/stable/c/de260d1e02cde39d317066835ee6e5234fc9f5a8
https://git.kernel.org/stable/c/7145f2309d649ad6273b9f66448321b9b4c523c8
https://git.kernel.org/stable/c/8319220054e5ea5f506d8d4c4b5e234f668ffc3b
https://git.kernel.org/stable/c/dfd9248c071a3710c24365897459538551cb7167
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: Revert "IB/isert: Fix incorrect release of isert connection" Commit: 699826f4e30a ("IB/isert: Fix incorrect release of isert connection") is causing problems on OPA when DEVICE_REMOVAL is happening. ------------[ cut here ]------------ WARNING: CPU: 52 PID: 2117247 at drivers/infiniband/core/cq.c:359 ib_cq_pool_cleanup+0xac/0xb0 [ib_core] Modules linked in: nfsd nfs_acl target_core_user uio tcm_fc libfc scsi_transport_fc tcm_loop target_core_pscsi target_core_iblock target_core_file rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs rfkill rpcrdma rdma_ucm ib_srpt sunrpc ib_isert iscsi_target_mod target_core_mod opa_vnic ib_iser libiscsi ib_umad scsi_transport_iscsi rdma_cm ib_ipoib iw_cm ib_cm hfi1(-) rdmavt ib_uverbs intel_rapl_msr intel_rapl_common sb_edac ib_core x86_pkg_temp_thermal intel_powerclamp coretemp i2c_i801 mxm_wmi rapl iTCO_wdt ipmi_si iTCO_vendor_support mei_me ipmi_devintf mei intel_cstate ioatdma intel_uncore i2c_smbus joydev pcspkr lpc_ich ipmi_msghandler acpi_power_meter acpi_pad xfs libcrc32c sr_mod sd_mod cdrom t10_pi sg crct10dif_pclmul crc32_pclmul crc32c_intel drm_kms_helper drm_shmem_helper ahci libahci ghash_clmulni_intel igb drm libata dca i2c_algo_bit wmi fuse CPU: 52 PID: 2117247 Comm: modprobe Not tainted 6.5.0-rc1+ #1 Hardware name: Intel Corporation S2600CWR/S2600CW, BIOS SE5C610.86B.01.01.0014.121820151719 12/18/2015 RIP: 0010:ib_cq_pool_cleanup+0xac/0xb0 [ib_core] Code: ff 48 8b 43 40 48 8d 7b 40 48 83 e8 40 4c 39 e7 75 b3 49 83 c4 10 4d 39 fc 75 94 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc <0f> 0b eb a1 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f RSP: 0018:ffffc10bea13fc80 EFLAGS: 00010206 RAX: 000000000000010c RBX: ffff9bf5c7e66c00 RCX: 000000008020001d RDX: 000000008020001e RSI: fffff175221f9900 RDI: ffff9bf5c7e67640 RBP: ffff9bf5c7e67600 R08: ffff9bf5c7e64400 R09: 000000008020001d R10: 0000000040000000 R11: 0000000000000000 R12: ffff9bee4b1e8a18 R13: dead000000000122 R14: dead000000000100 R15: ffff9bee4b1e8a38 FS: 00007ff1e6d38740(0000) GS:ffff9bfd9fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005652044ecc68 CR3: 0000000889b5c005 CR4: 00000000001706e0 Call Trace: <TASK> ? __warn+0x80/0x130 ? ib_cq_pool_cleanup+0xac/0xb0 [ib_core] ? report_bug+0x195/0x1a0 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? ib_cq_pool_cleanup+0xac/0xb0 [ib_core] disable_device+0x9d/0x160 [ib_core] __ib_unregister_device+0x42/0xb0 [ib_core] ib_unregister_device+0x22/0x30 [ib_core] rvt_unregister_device+0x20/0x90 [rdmavt] hfi1_unregister_ib_device+0x16/0xf0 [hfi1] remove_one+0x55/0x1a0 [hfi1] pci_device_remove+0x36/0xa0 device_release_driver_internal+0x193/0x200 driver_detach+0x44/0x90 bus_remove_driver+0x69/0xf0 pci_unregister_driver+0x2a/0xb0 hfi1_mod_cleanup+0xc/0x3c [hfi1] __do_sys_delete_module.constprop.0+0x17a/0x2f0 ? exit_to_user_mode_prepare+0xc4/0xd0 ? syscall_trace_enter.constprop.0+0x126/0x1a0 do_syscall_64+0x5c/0x90 ? syscall_exit_to_user_mode+0x12/0x30 ? do_syscall_64+0x69/0x90 ? syscall_exit_work+0x103/0x130 ? syscall_exit_to_user_mode+0x12/0x30 ? do_syscall_64+0x69/0x90 ? exc_page_fault+0x65/0x150 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 RIP: 0033:0x7ff1e643f5ab Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007ffec9103cc8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 RAX: ffffffffffffffda RBX: 00005615267fdc50 RCX: 00007ff1e643f5ab RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005615267fdcb8 RBP: 00005615267fdc50 R08: 0000000000000000 R09: 0000000000000000 R10: 00007ff1e659eac0 R11: 0000000000000206 R12: 00005615267fdcb8 R13: 00000000000 ---truncated--- 2025-12-30 not yet calculated CVE-2023-54219 https://git.kernel.org/stable/c/77e90bd53019d4d4c9e25552b5efb06dfd8c3c82
https://git.kernel.org/stable/c/a277b736309f923d9baff0ef166d694d348a5b96
https://git.kernel.org/stable/c/9b6296861a5a9d58aacd72c249a68b073c78bfb4
https://git.kernel.org/stable/c/aa950b9835f2d004b071fd220459edd3cd0a3603
https://git.kernel.org/stable/c/1bb42aca7a9611c1991a790834e2a65f3345c5e8
https://git.kernel.org/stable/c/3f39698e7e842abc9bd2bd97bf5eeda4543db758
https://git.kernel.org/stable/c/4082b59705ee9e3912eaa9e15abda8e76039b681
https://git.kernel.org/stable/c/a3189341e2f609d48f730b18c8bbbf6783233477
https://git.kernel.org/stable/c/dfe261107c080709459c32695847eec96238852b
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: serial: 8250: Fix oops for port->pm on uart_change_pm() Unloading a hardware specific 8250 driver can produce error "Unable to handle kernel paging request at virtual address" about ten seconds after unloading the driver. This happens on uart_hangup() calling uart_change_pm(). Turns out commit 04e82793f068 ("serial: 8250: Reinit port->pm on port specific driver unbind") was only a partial fix. If the hardware specific driver has initialized port->pm function, we need to clear port->pm too. Just reinitializing port->ops does not do this. Otherwise serial8250_pm() will call port->pm() instead of serial8250_do_pm(). 2025-12-30 not yet calculated CVE-2023-54220 https://git.kernel.org/stable/c/66f3e55960698c874b0598277913b478ecd29573
https://git.kernel.org/stable/c/720a297b334e85d34099e83d1f375b92c3efedd6
https://git.kernel.org/stable/c/b653289ca6460a6552c8590b75dfa84a0140a46b
https://git.kernel.org/stable/c/bd70d0b28010d560a8be96b44fea86fe2ba016ae
https://git.kernel.org/stable/c/18e27df4f2b4e257c317ba8076f31a888f6cc64b
https://git.kernel.org/stable/c/0c05493341d6f2097f75f0a5dbb7b53a9e8c5f6c
https://git.kernel.org/stable/c/375806616f8c772c33d40e112530887b37c1a816
https://git.kernel.org/stable/c/dfe2aeb226fd5e19b0ee795f4f6ed8bc494c1534
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: clk: imx93: fix memory leak and missing unwind goto in imx93_clocks_probe In function probe(), it returns directly without unregistered hws when error occurs. Fix this by adding 'goto unregister_hws;' on line 295 and line 310. Use devm_kzalloc() instead of kzalloc() to automatically free the memory using devm_kfree() when error occurs. Replace of_iomap() with devm_of_iomap() to automatically handle the unused ioremap region and delete 'iounmap(anatop_base);' in unregister_hws. 2025-12-30 not yet calculated CVE-2023-54221 https://git.kernel.org/stable/c/280a5ff665e12d1e0c54c20cedc9c5008aa686a5
https://git.kernel.org/stable/c/fac9c624138c4bc021d7a8ee3b974c9e10926d92
https://git.kernel.org/stable/c/d17c16a2b2a6589c45b0bfb1b9914da80b72d89e
https://git.kernel.org/stable/c/e02ba11b457647050cb16e7cad16cec3c252fade
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: hte: tegra-194: Fix off by one in tegra_hte_map_to_line_id() The "map_sz" is the number of elements in the "m" array so the > comparison needs to be changed to >= to prevent an out of bounds read. 2025-12-30 not yet calculated CVE-2023-54222 https://git.kernel.org/stable/c/fed87ce073c7b9f4f255105f90bd930df06d18a7
https://git.kernel.org/stable/c/aedc364a7c9cd2fb45b4f7c0a41c98365369ff46
https://git.kernel.org/stable/c/2a488602e3f09ef9e50feb5448ae46515a6fa789
https://git.kernel.org/stable/c/e078180d66848a6a890daf0a3ce28dc43cc66790
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: xsk: Fix invalid buffer access for legacy rq The below crash can be encountered when using xdpsock in rx mode for legacy rq: the buffer gets released in the XDP_REDIRECT path, and then once again in the driver. This fix sets the flag to avoid releasing on the driver side. XSK handling of buffers for legacy rq was relying on the caller to set the skip release flag. But the referenced fix started using fragment counts for pages instead of the skip flag. Crash log: general protection fault, probably for non-canonical address 0xffff8881217e3a: 0000 [#1] SMP CPU: 0 PID: 14 Comm: ksoftirqd/0 Not tainted 6.5.0-rc1+ #31 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:bpf_prog_03b13f331978c78c+0xf/0x28 Code: ... RSP: 0018:ffff88810082fc98 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888138404901 RCX: c0ffffc900027cbc RDX: ffffffffa000b514 RSI: 00ffff8881217e32 RDI: ffff888138404901 RBP: ffff88810082fc98 R08: 0000000000091100 R09: 0000000000000006 R10: 0000000000000800 R11: 0000000000000800 R12: ffffc9000027a000 R13: ffff8881217e2dc0 R14: ffff8881217e2910 R15: ffff8881217e2f00 FS: 0000000000000000(0000) GS:ffff88852c800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000564cb2e2cde0 CR3: 000000010e603004 CR4: 0000000000370eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? die_addr+0x32/0x80 ? exc_general_protection+0x192/0x390 ? asm_exc_general_protection+0x22/0x30 ? 0xffffffffa000b514 ? bpf_prog_03b13f331978c78c+0xf/0x28 mlx5e_xdp_handle+0x48/0x670 [mlx5_core] ? dev_gro_receive+0x3b5/0x6e0 mlx5e_xsk_skb_from_cqe_linear+0x6e/0x90 [mlx5_core] mlx5e_handle_rx_cqe+0x55/0x100 [mlx5_core] mlx5e_poll_rx_cq+0x87/0x6e0 [mlx5_core] mlx5e_napi_poll+0x45e/0x6b0 [mlx5_core] __napi_poll+0x25/0x1a0 net_rx_action+0x28a/0x300 __do_softirq+0xcd/0x279 ? sort_range+0x20/0x20 run_ksoftirqd+0x1a/0x20 smpboot_thread_fn+0xa2/0x130 kthread+0xc9/0xf0 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 </TASK> Modules linked in: mlx5_ib mlx5_core rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter overlay zram zsmalloc fuse [last unloaded: mlx5_core] ---[ end trace 0000000000000000 ]--- 2025-12-30 not yet calculated CVE-2023-54223 https://git.kernel.org/stable/c/58a113a35846d9a5bd759beb332e551e28451f09
https://git.kernel.org/stable/c/e0f52298fee449fec37e3e3c32df60008b509b16
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: fix lockdep splat and potential deadlock after failure running delayed items When running delayed items we are holding a delayed node's mutex and then we will attempt to modify a subvolume btree to insert/update/delete the delayed items. However if have an error during the insertions for example, btrfs_insert_delayed_items() may return with a path that has locked extent buffers (a leaf at the very least), and then we attempt to release the delayed node at __btrfs_run_delayed_items(), which requires taking the delayed node's mutex, causing an ABBA type of deadlock. This was reported by syzbot and the lockdep splat is the following: WARNING: possible circular locking dependency detected 6.5.0-rc7-syzkaller-00024-g93f5de5f648d #0 Not tainted ------------------------------------------------------ syz-executor.2/13257 is trying to acquire lock: ffff88801835c0c0 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256 but task is already holding lock: ffff88802a5ab8e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_lock+0x3c/0x2a0 fs/btrfs/locking.c:198 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (btrfs-tree-00){++++}-{3:3}: __lock_release kernel/locking/lockdep.c:5475 [inline] lock_release+0x36f/0x9d0 kernel/locking/lockdep.c:5781 up_write+0x79/0x580 kernel/locking/rwsem.c:1625 btrfs_tree_unlock_rw fs/btrfs/locking.h:189 [inline] btrfs_unlock_up_safe+0x179/0x3b0 fs/btrfs/locking.c:239 search_leaf fs/btrfs/ctree.c:1986 [inline] btrfs_search_slot+0x2511/0x2f80 fs/btrfs/ctree.c:2230 btrfs_insert_empty_items+0x9c/0x180 fs/btrfs/ctree.c:4376 btrfs_insert_delayed_item fs/btrfs/delayed-inode.c:746 [inline] btrfs_insert_delayed_items fs/btrfs/delayed-inode.c:824 [inline] __btrfs_commit_inode_delayed_items+0xd24/0x2410 fs/btrfs/delayed-inode.c:1111 __btrfs_run_delayed_items+0x1db/0x430 fs/btrfs/delayed-inode.c:1153 flush_space+0x269/0xe70 fs/btrfs/space-info.c:723 btrfs_async_reclaim_metadata_space+0x106/0x350 fs/btrfs/space-info.c:1078 process_one_work+0x92c/0x12c0 kernel/workqueue.c:2600 worker_thread+0xa63/0x1210 kernel/workqueue.c:2751 kthread+0x2b8/0x350 kernel/kthread.c:389 ret_from_fork+0x2e/0x60 arch/x86/kernel/process.c:145 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 -> #0 (&delayed_node->mutex){+.+.}-{3:3}: check_prev_add kernel/locking/lockdep.c:3142 [inline] check_prevs_add kernel/locking/lockdep.c:3261 [inline] validate_chain kernel/locking/lockdep.c:3876 [inline] __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144 lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761 __mutex_lock_common+0x1d8/0x2530 kernel/locking/mutex.c:603 __mutex_lock kernel/locking/mutex.c:747 [inline] mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:799 __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256 btrfs_release_delayed_node fs/btrfs/delayed-inode.c:281 [inline] __btrfs_run_delayed_items+0x2b5/0x430 fs/btrfs/delayed-inode.c:1156 btrfs_commit_transaction+0x859/0x2ff0 fs/btrfs/transaction.c:2276 btrfs_sync_file+0xf56/0x1330 fs/btrfs/file.c:1988 vfs_fsync_range fs/sync.c:188 [inline] vfs_fsync fs/sync.c:202 [inline] do_fsync fs/sync.c:212 [inline] __do_sys_fsync fs/sync.c:220 [inline] __se_sys_fsync fs/sync.c:218 [inline] __x64_sys_fsync+0x196/0x1e0 fs/sync.c:218 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd other info that ---truncated--- 2025-12-30 not yet calculated CVE-2023-54224 https://git.kernel.org/stable/c/779c3cf2749c7a7bad6f839cb2954a25ba92f4d6
https://git.kernel.org/stable/c/32247b9526bfdaeef85f7339d9b4f913c7370f92
https://git.kernel.org/stable/c/36d918da3f1bf749178c7daf471a3be1730ed3ca
https://git.kernel.org/stable/c/e110f8911ddb93e6f55da14ccbbe705397b30d0b
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: ipa: only reset hashed tables when supported Last year, the code that manages GSI channel transactions switched from using spinlock-protected linked lists to using indexes into the ring buffer used for a channel. Recently, Google reported seeing transaction reference count underflows occasionally during shutdown. Doug Anderson found a way to reproduce the issue reliably, and bisected the issue to the commit that eliminated the linked lists and the lock. The root cause was ultimately determined to be related to unused transactions being committed as part of the modem shutdown cleanup activity. Unused transactions are not normally expected (except in error cases). The modem uses some ranges of IPA-resident memory, and whenever it shuts down we zero those ranges. In ipa_filter_reset_table() a transaction is allocated to zero modem filter table entries. If hashing is not supported, hashed table memory should not be zeroed. But currently nothing prevents that, and the result is an unused transaction. Something similar occurs when we zero routing table entries for the modem. By preventing any attempt to clear hashed tables when hashing is not supported, the reference count underflow is avoided in this case. Note that there likely remains an issue with properly freeing unused transactions (if they occur due to errors). This patch addresses only the underflows that Google originally reported. 2025-12-30 not yet calculated CVE-2023-54225 https://git.kernel.org/stable/c/50c24f0c940728792c8bdf65c1eaf6b91b3b0dcd
https://git.kernel.org/stable/c/c00af3a818cc573e10100cc6770f0e47befa1fa4
https://git.kernel.org/stable/c/e11ec2b868af2b351c6c1e2e50eb711cc5423a10
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix data races around sk->sk_shutdown. KCSAN found a data race around sk->sk_shutdown where unix_release_sock() and unix_shutdown() update it under unix_state_lock(), OTOH unix_poll() and unix_dgram_poll() read it locklessly. We need to annotate the writes and reads with WRITE_ONCE() and READ_ONCE(). BUG: KCSAN: data-race in unix_poll / unix_release_sock write to 0xffff88800d0f8aec of 1 bytes by task 264 on cpu 0: unix_release_sock+0x75c/0x910 net/unix/af_unix.c:631 unix_release+0x59/0x80 net/unix/af_unix.c:1042 __sock_release+0x7d/0x170 net/socket.c:653 sock_close+0x19/0x30 net/socket.c:1397 __fput+0x179/0x5e0 fs/file_table.c:321 ____fput+0x15/0x20 fs/file_table.c:349 task_work_run+0x116/0x1a0 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297 do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x72/0xdc read to 0xffff88800d0f8aec of 1 bytes by task 222 on cpu 1: unix_poll+0xa3/0x2a0 net/unix/af_unix.c:3170 sock_poll+0xcf/0x2b0 net/socket.c:1385 vfs_poll include/linux/poll.h:88 [inline] ep_item_poll.isra.0+0x78/0xc0 fs/eventpoll.c:855 ep_send_events fs/eventpoll.c:1694 [inline] ep_poll fs/eventpoll.c:1823 [inline] do_epoll_wait+0x6c4/0xea0 fs/eventpoll.c:2258 __do_sys_epoll_wait fs/eventpoll.c:2270 [inline] __se_sys_epoll_wait fs/eventpoll.c:2265 [inline] __x64_sys_epoll_wait+0xcc/0x190 fs/eventpoll.c:2265 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc value changed: 0x00 -> 0x03 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 222 Comm: dbus-broker Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 2025-12-30 not yet calculated CVE-2023-54226 https://git.kernel.org/stable/c/1c488f4e95b498c977fbeae784983eb4cf6085e8
https://git.kernel.org/stable/c/196528ad484443627779540697f4fb0ef0e01c52
https://git.kernel.org/stable/c/8307e372e7445ec7d3cd2ff107ce5078eaa02815
https://git.kernel.org/stable/c/a41559ae3681975f1ced815d8d4c983b6b938499
https://git.kernel.org/stable/c/e410895892f99700ce54347d42c8dbe962eea9f4
https://git.kernel.org/stable/c/f237f79b63c9242450e6869adcd2c10445859f28
https://git.kernel.org/stable/c/e1d09c2c2f5793474556b60f83900e088d0d366d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix tags leak when shrink nr_hw_queues Although we don't need to realloc set->tags[] when shrink nr_hw_queues, we need to free them. Or these tags will be leaked. How to reproduce: 1. mount -t configfs configfs /mnt 2. modprobe null_blk nr_devices=0 submit_queues=8 3. mkdir /mnt/nullb/nullb0 4. echo 1 > /mnt/nullb/nullb0/power 5. echo 4 > /mnt/nullb/nullb0/submit_queues 6. rmdir /mnt/nullb/nullb0 In step 4, will alloc 9 tags (8 submit queues and 1 poll queue), then in step 5, new_nr_hw_queues = 5 (4 submit queues and 1 poll queue). At last in step 6, only these 5 tags are freed, the other 4 tags leaked. 2025-12-30 not yet calculated CVE-2023-54227 https://git.kernel.org/stable/c/c0ef7493e68b8896806a2f598fcffbaa97333405
https://git.kernel.org/stable/c/e1dd7bc93029024af5688253b0c05181d6e01f8e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: regulator: raa215300: Fix resource leak in case of error The clk_register_clkdev() allocates memory by calling vclkdev_alloc() and this memory is not freed in the error path. Similarly, resources allocated by clk_register_fixed_rate() are not freed in the error path. Fix these issues by using devm_clk_hw_register_fixed_rate() and devm_clk_hw_register_clkdev(). After this, the static variable clk is not needed. Replace it with  local variable hw in probe() and drop calling clk_unregister_fixed_rate() from raa215300_rtc_unregister_device(). 2025-12-30 not yet calculated CVE-2023-54228 https://git.kernel.org/stable/c/2bf2d2ac9e67184dc99275875a6452ca6e3027ff
https://git.kernel.org/stable/c/e21ac64e669e960688e79bf5babeed63132dac8a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix registration of 6Ghz-only phy without the full channel range Because of what seems to be a typo, a 6Ghz-only phy for which the BDF does not allow the 7115Mhz channel will fail to register: WARNING: CPU: 2 PID: 106 at net/wireless/core.c:907 wiphy_register+0x914/0x954 Modules linked in: ath11k_pci sbsa_gwdt CPU: 2 PID: 106 Comm: kworker/u8:5 Not tainted 6.3.0-rc7-next-20230418-00549-g1e096a17625a-dirty #9 Hardware name: Freebox V7R Board (DT) Workqueue: ath11k_qmi_driver_event ath11k_qmi_driver_event_work pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : wiphy_register+0x914/0x954 lr : ieee80211_register_hw+0x67c/0xc10 sp : ffffff800b123aa0 x29: ffffff800b123aa0 x28: 0000000000000000 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000006 x24: ffffffc008d51418 x23: ffffffc008cb0838 x22: ffffff80176c2460 x21: 0000000000000168 x20: ffffff80176c0000 x19: ffffff80176c03e0 x18: 0000000000000014 x17: 00000000cbef338c x16: 00000000d2a26f21 x15: 00000000ad6bb85f x14: 0000000000000020 x13: 0000000000000020 x12: 00000000ffffffbd x11: 0000000000000208 x10: 00000000fffffdf7 x9 : ffffffc009394718 x8 : ffffff80176c0528 x7 : 000000007fffffff x6 : 0000000000000006 x5 : 0000000000000005 x4 : ffffff800b304284 x3 : ffffff800b304284 x2 : ffffff800b304d98 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: wiphy_register+0x914/0x954 ieee80211_register_hw+0x67c/0xc10 ath11k_mac_register+0x7c4/0xe10 ath11k_core_qmi_firmware_ready+0x1f4/0x570 ath11k_qmi_driver_event_work+0x198/0x590 process_one_work+0x1b8/0x328 worker_thread+0x6c/0x414 kthread+0x100/0x104 ret_from_fork+0x10/0x20 ---[ end trace 0000000000000000 ]--- ath11k_pci 0002:01:00.0: ieee80211 registration failed: -22 ath11k_pci 0002:01:00.0: failed register the radio with mac80211: -22 ath11k_pci 0002:01:00.0: failed to create pdev core: -22 2025-12-30 not yet calculated CVE-2023-54229 https://git.kernel.org/stable/c/532f8bac60419eb28158770470b9bb655de207c8
https://git.kernel.org/stable/c/f97832620d7f320bea81707f34631371e87a419b
https://git.kernel.org/stable/c/8d1342108c2bf11aaaf293becfc010ecdb6170d9
https://git.kernel.org/stable/c/32ca096e712a78b2f0d2e48d33dc0caaba9f9866
https://git.kernel.org/stable/c/e2ceb1de2f83aafd8003f0b72dfd4b7441e97d14
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: amba: bus: fix refcount leak commit 5de1540b7bc4 ("drivers/amba: create devices from device tree") increases the refcount of of_node, but not releases it in amba_device_release, so there is refcount leak. By using of_node_put to avoid refcount leak. 2025-12-30 not yet calculated CVE-2023-54230 https://git.kernel.org/stable/c/94e398df32e850f26828690ee62f7441979583cc
https://git.kernel.org/stable/c/9062ce0ccbd82fbe81cc839a512c0ad90847e01c
https://git.kernel.org/stable/c/03db4fe7917bb160eeccf3968835475fa32b7e10
https://git.kernel.org/stable/c/9baf2278b3eed2c50112169121257d8a6ee0606c
https://git.kernel.org/stable/c/4f1807fddd9bf175ee5e14fffc6b6106e4b297ef
https://git.kernel.org/stable/c/81ff633a88be2482c163d3acd2801d501261ce6a
https://git.kernel.org/stable/c/206fadb7278ceac7593dd0b945a77b9df856a674
https://git.kernel.org/stable/c/8b60a706166de5de82314494704c2419e7657bf8
https://git.kernel.org/stable/c/e312cbdc11305568554a9e18a2ea5c2492c183f3
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: libwx: fix memory leak in wx_setup_rx_resources When wx_alloc_page_pool() failed in wx_setup_rx_resources(), it doesn't release DMA buffer. Add dma_free_coherent() in the error path to release the DMA buffer. 2025-12-30 not yet calculated CVE-2023-54231 https://git.kernel.org/stable/c/2371e1ecd445baf793a74db00ea6b2a2bc13c4c0
https://git.kernel.org/stable/c/e315e7b83a22043bffee450437d7089ef373cbf6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: m68k: Only force 030 bus error if PC not in exception table __get_kernel_nofault() does copy data in supervisor mode when forcing a task backtrace log through /proc/sysrq_trigger. This is expected cause a bus error exception on e.g. NULL pointer dereferencing when logging a kernel task has no workqueue associated. This bus error ought to be ignored. Our 030 bus error handler is ill equipped to deal with this: Whenever ssw indicates a kernel mode access on a data fault, we don't even attempt to handle the fault and instead always send a SEGV signal (or panic). As a result, the check for exception handling at the fault PC (buried in send_sig_fault() which gets called from do_page_fault() eventually) is never used. In contrast, both 040 and 060 access error handlers do not care whether a fault happened on supervisor mode access, and will call do_page_fault() on those, ultimately honoring the exception table. Add a check in bus_error030 to call do_page_fault() in case we do have an entry for the fault PC in our exception table. I had attempted a fix for this earlier in 2019 that did rely on testing pagefault_disabled() (see link below) to achieve the same thing, but this patch should be more generic. Tested on 030 Atari Falcon. 2025-12-30 not yet calculated CVE-2023-54232 https://git.kernel.org/stable/c/1a6059f5ed57f48edfe7159404ff7d538d9d405b
https://git.kernel.org/stable/c/f55cb52ec98b22125f5bda36391edb8894f7e8cf
https://git.kernel.org/stable/c/2100e374251a8fc00cce1916cfc50f3cb652cbe3
https://git.kernel.org/stable/c/df1da53a7e98f0b2a0eb2241c154f148f2f2c1d8
https://git.kernel.org/stable/c/8bf8d5dade4c5e1d8a2386f29253ed28b5d87735
https://git.kernel.org/stable/c/54fa25ffab2b700df5abd58c136d64a912c53953
https://git.kernel.org/stable/c/ec15405b80fc15ffc87a23d01378ae061c1aba07
https://git.kernel.org/stable/c/e36a82bebbf7da814530d5a179bef9df5934b717
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: avoid a NULL dereference with unsupported widgets If an IPC4 topology contains an unsupported widget, its .module_info field won't be set, then sof_ipc4_route_setup() will cause a kernel Oops trying to dereference it. Add a check for such cases. 2025-12-30 not yet calculated CVE-2023-54233 https://git.kernel.org/stable/c/170818974e9732506195c6302743856cc8bdfd6f
https://git.kernel.org/stable/c/e3720f92e0237921da537e47a0b24e27899203f8
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Fix missing mrioc->evtack_cmds initialization Commit c1af985d27da ("scsi: mpi3mr: Add Event acknowledgment logic") introduced an array mrioc->evtack_cmds but initialization of the array elements was missed. They are just zero cleared. The function mpi3mr_complete_evt_ack() refers host_tag field of the elements. Due to the zero value of the host_tag field, the function calls clear_bit() for mrico->evtack_cmds_bitmap with wrong bit index. This results in memory access to invalid address and "BUG: KASAN: use-after-free". This BUG was observed at eHBA-9600 firmware update to version 8.3.1.0. To fix it, add the missing initialization of mrioc->evtack_cmds. 2025-12-30 not yet calculated CVE-2023-54234 https://git.kernel.org/stable/c/4e0dfdb48a824deac3dfbc67fb856ef2aee13529
https://git.kernel.org/stable/c/67989091e11a974003ddf2ec39bc613df8eadd83
https://git.kernel.org/stable/c/e39ea831ebad4ab15c4748cb62a397a8abcca36e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: PCI/DOE: Fix destroy_work_on_stack() race The following debug object splat was observed in testing: ODEBUG: free active (active state 0) object: 0000000097d23782 object type: work_struct hint: doe_statemachine_work+0x0/0x510 WARNING: CPU: 1 PID: 71 at lib/debugobjects.c:514 debug_print_object+0x7d/0xb0 ... Workqueue: pci 0000:36:00.0 DOE [1 doe_statemachine_work RIP: 0010:debug_print_object+0x7d/0xb0 ... Call Trace: ? debug_print_object+0x7d/0xb0 ? __pfx_doe_statemachine_work+0x10/0x10 debug_object_free.part.0+0x11b/0x150 doe_statemachine_work+0x45e/0x510 process_one_work+0x1d4/0x3c0 This occurs because destroy_work_on_stack() was called after signaling the completion in the calling thread. This creates a race between destroy_work_on_stack() and the task->work struct going out of scope in pci_doe(). Signal the work complete after destroying the work struct. This is safe because signal_task_complete() is the final thing the work item does and the workqueue code is careful not to access the work struct after. 2025-12-30 not yet calculated CVE-2023-54235 https://git.kernel.org/stable/c/d96799ee3b78962c80e4b6653734f488f999ca09
https://git.kernel.org/stable/c/c4f9c0a3a6df143f2e1092823b7fa9e07d6ab57f
https://git.kernel.org/stable/c/19cf3ba16dcc2ef059dcf010072d4f96d76486e0
https://git.kernel.org/stable/c/e3a3a097eaebaf234a482b4d2f9f18fe989208c1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/net_failover: fix txq exceeding warning The failover txq is inited as 16 queues. when a packet is transmitted from the failover device firstly, the failover device will select the queue which is returned from the primary device if the primary device is UP and running. If the primary device txq is bigger than the default 16, it can lead to the following warning: eth0 selects TX queue 18, but real number of TX queues is 16 The warning backtrace is: [ 32.146376] CPU: 18 PID: 9134 Comm: chronyd Tainted: G E 6.2.8-1.el7.centos.x86_64 #1 [ 32.147175] Hardware name: Red Hat KVM, BIOS 1.10.2-3.el7_4.1 04/01/2014 [ 32.147730] Call Trace: [ 32.147971] <TASK> [ 32.148183] dump_stack_lvl+0x48/0x70 [ 32.148514] dump_stack+0x10/0x20 [ 32.148820] netdev_core_pick_tx+0xb1/0xe0 [ 32.149180] __dev_queue_xmit+0x529/0xcf0 [ 32.149533] ? __check_object_size.part.0+0x21c/0x2c0 [ 32.149967] ip_finish_output2+0x278/0x560 [ 32.150327] __ip_finish_output+0x1fe/0x2f0 [ 32.150690] ip_finish_output+0x2a/0xd0 [ 32.151032] ip_output+0x7a/0x110 [ 32.151337] ? __pfx_ip_finish_output+0x10/0x10 [ 32.151733] ip_local_out+0x5e/0x70 [ 32.152054] ip_send_skb+0x19/0x50 [ 32.152366] udp_send_skb.isra.0+0x163/0x3a0 [ 32.152736] udp_sendmsg+0xba8/0xec0 [ 32.153060] ? __folio_memcg_unlock+0x25/0x60 [ 32.153445] ? __pfx_ip_generic_getfrag+0x10/0x10 [ 32.153854] ? sock_has_perm+0x85/0xa0 [ 32.154190] inet_sendmsg+0x6d/0x80 [ 32.154508] ? inet_sendmsg+0x6d/0x80 [ 32.154838] sock_sendmsg+0x62/0x70 [ 32.155152] ____sys_sendmsg+0x134/0x290 [ 32.155499] ___sys_sendmsg+0x81/0xc0 [ 32.155828] ? _get_random_bytes.part.0+0x79/0x1a0 [ 32.156240] ? ip4_datagram_release_cb+0x5f/0x1e0 [ 32.156649] ? get_random_u16+0x69/0xf0 [ 32.156989] ? __fget_light+0xcf/0x110 [ 32.157326] __sys_sendmmsg+0xc4/0x210 [ 32.157657] ? __sys_connect+0xb7/0xe0 [ 32.157995] ? __audit_syscall_entry+0xce/0x140 [ 32.158388] ? syscall_trace_enter.isra.0+0x12c/0x1a0 [ 32.158820] __x64_sys_sendmmsg+0x24/0x30 [ 32.159171] do_syscall_64+0x38/0x90 [ 32.159493] entry_SYSCALL_64_after_hwframe+0x72/0xdc Fix that by reducing txq number as the non-existent primary-dev does. 2025-12-30 not yet calculated CVE-2023-54236 https://git.kernel.org/stable/c/105cc268328231d5c2bfcbd03f265cec444a3492
https://git.kernel.org/stable/c/f032e125149d914e542548c17ebd613851031368
https://git.kernel.org/stable/c/2d5cebf57296f0189a61482035ad420384eedead
https://git.kernel.org/stable/c/c942f5cd63b7c2e73fe06744185a34b03267595b
https://git.kernel.org/stable/c/44d250c22209c680f61befbc2ac326da5452da01
https://git.kernel.org/stable/c/e3cbdcb0fbb61045ef3ce0e072927cc41737f787
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/smc: fix potential panic dues to unprotected smc_llc_srv_add_link() There is a certain chance to trigger the following panic: PID: 5900 TASK: ffff88c1c8af4100 CPU: 1 COMMAND: "kworker/1:48" #0 [ffff9456c1cc79a0] machine_kexec at ffffffff870665b7 #1 [ffff9456c1cc79f0] __crash_kexec at ffffffff871b4c7a #2 [ffff9456c1cc7ab0] crash_kexec at ffffffff871b5b60 #3 [ffff9456c1cc7ac0] oops_end at ffffffff87026ce7 #4 [ffff9456c1cc7ae0] page_fault_oops at ffffffff87075715 #5 [ffff9456c1cc7b58] exc_page_fault at ffffffff87ad0654 #6 [ffff9456c1cc7b80] asm_exc_page_fault at ffffffff87c00b62 [exception RIP: ib_alloc_mr+19] RIP: ffffffffc0c9cce3 RSP: ffff9456c1cc7c38 RFLAGS: 00010202 RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000004 RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff88c1ea281d00 R8: 000000020a34ffff R9: ffff88c1350bbb20 R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 R13: 0000000000000010 R14: ffff88c1ab040a50 R15: ffff88c1ea281d00 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #7 [ffff9456c1cc7c60] smc_ib_get_memory_region at ffffffffc0aff6df [smc] #8 [ffff9456c1cc7c88] smcr_buf_map_link at ffffffffc0b0278c [smc] #9 [ffff9456c1cc7ce0] __smc_buf_create at ffffffffc0b03586 [smc] The reason here is that when the server tries to create a second link, smc_llc_srv_add_link() has no protection and may add a new link to link group. This breaks the security environment protected by llc_conf_mutex. 2025-12-30 not yet calculated CVE-2023-54237 https://git.kernel.org/stable/c/f2f46de98c11d41ac8d22765f47ba54ce5480a5b
https://git.kernel.org/stable/c/0c764cc271d3aa6528ae1b3394babf34ac01f775
https://git.kernel.org/stable/c/e40b801b3603a8f90b46acbacdea3505c27f01c0
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mlx5: fix skb leak while fifo resync and push During ptp resync operation SKBs were poped from the fifo but were never freed neither by napi_consume nor by dev_kfree_skb_any. Add call to napi_consume_skb to properly free SKBs. Another leak was happening because mlx5e_skb_fifo_has_room() had an error in the check. Comparing free running counters works well unless C promotes the types to something wider than the counter. In this case counters are u16 but the result of the substraction is promouted to int and it causes wrong result (negative value) of the check when producer have already overlapped but consumer haven't yet. Explicit cast to u16 fixes the issue. 2025-12-30 not yet calculated CVE-2023-54238 https://git.kernel.org/stable/c/234cffda95e1049f58e8ec136ef105c633f0ed19
https://git.kernel.org/stable/c/68504c66d08c70fb92799722e25a932d311d74fd
https://git.kernel.org/stable/c/e435941b1da1a0be4ff8a7ae425774c76a5ac514
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: iommufd: Check for uptr overflow syzkaller found that setting up a map with a user VA that wraps past zero can trigger WARN_ONs, particularly from pin_user_pages weirdly returning 0 due to invalid arguments. Prevent creating a pages with a uptr and size that would math overflow. WARNING: CPU: 0 PID: 518 at drivers/iommu/iommufd/pages.c:793 pfn_reader_user_pin+0x2e6/0x390 Modules linked in: CPU: 0 PID: 518 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:pfn_reader_user_pin+0x2e6/0x390 Code: b1 11 e9 25 fe ff ff e8 28 e4 0f ff 31 ff 48 89 de e8 2e e6 0f ff 48 85 db 74 0a e8 14 e4 0f ff e9 4d ff ff ff e8 0a e4 0f ff <0f> 0b bb f2 ff ff ff e9 3c ff ff ff e8 f9 e3 0f ff ba 01 00 00 00 RSP: 0018:ffffc90000f9fa30 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff821e2b72 RDX: 0000000000000000 RSI: ffff888014184680 RDI: 0000000000000002 RBP: ffffc90000f9fa78 R08: 00000000000000ff R09: 0000000079de6f4e R10: ffffc90000f9f790 R11: ffff888014185418 R12: ffffc90000f9fc60 R13: 0000000000000002 R14: ffff888007879800 R15: 0000000000000000 FS: 00007f4227555740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000043 CR3: 000000000e748005 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <TASK> pfn_reader_next+0x14a/0x7b0 ? interval_tree_double_span_iter_update+0x11a/0x140 pfn_reader_first+0x140/0x1b0 iopt_pages_rw_slow+0x71/0x280 ? __this_cpu_preempt_check+0x20/0x30 iopt_pages_rw_access+0x2b2/0x5b0 iommufd_access_rw+0x19f/0x2f0 iommufd_test+0xd11/0x16f0 ? write_comp_data+0x2f/0x90 iommufd_fops_ioctl+0x206/0x330 __x64_sys_ioctl+0x10e/0x160 ? __pfx_iommufd_fops_ioctl+0x10/0x10 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc 2025-12-30 not yet calculated CVE-2023-54239 https://git.kernel.org/stable/c/800963e7eb001ada8cf2418f159fb649694467f1
https://git.kernel.org/stable/c/e4395701330fc4aee530905039516fe770b81417
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all() rule_locs is allocated in ethtool_get_rxnfc and the size is determined by rule_cnt from user space. So rule_cnt needs to be check before using rule_locs to avoid NULL pointer dereference. 2025-12-30 not yet calculated CVE-2023-54240 https://git.kernel.org/stable/c/7776591e5ae2befff86579f68916a171971c6aab
https://git.kernel.org/stable/c/751b2e22a188b0c306029d094da29b6b8de31430
https://git.kernel.org/stable/c/653fbddbdfc6673bba01b13dae5a4384ad8f92ec
https://git.kernel.org/stable/c/75f2de75c1182e80708c932418e4895dbc88b68f
https://git.kernel.org/stable/c/072324cfab9b96071c0782f51f53cc5aea1e9d5b
https://git.kernel.org/stable/c/ff5faed5f5487b0fd2b640ba1304f82a5ebaab42
https://git.kernel.org/stable/c/fe0195fe48f85182bc7e7eabcad925bd3cbc10f5
https://git.kernel.org/stable/c/e4c79810755f66c9a933ca810da2724133b1165a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: MIPS: KVM: Fix NULL pointer dereference After commit 45c7e8af4a5e3f0bea4ac209 ("MIPS: Remove KVM_TE support") we get a NULL pointer dereference when creating a KVM guest: [ 146.243409] Starting KVM with MIPS VZ extensions [ 149.849151] CPU 3 Unable to handle kernel paging request at virtual address 0000000000000300, epc == ffffffffc06356ec, ra == ffffffffc063568c [ 149.849177] Oops[#1]: [ 149.849182] CPU: 3 PID: 2265 Comm: qemu-system-mip Not tainted 6.4.0-rc3+ #1671 [ 149.849188] Hardware name: THTF CX TL630 Series/THTF-LS3A4000-7A1000-ML4A, BIOS KL4.1F.TF.D.166.201225.R 12/25/2020 [ 149.849192] $ 0 : 0000000000000000 000000007400cce0 0000000000400004 ffffffff8119c740 [ 149.849209] $ 4 : 000000007400cce1 000000007400cce1 0000000000000000 0000000000000000 [ 149.849221] $ 8 : 000000240058bb36 ffffffff81421ac0 0000000000000000 0000000000400dc0 [ 149.849233] $12 : 9800000102a07cc8 ffffffff80e40e38 0000000000000001 0000000000400dc0 [ 149.849245] $16 : 0000000000000000 9800000106cd0000 9800000106cd0000 9800000100cce000 [ 149.849257] $20 : ffffffffc0632b28 ffffffffc05b31b0 9800000100ccca00 0000000000400000 [ 149.849269] $24 : 9800000106cd09ce ffffffff802f69d0 [ 149.849281] $28 : 9800000102a04000 9800000102a07cd0 98000001106a8000 ffffffffc063568c [ 149.849293] Hi : 00000335b2111e66 [ 149.849295] Lo : 6668d90061ae0ae9 [ 149.849298] epc : ffffffffc06356ec kvm_vz_vcpu_setup+0xc4/0x328 [kvm] [ 149.849324] ra : ffffffffc063568c kvm_vz_vcpu_setup+0x64/0x328 [kvm] [ 149.849336] Status: 7400cce3 KX SX UX KERNEL EXL IE [ 149.849351] Cause : 1000000c (ExcCode 03) [ 149.849354] BadVA : 0000000000000300 [ 149.849357] PrId : 0014c004 (ICT Loongson-3) [ 149.849360] Modules linked in: kvm nfnetlink_queue nfnetlink_log nfnetlink fuse sha256_generic libsha256 cfg80211 rfkill binfmt_misc vfat fat snd_hda_codec_hdmi input_leds led_class snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core snd_pcm snd_timer snd serio_raw xhci_pci radeon drm_suballoc_helper drm_display_helper xhci_hcd ip_tables x_tables [ 149.849432] Process qemu-system-mip (pid: 2265, threadinfo=00000000ae2982d2, task=0000000038e09ad4, tls=000000ffeba16030) [ 149.849439] Stack : 9800000000000003 9800000100ccca00 9800000100ccc000 ffffffffc062cef4 [ 149.849453] 9800000102a07d18 c89b63a7ab338e00 0000000000000000 ffffffff811a0000 [ 149.849465] 0000000000000000 9800000106cd0000 ffffffff80e59938 98000001106a8920 [ 149.849476] ffffffff80e57f30 ffffffffc062854c ffffffff811a0000 9800000102bf4240 [ 149.849488] ffffffffc05b0000 ffffffff80e3a798 000000ff78000000 000000ff78000010 [ 149.849500] 0000000000000255 98000001021f7de0 98000001023f0078 ffffffff81434000 [ 149.849511] 0000000000000000 0000000000000000 9800000102ae0000 980000025e92ae28 [ 149.849523] 0000000000000000 c89b63a7ab338e00 0000000000000001 ffffffff8119dce0 [ 149.849535] 000000ff78000010 ffffffff804f3d3c 9800000102a07eb0 0000000000000255 [ 149.849546] 0000000000000000 ffffffff8049460c 000000ff78000010 0000000000000255 [ 149.849558] ... [ 149.849565] Call Trace: [ 149.849567] [<ffffffffc06356ec>] kvm_vz_vcpu_setup+0xc4/0x328 [kvm] [ 149.849586] [<ffffffffc062cef4>] kvm_arch_vcpu_create+0x184/0x228 [kvm] [ 149.849605] [<ffffffffc062854c>] kvm_vm_ioctl+0x64c/0xf28 [kvm] [ 149.849623] [<ffffffff805209c0>] sys_ioctl+0xc8/0x118 [ 149.849631] [<ffffffff80219eb0>] syscall_common+0x34/0x58 The root cause is the deletion of kvm_mips_commpage_init() leaves vcpu ->arch.cop0 NULL. So fix it by making cop0 from a pointer to an embedded object. 2025-12-30 not yet calculated CVE-2023-54241 https://git.kernel.org/stable/c/cd517f9a9d07d41f4f3593b1da3982261e09d162
https://git.kernel.org/stable/c/bd9cf2a5f9e1b2229ad22f21de6f6ad1a9c8858e
https://git.kernel.org/stable/c/6b9fb255d53759e3ea9b30067cb55091df1caf06
https://git.kernel.org/stable/c/e4de2057698636c0ee709e545d19b169d2069fa3
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: block, bfq: Fix division by zero error on zero wsum When the weighted sum is zero the calculation of limit causes a division by zero error. Fix this by continuing to the next level. This was discovered by running as root: stress-ng --ioprio 0 Fixes divison by error oops: [ 521.450556] divide error: 0000 [#1] SMP NOPTI [ 521.450766] CPU: 2 PID: 2684464 Comm: stress-ng-iopri Not tainted 6.2.1-1280.native #1 [ 521.451117] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014 [ 521.451627] RIP: 0010:bfqq_request_over_limit+0x207/0x400 [ 521.451875] Code: 01 48 8d 0c c8 74 0b 48 8b 82 98 00 00 00 48 8d 0c c8 8b 85 34 ff ff ff 48 89 ca 41 0f af 41 50 48 d1 ea 48 98 48 01 d0 31 d2 <48> f7 f1 41 39 41 48 89 85 34 ff ff ff 0f 8c 7b 01 00 00 49 8b 44 [ 521.452699] RSP: 0018:ffffb1af84eb3948 EFLAGS: 00010046 [ 521.452938] RAX: 000000000000003c RBX: 0000000000000000 RCX: 0000000000000000 [ 521.453262] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb1af84eb3978 [ 521.453584] RBP: ffffb1af84eb3a30 R08: 0000000000000001 R09: ffff8f88ab8a4ba0 [ 521.453905] R10: 0000000000000000 R11: 0000000000000001 R12: ffff8f88ab8a4b18 [ 521.454224] R13: ffff8f8699093000 R14: 0000000000000001 R15: ffffb1af84eb3970 [ 521.454549] FS: 00005640b6b0b580(0000) GS:ffff8f88b3880000(0000) knlGS:0000000000000000 [ 521.454912] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 521.455170] CR2: 00007ffcbcae4e38 CR3: 00000002e46de001 CR4: 0000000000770ee0 [ 521.455491] PKRU: 55555554 [ 521.455619] Call Trace: [ 521.455736] <TASK> [ 521.455837] ? bfq_request_merge+0x3a/0xc0 [ 521.456027] ? elv_merge+0x115/0x140 [ 521.456191] bfq_limit_depth+0xc8/0x240 [ 521.456366] __blk_mq_alloc_requests+0x21a/0x2c0 [ 521.456577] blk_mq_submit_bio+0x23c/0x6c0 [ 521.456766] __submit_bio+0xb8/0x140 [ 521.457236] submit_bio_noacct_nocheck+0x212/0x300 [ 521.457748] submit_bio_noacct+0x1a6/0x580 [ 521.458220] submit_bio+0x43/0x80 [ 521.458660] ext4_io_submit+0x23/0x80 [ 521.459116] ext4_do_writepages+0x40a/0xd00 [ 521.459596] ext4_writepages+0x65/0x100 [ 521.460050] do_writepages+0xb7/0x1c0 [ 521.460492] __filemap_fdatawrite_range+0xa6/0x100 [ 521.460979] file_write_and_wait_range+0xbf/0x140 [ 521.461452] ext4_sync_file+0x105/0x340 [ 521.461882] __x64_sys_fsync+0x67/0x100 [ 521.462305] ? syscall_exit_to_user_mode+0x2c/0x1c0 [ 521.462768] do_syscall_64+0x3b/0xc0 [ 521.463165] entry_SYSCALL_64_after_hwframe+0x5a/0xc4 [ 521.463621] RIP: 0033:0x5640b6c56590 [ 521.464006] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 80 3d 71 70 0e 00 00 74 17 b8 4a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 2025-12-30 not yet calculated CVE-2023-54242 https://git.kernel.org/stable/c/1655cfc85250a224b0d9486c8136baeea33b9b5c
https://git.kernel.org/stable/c/c0346a59d719461248c6dc6f21c9e55ef836b66f
https://git.kernel.org/stable/c/e53413f8deedf738a6782cc14cc00bd5852ccf18
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: netfilter: ebtables: fix table blob use-after-free We are not allowed to return an error at this point. Looking at the code it looks like ret is always 0 at this point, but its not. t = find_table_lock(net, repl->name, &ret, &ebt_mutex); ... this can return a valid table, with ret != 0. This bug causes update of table->private with the new blob, but then frees the blob right away in the caller. Syzbot report: BUG: KASAN: vmalloc-out-of-bounds in __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168 Read of size 4 at addr ffffc90005425000 by task kworker/u4:4/74 Workqueue: netns cleanup_net Call Trace: kasan_report+0xbf/0x1f0 mm/kasan/report.c:517 __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168 ebt_unregister_table+0x35/0x40 net/bridge/netfilter/ebtables.c:1372 ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169 cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:613 ... ip(6)tables appears to be ok (ret should be 0 at this point) but make this more obvious. 2025-12-30 not yet calculated CVE-2023-54243 https://git.kernel.org/stable/c/9060abce3305ab2354c892c09d5689df51486df5
https://git.kernel.org/stable/c/dbb3cbbf03b3c52cb390fabec357f1e4638004f5
https://git.kernel.org/stable/c/3dd6ac973351308d4117eda32298a9f1d68764fd
https://git.kernel.org/stable/c/cda0e0243bd3c04008fcd37a46b0269fb3c49249
https://git.kernel.org/stable/c/e58a171d35e32e6e8c37cfe0e8a94406732a331f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ACPI: EC: Fix oops when removing custom query handlers When removing custom query handlers, the handler might still be used inside the EC query workqueue, causing a kernel oops if the module holding the callback function was already unloaded. Fix this by flushing the EC query workqueue when removing custom query handlers. Tested on a Acer Travelmate 4002WLMi 2025-12-30 not yet calculated CVE-2023-54244 https://git.kernel.org/stable/c/130e3eac51912f2c866e7d035992ede25f8feac0
https://git.kernel.org/stable/c/0d528a7c421b1f1772fc1d29370b3b5fc0f42b19
https://git.kernel.org/stable/c/ccae2233e9935a038a35fe8cfd703df905f700e7
https://git.kernel.org/stable/c/066b90bca755f0b876e7b027b75d1796861d6db0
https://git.kernel.org/stable/c/f4a573eed6377d356f835a4b00099d5dacee0da0
https://git.kernel.org/stable/c/86a159fd5bdb01ec34b160cfda1a313b616d9302
https://git.kernel.org/stable/c/fd2c99e81ae0dbdd62a154ef9c77fc01715cc020
https://git.kernel.org/stable/c/e5b492c6bb900fcf9722e05f4a10924410e170c1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: tx-macro: Fix for KASAN: slab-out-of-bounds When we run syzkaller we get below Out of Bound. "KASAN: slab-out-of-bounds Read in regcache_flat_read" Below is the backtrace of the issue: dump_backtrace+0x0/0x4c8 show_stack+0x34/0x44 dump_stack_lvl+0xd8/0x118 print_address_description+0x30/0x2d8 kasan_report+0x158/0x198 __asan_report_load4_noabort+0x44/0x50 regcache_flat_read+0x10c/0x110 regcache_read+0xf4/0x180 _regmap_read+0xc4/0x278 _regmap_update_bits+0x130/0x290 regmap_update_bits_base+0xc0/0x15c snd_soc_component_update_bits+0xa8/0x22c snd_soc_component_write_field+0x68/0xd4 tx_macro_digital_mute+0xec/0x140 Actually There is no need to have decimator with 32 bits. By limiting the variable with short type u8 issue is resolved. 2025-12-30 not yet calculated CVE-2023-54245 https://git.kernel.org/stable/c/da35a4e6eee5d73886312e85322a6e97df901987
https://git.kernel.org/stable/c/57f9a9a232bde7abfe49c3072b29a255da9ba891
https://git.kernel.org/stable/c/b0cd740a31412340fead50e69e4fe9bc3781c754
https://git.kernel.org/stable/c/e5e7e398f6bb7918dab0612eb6991f7bae95520d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: rcuscale: Move rcu_scale_writer() schedule_timeout_uninterruptible() to _idle() The rcuscale.holdoff module parameter can be used to delay the start of rcu_scale_writer() kthread. However, the hung-task timeout will trigger when the timeout specified by rcuscale.holdoff is greater than hung_task_timeout_secs: runqemu kvm nographic slirp qemuparams="-smp 4 -m 2048M" bootparams="rcuscale.shutdown=0 rcuscale.holdoff=300" [ 247.071753] INFO: task rcu_scale_write:59 blocked for more than 122 seconds. [ 247.072529] Not tainted 6.4.0-rc1-00134-gb9ed6de8d4ff #7 [ 247.073400] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 247.074331] task:rcu_scale_write state:D stack:30144 pid:59 ppid:2 flags:0x00004000 [ 247.075346] Call Trace: [ 247.075660] <TASK> [ 247.075965] __schedule+0x635/0x1280 [ 247.076448] ? __pfx___schedule+0x10/0x10 [ 247.076967] ? schedule_timeout+0x2dc/0x4d0 [ 247.077471] ? __pfx_lock_release+0x10/0x10 [ 247.078018] ? enqueue_timer+0xe2/0x220 [ 247.078522] schedule+0x84/0x120 [ 247.078957] schedule_timeout+0x2e1/0x4d0 [ 247.079447] ? __pfx_schedule_timeout+0x10/0x10 [ 247.080032] ? __pfx_rcu_scale_writer+0x10/0x10 [ 247.080591] ? __pfx_process_timeout+0x10/0x10 [ 247.081163] ? __pfx_sched_set_fifo_low+0x10/0x10 [ 247.081760] ? __pfx_rcu_scale_writer+0x10/0x10 [ 247.082287] rcu_scale_writer+0x6b1/0x7f0 [ 247.082773] ? mark_held_locks+0x29/0xa0 [ 247.083252] ? __pfx_rcu_scale_writer+0x10/0x10 [ 247.083865] ? __pfx_rcu_scale_writer+0x10/0x10 [ 247.084412] kthread+0x179/0x1c0 [ 247.084759] ? __pfx_kthread+0x10/0x10 [ 247.085098] ret_from_fork+0x2c/0x50 [ 247.085433] </TASK> This commit therefore replaces schedule_timeout_uninterruptible() with schedule_timeout_idle(). 2025-12-30 not yet calculated CVE-2023-54246 https://git.kernel.org/stable/c/55887adc76e19aec9763186e2c1d0a3481d20e96
https://git.kernel.org/stable/c/4f03fba096bfded90e0d71eba8839a46922164d1
https://git.kernel.org/stable/c/83ed0cdb6ae0383dd14b02375c353773836884ed
https://git.kernel.org/stable/c/9416dccb31fdb190d25d57e97674f232651f6560
https://git.kernel.org/stable/c/e60c122a1614b4f65b29a7bef9d83b9fd30e937a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Silence a warning in btf_type_id_size() syzbot reported a warning in [1] with the following stacktrace: WARNING: CPU: 0 PID: 5005 at kernel/bpf/btf.c:1988 btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988 ... RIP: 0010:btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988 ... Call Trace: <TASK> map_check_btf kernel/bpf/syscall.c:1024 [inline] map_create+0x1157/0x1860 kernel/bpf/syscall.c:1198 __sys_bpf+0x127f/0x5420 kernel/bpf/syscall.c:5040 __do_sys_bpf kernel/bpf/syscall.c:5162 [inline] __se_sys_bpf kernel/bpf/syscall.c:5160 [inline] __x64_sys_bpf+0x79/0xc0 kernel/bpf/syscall.c:5160 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd With the following btf [1] DECL_TAG 'a' type_id=4 component_idx=-1 [2] PTR '(anon)' type_id=0 [3] TYPE_TAG 'a' type_id=2 [4] VAR 'a' type_id=3, linkage=static and when the bpf_attr.btf_key_type_id = 1 (DECL_TAG), the following WARN_ON_ONCE in btf_type_id_size() is triggered: if (WARN_ON_ONCE(!btf_type_is_modifier(size_type) && !btf_type_is_var(size_type))) return NULL; Note that 'return NULL' is the correct behavior as we don't want a DECL_TAG type to be used as a btf_{key,value}_type_id even for the case like 'DECL_TAG -> STRUCT'. So there is no correctness issue here, we just want to silence warning. To silence the warning, I added DECL_TAG as one of kinds in btf_type_nosize() which will cause btf_type_id_size() returning NULL earlier without the warning. [1] https://lore.kernel.org/bpf/000000000000e0df8d05fc75ba86@google.com/ 2025-12-30 not yet calculated CVE-2023-54247 https://git.kernel.org/stable/c/61f4bd46a03a81865aca3bcbad2f7b7032fb3160
https://git.kernel.org/stable/c/7c4f5ab63e7962812505cbd38cc765168a223acb
https://git.kernel.org/stable/c/e6c2f594ed961273479505b42040782820190305
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add check for kmemdup Since the kmemdup may return NULL pointer, it should be better to add check for the return value in order to avoid NULL pointer dereference. 2025-12-30 not yet calculated CVE-2023-54248 https://git.kernel.org/stable/c/952bbfcedbf895963509861e55a6e4fc105eb842
https://git.kernel.org/stable/c/7898db22ed6cee909513cf4935b5f9f0298b74f0
https://git.kernel.org/stable/c/9f36704a58adade3b0216f8a3fa5503db4517208
https://git.kernel.org/stable/c/cdcdfd57f4c701f832787da1309cc6687917d783
https://git.kernel.org/stable/c/e6c3cef24cb0d045f99d5cb039b344874e3cfd74
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bus: mhi: ep: Only send -ENOTCONN status if client driver is available For the STOP and RESET commands, only send the channel disconnect status -ENOTCONN if client driver is available. Otherwise, it will result in null pointer dereference. 2025-12-30 not yet calculated CVE-2023-54249 https://git.kernel.org/stable/c/353aea15d6edbd4e69e039356a1bd3e641f7d952
https://git.kernel.org/stable/c/860ad591056d7e4dc30bc130b6ec6e6d70930c85
https://git.kernel.org/stable/c/e6cebcc27519dcf1652e604c73b9fd4f416987c0
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ksmbd: avoid out of bounds access in decode_preauth_ctxt() Confirm that the accessed pneg_ctxt->HashAlgorithms address sits within the SMB request boundary; deassemble_neg_contexts() only checks that the eight byte smb2_neg_context header + (client controlled) DataLength are within the packet boundary, which is insufficient. Checking for sizeof(struct smb2_preauth_neg_context) is overkill given that the type currently assumes SMB311_SALT_SIZE bytes of trailing Salt. 2025-12-30 not yet calculated CVE-2023-54250 https://git.kernel.org/stable/c/39f5b4b313b445c980a2a295bed28228c29228ed
https://git.kernel.org/stable/c/a2f6ded41bec1d3be643c80a5eb97f1680309001
https://git.kernel.org/stable/c/f02edb9debbd36f44efa7567031485892c7df60d
https://git.kernel.org/stable/c/e7067a446264a7514fa1cfaa4052cdb6803bc6a2
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX. syzkaller found zero division error [0] in div_s64_rem() called from get_cycle_time_elapsed(), where sched->cycle_time is the divisor. We have tests in parse_taprio_schedule() so that cycle_time will never be 0, and actually cycle_time is not 0 in get_cycle_time_elapsed(). The problem is that the types of divisor are different; cycle_time is s64, but the argument of div_s64_rem() is s32. syzkaller fed this input and 0x100000000 is cast to s32 to be 0. @TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME={0xc, 0x8, 0x100000000} We use s64 for cycle_time to cast it to ktime_t, so let's keep it and set max for cycle_time. While at it, we prevent overflow in setup_txtime() and add another test in parse_taprio_schedule() to check if cycle_time overflows. Also, we add a new tdc test case for this issue. [0]: divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 1 PID: 103 Comm: kworker/1:3 Not tainted 6.5.0-rc1-00330-g60cc1f7d0605 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: ipv6_addrconf addrconf_dad_work RIP: 0010:div_s64_rem include/linux/math64.h:42 [inline] RIP: 0010:get_cycle_time_elapsed net/sched/sch_taprio.c:223 [inline] RIP: 0010:find_entry_to_transmit+0x252/0x7e0 net/sched/sch_taprio.c:344 Code: 3c 02 00 0f 85 5e 05 00 00 48 8b 4c 24 08 4d 8b bd 40 01 00 00 48 8b 7c 24 48 48 89 c8 4c 29 f8 48 63 f7 48 99 48 89 74 24 70 <48> f7 fe 48 29 d1 48 8d 04 0f 49 89 cc 48 89 44 24 20 49 8d 85 10 RSP: 0018:ffffc90000acf260 EFLAGS: 00010206 RAX: 177450e0347560cf RBX: 0000000000000000 RCX: 177450e0347560cf RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000100000000 RBP: 0000000000000056 R08: 0000000000000000 R09: ffffed10020a0934 R10: ffff8880105049a7 R11: ffff88806cf3a520 R12: ffff888010504800 R13: ffff88800c00d800 R14: ffff8880105049a0 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f0edf84f0e8 CR3: 000000000d73c002 CR4: 0000000000770ee0 PKRU: 55555554 Call Trace: <TASK> get_packet_txtime net/sched/sch_taprio.c:508 [inline] taprio_enqueue_one+0x900/0xff0 net/sched/sch_taprio.c:577 taprio_enqueue+0x378/0xae0 net/sched/sch_taprio.c:658 dev_qdisc_enqueue+0x46/0x170 net/core/dev.c:3732 __dev_xmit_skb net/core/dev.c:3821 [inline] __dev_queue_xmit+0x1b2f/0x3000 net/core/dev.c:4169 dev_queue_xmit include/linux/netdevice.h:3088 [inline] neigh_resolve_output net/core/neighbour.c:1552 [inline] neigh_resolve_output+0x4a7/0x780 net/core/neighbour.c:1532 neigh_output include/net/neighbour.h:544 [inline] ip6_finish_output2+0x924/0x17d0 net/ipv6/ip6_output.c:135 __ip6_finish_output+0x620/0xaa0 net/ipv6/ip6_output.c:196 ip6_finish_output net/ipv6/ip6_output.c:207 [inline] NF_HOOK_COND include/linux/netfilter.h:292 [inline] ip6_output+0x206/0x410 net/ipv6/ip6_output.c:228 dst_output include/net/dst.h:458 [inline] NF_HOOK.constprop.0+0xea/0x260 include/linux/netfilter.h:303 ndisc_send_skb+0x872/0xe80 net/ipv6/ndisc.c:508 ndisc_send_ns+0xb5/0x130 net/ipv6/ndisc.c:666 addrconf_dad_work+0xc14/0x13f0 net/ipv6/addrconf.c:4175 process_one_work+0x92c/0x13a0 kernel/workqueue.c:2597 worker_thread+0x60f/0x1240 kernel/workqueue.c:2748 kthread+0x2fe/0x3f0 kernel/kthread.c:389 ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308 </TASK> Modules linked in: 2025-12-30 not yet calculated CVE-2023-54251 https://git.kernel.org/stable/c/f04f6d9b3b060f7e11219a65a76da65f1489e391
https://git.kernel.org/stable/c/0b45af982a4df0b14fb8669ee2a871cfdfa6a39c
https://git.kernel.org/stable/c/57b3fe08ae06ef11af007b4a182629b12a961e30
https://git.kernel.org/stable/c/e739718444f7bf2fa3d70d101761ad83056ca628
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: platform/x86: think-lmi: Fix memory leaks when parsing ThinkStation WMI strings My previous commit introduced a memory leak where the item allocated from tlmi_setting was not freed. This commit also renames it to avoid confusion with the similarly name variable in the same function. 2025-12-30 not yet calculated CVE-2023-54252 https://git.kernel.org/stable/c/cccdb30935c82be805d3362a15680b95d5cb3ee0
https://git.kernel.org/stable/c/081da7b1c881828244b93b3befb7c18389f696bb
https://git.kernel.org/stable/c/43fc0342bac1808fda2b76184e43414727111c6b
https://git.kernel.org/stable/c/e7d796fccdc8d17c2d21817ebe4c7bf5bbfe5433
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: set page extent mapped after read_folio in relocate_one_page One of the CI runs triggered the following panic assertion failed: PagePrivate(page) && page->private, in fs/btrfs/subpage.c:229 ------------[ cut here ]------------ kernel BUG at fs/btrfs/subpage.c:229! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP CPU: 0 PID: 923660 Comm: btrfs Not tainted 6.5.0-rc3+ #1 pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : btrfs_subpage_assert+0xbc/0xf0 lr : btrfs_subpage_assert+0xbc/0xf0 sp : ffff800093213720 x29: ffff800093213720 x28: ffff8000932138b4 x27: 000000000c280000 x26: 00000001b5d00000 x25: 000000000c281000 x24: 000000000c281fff x23: 0000000000001000 x22: 0000000000000000 x21: ffffff42b95bf880 x20: ffff42b9528e0000 x19: 0000000000001000 x18: ffffffffffffffff x17: 667274622f736620 x16: 6e69202c65746176 x15: 0000000000000028 x14: 0000000000000003 x13: 00000000002672d7 x12: 0000000000000000 x11: ffffcd3f0ccd9204 x10: ffffcd3f0554ae50 x9 : ffffcd3f0379528c x8 : ffff800093213428 x7 : 0000000000000000 x6 : ffffcd3f091771e8 x5 : ffff42b97f333948 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : ffff42b9556cde80 x0 : 000000000000004f Call trace: btrfs_subpage_assert+0xbc/0xf0 btrfs_subpage_set_dirty+0x38/0xa0 btrfs_page_set_dirty+0x58/0x88 relocate_one_page+0x204/0x5f0 relocate_file_extent_cluster+0x11c/0x180 relocate_data_extent+0xd0/0xf8 relocate_block_group+0x3d0/0x4e8 btrfs_relocate_block_group+0x2d8/0x490 btrfs_relocate_chunk+0x54/0x1a8 btrfs_balance+0x7f4/0x1150 btrfs_ioctl+0x10f0/0x20b8 __arm64_sys_ioctl+0x120/0x11d8 invoke_syscall.constprop.0+0x80/0xd8 do_el0_svc+0x6c/0x158 el0_svc+0x50/0x1b0 el0t_64_sync_handler+0x120/0x130 el0t_64_sync+0x194/0x198 Code: 91098021 b0007fa0 91346000 97e9c6d2 (d4210000) This is the same problem outlined in 17b17fcd6d44 ("btrfs: set_page_extent_mapped after read_folio in btrfs_cont_expand") , and the fix is the same. I originally looked for the same pattern elsewhere in our code, but mistakenly skipped over this code because I saw the page cache readahead before we set_page_extent_mapped, not realizing that this was only in the !page case, that we can still end up with a !uptodate page and then do the btrfs_read_folio further down. The fix here is the same as the above mentioned patch, move the set_page_extent_mapped call to after the btrfs_read_folio() block to make sure that we have the subpage blocksize stuff setup properly before using the page. 2025-12-30 not yet calculated CVE-2023-54253 https://git.kernel.org/stable/c/08daa38ca212d87f77beae839bc9be71079c7abf
https://git.kernel.org/stable/c/9d1e020ed9649cf140fcfafd052cfdcce9e9d67d
https://git.kernel.org/stable/c/e7f1326cc24e22b38afc3acd328480a1183f9e79
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Don't leak a resource on eviction error On eviction errors other than -EMULTIHOP we were leaking a resource. Fix. v2: - Avoid yet another goto (Andi Shyti) 2025-12-30 not yet calculated CVE-2023-54254 https://git.kernel.org/stable/c/7738335d73d0686ec8995e0448e5d1b48cffb2a4
https://git.kernel.org/stable/c/e9c44738cb1f537b177cc1beabcf6913690460cd
https://git.kernel.org/stable/c/6aea0032380bbb1efebd598ad733d16925167921
https://git.kernel.org/stable/c/e8188c461ee015ba0b9ab2fc82dbd5ebca5a5532
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: sh: dma: Fix DMA channel offset calculation Various SoCs of the SH3, SH4 and SH4A family, which use this driver, feature a differing number of DMA channels, which can be distributed between up to two DMAC modules. The existing implementation fails to correctly accommodate for all those variations, resulting in wrong channel offset calculations and leading to kernel panics. Rewrite dma_base_addr() in order to properly calculate channel offsets in a DMAC module. Fix dmaor_read_reg() and dmaor_write_reg(), so that the correct DMAC module base is selected for the DMAOR register. 2025-12-30 not yet calculated CVE-2023-54255 https://git.kernel.org/stable/c/bca700b48c72f4ffeee977a2ed0eb4a6b4b7b8ad
https://git.kernel.org/stable/c/479380acfa63247b5ac62476138f847aefc62692
https://git.kernel.org/stable/c/4989627157735c1f1619f08e5bc1592418e7c878
https://git.kernel.org/stable/c/d1c946552af299f4fa85bf7da15e328123771128
https://git.kernel.org/stable/c/196f6c71905aa384c0177acf194a1144d480333b
https://git.kernel.org/stable/c/8fb11fa4805699c6b73a9c8a9d45807f9874abe3
https://git.kernel.org/stable/c/e9e33faea104381bac80ac79328f0540fc2969f2
https://git.kernel.org/stable/c/e82e47584847129a20b8c9f4a1dcde09374fb0e0
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: macb: fix a memory corruption in extended buffer descriptor mode For quite some time we were chasing a bug which looked like a sudden permanent failure of networking and mmc on some of our devices. The bug was very sensitive to any software changes and even more to any kernel debug options. Finally we got a setup where the problem was reproducible with CONFIG_DMA_API_DEBUG=y and it revealed the issue with the rx dma: [ 16.992082] ------------[ cut here ]------------ [ 16.996779] DMA-API: macb ff0b0000.ethernet: device driver tries to free DMA memory it has not allocated [device address=0x0000000875e3e244] [size=1536 bytes] [ 17.011049] WARNING: CPU: 0 PID: 85 at kernel/dma/debug.c:1011 check_unmap+0x6a0/0x900 [ 17.018977] Modules linked in: xxxxx [ 17.038823] CPU: 0 PID: 85 Comm: irq/55-8000f000 Not tainted 5.4.0 #28 [ 17.045345] Hardware name: xxxxx [ 17.049528] pstate: 60000005 (nZCv daif -PAN -UAO) [ 17.054322] pc : check_unmap+0x6a0/0x900 [ 17.058243] lr : check_unmap+0x6a0/0x900 [ 17.062163] sp : ffffffc010003c40 [ 17.065470] x29: ffffffc010003c40 x28: 000000004000c03c [ 17.070783] x27: ffffffc010da7048 x26: ffffff8878e38800 [ 17.076095] x25: ffffff8879d22810 x24: ffffffc010003cc8 [ 17.081407] x23: 0000000000000000 x22: ffffffc010a08750 [ 17.086719] x21: ffffff8878e3c7c0 x20: ffffffc010acb000 [ 17.092032] x19: 0000000875e3e244 x18: 0000000000000010 [ 17.097343] x17: 0000000000000000 x16: 0000000000000000 [ 17.102647] x15: ffffff8879e4a988 x14: 0720072007200720 [ 17.107959] x13: 0720072007200720 x12: 0720072007200720 [ 17.113261] x11: 0720072007200720 x10: 0720072007200720 [ 17.118565] x9 : 0720072007200720 x8 : 000000000000022d [ 17.123869] x7 : 0000000000000015 x6 : 0000000000000098 [ 17.129173] x5 : 0000000000000000 x4 : 0000000000000000 [ 17.134475] x3 : 00000000ffffffff x2 : ffffffc010a1d370 [ 17.139778] x1 : b420c9d75d27bb00 x0 : 0000000000000000 [ 17.145082] Call trace: [ 17.147524] check_unmap+0x6a0/0x900 [ 17.151091] debug_dma_unmap_page+0x88/0x90 [ 17.155266] gem_rx+0x114/0x2f0 [ 17.158396] macb_poll+0x58/0x100 [ 17.161705] net_rx_action+0x118/0x400 [ 17.165445] __do_softirq+0x138/0x36c [ 17.169100] irq_exit+0x98/0xc0 [ 17.172234] __handle_domain_irq+0x64/0xc0 [ 17.176320] gic_handle_irq+0x5c/0xc0 [ 17.179974] el1_irq+0xb8/0x140 [ 17.183109] xiic_process+0x5c/0xe30 [ 17.186677] irq_thread_fn+0x28/0x90 [ 17.190244] irq_thread+0x208/0x2a0 [ 17.193724] kthread+0x130/0x140 [ 17.196945] ret_from_fork+0x10/0x20 [ 17.200510] ---[ end trace 7240980785f81d6f ]--- [ 237.021490] ------------[ cut here ]------------ [ 237.026129] DMA-API: exceeded 7 overlapping mappings of cacheline 0x0000000021d79e7b [ 237.033886] WARNING: CPU: 0 PID: 0 at kernel/dma/debug.c:499 add_dma_entry+0x214/0x240 [ 237.041802] Modules linked in: xxxxx [ 237.061637] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 5.4.0 #28 [ 237.068941] Hardware name: xxxxx [ 237.073116] pstate: 80000085 (Nzcv daIf -PAN -UAO) [ 237.077900] pc : add_dma_entry+0x214/0x240 [ 237.081986] lr : add_dma_entry+0x214/0x240 [ 237.086072] sp : ffffffc010003c30 [ 237.089379] x29: ffffffc010003c30 x28: ffffff8878a0be00 [ 237.094683] x27: 0000000000000180 x26: ffffff8878e387c0 [ 237.099987] x25: 0000000000000002 x24: 0000000000000000 [ 237.105290] x23: 000000000000003b x22: ffffffc010a0fa00 [ 237.110594] x21: 0000000021d79e7b x20: ffffffc010abe600 [ 237.115897] x19: 00000000ffffffef x18: 0000000000000010 [ 237.121201] x17: 0000000000000000 x16: 0000000000000000 [ 237.126504] x15: ffffffc010a0fdc8 x14: 0720072007200720 [ 237.131807] x13: 0720072007200720 x12: 0720072007200720 [ 237.137111] x11: 0720072007200720 x10: 0720072007200720 [ 237.142415] x9 : 0720072007200720 x8 : 0000000000000259 [ 237.147718] x7 : 0000000000000001 x6 : 0000000000000000 [ 237.15302 ---truncated--- 2025-12-30 not yet calculated CVE-2023-54257 https://git.kernel.org/stable/c/dd7a49a3eaf723a01b2fdf153f98450a82b0b0fe
https://git.kernel.org/stable/c/82e626af24683e01211abe66cec27a387f8f17c9
https://git.kernel.org/stable/c/7169d1638824c4bf7e0fe0baad381ddec861fa70
https://git.kernel.org/stable/c/1bec9da233f779e7b6954ee07ad7e6d8f2a4dd83
https://git.kernel.org/stable/c/7ccc58a1a75601c936069d4a0741940623990ade
https://git.kernel.org/stable/c/9412a9bf5952cdf5d0f736cc1e8c68fd366c2d47
https://git.kernel.org/stable/c/5dcf3a6843d0d7cc76960fbe8511d425f217744c
https://git.kernel.org/stable/c/e8b74453555872851bdd7ea43a7c0ec39659834f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: cifs: fix potential oops in cifs_oplock_break With deferred close we can have closes that race with lease breaks, and so with the current checks for whether to send the lease response, oplock_response(), this can mean that an unmount (kill_sb) can occur just before we were checking if the tcon->ses is valid. See below: [Fri Aug 4 04:12:50 2023] RIP: 0010:cifs_oplock_break+0x1f7/0x5b0 [cifs] [Fri Aug 4 04:12:50 2023] Code: 7d a8 48 8b 7d c0 c0 e9 02 48 89 45 b8 41 89 cf e8 3e f5 ff ff 4c 89 f7 41 83 e7 01 e8 82 b3 03 f2 49 8b 45 50 48 85 c0 74 5e <48> 83 78 60 00 74 57 45 84 ff 75 52 48 8b 43 98 48 83 eb 68 48 39 [Fri Aug 4 04:12:50 2023] RSP: 0018:ffffb30607ddbdf8 EFLAGS: 00010206 [Fri Aug 4 04:12:50 2023] RAX: 632d223d32612022 RBX: ffff97136944b1e0 RCX: 0000000080100009 [Fri Aug 4 04:12:50 2023] RDX: 0000000000000001 RSI: 0000000080100009 RDI: ffff97136944b188 [Fri Aug 4 04:12:50 2023] RBP: ffffb30607ddbe58 R08: 0000000000000001 R09: ffffffffc08e0900 [Fri Aug 4 04:12:50 2023] R10: 0000000000000001 R11: 000000000000000f R12: ffff97136944b138 [Fri Aug 4 04:12:50 2023] R13: ffff97149147c000 R14: ffff97136944b188 R15: 0000000000000000 [Fri Aug 4 04:12:50 2023] FS: 0000000000000000(0000) GS:ffff9714f7c00000(0000) knlGS:0000000000000000 [Fri Aug 4 04:12:50 2023] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [Fri Aug 4 04:12:50 2023] CR2: 00007fd8de9c7590 CR3: 000000011228e000 CR4: 0000000000350ef0 [Fri Aug 4 04:12:50 2023] Call Trace: [Fri Aug 4 04:12:50 2023] <TASK> [Fri Aug 4 04:12:50 2023] process_one_work+0x225/0x3d0 [Fri Aug 4 04:12:50 2023] worker_thread+0x4d/0x3e0 [Fri Aug 4 04:12:50 2023] ? process_one_work+0x3d0/0x3d0 [Fri Aug 4 04:12:50 2023] kthread+0x12a/0x150 [Fri Aug 4 04:12:50 2023] ? set_kthread_struct+0x50/0x50 [Fri Aug 4 04:12:50 2023] ret_from_fork+0x22/0x30 [Fri Aug 4 04:12:50 2023] </TASK> To fix this change the ordering of the checks before sending the oplock_response to first check if the openFileList is empty. 2025-12-30 not yet calculated CVE-2023-54258 https://git.kernel.org/stable/c/b99f490ea87ebcca3a429fd8837067feb56a4c7c
https://git.kernel.org/stable/c/5ee28bcfbaacf289eb25c662a2862542ea6ce6a7
https://git.kernel.org/stable/c/6b67a6d2e50634fe127e656147c81915955e9f5e
https://git.kernel.org/stable/c/e8f5f849ffce24490eb9449e98312b66c0dba76f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: soundwire: bus: Fix unbalanced pm_runtime_put() causing usage count underflow This reverts commit 443a98e649b4 ("soundwire: bus: use pm_runtime_resume_and_get()") Change calls to pm_runtime_resume_and_get() back to pm_runtime_get_sync(). This fixes a usage count underrun caused by doing a pm_runtime_put() even though pm_runtime_resume_and_get() returned an error. The three affected functions ignore -EACCES error from trying to get pm_runtime, and carry on, including a put at the end of the function. But pm_runtime_resume_and_get() does not increment the usage count if it returns an error. So in the -EACCES case you must not call pm_runtime_put(). The documentation for pm_runtime_get_sync() says: "Consider using pm_runtime_resume_and_get() ... as this is likely to result in cleaner code." In this case I don't think it results in cleaner code because the pm_runtime_put() at the end of the function would have to be conditional on the return value from pm_runtime_resume_and_get() at the top of the function. pm_runtime_get_sync() doesn't have this problem because it always increments the count, so always needs a put. The code can just flow through and do the pm_runtime_put() unconditionally. 2025-12-30 not yet calculated CVE-2023-54259 https://git.kernel.org/stable/c/4e5e9da139c007dfc397a159093b4c4187ee67fa
https://git.kernel.org/stable/c/203aa4374c433159f163acde2d0bd4118f23bbaf
https://git.kernel.org/stable/c/e9537962519e88969f5f69cd0571eb4f6984403c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: cifs: Fix lost destroy smbd connection when MR allocate failed If the MR allocate failed, the smb direct connection info is NULL, then smbd_destroy() will directly return, then the connection info will be leaked. Let's set the smb direct connection info to the server before call smbd_destroy(). 2025-12-30 not yet calculated CVE-2023-54260 https://git.kernel.org/stable/c/d303e25887127364a6765eaf7ac68aa2bac518a9
https://git.kernel.org/stable/c/324c0c34fff1affd436e509325cb46739209704e
https://git.kernel.org/stable/c/caac205e0d5b44c4c23a10c6c0976d50ebe16ac2
https://git.kernel.org/stable/c/46cd6c639cddba2bd2d810ceb16bb20374ad75b0
https://git.kernel.org/stable/c/c51ae01104b318bf15f3c5097faba5c72addba7a
https://git.kernel.org/stable/c/04b7e13b8a13264282f874db5378fc3d3253cfac
https://git.kernel.org/stable/c/e9d3401d95d62a9531082cd2453ed42f2740e3fd
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Add missing gfx11 MQD manager callbacks mqd_stride function was introduced in commit 2f77b9a242a2 ("drm/amdkfd: Update MQD management on multi XCC setup") but not assigned for gfx11. Fixes a NULL dereference in debugfs. 2025-12-30 not yet calculated CVE-2023-54261 https://git.kernel.org/stable/c/399b73d6b7720a9eae68a333193b53ed4f432fe5
https://git.kernel.org/stable/c/e9dca969b2426702a73719ab9207e43c6d80b581
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Don't clone flow post action attributes second time The code already clones post action attributes in mlx5e_clone_flow_attr_for_post_act(). Creating another copy in mlx5e_tc_post_act_add() is a erroneous leftover from original implementation. Instead, assign handle->attribute to post_attr provided by the caller. Note that cloning the attribute second time is not just wasteful but also causes issues like second copy not being properly updated in neigh update code which leads to following use-after-free: Feb 21 09:02:00 c-237-177-40-045 kernel: BUG: KASAN: use-after-free in mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_report+0xbb/0x1a0 Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_stack+0x1e/0x40 Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_set_track+0x21/0x30 Feb 21 09:02:00 c-237-177-40-045 kernel: __kasan_kmalloc+0x7a/0x90 Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_stack+0x1e/0x40 Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_set_track+0x21/0x30 Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_free_info+0x2a/0x40 Feb 21 09:02:00 c-237-177-40-045 kernel: ____kasan_slab_free+0x11a/0x1b0 Feb 21 09:02:00 c-237-177-40-045 kernel: page dumped because: kasan: bad access detected Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0: mlx5_cmd_out_err:803:(pid 8833): SET_FLOW_TABLE_ENTRY(0x936) op_mod(0x0) failed, status bad resource state(0x9), syndrome (0xf2ff71), err(-22) Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0 enp8s0f0: Failed to add post action rule Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0: mlx5e_tc_encap_flows_add:190:(pid 8833): Failed to update flow post acts, -22 Feb 21 09:02:00 c-237-177-40-045 kernel: Call Trace: Feb 21 09:02:00 c-237-177-40-045 kernel: <TASK> Feb 21 09:02:00 c-237-177-40-045 kernel: dump_stack_lvl+0x57/0x7d Feb 21 09:02:00 c-237-177-40-045 kernel: print_report+0x170/0x471 Feb 21 09:02:00 c-237-177-40-045 kernel: ? mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_report+0xbb/0x1a0 Feb 21 09:02:00 c-237-177-40-045 kernel: ? mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: ? __module_address.part.0+0x62/0x200 Feb 21 09:02:00 c-237-177-40-045 kernel: ? mlx5_cmd_stub_create_flow_table+0xd0/0xd0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: ? __raw_spin_lock_init+0x3b/0x110 Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_cmd_create_fte+0x80/0xb0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: add_rule_fg+0xe80/0x19c0 [mlx5_core] -- Feb 21 09:02:00 c-237-177-40-045 kernel: Allocated by task 13476: Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_stack+0x1e/0x40 Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_set_track+0x21/0x30 Feb 21 09:02:00 c-237-177-40-045 kernel: __kasan_kmalloc+0x7a/0x90 Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_packet_reformat_alloc+0x7b/0x230 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_tc_tun_create_header_ipv4+0x977/0xf10 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_attach_encap+0x15b4/0x1e10 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: post_process_attr+0x305/0xa30 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_tc_add_fdb_flow+0x4c0/0xcf0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_configure_flower+0xcaa/0x4b90 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_rep_setup_tc_cls_flower+0x99/0x1b0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_rep_setup_tc_cb+0x133/0x1e0 [mlx5_core] -- Feb 21 09:02:00 c-237-177-40-045 kernel: Freed by task 8833: Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_s ---truncated--- 2025-12-30 not yet calculated CVE-2023-54262 https://git.kernel.org/stable/c/c382b693ffcb1f1ebf60d76ab9dedfe9ea13eedf
https://git.kernel.org/stable/c/8fd1dac646e6b08d03e3f1ad3c5b34255b1e08e8
https://git.kernel.org/stable/c/2d57a514f9ab7d2d40f49b02d93edfcec8c78a9e
https://git.kernel.org/stable/c/e9fce818fe003b6c527f25517b9ac08eb4661b5d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/nouveau/kms/nv50-: init hpd_irq_lock for PIOR DP Fixes OOPS on boards with ANX9805 DP encoders. 2025-12-30 not yet calculated CVE-2023-54263 https://git.kernel.org/stable/c/92d48ce21645267c574268678131cd2b648dad0f
https://git.kernel.org/stable/c/ea293f823a8805735d9e00124df81a8f448ed1ae
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fs/sysv: Null check to prevent null-ptr-deref bug sb_getblk(inode->i_sb, parent) return a null ptr and taking lock on that leads to the null-ptr-deref bug. 2025-12-30 not yet calculated CVE-2023-54264 https://git.kernel.org/stable/c/e976988bc245ec3768cc0f76bed7d05488a7dd0f
https://git.kernel.org/stable/c/baa60c66a310c50785289b0ede6fdce8ec3219c7
https://git.kernel.org/stable/c/0a44ceba77c3267f8505dda102a59367dc24caee
https://git.kernel.org/stable/c/7f740bc696d4617f8ee44565e8ac0d36278a1e91
https://git.kernel.org/stable/c/afd9a31b5aa4b3747f382d44a7b03b7b5d0b7635
https://git.kernel.org/stable/c/1416eebaad80bdc85ad9f97f27242011b031e2a9
https://git.kernel.org/stable/c/e28f376dd8dfcc4e880ac101184132bc08703f6e
https://git.kernel.org/stable/c/ea2b62f305893992156a798f665847e0663c9f41
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix an uninit variable access bug in __ip6_make_skb() Syzbot reported a bug as following: ===================================================== BUG: KMSAN: uninit-value in arch_atomic64_inc arch/x86/include/asm/atomic64_64.h:88 [inline] BUG: KMSAN: uninit-value in arch_atomic_long_inc include/linux/atomic/atomic-long.h:161 [inline] BUG: KMSAN: uninit-value in atomic_long_inc include/linux/atomic/atomic-instrumented.h:1429 [inline] BUG: KMSAN: uninit-value in __ip6_make_skb+0x2f37/0x30f0 net/ipv6/ip6_output.c:1956 arch_atomic64_inc arch/x86/include/asm/atomic64_64.h:88 [inline] arch_atomic_long_inc include/linux/atomic/atomic-long.h:161 [inline] atomic_long_inc include/linux/atomic/atomic-instrumented.h:1429 [inline] __ip6_make_skb+0x2f37/0x30f0 net/ipv6/ip6_output.c:1956 ip6_finish_skb include/net/ipv6.h:1122 [inline] ip6_push_pending_frames+0x10e/0x550 net/ipv6/ip6_output.c:1987 rawv6_push_pending_frames+0xb12/0xb90 net/ipv6/raw.c:579 rawv6_sendmsg+0x297e/0x2e60 net/ipv6/raw.c:922 inet_sendmsg+0x101/0x180 net/ipv4/af_inet.c:827 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg net/socket.c:734 [inline] ____sys_sendmsg+0xa8e/0xe70 net/socket.c:2476 ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2530 __sys_sendmsg net/socket.c:2559 [inline] __do_sys_sendmsg net/socket.c:2568 [inline] __se_sys_sendmsg net/socket.c:2566 [inline] __x64_sys_sendmsg+0x367/0x540 net/socket.c:2566 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Uninit was created at: slab_post_alloc_hook mm/slab.h:766 [inline] slab_alloc_node mm/slub.c:3452 [inline] __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491 __do_kmalloc_node mm/slab_common.c:967 [inline] __kmalloc_node_track_caller+0x114/0x3b0 mm/slab_common.c:988 kmalloc_reserve net/core/skbuff.c:492 [inline] __alloc_skb+0x3af/0x8f0 net/core/skbuff.c:565 alloc_skb include/linux/skbuff.h:1270 [inline] __ip6_append_data+0x51c1/0x6bb0 net/ipv6/ip6_output.c:1684 ip6_append_data+0x411/0x580 net/ipv6/ip6_output.c:1854 rawv6_sendmsg+0x2882/0x2e60 net/ipv6/raw.c:915 inet_sendmsg+0x101/0x180 net/ipv4/af_inet.c:827 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg net/socket.c:734 [inline] ____sys_sendmsg+0xa8e/0xe70 net/socket.c:2476 ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2530 __sys_sendmsg net/socket.c:2559 [inline] __do_sys_sendmsg net/socket.c:2568 [inline] __se_sys_sendmsg net/socket.c:2566 [inline] __x64_sys_sendmsg+0x367/0x540 net/socket.c:2566 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd It is because icmp6hdr does not in skb linear region under the scenario of SOCK_RAW socket. Access icmp6_hdr(skb)->icmp6_type directly will trigger the uninit variable access bug. Use a local variable icmp6_type to carry the correct value in different scenarios. 2025-12-30 not yet calculated CVE-2023-54265 https://git.kernel.org/stable/c/165370522cc48127da564a08584a7391e6341908
https://git.kernel.org/stable/c/f394f690a30a5ec0413c62777a058eaf3d6e10d5
https://git.kernel.org/stable/c/0cf600ca1bdf1d52df977516ee6cee0cadb1f6b1
https://git.kernel.org/stable/c/605b056d63302ae84eb136e88d4df49124bd5e0d
https://git.kernel.org/stable/c/d65ff2fe877c471aa6e79efa7bd8ff66e147c317
https://git.kernel.org/stable/c/2c9cefc142c1dc2759e19a92d3b2b3715e985beb
https://git.kernel.org/stable/c/02ed5700f40445af02d1c97db25ffc2d04971d9f
https://git.kernel.org/stable/c/ea30388baebcce37fd594d425a65037ca35e59e8
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer() 'read' is freed when it is known to be NULL, but not when a read error occurs. Revert the logic to avoid a small leak, should a m920x_read() call fail. 2025-12-30 not yet calculated CVE-2023-54266 https://git.kernel.org/stable/c/809623fedc31f4e74039d93bb75a8993635d7534
https://git.kernel.org/stable/c/c0178e938f110cdf6937f26975c0c951dbb1d9db
https://git.kernel.org/stable/c/75d6ef197c488cd852493b4a419274e3489da79d
https://git.kernel.org/stable/c/d13a84874a2e0236c9325b3adc8e126d0888ad6b
https://git.kernel.org/stable/c/7ca7cd02114ac8caa6b0a64734b9af6be1559353
https://git.kernel.org/stable/c/2b6e20ef0585a467c24c7e4fde28518e5b33225a
https://git.kernel.org/stable/c/4feed3dfca722c6d74865a37cab853c58e6aa190
https://git.kernel.org/stable/c/2cc9f11aeae2887a4db25c27323fc445f4b49e86
https://git.kernel.org/stable/c/ea9ef6c2e001c5dc94bee35ebd1c8a98621cf7b8
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: Rework lppaca_shared_proc() to avoid DEBUG_PREEMPT lppaca_shared_proc() takes a pointer to the lppaca which is typically accessed through get_lppaca(). With DEBUG_PREEMPT enabled, this leads to checking if preemption is enabled, for example: BUG: using smp_processor_id() in preemptible [00000000] code: grep/10693 caller is lparcfg_data+0x408/0x19a0 CPU: 4 PID: 10693 Comm: grep Not tainted 6.5.0-rc3 #2 Call Trace: dump_stack_lvl+0x154/0x200 (unreliable) check_preemption_disabled+0x214/0x220 lparcfg_data+0x408/0x19a0 ... This isn't actually a problem however, as it does not matter which lppaca is accessed, the shared proc state will be the same. vcpudispatch_stats_procfs_init() already works around this by disabling preemption, but the lparcfg code does not, erroring any time /proc/powerpc/lparcfg is accessed with DEBUG_PREEMPT enabled. Instead of disabling preemption on the caller side, rework lppaca_shared_proc() to not take a pointer and instead directly access the lppaca, bypassing any potential preemption checks. [mpe: Rework to avoid needing a definition in paca.h and lppaca.h] 2025-12-30 not yet calculated CVE-2023-54267 https://git.kernel.org/stable/c/953c54dfdc5d3eb7243ed902b50acb5ea1db4355
https://git.kernel.org/stable/c/2935443dc9c28499223d8c881474259e4b998f2a
https://git.kernel.org/stable/c/4c8568cf4c45b415854195c8832b557cdefba57a
https://git.kernel.org/stable/c/3c5e8e666794d7dde6d14ea846c6c04f2bb34900
https://git.kernel.org/stable/c/f45ee5c074013a0fbfce77a5af5efddb01f5d4f4
https://git.kernel.org/stable/c/eac030b22ea12cdfcbb2e941c21c03964403c63f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: debugobjects: Don't wake up kswapd from fill_pool() syzbot is reporting a lockdep warning in fill_pool() because the allocation from debugobjects is using GFP_ATOMIC, which is (__GFP_HIGH | __GFP_KSWAPD_RECLAIM) and therefore tries to wake up kswapd, which acquires kswapd_wait::lock. Since fill_pool() might be called with arbitrary locks held, fill_pool() should not assume that acquiring kswapd_wait::lock is safe. Use __GFP_HIGH instead and remove __GFP_NORETRY as it is pointless for !__GFP_DIRECT_RECLAIM allocation. 2025-12-30 not yet calculated CVE-2023-54268 https://git.kernel.org/stable/c/be646802b3dc408c4dc72a3ac32c3f4a0282414d
https://git.kernel.org/stable/c/fd673079749bac97bb30f1461df079e6c8e86511
https://git.kernel.org/stable/c/aee97eec77029270866c704f66cdf2881cbd2fe1
https://git.kernel.org/stable/c/d7fff52c99d52f180d8bef95d8ed8fec6343889c
https://git.kernel.org/stable/c/4c088d30a72d9b8f9c6ae9362222942e4075cb00
https://git.kernel.org/stable/c/eb799279fb1f9c63c520fe8c1c41cb9154252db6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: SUNRPC: double free xprt_ctxt while still in use When an RPC request is deferred, the rq_xprt_ctxt pointer is moved out of the svc_rqst into the svc_deferred_req. When the deferred request is revisited, the pointer is copied into the new svc_rqst - and also remains in the svc_deferred_req. In the (rare?) case that the request is deferred a second time, the old svc_deferred_req is reused - it still has all the correct content. However in that case the rq_xprt_ctxt pointer is NOT cleared so that when xpo_release_xprt is called, the ctxt is freed (UDP) or possible added to a free list (RDMA). When the deferred request is revisited for a second time, it will reference this ctxt which may be invalid, and the free the object a second time which is likely to oops. So change svc_defer() to *always* clear rq_xprt_ctxt, and assert that the value is now stored in the svc_deferred_req. 2025-12-30 not yet calculated CVE-2023-54269 https://git.kernel.org/stable/c/7851771789e87108a92697194105ef0c9307dc5e
https://git.kernel.org/stable/c/fd86534872f445f54dc01e7db001e25eadf063a8
https://git.kernel.org/stable/c/e0c648627322a4c7e018e5c7f837c3c03e297dbb
https://git.kernel.org/stable/c/eb8d3a2c809abd73ab0a060fe971d6b9019aa3c1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: usb: siano: Fix use after free bugs caused by do_submit_urb There are UAF bugs caused by do_submit_urb(). One of the KASan reports is shown below: [ 36.403605] BUG: KASAN: use-after-free in worker_thread+0x4a2/0x890 [ 36.406105] Read of size 8 at addr ffff8880059600e8 by task kworker/0:2/49 [ 36.408316] [ 36.408867] CPU: 0 PID: 49 Comm: kworker/0:2 Not tainted 6.2.0-rc3-15798-g5a41237ad1d4-dir8 [ 36.411696] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584 [ 36.416157] Workqueue: 0x0 (events) [ 36.417654] Call Trace: [ 36.418546] <TASK> [ 36.419320] dump_stack_lvl+0x96/0xd0 [ 36.420522] print_address_description+0x75/0x350 [ 36.421992] print_report+0x11b/0x250 [ 36.423174] ? _raw_spin_lock_irqsave+0x87/0xd0 [ 36.424806] ? __virt_addr_valid+0xcf/0x170 [ 36.426069] ? worker_thread+0x4a2/0x890 [ 36.427355] kasan_report+0x131/0x160 [ 36.428556] ? worker_thread+0x4a2/0x890 [ 36.430053] worker_thread+0x4a2/0x890 [ 36.431297] ? worker_clr_flags+0x90/0x90 [ 36.432479] kthread+0x166/0x190 [ 36.433493] ? kthread_blkcg+0x50/0x50 [ 36.434669] ret_from_fork+0x22/0x30 [ 36.435923] </TASK> [ 36.436684] [ 36.437215] Allocated by task 24: [ 36.438289] kasan_set_track+0x50/0x80 [ 36.439436] __kasan_kmalloc+0x89/0xa0 [ 36.440566] smsusb_probe+0x374/0xc90 [ 36.441920] usb_probe_interface+0x2d1/0x4c0 [ 36.443253] really_probe+0x1d5/0x580 [ 36.444539] __driver_probe_device+0xe3/0x130 [ 36.446085] driver_probe_device+0x49/0x220 [ 36.447423] __device_attach_driver+0x19e/0x1b0 [ 36.448931] bus_for_each_drv+0xcb/0x110 [ 36.450217] __device_attach+0x132/0x1f0 [ 36.451470] bus_probe_device+0x59/0xf0 [ 36.452563] device_add+0x4ec/0x7b0 [ 36.453830] usb_set_configuration+0xc63/0xe10 [ 36.455230] usb_generic_driver_probe+0x3b/0x80 [ 36.456166] printk: console [ttyGS0] disabled [ 36.456569] usb_probe_device+0x90/0x110 [ 36.459523] really_probe+0x1d5/0x580 [ 36.461027] __driver_probe_device+0xe3/0x130 [ 36.462465] driver_probe_device+0x49/0x220 [ 36.463847] __device_attach_driver+0x19e/0x1b0 [ 36.465229] bus_for_each_drv+0xcb/0x110 [ 36.466466] __device_attach+0x132/0x1f0 [ 36.467799] bus_probe_device+0x59/0xf0 [ 36.469010] device_add+0x4ec/0x7b0 [ 36.470125] usb_new_device+0x863/0xa00 [ 36.471374] hub_event+0x18c7/0x2220 [ 36.472746] process_one_work+0x34c/0x5b0 [ 36.474041] worker_thread+0x4b7/0x890 [ 36.475216] kthread+0x166/0x190 [ 36.476267] ret_from_fork+0x22/0x30 [ 36.477447] [ 36.478160] Freed by task 24: [ 36.479239] kasan_set_track+0x50/0x80 [ 36.480512] kasan_save_free_info+0x2b/0x40 [ 36.481808] ____kasan_slab_free+0x122/0x1a0 [ 36.483173] __kmem_cache_free+0xc4/0x200 [ 36.484563] smsusb_term_device+0xcd/0xf0 [ 36.485896] smsusb_probe+0xc85/0xc90 [ 36.486976] usb_probe_interface+0x2d1/0x4c0 [ 36.488303] really_probe+0x1d5/0x580 [ 36.489498] __driver_probe_device+0xe3/0x130 [ 36.491140] driver_probe_device+0x49/0x220 [ 36.492475] __device_attach_driver+0x19e/0x1b0 [ 36.493988] bus_for_each_drv+0xcb/0x110 [ 36.495171] __device_attach+0x132/0x1f0 [ 36.496617] bus_probe_device+0x59/0xf0 [ 36.497875] device_add+0x4ec/0x7b0 [ 36.498972] usb_set_configuration+0xc63/0xe10 [ 36.500264] usb_generic_driver_probe+0x3b/0x80 [ 36.501740] usb_probe_device+0x90/0x110 [ 36.503084] really_probe+0x1d5/0x580 [ 36.504241] __driver_probe_device+0xe3/0x130 [ 36.505548] driver_probe_device+0x49/0x220 [ 36.506766] __device_attach_driver+0x19e/0x1b0 [ 36.508368] bus_for_each_drv+0xcb/0x110 [ 36.509646] __device_attach+0x132/0x1f0 [ 36.510911] bus_probe_device+0x59/0xf0 [ 36.512103] device_add+0x4ec/0x7b0 [ 36.513215] usb_new_device+0x863/0xa00 [ 36.514736] hub_event+0x18c7/0x2220 [ 36.516130] process_one_work+ ---truncated--- 2025-12-30 not yet calculated CVE-2023-54270 https://git.kernel.org/stable/c/c379272ea9c2ee36f0a1327b0fb8889c975093f7
https://git.kernel.org/stable/c/1477b00ff582970df110fc9e15a5e2021acb9222
https://git.kernel.org/stable/c/a41bb59eff7a58a6772f84a5b70ad7ec26dad074
https://git.kernel.org/stable/c/42f8ba8355682f6c4125b75503cac0cef4ac91d3
https://git.kernel.org/stable/c/114f768e7314ca9e1fdbebe11267c4403e89e7f2
https://git.kernel.org/stable/c/479796534a450fd44189080d51bebefa3b42c6fc
https://git.kernel.org/stable/c/19aadf0eb70edae7180285dbb9bfa237d1ddb34d
https://git.kernel.org/stable/c/ebad8e731c1c06adf04621d6fd327b860c0861b5
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init blk-iocost sometimes causes the following crash: BUG: kernel NULL pointer dereference, address: 00000000000000e0 ... RIP: 0010:_raw_spin_lock+0x17/0x30 Code: be 01 02 00 00 e8 79 38 39 ff 31 d2 89 d0 5d c3 0f 1f 00 0f 1f 44 00 00 55 48 89 e5 65 ff 05 48 d0 34 7e b9 01 00 00 00 31 c0 <f0> 0f b1 0f 75 02 5d c3 89 c6 e8 ea 04 00 00 5d c3 0f 1f 84 00 00 RSP: 0018:ffffc900023b3d40 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 00000000000000e0 RCX: 0000000000000001 RDX: ffffc900023b3d20 RSI: ffffc900023b3cf0 RDI: 00000000000000e0 RBP: ffffc900023b3d40 R08: ffffc900023b3c10 R09: 0000000000000003 R10: 0000000000000064 R11: 000000000000000a R12: ffff888102337000 R13: fffffffffffffff2 R14: ffff88810af408c8 R15: ffff8881070c3600 FS: 00007faaaf364fc0(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000e0 CR3: 00000001097b1000 CR4: 0000000000350ea0 Call Trace: <TASK> ioc_weight_write+0x13d/0x410 cgroup_file_write+0x7a/0x130 kernfs_fop_write_iter+0xf5/0x170 vfs_write+0x298/0x370 ksys_write+0x5f/0xb0 __x64_sys_write+0x1b/0x20 do_syscall_64+0x3d/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 This happens because iocg->ioc is NULL. The field is initialized by ioc_pd_init() and never cleared. The NULL deref is caused by blkcg_activate_policy() installing blkg_policy_data before initializing it. blkcg_activate_policy() was doing the following: 1. Allocate pd's for all existing blkg's and install them in blkg->pd[]. 2. Initialize all pd's. 3. Online all pd's. blkcg_activate_policy() only grabs the queue_lock and may release and re-acquire the lock as allocation may need to sleep. ioc_weight_write() grabs blkcg->lock and iterates all its blkg's. The two can race and if ioc_weight_write() runs during #1 or between #1 and #2, it can encounter a pd which is not initialized yet, leading to crash. The crash can be reproduced with the following script: #!/bin/bash echo +io > /sys/fs/cgroup/cgroup.subtree_control systemd-run --unit touch-sda --scope dd if=/dev/sda of=/dev/null bs=1M count=1 iflag=direct echo 100 > /sys/fs/cgroup/system.slice/io.weight bash -c "echo '8:0 enable=1' > /sys/fs/cgroup/io.cost.qos" & sleep .2 echo 100 > /sys/fs/cgroup/system.slice/io.weight with the following patch applied: > diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c > index fc49be622e05..38d671d5e10c 100644 > --- a/block/blk-cgroup.c > +++ b/block/blk-cgroup.c > @@ -1553,6 +1553,12 @@ int blkcg_activate_policy(struct gendisk *disk, const struct blkcg_policy *pol) > pd->online = false; > } > > + if (system_state == SYSTEM_RUNNING) { > + spin_unlock_irq(&q->queue_lock); > + ssleep(1); > + spin_lock_irq(&q->queue_lock); > + } > + > /* all allocated, init in the same order */ > if (pol->pd_init_fn) > list_for_each_entry_reverse(blkg, &q->blkg_list, q_node) I don't see a reason why all pd's should be allocated, initialized and onlined together. The only ordering requirement is that parent blkgs to be initialized and onlined before children, which is guaranteed from the walking order. Let's fix the bug by allocating, initializing and onlining pd for each blkg and holding blkcg->lock over initialization and onlining. This ensures that an installed blkg is always fully initialized and onlined removing the the race window. 2025-12-30 not yet calculated CVE-2023-54271 https://git.kernel.org/stable/c/e39ef7880d1057b2ebcdb013405f4d84a257db23
https://git.kernel.org/stable/c/7d63c6f9765339dcfc34b7365ced7c518012e4fe
https://git.kernel.org/stable/c/ec14a87ee1999b19d8b7ed0fa95fea80644624ae
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix a possible null-pointer dereference in ni_clear() In a previous commit c1006bd13146, ni->mi.mrec in ni_write_inode() could be NULL, and thus a NULL check is added for this variable. However, in the same call stack, ni->mi.mrec can be also dereferenced in ni_clear(): ntfs_evict_inode(inode) ni_write_inode(inode, ...) ni = ntfs_i(inode); is_rec_inuse(ni->mi.mrec) -> Add a NULL check by previous commit ni_clear(ntfs_i(inode)) is_rec_inuse(ni->mi.mrec) -> No check Thus, a possible null-pointer dereference may exist in ni_clear(). To fix it, a NULL check is added in this function. 2025-12-30 not yet calculated CVE-2023-54272 https://git.kernel.org/stable/c/20f9bfc664d6a478f9a5bbc0c380f80f7a1a06c6
https://git.kernel.org/stable/c/39c6312009574ca73865354133ca222e7753a71b
https://git.kernel.org/stable/c/e7675f85a92233136c630000a0b7cf97826705da
https://git.kernel.org/stable/c/ec275bf9693d19cc0fdce8436f4c425ced86f6e7
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: xfrm: Fix leak of dev tracker At the stage of direction checks, the netdev reference tracker is already initialized, but released with wrong *_put() call. 2025-12-30 not yet calculated CVE-2023-54273 https://git.kernel.org/stable/c/7d16c515059b3746f2d6a24a74c3ba786a68c2a1
https://git.kernel.org/stable/c/ec8f32ad9a65a8cbb465b69e154aaec9d2fe45c4
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/srpt: Add a check for valid 'mad_agent' pointer When unregistering MAD agent, srpt module has a non-null check for 'mad_agent' pointer before invoking ib_unregister_mad_agent(). This check can pass if 'mad_agent' variable holds an error value. The 'mad_agent' can have an error value for a short window when srpt_add_one() and srpt_remove_one() is executed simultaneously. In srpt module, added a valid pointer check for 'sport->mad_agent' before unregistering MAD agent. This issue can hit when RoCE driver unregisters ib_device Stack Trace: ------------ BUG: kernel NULL pointer dereference, address: 000000000000004d PGD 145003067 P4D 145003067 PUD 2324fe067 PMD 0 Oops: 0002 [#1] PREEMPT SMP NOPTI CPU: 10 PID: 4459 Comm: kworker/u80:0 Kdump: loaded Tainted: P Hardware name: Dell Inc. PowerEdge R640/06NR82, BIOS 2.5.4 01/13/2020 Workqueue: bnxt_re bnxt_re_task [bnxt_re] RIP: 0010:_raw_spin_lock_irqsave+0x19/0x40 Call Trace: ib_unregister_mad_agent+0x46/0x2f0 [ib_core] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready ? __schedule+0x20b/0x560 srpt_unregister_mad_agent+0x93/0xd0 [ib_srpt] srpt_remove_one+0x20/0x150 [ib_srpt] remove_client_context+0x88/0xd0 [ib_core] bond0: (slave p2p1): link status definitely up, 100000 Mbps full duplex disable_device+0x8a/0x160 [ib_core] bond0: active interface up! ? kernfs_name_hash+0x12/0x80 (NULL device *): Bonding Info Received: rdev: 000000006c0b8247 __ib_unregister_device+0x42/0xb0 [ib_core] (NULL device *): Master: mode: 4 num_slaves:2 ib_unregister_device+0x22/0x30 [ib_core] (NULL device *): Slave: id: 105069936 name:p2p1 link:0 state:0 bnxt_re_stopqps_and_ib_uninit+0x83/0x90 [bnxt_re] bnxt_re_alloc_lag+0x12e/0x4e0 [bnxt_re] 2025-12-30 not yet calculated CVE-2023-54274 https://git.kernel.org/stable/c/8ec6acdb9b6a80eeb13e778dfedb5d72a88f14fe
https://git.kernel.org/stable/c/00cc21e32ea1b8ebbabf5d645da9378d986bf8ba
https://git.kernel.org/stable/c/4323aaedeba32076e652aad056afd7885bb96bb7
https://git.kernel.org/stable/c/5f6ef2a574b0e0e0ea46ed0022575442df9d0bf9
https://git.kernel.org/stable/c/b713623bfef8cb1df9c769a3887fa10db63d1c54
https://git.kernel.org/stable/c/eca5cd9474cd26d62f9756f536e2e656d3f62f3a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: Fix memory leak in ath11k_peer_rx_frag_setup crypto_alloc_shash() allocates resources, which should be released by crypto_free_shash(). When ath11k_peer_find() fails, there has memory leak. Add missing crypto_free_shash() to fix this. 2025-12-30 not yet calculated CVE-2023-54275 https://git.kernel.org/stable/c/137963e3b95776f1d57c62f249a93fe47e019a22
https://git.kernel.org/stable/c/53c8a256e5d3f31d80186de03a3d2a7f747b2aa0
https://git.kernel.org/stable/c/e596b36e15a7158b0bb2d55077b6b381ee41020c
https://git.kernel.org/stable/c/64a78ec4f4579798d8e885aca9bdd707bca6b16b
https://git.kernel.org/stable/c/ed3f83b3459a67a3ab9d806490ac304b567b1c2d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net Commit f5f9d4a314da ("nfsd: move reply cache initialization into nfsd startup") moved the initialization of the reply cache into nfsd startup, but didn't account for the stats counters, which can be accessed before nfsd is ever started. The result can be a NULL pointer dereference when someone accesses /proc/fs/nfsd/reply_cache_stats while nfsd is still shut down. This is a regression and a user-triggerable oops in the right situation: - non-x86_64 arch - /proc/fs/nfsd is mounted in the namespace - nfsd is not started in the namespace - unprivileged user calls "cat /proc/fs/nfsd/reply_cache_stats" Although this is easy to trigger on some arches (like aarch64), on x86_64, calling this_cpu_ptr(NULL) evidently returns a pointer to the fixed_percpu_data. That struct looks just enough like a newly initialized percpu var to allow nfsd_reply_cache_stats_show to access it without Oopsing. Move the initialization of the per-net+per-cpu reply-cache counters back into nfsd_init_net, while leaving the rest of the reply cache allocations to be done at nfsd startup time. Kudos to Eirik who did most of the legwork to track this down. 2025-12-30 not yet calculated CVE-2023-54276 https://git.kernel.org/stable/c/3025d489f9c8984d1bf5916c4a20097ed80fca5c
https://git.kernel.org/stable/c/8549384d0f65981761fe2077d04fa2a8d37b54e0
https://git.kernel.org/stable/c/66a178177b2b3bb1d71e854c5e7bbb320eb0e566
https://git.kernel.org/stable/c/768c408594b52d8531e1a8ab62e5620c19213e73
https://git.kernel.org/stable/c/ed9ab7346e908496816cffdecd46932035f66e2e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fbdev: udlfb: Fix endpoint check The syzbot fuzzer detected a problem in the udlfb driver, caused by an endpoint not having the expected type: usb 1-1: Read EDID byte 0 failed: -71 usb 1-1: Unable to get valid EDID from device/display ------------[ cut here ]------------ usb 1-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 0 PID: 9 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 Modules linked in: CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.4.0-rc1-syzkaller-00016-ga4422ff22142 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 Workqueue: usb_hub_wq hub_event RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 ... Call Trace: <TASK> dlfb_submit_urb+0x92/0x180 drivers/video/fbdev/udlfb.c:1980 dlfb_set_video_mode+0x21f0/0x2950 drivers/video/fbdev/udlfb.c:315 dlfb_ops_set_par+0x2a7/0x8d0 drivers/video/fbdev/udlfb.c:1111 dlfb_usb_probe+0x149a/0x2710 drivers/video/fbdev/udlfb.c:1743 The current approach for this issue failed to catch the problem because it only checks for the existence of a bulk-OUT endpoint; it doesn't check whether this endpoint is the one that the driver will actually use. We can fix the problem by instead checking that the endpoint used by the driver does exist and is bulk-OUT. 2025-12-30 not yet calculated CVE-2023-54277 https://git.kernel.org/stable/c/1522dc58bff87af79461b96d90ec122e9e726004
https://git.kernel.org/stable/c/58ecc165abdaed85447455e6dc396758e8c6f219
https://git.kernel.org/stable/c/9e12c58a5ece41be72157cef348576b135c9fc72
https://git.kernel.org/stable/c/c8fdf7feca77cd99e25ef0a1e9e72dfc83add8ef
https://git.kernel.org/stable/c/e19383e5dee5adbf3d19f3f210f440a88d1b7dde
https://git.kernel.org/stable/c/ed9de4ed39875706607fb08118a58344ae6c5f42
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: s390/vmem: split pages when debug pagealloc is enabled Since commit bb1520d581a3 ("s390/mm: start kernel with DAT enabled") the kernel crashes early during boot when debug pagealloc is enabled: mem auto-init: stack:off, heap alloc:off, heap free:off addressing exception: 0005 ilc:2 [#1] SMP DEBUG_PAGEALLOC Modules linked in: CPU: 0 PID: 0 Comm: swapper Not tainted 6.5.0-rc3-09759-gc5666c912155 #630 [..] Krnl Code: 00000000001325f6: ec5600248064 cgrj %r5,%r6,8,000000000013263e 00000000001325fc: eb880002000c srlg %r8,%r8,2 #0000000000132602: b2210051 ipte %r5,%r1,%r0,0 >0000000000132606: b90400d1 lgr %r13,%r1 000000000013260a: 41605008 la %r6,8(%r5) 000000000013260e: a7db1000 aghi %r13,4096 0000000000132612: b221006d ipte %r6,%r13,%r0,0 0000000000132616: e3d0d0000171 lay %r13,4096(%r13) Call Trace: __kernel_map_pages+0x14e/0x320 __free_pages_ok+0x23a/0x5a8) free_low_memory_core_early+0x214/0x2c8 memblock_free_all+0x28/0x58 mem_init+0xb6/0x228 mm_core_init+0xb6/0x3b0 start_kernel+0x1d2/0x5a8 startup_continue+0x36/0x40 Kernel panic - not syncing: Fatal exception: panic_on_oops This is caused by using large mappings on machines with EDAT1/EDAT2. Add the code to split the mappings into 4k pages if debug pagealloc is enabled by CONFIG_DEBUG_PAGEALLOC_ENABLE_DEFAULT or the debug_pagealloc kernel command line option. 2025-12-30 not yet calculated CVE-2023-54278 https://git.kernel.org/stable/c/601e467e29a960f7ab7ec4075afc6a68c3532a65
https://git.kernel.org/stable/c/edc1e4b6e26536868ef819a735e04a5b32c10589
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: MIPS: fw: Allow firmware to pass a empty env fw_getenv will use env entry to determine style of env, however it is legal for firmware to just pass a empty list. Check if first entry exist before running strchr to avoid null pointer dereference. 2025-12-30 not yet calculated CVE-2023-54279 https://git.kernel.org/stable/c/f334b31625683418aaa2a335470eec950a95a254
https://git.kernel.org/stable/c/830181ddced5a05a711dc9da8043203b1f33a77e
https://git.kernel.org/stable/c/0f91290774c798199ba4b8df93de5c3156b5163d
https://git.kernel.org/stable/c/47e61cadc7a5f3dffd42d2d6fda81be163f1ab82
https://git.kernel.org/stable/c/3ef93b7bd9e042db240843f24a80e14da38c6830
https://git.kernel.org/stable/c/a6b54af407873227caef6262e992f5422cdcb6ae
https://git.kernel.org/stable/c/ad79828f133e98585ab2236cad04a55eb7141bbe
https://git.kernel.org/stable/c/aeed787bbbbe1b842beec9a065a36c915226f704
https://git.kernel.org/stable/c/ee1809ed7bc456a72dc8410b475b73021a3a68d5
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: cifs: fix potential race when tree connecting ipc Protect access of TCP_Server_Info::hostname when building the ipc tree name as it might get freed in cifsd thread and thus causing an use-after-free bug in __tree_connect_dfs_target(). Also, while at it, update status of IPC tcon on success and then avoid any extra tree connects. 2025-12-30 not yet calculated CVE-2023-54280 https://git.kernel.org/stable/c/536ec71ba060a02fabe8e22cecb82fe7b3a8708b
https://git.kernel.org/stable/c/553476df55a111e6a66ad9155256aec0ec1b7ad0
https://git.kernel.org/stable/c/ee20d7c6100752eaf2409d783f4f1449c29ea33d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: release path before inode lookup during the ino lookup ioctl During the ino lookup ioctl we can end up calling btrfs_iget() to get an inode reference while we are holding on a root's btree. If btrfs_iget() needs to lookup the inode from the root's btree, because it's not currently loaded in memory, then it will need to lock another or the same path in the same root btree. This may result in a deadlock and trigger the following lockdep splat: WARNING: possible circular locking dependency detected 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 Not tainted ------------------------------------------------------ syz-executor277/5012 is trying to acquire lock: ffff88802df41710 (btrfs-tree-01){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 but task is already holding lock: ffff88802df418e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (btrfs-tree-00){++++}-{3:3}: down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645 __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 btrfs_search_slot+0x13a4/0x2f80 fs/btrfs/ctree.c:2302 btrfs_init_root_free_objectid+0x148/0x320 fs/btrfs/disk-io.c:4955 btrfs_init_fs_root fs/btrfs/disk-io.c:1128 [inline] btrfs_get_root_ref+0x5ae/0xae0 fs/btrfs/disk-io.c:1338 btrfs_get_fs_root fs/btrfs/disk-io.c:1390 [inline] open_ctree+0x29c8/0x3030 fs/btrfs/disk-io.c:3494 btrfs_fill_super+0x1c7/0x2f0 fs/btrfs/super.c:1154 btrfs_mount_root+0x7e0/0x910 fs/btrfs/super.c:1519 legacy_get_tree+0xef/0x190 fs/fs_context.c:611 vfs_get_tree+0x8c/0x270 fs/super.c:1519 fc_mount fs/namespace.c:1112 [inline] vfs_kern_mount+0xbc/0x150 fs/namespace.c:1142 btrfs_mount+0x39f/0xb50 fs/btrfs/super.c:1579 legacy_get_tree+0xef/0x190 fs/fs_context.c:611 vfs_get_tree+0x8c/0x270 fs/super.c:1519 do_new_mount+0x28f/0xae0 fs/namespace.c:3335 do_mount fs/namespace.c:3675 [inline] __do_sys_mount fs/namespace.c:3884 [inline] __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd -> #0 (btrfs-tree-01){++++}-{3:3}: check_prev_add kernel/locking/lockdep.c:3142 [inline] check_prevs_add kernel/locking/lockdep.c:3261 [inline] validate_chain kernel/locking/lockdep.c:3876 [inline] __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144 lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761 down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645 __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 btrfs_tree_read_lock fs/btrfs/locking.c:142 [inline] btrfs_read_lock_root_node+0x292/0x3c0 fs/btrfs/locking.c:281 btrfs_search_slot_get_root fs/btrfs/ctree.c:1832 [inline] btrfs_search_slot+0x4ff/0x2f80 fs/btrfs/ctree.c:2154 btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:412 btrfs_read_locked_inode fs/btrfs/inode.c:3892 [inline] btrfs_iget_path+0x2d9/0x1520 fs/btrfs/inode.c:5716 btrfs_search_path_in_tree_user fs/btrfs/ioctl.c:1961 [inline] btrfs_ioctl_ino_lookup_user+0x77a/0xf50 fs/btrfs/ioctl.c:2105 btrfs_ioctl+0xb0b/0xd40 fs/btrfs/ioctl.c:4683 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl+0xf8/0x170 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd other info ---truncated--- 2025-12-30 not yet calculated CVE-2023-54281 https://git.kernel.org/stable/c/7390bb377b5fb3be23cb021e0f184d1f576be7d6
https://git.kernel.org/stable/c/380bbd46d61c894a8dcaace09e54bc7426d81014
https://git.kernel.org/stable/c/50e385d98b2a52480836ea41c142b81eeeb277af
https://git.kernel.org/stable/c/6fdce81e425be112f1ca129776f4041afeaad413
https://git.kernel.org/stable/c/ee34a82e890a7babb5585daf1a6dd7d4d1cf142a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: tuners: qt1010: replace BUG_ON with a regular error BUG_ON is unnecessary here, and in addition it confuses smatch. Replacing this with an error return help resolve this smatch warning: drivers/media/tuners/qt1010.c:350 qt1010_init() error: buffer overflow 'i2c_data' 34 <= 34 2025-12-30 not yet calculated CVE-2023-54282 https://git.kernel.org/stable/c/6cae780862d221106626b2b5fb21a197f398c6ec
https://git.kernel.org/stable/c/f844bc3a47d8d1c55a4a9cfca38c538e9df7e678
https://git.kernel.org/stable/c/641e60223971e95472a2a9646b1e7f94d441de45
https://git.kernel.org/stable/c/2ae53dd15eef90d34fc084b5b2305a67bb675a26
https://git.kernel.org/stable/c/48bb6a9fa5cb150ac2a22b3c779c96bc0ed21071
https://git.kernel.org/stable/c/257092cb544c7843376b3e161f789e666ef06c98
https://git.kernel.org/stable/c/1a6bf53fffe0b7ebe2a0f402b44f14f90cffd164
https://git.kernel.org/stable/c/ee630b29ea44d1851bb6c903f400956604834463
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Address KCSAN report on bpf_lru_list KCSAN reported a data-race when accessing node->ref. Although node->ref does not have to be accurate, take this chance to use a more common READ_ONCE() and WRITE_ONCE() pattern instead of data_race(). There is an existing bpf_lru_node_is_ref() and bpf_lru_node_set_ref(). This patch also adds bpf_lru_node_clear_ref() to do the WRITE_ONCE(node->ref, 0) also. ================================================================== BUG: KCSAN: data-race in __bpf_lru_list_rotate / __htab_lru_percpu_map_update_elem write to 0xffff888137038deb of 1 bytes by task 11240 on cpu 1: __bpf_lru_node_move kernel/bpf/bpf_lru_list.c:113 [inline] __bpf_lru_list_rotate_active kernel/bpf/bpf_lru_list.c:149 [inline] __bpf_lru_list_rotate+0x1bf/0x750 kernel/bpf/bpf_lru_list.c:240 bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:329 [inline] bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline] bpf_lru_pop_free+0x638/0xe20 kernel/bpf/bpf_lru_list.c:499 prealloc_lru_pop kernel/bpf/hashtab.c:290 [inline] __htab_lru_percpu_map_update_elem+0xe7/0x820 kernel/bpf/hashtab.c:1316 bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 __sys_bpf+0x338/0x810 __do_sys_bpf kernel/bpf/syscall.c:5096 [inline] __se_sys_bpf kernel/bpf/syscall.c:5094 [inline] __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd read to 0xffff888137038deb of 1 bytes by task 11241 on cpu 0: bpf_lru_node_set_ref kernel/bpf/bpf_lru_list.h:70 [inline] __htab_lru_percpu_map_update_elem+0x2f1/0x820 kernel/bpf/hashtab.c:1332 bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 __sys_bpf+0x338/0x810 __do_sys_bpf kernel/bpf/syscall.c:5096 [inline] __se_sys_bpf kernel/bpf/syscall.c:5094 [inline] __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd value changed: 0x01 -> 0x00 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 11241 Comm: syz-executor.3 Not tainted 6.3.0-rc7-syzkaller-00136-g6a66fdd29ea1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 ================================================================== 2025-12-30 not yet calculated CVE-2023-54283 https://git.kernel.org/stable/c/6eaef1b1d8720053eb1b6e7a3ff8b2ff0716bb90
https://git.kernel.org/stable/c/a89d14410ea0352420f03cddc67e0002dcc8f9a5
https://git.kernel.org/stable/c/e09a285ea1e859d4cc6cb689d8d5d7c1f7c7c0d5
https://git.kernel.org/stable/c/b6d9a4062c944ad095b34dc112bf646a84156f60
https://git.kernel.org/stable/c/819ca25444b377935faa2dbb0aa3547519b5c80f
https://git.kernel.org/stable/c/c006fe361cfd947f51a56793deddf891e5cbfef8
https://git.kernel.org/stable/c/6e5e83b56f50fbd1c8f7dca7df7d72c67be25571
https://git.kernel.org/stable/c/ee9fd0ac3017c4313be91a220a9ac4c99dde7ad4
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: av7110: prevent underflow in write_ts_to_decoder() The buf[4] value comes from the user via ts_play(). It is a value in the u8 range. The final length we pass to av7110_ipack_instant_repack() is "len - (buf[4] + 1) - 4" so add a check to ensure that the length is not negative. It's not clear that passing a negative len value does anything bad necessarily, but it's not best practice. With the new bounds checking the "if (!len)" condition is no longer possible or required so remove that. 2025-12-30 not yet calculated CVE-2023-54284 https://git.kernel.org/stable/c/6680af5be9f08d830567e9118f76d3e64684db8f
https://git.kernel.org/stable/c/6606e2404ee9e20a3ae5b42fc3660d41b739ed3e
https://git.kernel.org/stable/c/620b983589e0223876bf1463b01100a9c67b56ba
https://git.kernel.org/stable/c/86ba65e5357bfbb6c082f68b265a292ee1bdde1d
https://git.kernel.org/stable/c/ca4ce92e3ec9fd3c7c936b912b95c53331d5159c
https://git.kernel.org/stable/c/423350af9e27f005611bd881b1df2cab66de943d
https://git.kernel.org/stable/c/77eeb4732135c18c2fdfab80839645b393f3e774
https://git.kernel.org/stable/c/7b93ab60fe9ed04be0ff155bc30ad39dea23e22b
https://git.kernel.org/stable/c/eed9496a0501357aa326ddd6b71408189ed872eb
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: iomap: Fix possible overflow condition in iomap_write_delalloc_scan folio_next_index() returns an unsigned long value which left shifted by PAGE_SHIFT could possibly cause an overflow on 32-bit system. Instead use folio_pos(folio) + folio_size(folio), which does this correctly. 2025-12-30 not yet calculated CVE-2023-54285 https://git.kernel.org/stable/c/5c281b0c5d18c8eeb1cfd5023f4adb153e6d1240
https://git.kernel.org/stable/c/eee2d2e6ea5550118170dbd5bb1316ceb38455fb
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace A received TKIP key may be up to 32 bytes because it may contain MIC rx/tx keys too. These are not used by iwl and copying these over overflows the iwl_keyinfo.key field. Add a check to not copy more data to iwl_keyinfo.key then will fit. This fixes backtraces like this one: memcpy: detected field-spanning write (size 32) of single field "sta_cmd.key.key" at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 (size 16) WARNING: CPU: 1 PID: 946 at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 iwlagn_send_sta_key+0x375/0x390 [iwldvm] <snip> Hardware name: Dell Inc. Latitude E6430/0H3MT5, BIOS A21 05/08/2017 RIP: 0010:iwlagn_send_sta_key+0x375/0x390 [iwldvm] <snip> Call Trace: <TASK> iwl_set_dynamic_key+0x1f0/0x220 [iwldvm] iwlagn_mac_set_key+0x1e4/0x280 [iwldvm] drv_set_key+0xa4/0x1b0 [mac80211] ieee80211_key_enable_hw_accel+0xa8/0x2d0 [mac80211] ieee80211_key_replace+0x22d/0x8e0 [mac80211] <snip> 2025-12-30 not yet calculated CVE-2023-54286 https://git.kernel.org/stable/c/76b5ea43ad2fb4f726ddfaff839430a706e7d7c2
https://git.kernel.org/stable/c/3ed3c1c2fc3482b72e755820261779cd2e2c5a3e
https://git.kernel.org/stable/c/fa57021262e998e2229d6383b1081638df2fe238
https://git.kernel.org/stable/c/91ad1ab3cc7e981cb6d6ee100686baed64e1277e
https://git.kernel.org/stable/c/87940e4030e4705e1f3fd2bbb1854eae8308314b
https://git.kernel.org/stable/c/57189c885149825be8eb8c3524b5af017fdeb941
https://git.kernel.org/stable/c/6cd644f66b43709816561d63e0173cb0c7aab159
https://git.kernel.org/stable/c/ef16799640865f937719f0771c93be5dca18adc6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: tty: serial: imx: disable Ageing Timer interrupt request irq There maybe pending USR interrupt before requesting irq, however uart_add_one_port has not executed, so there will be kernel panic: [ 0.795668] Unable to handle kernel NULL pointer dereference at virtual addre ss 0000000000000080 [ 0.802701] Mem abort info: [ 0.805367] ESR = 0x0000000096000004 [ 0.808950] EC = 0x25: DABT (current EL), IL = 32 bits [ 0.814033] SET = 0, FnV = 0 [ 0.816950] EA = 0, S1PTW = 0 [ 0.819950] FSC = 0x04: level 0 translation fault [ 0.824617] Data abort info: [ 0.827367] ISV = 0, ISS = 0x00000004 [ 0.831033] CM = 0, WnR = 0 [ 0.833866] [0000000000000080] user address but active_mm is swapper [ 0.839951] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 0.845953] Modules linked in: [ 0.848869] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.1+g56321e101aca #1 [ 0.855617] Hardware name: Freescale i.MX8MP EVK (DT) [ 0.860452] pstate: 000000c5 (nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 0.867117] pc : __imx_uart_rxint.constprop.0+0x11c/0x2c0 [ 0.872283] lr : imx_uart_int+0xf8/0x1ec The issue only happends in the inmate linux when Jailhouse hypervisor enabled. The test procedure is: while true; do jailhouse enable imx8mp.cell jailhouse cell linux xxxx sleep 10 jailhouse cell destroy 1 jailhouse disable sleep 5 done And during the upper test, press keys to the 2nd linux console. When `jailhouse cell destroy 1`, the 2nd linux has no chance to put the uart to a quiese state, so USR1/2 may has pending interrupts. Then when `jailhosue cell linux xx` to start 2nd linux again, the issue trigger. In order to disable irqs before requesting them, both UCR1 and UCR2 irqs should be disabled, so here fix that, disable the Ageing Timer interrupt in UCR2 as UCR1 does. 2025-12-30 not yet calculated CVE-2023-54287 https://git.kernel.org/stable/c/3d41d9b256ae626c0dc434427c8e32450358d3b4
https://git.kernel.org/stable/c/9795ece3a85ba9238191e97665586e2d79703ff3
https://git.kernel.org/stable/c/963875b0655197281775b0ea614aab8b6b3eb001
https://git.kernel.org/stable/c/ef25e16ea9674b713a68c3bda821556ce9901254
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fortify the spinlock against deadlock by interrupt In the function ieee80211_tx_dequeue() there is a particular locking sequence: begin: spin_lock(&local->queue_stop_reason_lock); q_stopped = local->queue_stop_reasons[q]; spin_unlock(&local->queue_stop_reason_lock); However small the chance (increased by ftracetest), an asynchronous interrupt can occur in between of spin_lock() and spin_unlock(), and the interrupt routine will attempt to lock the same &local->queue_stop_reason_lock again. This will cause a costly reset of the CPU and the wifi device or an altogether hang in the single CPU and single core scenario. The only remaining spin_lock(&local->queue_stop_reason_lock) that did not disable interrupts was patched, which should prevent any deadlocks on the same CPU/core and the same wifi device. This is the probable trace of the deadlock: kernel: ================================ kernel: WARNING: inconsistent lock state kernel: 6.3.0-rc6-mt-20230401-00001-gf86822a1170f #4 Tainted: G W kernel: -------------------------------- kernel: inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage. kernel: kworker/5:0/25656 [HC0[0]:SC0[0]:HE1:SE1] takes: kernel: ffff9d6190779478 (&local->queue_stop_reason_lock){+.?.}-{2:2}, at: return_to_handler+0x0/0x40 kernel: {IN-SOFTIRQ-W} state was registered at: kernel: lock_acquire+0xc7/0x2d0 kernel: _raw_spin_lock+0x36/0x50 kernel: ieee80211_tx_dequeue+0xb4/0x1330 [mac80211] kernel: iwl_mvm_mac_itxq_xmit+0xae/0x210 [iwlmvm] kernel: iwl_mvm_mac_wake_tx_queue+0x2d/0xd0 [iwlmvm] kernel: ieee80211_queue_skb+0x450/0x730 [mac80211] kernel: __ieee80211_xmit_fast.constprop.66+0x834/0xa50 [mac80211] kernel: __ieee80211_subif_start_xmit+0x217/0x530 [mac80211] kernel: ieee80211_subif_start_xmit+0x60/0x580 [mac80211] kernel: dev_hard_start_xmit+0xb5/0x260 kernel: __dev_queue_xmit+0xdbe/0x1200 kernel: neigh_resolve_output+0x166/0x260 kernel: ip_finish_output2+0x216/0xb80 kernel: __ip_finish_output+0x2a4/0x4d0 kernel: ip_finish_output+0x2d/0xd0 kernel: ip_output+0x82/0x2b0 kernel: ip_local_out+0xec/0x110 kernel: igmpv3_sendpack+0x5c/0x90 kernel: igmp_ifc_timer_expire+0x26e/0x4e0 kernel: call_timer_fn+0xa5/0x230 kernel: run_timer_softirq+0x27f/0x550 kernel: __do_softirq+0xb4/0x3a4 kernel: irq_exit_rcu+0x9b/0xc0 kernel: sysvec_apic_timer_interrupt+0x80/0xa0 kernel: asm_sysvec_apic_timer_interrupt+0x1f/0x30 kernel: _raw_spin_unlock_irqrestore+0x3f/0x70 kernel: free_to_partial_list+0x3d6/0x590 kernel: __slab_free+0x1b7/0x310 kernel: kmem_cache_free+0x52d/0x550 kernel: putname+0x5d/0x70 kernel: do_sys_openat2+0x1d7/0x310 kernel: do_sys_open+0x51/0x80 kernel: __x64_sys_openat+0x24/0x30 kernel: do_syscall_64+0x5c/0x90 kernel: entry_SYSCALL_64_after_hwframe+0x72/0xdc kernel: irq event stamp: 5120729 kernel: hardirqs last enabled at (5120729): [<ffffffff9d149936>] trace_graph_return+0xd6/0x120 kernel: hardirqs last disabled at (5120728): [<ffffffff9d149950>] trace_graph_return+0xf0/0x120 kernel: softirqs last enabled at (5069900): [<ffffffff9cf65b60>] return_to_handler+0x0/0x40 kernel: softirqs last disabled at (5067555): [<ffffffff9cf65b60>] return_to_handler+0x0/0x40 kernel: other info that might help us debug this: kernel: Possible unsafe locking scenario: kernel: CPU0 kernel: ---- kernel: lock(&local->queue_stop_reason_lock); kernel: <Interrupt> kernel: lock(&local->queue_stop_reason_lock); kernel: *** DEADLOCK *** kernel: 8 locks held by kworker/5:0/25656: kernel: #0: ffff9d618009d138 ((wq_completion)events_freezable){+.+.}-{0:0}, at: process_one_work+0x1ca/0x530 kernel: #1: ffffb1ef4637fe68 ((work_completion)(&local->restart_work)){+.+.}-{0:0}, at: process_one_work+0x1ce/0x530 kernel: #2: ffffffff9f166548 (rtnl_mutex){+.+.}-{3:3}, at: return_to_handler+0x0/0x40 kernel: #3: ffff9d619 ---truncated--- 2025-12-30 not yet calculated CVE-2023-54288 https://git.kernel.org/stable/c/c79d794a2cd76eca47b2491c5030be9a6418c5d6
https://git.kernel.org/stable/c/6df3eafa31b3ee4f0cba601ca857019964355034
https://git.kernel.org/stable/c/ef6e1997da63ad0ac3fe33153fec9524c9ae56c9
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Fix NULL dereference in error handling Smatch reported: drivers/scsi/qedf/qedf_main.c:3056 qedf_alloc_global_queues() warn: missing unwind goto? At this point in the function, nothing has been allocated so we can return directly. In particular the "qedf->global_queues" have not been allocated so calling qedf_free_global_queues() will lead to a NULL dereference when we check if (!gl[i]) and "gl" is NULL. 2025-12-30 not yet calculated CVE-2023-54289 https://git.kernel.org/stable/c/961c8370c5f7e80a267680476e1bcff34bffe71a
https://git.kernel.org/stable/c/ac64019e4d4b08c23edb117e0b2590985e33de1d
https://git.kernel.org/stable/c/b1de5105d29b145b727b797e2d5de071ab3a7ca1
https://git.kernel.org/stable/c/c316bde418af4c2a9df51149ed01d1bd8ca5bebf
https://git.kernel.org/stable/c/08c001c1e9444a3046c79a99aa93ac48073b18cc
https://git.kernel.org/stable/c/271c9b2eb60149afbeab28cb39e52f73bde9900c
https://git.kernel.org/stable/c/f025312b089474a54e4859f3453771314d9e3d4f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: vduse: fix NULL pointer dereference vduse_vdpa_set_vq_affinity callback can be called with NULL value as cpu_mask when deleting the vduse device. This patch resets virtqueue's IRQ affinity mask value to set all CPUs instead of dereferencing NULL cpu_mask. [ 4760.952149] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 4760.959110] #PF: supervisor read access in kernel mode [ 4760.964247] #PF: error_code(0x0000) - not-present page [ 4760.969385] PGD 0 P4D 0 [ 4760.971927] Oops: 0000 [#1] PREEMPT SMP PTI [ 4760.976112] CPU: 13 PID: 2346 Comm: vdpa Not tainted 6.4.0-rc6+ #4 [ 4760.982291] Hardware name: Dell Inc. PowerEdge R640/0W23H8, BIOS 2.8.1 06/26/2020 [ 4760.989769] RIP: 0010:memcpy_orig+0xc5/0x130 [ 4760.994049] Code: 16 f8 4c 89 07 4c 89 4f 08 4c 89 54 17 f0 4c 89 5c 17 f8 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 fa 08 72 1b <4c> 8b 06 4c 8b 4c 16 f8 4c 89 07 4c 89 4c 17 f8 c3 cc cc cc cc 66 [ 4761.012793] RSP: 0018:ffffb1d565abb830 EFLAGS: 00010246 [ 4761.018020] RAX: ffff9f4bf6b27898 RBX: ffff9f4be23969c0 RCX: ffff9f4bcadf6400 [ 4761.025152] RDX: 0000000000000008 RSI: 0000000000000000 RDI: ffff9f4bf6b27898 [ 4761.032286] RBP: 0000000000000000 R08: 0000000000000008 R09: 0000000000000000 [ 4761.039416] R10: 0000000000000000 R11: 0000000000000600 R12: 0000000000000000 [ 4761.046549] R13: 0000000000000000 R14: 0000000000000080 R15: ffffb1d565abbb10 [ 4761.053680] FS: 00007f64c2ec2740(0000) GS:ffff9f635f980000(0000) knlGS:0000000000000000 [ 4761.061765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4761.067513] CR2: 0000000000000000 CR3: 0000001875270006 CR4: 00000000007706e0 [ 4761.074645] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4761.081775] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 4761.088909] PKRU: 55555554 [ 4761.091620] Call Trace: [ 4761.094074] <TASK> [ 4761.096180] ? __die+0x1f/0x70 [ 4761.099238] ? page_fault_oops+0x171/0x4f0 [ 4761.103340] ? exc_page_fault+0x7b/0x180 [ 4761.107265] ? asm_exc_page_fault+0x22/0x30 [ 4761.111460] ? memcpy_orig+0xc5/0x130 [ 4761.115126] vduse_vdpa_set_vq_affinity+0x3e/0x50 [vduse] [ 4761.120533] virtnet_clean_affinity.part.0+0x3d/0x90 [virtio_net] [ 4761.126635] remove_vq_common+0x1a4/0x250 [virtio_net] [ 4761.131781] virtnet_remove+0x5d/0x70 [virtio_net] [ 4761.136580] virtio_dev_remove+0x3a/0x90 [ 4761.140509] device_release_driver_internal+0x19b/0x200 [ 4761.145742] bus_remove_device+0xc2/0x130 [ 4761.149755] device_del+0x158/0x3e0 [ 4761.153245] ? kernfs_find_ns+0x35/0xc0 [ 4761.157086] device_unregister+0x13/0x60 [ 4761.161010] unregister_virtio_device+0x11/0x20 [ 4761.165543] device_release_driver_internal+0x19b/0x200 [ 4761.170770] bus_remove_device+0xc2/0x130 [ 4761.174782] device_del+0x158/0x3e0 [ 4761.178276] ? __pfx_vdpa_name_match+0x10/0x10 [vdpa] [ 4761.183336] device_unregister+0x13/0x60 [ 4761.187260] vdpa_nl_cmd_dev_del_set_doit+0x63/0xe0 [vdpa] 2025-12-30 not yet calculated CVE-2023-54291 https://git.kernel.org/stable/c/f9d46429de2a251e1e4962e1bf86c344d6336562
https://git.kernel.org/stable/c/f06cf1e1a503169280467d12d2ec89bf2c30ace7
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix data race on CQP request done KCSAN detects a data race on cqp_request->request_done memory location which is accessed locklessly in irdma_handle_cqp_op while being updated in irdma_cqp_ce_handler. Annotate lockless intent with READ_ONCE/WRITE_ONCE to avoid any compiler optimizations like load fusing and/or KCSAN warning. [222808.417128] BUG: KCSAN: data-race in irdma_cqp_ce_handler [irdma] / irdma_wait_event [irdma] [222808.417532] write to 0xffff8e44107019dc of 1 bytes by task 29658 on cpu 5: [222808.417610] irdma_cqp_ce_handler+0x21e/0x270 [irdma] [222808.417725] cqp_compl_worker+0x1b/0x20 [irdma] [222808.417827] process_one_work+0x4d1/0xa40 [222808.417835] worker_thread+0x319/0x700 [222808.417842] kthread+0x180/0x1b0 [222808.417852] ret_from_fork+0x22/0x30 [222808.417918] read to 0xffff8e44107019dc of 1 bytes by task 29688 on cpu 1: [222808.417995] irdma_wait_event+0x1e2/0x2c0 [irdma] [222808.418099] irdma_handle_cqp_op+0xae/0x170 [irdma] [222808.418202] irdma_cqp_cq_destroy_cmd+0x70/0x90 [irdma] [222808.418308] irdma_puda_dele_rsrc+0x46d/0x4d0 [irdma] [222808.418411] irdma_rt_deinit_hw+0x179/0x1d0 [irdma] [222808.418514] irdma_ib_dealloc_device+0x11/0x40 [irdma] [222808.418618] ib_dealloc_device+0x2a/0x120 [ib_core] [222808.418823] __ib_unregister_device+0xde/0x100 [ib_core] [222808.418981] ib_unregister_device+0x22/0x40 [ib_core] [222808.419142] irdma_ib_unregister_device+0x70/0x90 [irdma] [222808.419248] i40iw_close+0x6f/0xc0 [irdma] [222808.419352] i40e_client_device_unregister+0x14a/0x180 [i40e] [222808.419450] i40iw_remove+0x21/0x30 [irdma] [222808.419554] auxiliary_bus_remove+0x31/0x50 [222808.419563] device_remove+0x69/0xb0 [222808.419572] device_release_driver_internal+0x293/0x360 [222808.419582] driver_detach+0x7c/0xf0 [222808.419592] bus_remove_driver+0x8c/0x150 [222808.419600] driver_unregister+0x45/0x70 [222808.419610] auxiliary_driver_unregister+0x16/0x30 [222808.419618] irdma_exit_module+0x18/0x1e [irdma] [222808.419733] __do_sys_delete_module.constprop.0+0x1e2/0x310 [222808.419745] __x64_sys_delete_module+0x1b/0x30 [222808.419755] do_syscall_64+0x39/0x90 [222808.419763] entry_SYSCALL_64_after_hwframe+0x63/0xcd [222808.419829] value changed: 0x01 -> 0x03 2025-12-30 not yet calculated CVE-2023-54292 https://git.kernel.org/stable/c/c5b5dbcbf91f769b8eb25f88e32a1522f920f37a
https://git.kernel.org/stable/c/5986e96be7d0b82e50a9c6b019ea3f1926fd8764
https://git.kernel.org/stable/c/b8b90ba636e3861665aef9a3eab5fcf92839a2c5
https://git.kernel.org/stable/c/f0842bb3d38863777e3454da5653d80b5fde6321
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bcache: fixup btree_cache_wait list damage We get a kernel crash about "list_add corruption. next->prev should be prev (ffff9c801bc01210), but was ffff9c77b688237c. (next=ffffae586d8afe68)." crash> struct list_head 0xffff9c801bc01210 struct list_head { next = 0xffffae586d8afe68, prev = 0xffffae586d8afe68 } crash> struct list_head 0xffff9c77b688237c struct list_head { next = 0x0, prev = 0x0 } crash> struct list_head 0xffffae586d8afe68 struct list_head struct: invalid kernel virtual address: ffffae586d8afe68 type: "gdb_readmem_callback" Cannot access memory at address 0xffffae586d8afe68 [230469.019492] Call Trace: [230469.032041] prepare_to_wait+0x8a/0xb0 [230469.044363] ? bch_btree_keys_free+0x6c/0xc0 [escache] [230469.056533] mca_cannibalize_lock+0x72/0x90 [escache] [230469.068788] mca_alloc+0x2ae/0x450 [escache] [230469.080790] bch_btree_node_get+0x136/0x2d0 [escache] [230469.092681] bch_btree_check_thread+0x1e1/0x260 [escache] [230469.104382] ? finish_wait+0x80/0x80 [230469.115884] ? bch_btree_check_recurse+0x1a0/0x1a0 [escache] [230469.127259] kthread+0x112/0x130 [230469.138448] ? kthread_flush_work_fn+0x10/0x10 [230469.149477] ret_from_fork+0x35/0x40 bch_btree_check_thread() and bch_dirty_init_thread() may call mca_cannibalize() to cannibalize other cached btree nodes. Only one thread can do it at a time, so the op of other threads will be added to the btree_cache_wait list. We must call finish_wait() to remove op from btree_cache_wait before free it's memory address. Otherwise, the list will be damaged. Also should call bch_cannibalize_unlock() to release the btree_cache_alloc_lock and wake_up other waiters. 2025-12-30 not yet calculated CVE-2023-54293 https://git.kernel.org/stable/c/bcb295778afda4f2feb0d3c0289a53fd43d5a3a6
https://git.kernel.org/stable/c/cbdd5b3322f7bbe6454c97cac994757f1192c07b
https://git.kernel.org/stable/c/25ec4779d0fb3ed9cac1e4d9e0e4261b4a12f6ed
https://git.kernel.org/stable/c/2882a4c4f0c90e99f37dbd8db369b9982fd613e7
https://git.kernel.org/stable/c/f0854489fc07d2456f7cc71a63f4faf9c716ffbe
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix memleak of md thread In raid10_run(), if setup_conf() succeed and raid10_run() failed before setting 'mddev->thread', then in the error path 'conf->thread' is not freed. Fix the problem by setting 'mddev->thread' right after setup_conf(). 2025-12-30 not yet calculated CVE-2023-54294 https://git.kernel.org/stable/c/abf4d67060c8f63caff096e5fca1564bfef1e5d4
https://git.kernel.org/stable/c/3725b35fc0e5e4eea0434ef625f3d92f3059d080
https://git.kernel.org/stable/c/2a65555f7e0f4a05b663879908a991e6d9f81e51
https://git.kernel.org/stable/c/d6cfcf98b824591cffa4c1e9889fb4fa619359fe
https://git.kernel.org/stable/c/36ba0c7b86acd9c2ea80a273204d52c21c955471
https://git.kernel.org/stable/c/5d763f708b0f918fb87799e33c25113ae6081216
https://git.kernel.org/stable/c/ec473e82e10d39a02eb59b0b95e546119a3bdb79
https://git.kernel.org/stable/c/f0ddb83da3cbbf8a1f9087a642c448ff52ee9abd
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mtd: spi-nor: Fix shift-out-of-bounds in spi_nor_set_erase_type spi_nor_set_erase_type() was used either to set or to mask out an erase type. When we used it to mask out an erase type a shift-out-of-bounds was hit: UBSAN: shift-out-of-bounds in drivers/mtd/spi-nor/core.c:2237:24 shift exponent 4294967295 is too large for 32-bit type 'int' The setting of the size_{shift, mask} and of the opcode are unnecessary when the erase size is zero, as throughout the code just the erase size is considered to determine whether an erase type is supported or not. Setting the opcode to 0xFF was wrong too as nobody guarantees that 0xFF is an unused opcode. Thus when masking out an erase type, just set the erase size to zero. This will fix the shift-out-of-bounds. [ta: refine changes, new commit message, fix compilation error] 2025-12-30 not yet calculated CVE-2023-54295 https://git.kernel.org/stable/c/e6409208c13f7c56adc12dd795abf4141e3d5e64
https://git.kernel.org/stable/c/61d44a4db2f54dbac7d22c2541574ea5755e0468
https://git.kernel.org/stable/c/53b2916ebde741c657a857fa1936c0d9fcb59170
https://git.kernel.org/stable/c/99341b8aee7b5b4255b339345bbcaa35867dfd0c
https://git.kernel.org/stable/c/f0f0cfdc3a024e21161714f2e05f0df3b84d42ad
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Get source vCPUs from source VM for SEV-ES intrahost migration Fix a goof where KVM tries to grab source vCPUs from the destination VM when doing intrahost migration. Grabbing the wrong vCPU not only hoses the guest, it also crashes the host due to the VMSA pointer being left NULL. BUG: unable to handle page fault for address: ffffe38687000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 39 PID: 17143 Comm: sev_migrate_tes Tainted: GO 6.5.0-smp--fff2e47e6c3b-next #151 Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.28.0 07/10/2023 RIP: 0010:__free_pages+0x15/0xd0 RSP: 0018:ffff923fcf6e3c78 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffe38687000000 RCX: 0000000000000100 RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffffe38687000000 RBP: ffff923fcf6e3c88 R08: ffff923fcafb0000 R09: 0000000000000000 R10: 0000000000000000 R11: ffffffff83619b90 R12: ffff923fa9540000 R13: 0000000000080007 R14: ffff923f6d35d000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff929d0d7c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffe38687000000 CR3: 0000005224c34005 CR4: 0000000000770ee0 PKRU: 55555554 Call Trace: <TASK> sev_free_vcpu+0xcb/0x110 [kvm_amd] svm_vcpu_free+0x75/0xf0 [kvm_amd] kvm_arch_vcpu_destroy+0x36/0x140 [kvm] kvm_destroy_vcpus+0x67/0x100 [kvm] kvm_arch_destroy_vm+0x161/0x1d0 [kvm] kvm_put_kvm+0x276/0x560 [kvm] kvm_vm_release+0x25/0x30 [kvm] __fput+0x106/0x280 ____fput+0x12/0x20 task_work_run+0x86/0xb0 do_exit+0x2e3/0x9c0 do_group_exit+0xb1/0xc0 __x64_sys_exit_group+0x1b/0x20 do_syscall_64+0x41/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd </TASK> CR2: ffffe38687000000 2025-12-30 not yet calculated CVE-2023-54296 https://git.kernel.org/stable/c/5c18ace750e4d4d58d7da02d1c669bf21c824158
https://git.kernel.org/stable/c/2ee4b180d51b12a45bdd3264629719ef6a572a73
https://git.kernel.org/stable/c/f1187ef24eb8f36e8ad8106d22615ceddeea6097
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix memory leak after finding block group with super blocks At exclude_super_stripes(), if we happen to find a block group that has super blocks mapped to it and we are on a zoned filesystem, we error out as this is not supposed to happen, indicating either a bug or maybe some memory corruption for example. However we are exiting the function without freeing the memory allocated for the logical address of the super blocks. Fix this by freeing the logical address. 2025-12-30 not yet calculated CVE-2023-54297 https://git.kernel.org/stable/c/ab80a901f8daca07c4a54af0ab0de745c9918294
https://git.kernel.org/stable/c/c35ea606196243063e63785918c7c8fe27c45798
https://git.kernel.org/stable/c/cca627afb463a4b47721eac017516ba200de85c3
https://git.kernel.org/stable/c/f1a07c2b4e2c473ec322b8b9ece071b8c88a3512
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: thermal: intel: quark_dts: fix error pointer dereference If alloc_soc_dts() fails, then we can just return. Trying to free "soc_dts" will lead to an Oops. 2025-12-30 not yet calculated CVE-2023-54298 https://git.kernel.org/stable/c/0b366c6a42e2e2bc67af8d1130b68f3bfa31c80e
https://git.kernel.org/stable/c/d0178f2788fb1183a5cc350213efdc94010b9147
https://git.kernel.org/stable/c/e23f1d9e6e03d04da2f18e78ab5d4255ffeb1333
https://git.kernel.org/stable/c/f73134231fa23e0856c15010db5f5c03693c1e92
https://git.kernel.org/stable/c/5eaf55b38691291d49417c22e726591078ca1893
https://git.kernel.org/stable/c/69e49f1b53605706bc2203455021539aba2ebe21
https://git.kernel.org/stable/c/24c221b11c2894e1a5f07b93362d9bc91c6d8be7
https://git.kernel.org/stable/c/f1b930e740811d416de4d2074da48b6633a672c8
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: usb: typec: bus: verify partner exists in typec_altmode_attention Some usb hubs will negotiate DisplayPort Alt mode with the device but will then negotiate a data role swap after entering the alt mode. The data role swap causes the device to unregister all alt modes, however the usb hub will still send Attention messages even after failing to reregister the Alt Mode. type_altmode_attention currently does not verify whether or not a device's altmode partner exists, which results in a NULL pointer error when dereferencing the typec_altmode and typec_altmode_ops belonging to the altmode partner. Verify the presence of a device's altmode partner before sending the Attention message to the Alt Mode driver. 2025-12-30 not yet calculated CVE-2023-54299 https://git.kernel.org/stable/c/5f71716772b88cbe0e1788f6a38d7871aff2120b
https://git.kernel.org/stable/c/38e1f2ee82bacbbfded8f1c06794a443d038d054
https://git.kernel.org/stable/c/0ad6bad31da692f8d7acacab07eabe7586239ae0
https://git.kernel.org/stable/c/0d3b5fe47938e9c451466845304a2bd74e967a80
https://git.kernel.org/stable/c/d49547950bf7f3480d6ca05fe055978e5f0d9e5b
https://git.kernel.org/stable/c/1101867a1711c27d8bbe0e83136bec47f8c1ca2a
https://git.kernel.org/stable/c/f23643306430f86e2f413ee2b986e0773e79da31
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx For the reasons also described in commit b383e8abed41 ("wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()"), ath9k_htc_rx_msg() should validate pkt_len before accessing the SKB. For example, the obtained SKB may have been badly constructed with pkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr but after being processed in ath9k_htc_rx_msg() and passed to ath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI command header which should be located inside its data payload. Implement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit memory can be referenced. Tested on Qualcomm Atheros Communications AR9271 802.11n . Found by Linux Verification Center (linuxtesting.org) with Syzkaller. 2025-12-30 not yet calculated CVE-2023-54300 https://git.kernel.org/stable/c/0bc12e41af4e3ae1f0efecc377f0514459df0707
https://git.kernel.org/stable/c/28259ce4f1f1f9ab37fa817756c89098213d2fc0
https://git.kernel.org/stable/c/90e3c10177573b8662ac9858abd9bf731d5d98e0
https://git.kernel.org/stable/c/250efb4d3f5b32a115ea6bf25437ba44a1b3c04f
https://git.kernel.org/stable/c/ad5425e70789c29b93acafb5bb4629e4eb908296
https://git.kernel.org/stable/c/d1c2ff2bd84c3692c9df267a2b991ce92bfca8ef
https://git.kernel.org/stable/c/8ed572e52714593b209e3aa352406aff84481179
https://git.kernel.org/stable/c/75acec91aeaa07375cd5f418069e61b16d39bbad
https://git.kernel.org/stable/c/f24292e827088bba8de7158501ac25a59b064953
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: serial: 8250_bcm7271: fix leak in `brcmuart_probe` Smatch reports: drivers/tty/serial/8250/8250_bcm7271.c:1120 brcmuart_probe() warn: 'baud_mux_clk' from clk_prepare_enable() not released on lines: 1032. The issue is fixed by using a managed clock. 2025-12-30 not yet calculated CVE-2023-54301 https://git.kernel.org/stable/c/5258395e67fee6929fb8e50c8239f8de51b8cb2d
https://git.kernel.org/stable/c/2a3e5f428fc4315be6144524912eaefac16f43a9
https://git.kernel.org/stable/c/56a81445b8e4b8906d557518c5dae3ddbb447d1e
https://git.kernel.org/stable/c/f264f2f6f4788dc031cef60a0cf2881902736709
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix data race on CQP completion stats CQP completion statistics is read lockesly in irdma_wait_event and irdma_check_cqp_progress while it can be updated in the completion thread irdma_sc_ccq_get_cqe_info on another CPU as KCSAN reports. Make completion statistics an atomic variable to reflect coherent updates to it. This will also avoid load/store tearing logic bug potentially possible by compiler optimizations. [77346.170861] BUG: KCSAN: data-race in irdma_handle_cqp_op [irdma] / irdma_sc_ccq_get_cqe_info [irdma] [77346.171383] write to 0xffff8a3250b108e0 of 8 bytes by task 9544 on cpu 4: [77346.171483] irdma_sc_ccq_get_cqe_info+0x27a/0x370 [irdma] [77346.171658] irdma_cqp_ce_handler+0x164/0x270 [irdma] [77346.171835] cqp_compl_worker+0x1b/0x20 [irdma] [77346.172009] process_one_work+0x4d1/0xa40 [77346.172024] worker_thread+0x319/0x700 [77346.172037] kthread+0x180/0x1b0 [77346.172054] ret_from_fork+0x22/0x30 [77346.172136] read to 0xffff8a3250b108e0 of 8 bytes by task 9838 on cpu 2: [77346.172234] irdma_handle_cqp_op+0xf4/0x4b0 [irdma] [77346.172413] irdma_cqp_aeq_cmd+0x75/0xa0 [irdma] [77346.172592] irdma_create_aeq+0x390/0x45a [irdma] [77346.172769] irdma_rt_init_hw.cold+0x212/0x85d [irdma] [77346.172944] irdma_probe+0x54f/0x620 [irdma] [77346.173122] auxiliary_bus_probe+0x66/0xa0 [77346.173137] really_probe+0x140/0x540 [77346.173154] __driver_probe_device+0xc7/0x220 [77346.173173] driver_probe_device+0x5f/0x140 [77346.173190] __driver_attach+0xf0/0x2c0 [77346.173208] bus_for_each_dev+0xa8/0xf0 [77346.173225] driver_attach+0x29/0x30 [77346.173240] bus_add_driver+0x29c/0x2f0 [77346.173255] driver_register+0x10f/0x1a0 [77346.173272] __auxiliary_driver_register+0xbc/0x140 [77346.173287] irdma_init_module+0x55/0x1000 [irdma] [77346.173460] do_one_initcall+0x7d/0x410 [77346.173475] do_init_module+0x81/0x2c0 [77346.173491] load_module+0x1232/0x12c0 [77346.173506] __do_sys_finit_module+0x101/0x180 [77346.173522] __x64_sys_finit_module+0x3c/0x50 [77346.173538] do_syscall_64+0x39/0x90 [77346.173553] entry_SYSCALL_64_after_hwframe+0x63/0xcd [77346.173634] value changed: 0x0000000000000094 -> 0x0000000000000095 2025-12-30 not yet calculated CVE-2023-54302 https://git.kernel.org/stable/c/bf0f9f65b7fe36ea9d2e23263dcefc90255d7b1f
https://git.kernel.org/stable/c/4e1a5842a359ee18d5a9e75097d7cf4d93e233bb
https://git.kernel.org/stable/c/2623ca92cd8f9668edabe9e4f4a3cf77fd7115f2
https://git.kernel.org/stable/c/f2c3037811381f9149243828c7eb9a1631df9f9c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Disable preemption in bpf_perf_event_output The nesting protection in bpf_perf_event_output relies on disabled preemption, which is guaranteed for kprobes and tracepoints. However bpf_perf_event_output can be also called from uprobes context through bpf_prog_run_array_sleepable function which disables migration, but keeps preemption enabled. This can cause task to be preempted by another one inside the nesting protection and lead eventually to two tasks using same perf_sample_data buffer and cause crashes like: kernel tried to execute NX-protected page - exploit attempt? (uid: 0) BUG: unable to handle page fault for address: ffffffff82be3eea ... Call Trace: ? __die+0x1f/0x70 ? page_fault_oops+0x176/0x4d0 ? exc_page_fault+0x132/0x230 ? asm_exc_page_fault+0x22/0x30 ? perf_output_sample+0x12b/0x910 ? perf_event_output+0xd0/0x1d0 ? bpf_perf_event_output+0x162/0x1d0 ? bpf_prog_c6271286d9a4c938_krava1+0x76/0x87 ? __uprobe_perf_func+0x12b/0x540 ? uprobe_dispatcher+0x2c4/0x430 ? uprobe_notify_resume+0x2da/0xce0 ? atomic_notifier_call_chain+0x7b/0x110 ? exit_to_user_mode_prepare+0x13e/0x290 ? irqentry_exit_to_user_mode+0x5/0x30 ? asm_exc_int3+0x35/0x40 Fixing this by disabling preemption in bpf_perf_event_output. 2025-12-30 not yet calculated CVE-2023-54303 https://git.kernel.org/stable/c/3654ed5daf492463c3faa434c7000d45c2da2ace
https://git.kernel.org/stable/c/a0ac32cf61e5a76e2429e486925a52ee41dd75e3
https://git.kernel.org/stable/c/f2c67a3e60d1071b65848efaa8c3b66c363dd025
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: firmware: meson_sm: fix to avoid potential NULL pointer dereference of_match_device() may fail and returns a NULL pointer. Fix this by checking the return value of of_match_device. 2025-12-30 not yet calculated CVE-2023-54304 https://git.kernel.org/stable/c/fba9c24c196310546f13c77ff66d0741155fa771
https://git.kernel.org/stable/c/9f4017cac70c04090dd4f672e755d6c875af67d8
https://git.kernel.org/stable/c/502dfc5875bab9ae5d6a2939146c2c5e5683be40
https://git.kernel.org/stable/c/bd3a6b6d5dd863dbbe17985c7612159cf4533cad
https://git.kernel.org/stable/c/68f3209546b5083f8bffa46f7173cc05191eace1
https://git.kernel.org/stable/c/2d6c4a1a4e6678cb98dd57964f133a995ecc91c1
https://git.kernel.org/stable/c/f2ed165619c16577c02b703a114a1f6b52026df4
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ext4: refuse to create ea block when umounted The ea block expansion need to access s_root while it is already set as NULL when umount is triggered. Refuse this request to avoid panic. 2025-12-30 not yet calculated CVE-2023-54305 https://git.kernel.org/stable/c/aedea161d031502a423ed1c7597754681a4f8cda
https://git.kernel.org/stable/c/21f6a80d9234422e2eb445734b22c78fc5bf6719
https://git.kernel.org/stable/c/a92b67e768bde433b9385cde56c09deb58db269e
https://git.kernel.org/stable/c/0dc0fa313bb4e86382a3e7125429710d44383196
https://git.kernel.org/stable/c/116008ada3d0de4991099edaf6b8c2e9cd6f225a
https://git.kernel.org/stable/c/05cbf6ddd9847c7b4f0662c048f195b09405a9d0
https://git.kernel.org/stable/c/a458a8c1d1fc4e10a1813786132b09a3863ad3f2
https://git.kernel.org/stable/c/f31173c19901a96bb2ebf6bcfec8a08df7095c91
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: tls: avoid hanging tasks on the tx_lock syzbot sent a hung task report and Eric explains that adversarial receiver may keep RWIN at 0 for a long time, so we are not guaranteed to make forward progress. Thread which took tx_lock and went to sleep may not release tx_lock for hours. Use interruptible sleep where possible and reschedule the work if it can't take the lock. Testing: existing selftest passes 2025-12-30 not yet calculated CVE-2023-54306 https://git.kernel.org/stable/c/bde541a57b4204d0a800afbbd3d1c06c9cdb133f
https://git.kernel.org/stable/c/7123a4337bf73132bbfb5437e4dc83ba864a9a1e
https://git.kernel.org/stable/c/be5d5d0637fd88c18ee76024bdb22649a1de00d6
https://git.kernel.org/stable/c/1f800f6aae57d2d8f63d32fff383017cbc11cf65
https://git.kernel.org/stable/c/ccf1ccdc5926907befbe880b562b2a4b5f44c087
https://git.kernel.org/stable/c/f3221361dc85d4de22586ce8441ec2c67b454f5d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ptp_qoriq: fix memory leak in probe() Smatch complains that: drivers/ptp/ptp_qoriq.c ptp_qoriq_probe() warn: 'base' from ioremap() not released. Fix this by revising the parameter from 'ptp_qoriq->base' to 'base'. This is only a bug if ptp_qoriq_init() returns on the first -ENODEV error path. For other error paths ptp_qoriq->base and base are the same. And this change makes the code more readable. 2025-12-30 not yet calculated CVE-2023-54307 https://git.kernel.org/stable/c/46c4993a1514eea3bbc7147d0c81c23cc06c6bed
https://git.kernel.org/stable/c/3907fcb5a439933cf8c10d6dc300bc11eba30de3
https://git.kernel.org/stable/c/c0de1a26e6595b0e7969c5b35990a77a2d93104f
https://git.kernel.org/stable/c/43b4331ce0cd88ccba425e0702ba35c1a52daccf
https://git.kernel.org/stable/c/c960785c8168d0e572101ed921b9be3934ed0bc9
https://git.kernel.org/stable/c/f33642224e38d7e0d59336e10e7b4e370b1c4506
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: ymfpci: Create card with device-managed snd_devm_card_new() snd_card_ymfpci_remove() was removed in commit c6e6bb5eab74 ("ALSA: ymfpci: Allocate resources with device-managed APIs"), but the call to snd_card_new() was not replaced with snd_devm_card_new(). Since there was no longer a call to snd_card_free, unloading the module would eventually result in Oops: [697561.532887] BUG: unable to handle page fault for address: ffffffffc0924480 [697561.532893] #PF: supervisor read access in kernel mode [697561.532896] #PF: error_code(0x0000) - not-present page [697561.532899] PGD ae1e15067 P4D ae1e15067 PUD ae1e17067 PMD 11a8f5067 PTE 0 [697561.532905] Oops: 0000 [#1] PREEMPT SMP NOPTI [697561.532909] CPU: 21 PID: 5080 Comm: wireplumber Tainted: G W OE 6.2.7 #1 [697561.532914] Hardware name: System manufacturer System Product Name/TUF GAMING X570-PLUS, BIOS 4408 10/28/2022 [697561.532916] RIP: 0010:try_module_get.part.0+0x1a/0xe0 [697561.532924] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 49 89 fc bf 01 00 00 00 e8 56 3c f8 ff <41> 83 3c 24 02 0f 84 96 00 00 00 41 8b 84 24 30 03 00 00 85 c0 0f [697561.532927] RSP: 0018:ffffbe9b858c3bd8 EFLAGS: 00010246 [697561.532930] RAX: ffff9815d14f1900 RBX: ffff9815c14e6000 RCX: 0000000000000000 [697561.532933] RDX: 0000000000000000 RSI: ffffffffc055092c RDI: ffffffffb3778c1a [697561.532935] RBP: ffffbe9b858c3be8 R08: 0000000000000040 R09: ffff981a1a741380 [697561.532937] R10: ffffbe9b858c3c80 R11: 00000009d56533a6 R12: ffffffffc0924480 [697561.532939] R13: ffff9823439d8500 R14: 0000000000000025 R15: ffff9815cd109f80 [697561.532942] FS: 00007f13084f1f80(0000) GS:ffff9824aef40000(0000) knlGS:0000000000000000 [697561.532945] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [697561.532947] CR2: ffffffffc0924480 CR3: 0000000145344000 CR4: 0000000000350ee0 [697561.532949] Call Trace: [697561.532951] <TASK> [697561.532955] try_module_get+0x13/0x30 [697561.532960] snd_ctl_open+0x61/0x1c0 [snd] [697561.532976] snd_open+0xb4/0x1e0 [snd] [697561.532989] chrdev_open+0xc7/0x240 [697561.532995] ? fsnotify_perm.part.0+0x6e/0x160 [697561.533000] ? __pfx_chrdev_open+0x10/0x10 [697561.533005] do_dentry_open+0x169/0x440 [697561.533009] vfs_open+0x2d/0x40 [697561.533012] path_openat+0xa9d/0x10d0 [697561.533017] ? debug_smp_processor_id+0x17/0x20 [697561.533022] ? trigger_load_balance+0x65/0x370 [697561.533026] do_filp_open+0xb2/0x160 [697561.533032] ? _raw_spin_unlock+0x19/0x40 [697561.533036] ? alloc_fd+0xa9/0x190 [697561.533040] do_sys_openat2+0x9f/0x160 [697561.533044] __x64_sys_openat+0x55/0x90 [697561.533048] do_syscall_64+0x3b/0x90 [697561.533052] entry_SYSCALL_64_after_hwframe+0x72/0xdc [697561.533056] RIP: 0033:0x7f1308a40db4 [697561.533059] Code: 24 20 eb 8f 66 90 44 89 54 24 0c e8 46 68 f8 ff 44 8b 54 24 0c 44 89 e2 48 89 ee 41 89 c0 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 32 44 89 c7 89 44 24 0c e8 78 68 f8 ff 8b 44 [697561.533062] RSP: 002b:00007ffcce664450 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 [697561.533066] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1308a40db4 [697561.533068] RDX: 0000000000080000 RSI: 00007ffcce664690 RDI: 00000000ffffff9c [697561.533070] RBP: 00007ffcce664690 R08: 0000000000000000 R09: 0000000000000012 [697561.533072] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000080000 [697561.533074] R13: 00007f13054b069b R14: 0000565209f83200 R15: 0000000000000000 [697561.533078] </TASK> 2025-12-30 not yet calculated CVE-2023-54308 https://git.kernel.org/stable/c/95642872c466030240199ba796a40771c493ed0c
https://git.kernel.org/stable/c/db7d7782677ff998c06997903d5400a0ba91cebb
https://git.kernel.org/stable/c/255a81a89501df77379b51a81c7a2e8e7c359bc6
https://git.kernel.org/stable/c/f33fc1576757741479452255132d6e3aaf558ffe
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation /dev/vtpmx is made visible before 'workqueue' is initialized, which can lead to a memory corruption in the worst case scenario. Address this by initializing 'workqueue' as the very first step of the driver initialization. 2025-12-30 not yet calculated CVE-2023-54309 https://git.kernel.org/stable/c/509d21f1c4bb9d35d397fca3226165b156a7639f
https://git.kernel.org/stable/c/04e8697d26613ccea760cf57eb20a5a27f788c0f
https://git.kernel.org/stable/c/86b9820395f226b8f33cbae9599deebf8af1ce72
https://git.kernel.org/stable/c/9ff7fcb3a2ed0e9b895bb5b4c13872d584a8815b
https://git.kernel.org/stable/c/e08295290c53a3cf174c236721747a01b9550ae2
https://git.kernel.org/stable/c/99b998fb9d7d2d2d9dbb3e19db2d0ade02f5a604
https://git.kernel.org/stable/c/092db954e2c3c5ba6c0ce990c7da72cf8f3b9c51
https://git.kernel.org/stable/c/f4032d615f90970d6c3ac1d9c0bce3351eb4445c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition mptlan_probe() calls mpt_register_lan_device() which initializes the &priv->post_buckets_task workqueue. A call to mpt_lan_wake_post_buckets_task() will subsequently start the work. During driver unload in mptlan_remove() the following race may occur: CPU0 CPU1 |mpt_lan_post_receive_buckets_work() mptlan_remove() | free_netdev() | kfree(dev); | | | dev->mtu | //use Fix this by finishing the work prior to cleaning up in mptlan_remove(). [mkp: we really should remove mptlan instead of attempting to fix it] 2025-12-30 not yet calculated CVE-2023-54310 https://git.kernel.org/stable/c/92f869693d84e813895ff4d25363744575515423
https://git.kernel.org/stable/c/60c8645ad6f5b722615383d595d63b62b07a13c3
https://git.kernel.org/stable/c/410e610a96c52a7b41e2ab6c9ca60868d9acecce
https://git.kernel.org/stable/c/697f92f8317e538d8409a0c95d6370eb40b34c05
https://git.kernel.org/stable/c/e84282efc87f2414839f6e15c31b4daa34ebaac1
https://git.kernel.org/stable/c/9c6da3b7f12528cd52c458b33496a098b838fcfc
https://git.kernel.org/stable/c/48daa4a3015d859ee424948844ce3c12f2fe44e6
https://git.kernel.org/stable/c/f486893288f3e9b171b836f43853a6426515d800
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ext4: fix deadlock when converting an inline directory in nojournal mode In no journal mode, ext4_finish_convert_inline_dir() can self-deadlock by calling ext4_handle_dirty_dirblock() when it already has taken the directory lock. There is a similar self-deadlock in ext4_incvert_inline_data_nolock() for data files which we'll fix at the same time. A simple reproducer demonstrating the problem: mke2fs -Fq -t ext2 -O inline_data -b 4k /dev/vdc 64 mount -t ext4 -o dirsync /dev/vdc /vdc cd /vdc mkdir file0 cd file0 touch file0 touch file1 attr -s BurnSpaceInEA -V abcde . touch supercalifragilisticexpialidocious 2025-12-30 not yet calculated CVE-2023-54311 https://git.kernel.org/stable/c/b4fa4768c9acff77245d672d855d2c88294850b1
https://git.kernel.org/stable/c/5f8b55136ad787aed2c184f7cb3e93772ae637a3
https://git.kernel.org/stable/c/640c8c365999c6f23447ac766437236ad88317c5
https://git.kernel.org/stable/c/665cc3ba50330049524c1d275bc840a8f28dde73
https://git.kernel.org/stable/c/0b1c4357bb21d9770451a1bdb8d419ea10bada88
https://git.kernel.org/stable/c/804de0c72cd473e186ca4e1f6287d45431b14e5a
https://git.kernel.org/stable/c/f4ce24f54d9cca4f09a395f3eecce20d6bec4663
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: samples/bpf: Fix buffer overflow in tcp_basertt Using sizeof(nv) or strlen(nv)+1 is correct. 2025-12-30 not yet calculated CVE-2023-54312 https://git.kernel.org/stable/c/cf7514fedc25675e68b74941df28a883951e70fd
https://git.kernel.org/stable/c/f394d204d64095d72ad9f03ff98f3f3743bf743a
https://git.kernel.org/stable/c/bd3e880dce27d225598730d2bbb3dc05b443af22
https://git.kernel.org/stable/c/e92f61e0701ea780e57e1be8dbd1fbec5f42c09e
https://git.kernel.org/stable/c/56c25f2763a16db4fa1b486e6a21dc246cd992bd
https://git.kernel.org/stable/c/dfc004688518d24159606289c74d0c4e123e6436
https://git.kernel.org/stable/c/7c08d1b0d1f75117cf82aeaef49ba9f861b3fb59
https://git.kernel.org/stable/c/f4dea9689c5fea3d07170c2cb0703e216f1a0922
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ovl: fix null pointer dereference in ovl_get_acl_rcu() Following process: P1 P2 path_openat link_path_walk may_lookup inode_permission(rcu) ovl_permission acl_permission_check check_acl get_cached_acl_rcu ovl_get_inode_acl realinode = ovl_inode_real(ovl_inode) drop_cache __dentry_kill(ovl_dentry) iput(ovl_inode) ovl_destroy_inode(ovl_inode) dput(oi->__upperdentry) dentry_kill(upperdentry) dentry_unlink_inode upperdentry->d_inode = NULL ovl_inode_upper upperdentry = ovl_i_dentry_upper(ovl_inode) d_inode(upperdentry) // returns NULL IS_POSIXACL(realinode) // NULL pointer dereference , will trigger an null pointer dereference at realinode: [ 205.472797] BUG: kernel NULL pointer dereference, address: 0000000000000028 [ 205.476701] CPU: 2 PID: 2713 Comm: ls Not tainted 6.3.0-12064-g2edfa098e750-dirty #1216 [ 205.478754] RIP: 0010:do_ovl_get_acl+0x5d/0x300 [ 205.489584] Call Trace: [ 205.489812] <TASK> [ 205.490014] ovl_get_inode_acl+0x26/0x30 [ 205.490466] get_cached_acl_rcu+0x61/0xa0 [ 205.490908] generic_permission+0x1bf/0x4e0 [ 205.491447] ovl_permission+0x79/0x1b0 [ 205.491917] inode_permission+0x15e/0x2c0 [ 205.492425] link_path_walk+0x115/0x550 [ 205.493311] path_lookupat.isra.0+0xb2/0x200 [ 205.493803] filename_lookup+0xda/0x240 [ 205.495747] vfs_fstatat+0x7b/0xb0 Fetch a reproducer in [Link]. Use the helper ovl_i_path_realinode() to get realinode and then do non-nullptr checking. 2025-12-30 not yet calculated CVE-2023-54313 https://git.kernel.org/stable/c/d97481c7b2739a704848bb3c01f224dc71bdf78e
https://git.kernel.org/stable/c/c4a5fb1ae5d3f02d3227afde2b9339994389463d
https://git.kernel.org/stable/c/d536af163c53ce9f9bcfe87d2e9946f06f1a7ea4
https://git.kernel.org/stable/c/f4e19e595cc2e76a8a58413eb19d3d9c51328b53
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: af9005: Fix null-ptr-deref in af9005_i2c_xfer In af9005_i2c_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach af9005_i2c_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") 2025-12-30 not yet calculated CVE-2023-54314 https://git.kernel.org/stable/c/98c12abb275b75a98ff62de9466d21e4daa98536
https://git.kernel.org/stable/c/63d962ac7a52c0ff4cd09af2e284dce5e5955dfe
https://git.kernel.org/stable/c/0c02eb70b1dd4ae9bb304ce6cdadbc6faba2b2e9
https://git.kernel.org/stable/c/c7e5ac737db25d7387fe517cb5207706782b6cf8
https://git.kernel.org/stable/c/033b0c0780adee32dde218179e9bc51d2525108f
https://git.kernel.org/stable/c/abb6fd93e05e80668d2317fe1110bc99b05034c3
https://git.kernel.org/stable/c/e595ff350b2fd600823ee8491df7df693ae4b7c5
https://git.kernel.org/stable/c/f4ee84f27625ce1fdf41e8483fa0561a1b837d10
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: powerpc/powernv/sriov: perform null check on iov before dereferencing iov Currently pointer iov is being dereferenced before the null check of iov which can lead to null pointer dereference errors. Fix this by moving the iov null check before the dereferencing. Detected using cppcheck static analysis: linux/arch/powerpc/platforms/powernv/pci-sriov.c:597:12: warning: Either the condition '!iov' is redundant or there is possible null pointer dereference: iov. [nullPointerRedundantCheck] num_vfs = iov->num_vfs; ^ 2025-12-30 not yet calculated CVE-2023-54315 https://git.kernel.org/stable/c/07c19c0ad4b07f4b598da369714de028f6a6a323
https://git.kernel.org/stable/c/d3a0d96c16e5f8d55e2c70163abda3c7c8328106
https://git.kernel.org/stable/c/d9a1aaea856002cb58dfb7c8d8770400fa1a0299
https://git.kernel.org/stable/c/6314465b88072a6b6f3b3c12a7898abe09095f95
https://git.kernel.org/stable/c/72990144e17e5e2cb378f1d9b10530b85b9bc382
https://git.kernel.org/stable/c/f4f913c980bc6abe0ccfe88fe3909c125afe4a2d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: refscale: Fix uninitalized use of wait_queue_head_t Running the refscale test occasionally crashes the kernel with the following error: [ 8569.952896] BUG: unable to handle page fault for address: ffffffffffffffe8 [ 8569.952900] #PF: supervisor read access in kernel mode [ 8569.952902] #PF: error_code(0x0000) - not-present page [ 8569.952904] PGD c4b048067 P4D c4b049067 PUD c4b04b067 PMD 0 [ 8569.952910] Oops: 0000 [#1] PREEMPT_RT SMP NOPTI [ 8569.952916] Hardware name: Dell Inc. PowerEdge R750/0WMWCR, BIOS 1.2.4 05/28/2021 [ 8569.952917] RIP: 0010:prepare_to_wait_event+0x101/0x190 : [ 8569.952940] Call Trace: [ 8569.952941] <TASK> [ 8569.952944] ref_scale_reader+0x380/0x4a0 [refscale] [ 8569.952959] kthread+0x10e/0x130 [ 8569.952966] ret_from_fork+0x1f/0x30 [ 8569.952973] </TASK> The likely cause is that init_waitqueue_head() is called after the call to the torture_create_kthread() function that creates the ref_scale_reader kthread. Although this init_waitqueue_head() call will very likely complete before this kthread is created and starts running, it is possible that the calling kthread will be delayed between the calls to torture_create_kthread() and init_waitqueue_head(). In this case, the new kthread will use the waitqueue head before it is properly initialized, which is not good for the kernel's health and well-being. The above crash happened here: static inline void __add_wait_queue(...) { : if (!(wq->flags & WQ_FLAG_PRIORITY)) <=== Crash here The offset of flags from list_head entry in wait_queue_entry is -0x18. If reader_tasks[i].wq.head.next is NULL as allocated reader_task structure is zero initialized, the instruction will try to access address 0xffffffffffffffe8, which is exactly the fault address listed above. This commit therefore invokes init_waitqueue_head() before creating the kthread. 2025-12-30 not yet calculated CVE-2023-54316 https://git.kernel.org/stable/c/066fbd8bc981cf49923bf828b7b4092894df577f
https://git.kernel.org/stable/c/ec9d118ad99dc6f1bc674c1e649c25533d89b9ba
https://git.kernel.org/stable/c/e0322a255a2242dbe4686b6176b3c83dea490529
https://git.kernel.org/stable/c/e5de968a9032366198720eac4f368ed7e690b3ef
https://git.kernel.org/stable/c/70a2856fd1d0a040c876ba9e3f89b949ae92e4dd
https://git.kernel.org/stable/c/f5063e8948dad7f31adb007284a5d5038ae31bb8
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: dm flakey: don't corrupt the zero page When we need to zero some range on a block device, the function __blkdev_issue_zero_pages submits a write bio with the bio vector pointing to the zero page. If we use dm-flakey with corrupt bio writes option, it will corrupt the content of the zero page which results in crashes of various userspace programs. Glibc assumes that memory returned by mmap is zeroed and it uses it for calloc implementation; if the newly mapped memory is not zeroed, calloc will return non-zeroed memory. Fix this bug by testing if the page is equal to ZERO_PAGE(0) and avoiding the corruption in this case. 2025-12-30 not yet calculated CVE-2023-54317 https://git.kernel.org/stable/c/b7f8892f672222dbfcc721f51edc03963212b249
https://git.kernel.org/stable/c/98e311be44dbe31ad9c42aa067b2359bac451fda
https://git.kernel.org/stable/c/3c4a56ef7c538d16c1738ba0ccea9e7146105b5a
https://git.kernel.org/stable/c/f2b478228bfdd11e358c5bc197561331f5d5c394
https://git.kernel.org/stable/c/ff60b2bb680ebcaf8890814dd51084a022891469
https://git.kernel.org/stable/c/be360c83f2d810493c04f999d69ec9152981e0c0
https://git.kernel.org/stable/c/63d31617883d64b43b0e2d529f0751f40713ecae
https://git.kernel.org/stable/c/f50714b57aecb6b3dc81d578e295f86d9c73f078
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add While doing smcr_port_add, there maybe linkgroup add into or delete from smc_lgr_list.list at the same time, which may result kernel crash. So, use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add. The crash calltrace show below: BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 0 PID: 559726 Comm: kworker/0:92 Kdump: loaded Tainted: G Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 449e491 04/01/2014 Workqueue: events smc_ib_port_event_work [smc] RIP: 0010:smcr_port_add+0xa6/0xf0 [smc] RSP: 0000:ffffa5a2c8f67de0 EFLAGS: 00010297 RAX: 0000000000000001 RBX: ffff9935e0650000 RCX: 0000000000000000 RDX: 0000000000000010 RSI: ffff9935e0654290 RDI: ffff9935c8560000 RBP: 0000000000000000 R08: 0000000000000000 R09: ffff9934c0401918 R10: 0000000000000000 R11: ffffffffb4a5c278 R12: ffff99364029aae4 R13: ffff99364029aa00 R14: 00000000ffffffed R15: ffff99364029ab08 FS: 0000000000000000(0000) GS:ffff994380600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000f06a10003 CR4: 0000000002770ef0 PKRU: 55555554 Call Trace: smc_ib_port_event_work+0x18f/0x380 [smc] process_one_work+0x19b/0x340 worker_thread+0x30/0x370 ? process_one_work+0x340/0x340 kthread+0x114/0x130 ? __kthread_cancel_work+0x50/0x50 ret_from_fork+0x1f/0x30 2025-12-30 not yet calculated CVE-2023-54318 https://git.kernel.org/stable/c/d1c6c93c27a4bf48006ab16cd9b38d85559d7645
https://git.kernel.org/stable/c/06b4934ab2b534bb92935c7601852066ebb9eab8
https://git.kernel.org/stable/c/70c8d17007dc4a07156b7da44509527990e569b3
https://git.kernel.org/stable/c/b717463610a27fc0b58484cfead7a623d5913e61
https://git.kernel.org/stable/c/f5146e3ef0a9eea405874b36178c19a4863b8989
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: pinctrl: at91-pio4: check return value of devm_kasprintf() devm_kasprintf() returns a pointer to dynamically allocated memory. Pointer could be NULL in case allocation fails. Check pointer validity. Identified with coccinelle (kmerr.cocci script). Depends-on: 1c4e5c470a56 ("pinctrl: at91: use devm_kasprintf() to avoid potential leaks") Depends-on: 5a8f9cf269e8 ("pinctrl: at91-pio4: use proper format specifier for unsigned int") 2025-12-30 not yet calculated CVE-2023-54319 https://git.kernel.org/stable/c/8d788f2ba830d6d32499b198c526d577c590eedf
https://git.kernel.org/stable/c/3e8ce1d5a1a9d758b359e5c426543957f35991f8
https://git.kernel.org/stable/c/aa3932eb07392d626486428e2ffddc660658e22a
https://git.kernel.org/stable/c/f3c7b95c9991dab02e616fc251b6c3516e0bd0ac
https://git.kernel.org/stable/c/0a95dd17a73b7603818ad7c46c99d757232be331
https://git.kernel.org/stable/c/0af388fce352ed2ab383fd5d1a08db551ca15c38
https://git.kernel.org/stable/c/5bfd577cc728270d6cd7af6c652a1e7661f25487
https://git.kernel.org/stable/c/8a1fa202f47f39680a4305af744f499a324f8a03
https://git.kernel.org/stable/c/f6fd5d4ff8ca0b24cee1af4130bcb1fa96b61aa0
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: platform/x86/amd: pmc: Fix memory leak in amd_pmc_stb_debugfs_open_v2() Function amd_pmc_stb_debugfs_open_v2() may be called when the STB debug mechanism enabled. When amd_pmc_send_cmd() fails, the 'buf' needs to be released. 2025-12-30 not yet calculated CVE-2023-54320 https://git.kernel.org/stable/c/d804adef7b23b22bb82e1b3dd113e9073cea9bc1
https://git.kernel.org/stable/c/f6e7ac4c35a28aef0be93b32c533ae678ad0b9e7
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: driver core: fix potential null-ptr-deref in device_add() I got the following null-ptr-deref report while doing fault injection test: BUG: kernel NULL pointer dereference, address: 0000000000000058 CPU: 2 PID: 278 Comm: 37-i2c-ds2482 Tainted: G B W N 6.1.0-rc3+ RIP: 0010:klist_put+0x2d/0xd0 Call Trace: <TASK> klist_remove+0xf1/0x1c0 device_release_driver_internal+0x196/0x210 bus_remove_device+0x1bd/0x240 device_add+0xd3d/0x1100 w1_add_master_device+0x476/0x490 [wire] ds2482_probe+0x303/0x3e0 [ds2482] This is how it happened: w1_alloc_dev() // The dev->driver is set to w1_master_driver. memcpy(&dev->dev, device, sizeof(struct device)); device_add() bus_add_device() dpm_sysfs_add() // It fails, calls bus_remove_device. // error path bus_remove_device() // The dev->driver is not null, but driver is not bound. __device_release_driver() klist_remove(&dev->p->knode_driver) <-- It causes null-ptr-deref. // normal path bus_probe_device() // It's not called yet. device_bind_driver() If dev->driver is set, in the error path after calling bus_add_device() in device_add(), bus_remove_device() is called, then the device will be detached from driver. But device_bind_driver() is not called yet, so it causes null-ptr-deref while access the 'knode_driver'. To fix this, set dev->driver to null in the error path before calling bus_remove_device(). 2025-12-30 not yet calculated CVE-2023-54321 https://git.kernel.org/stable/c/2c59650d078b1b3f1ea50d5f8ee9fcc537dc02d3
https://git.kernel.org/stable/c/7cf515bf9e8c2908dc170ecf2df117162a16c9c5
https://git.kernel.org/stable/c/17982304806c5c10924e73f7ca5556e0d7378452
https://git.kernel.org/stable/c/f6837f34a34973ef6600c08195ed300e24e97317
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: arm64: set __exception_irq_entry with __irq_entry as a default filter_irq_stacks() is supposed to cut entries which are related irq entries from its call stack. And in_irqentry_text() which is called by filter_irq_stacks() uses __irqentry_text_start/end symbol to find irq entries in callstack. But it doesn't work correctly as without "CONFIG_FUNCTION_GRAPH_TRACER", arm64 kernel doesn't include gic_handle_irq which is entry point of arm64 irq between __irqentry_text_start and __irqentry_text_end as we discussed in below link. https://lore.kernel.org/all/CACT4Y+aReMGLYua2rCLHgFpS9io5cZC04Q8GLs-uNmrn1ezxYQ@mail.gmail.com/#t This problem can makes unintentional deep call stack entries especially in KASAN enabled situation as below. [ 2479.383395]I[0:launcher-loader: 1719] Stack depot reached limit capacity [ 2479.383538]I[0:launcher-loader: 1719] WARNING: CPU: 0 PID: 1719 at lib/stackdepot.c:129 __stack_depot_save+0x464/0x46c [ 2479.385693]I[0:launcher-loader: 1719] pstate: 624000c5 (nZCv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=--) [ 2479.385724]I[0:launcher-loader: 1719] pc : __stack_depot_save+0x464/0x46c [ 2479.385751]I[0:launcher-loader: 1719] lr : __stack_depot_save+0x460/0x46c [ 2479.385774]I[0:launcher-loader: 1719] sp : ffffffc0080073c0 [ 2479.385793]I[0:launcher-loader: 1719] x29: ffffffc0080073e0 x28: ffffffd00b78a000 x27: 0000000000000000 [ 2479.385839]I[0:launcher-loader: 1719] x26: 000000000004d1dd x25: ffffff891474f000 x24: 00000000ca64d1dd [ 2479.385882]I[0:launcher-loader: 1719] x23: 0000000000000200 x22: 0000000000000220 x21: 0000000000000040 [ 2479.385925]I[0:launcher-loader: 1719] x20: ffffffc008007440 x19: 0000000000000000 x18: 0000000000000000 [ 2479.385969]I[0:launcher-loader: 1719] x17: 2065726568207475 x16: 000000000000005e x15: 2d2d2d2d2d2d2d20 [ 2479.386013]I[0:launcher-loader: 1719] x14: 5d39313731203a72 x13: 00000000002f6b30 x12: 00000000002f6af8 [ 2479.386057]I[0:launcher-loader: 1719] x11: 00000000ffffffff x10: ffffffb90aacf000 x9 : e8a74a6c16008800 [ 2479.386101]I[0:launcher-loader: 1719] x8 : e8a74a6c16008800 x7 : 00000000002f6b30 x6 : 00000000002f6af8 [ 2479.386145]I[0:launcher-loader: 1719] x5 : ffffffc0080070c8 x4 : ffffffd00b192380 x3 : ffffffd0092b313c [ 2479.386189]I[0:launcher-loader: 1719] x2 : 0000000000000001 x1 : 0000000000000004 x0 : 0000000000000022 [ 2479.386231]I[0:launcher-loader: 1719] Call trace: [ 2479.386248]I[0:launcher-loader: 1719] __stack_depot_save+0x464/0x46c [ 2479.386273]I[0:launcher-loader: 1719] kasan_save_stack+0x58/0x70 [ 2479.386303]I[0:launcher-loader: 1719] save_stack_info+0x34/0x138 [ 2479.386331]I[0:launcher-loader: 1719] kasan_save_free_info+0x18/0x24 [ 2479.386358]I[0:launcher-loader: 1719] ____kasan_slab_free+0x16c/0x170 [ 2479.386385]I[0:launcher-loader: 1719] __kasan_slab_free+0x10/0x20 [ 2479.386410]I[0:launcher-loader: 1719] kmem_cache_free+0x238/0x53c [ 2479.386435]I[0:launcher-loader: 1719] mempool_free_slab+0x1c/0x28 [ 2479.386460]I[0:launcher-loader: 1719] mempool_free+0x7c/0x1a0 [ 2479.386484]I[0:launcher-loader: 1719] bvec_free+0x34/0x80 [ 2479.386514]I[0:launcher-loader: 1719] bio_free+0x60/0x98 [ 2479.386540]I[0:launcher-loader: 1719] bio_put+0x50/0x21c [ 2479.386567]I[0:launcher-loader: 1719] f2fs_write_end_io+0x4ac/0x4d0 [ 2479.386594]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300 [ 2479.386622]I[0:launcher-loader: 1719] __dm_io_complete+0x324/0x37c [ 2479.386650]I[0:launcher-loader: 1719] dm_io_dec_pending+0x60/0xa4 [ 2479.386676]I[0:launcher-loader: 1719] clone_endio+0xf8/0x2f0 [ 2479.386700]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300 [ 2479.386727]I[0:launcher-loader: 1719] blk_update_request+0x258/0x63c [ 2479.386754]I[0:launcher-loader: 1719] scsi_end_request+0x50/0x304 [ 2479.386782]I[0:launcher-loader: 1719] scsi_io_completion+0x88/0x160 [ 2479.386808]I[0:launcher-loader: 1719] scsi_finish_command+0x17c/0x194 [ 2479.386833]I ---truncated--- 2025-12-30 not yet calculated CVE-2023-54322 https://git.kernel.org/stable/c/c71d6934c6ac40a97146a410e0320768c7b1bb3c
https://git.kernel.org/stable/c/0bd309f22663f3ee749bea0b6d70642c31a1c0a5
https://git.kernel.org/stable/c/d3b219e504fc5c5a25fa7c04c8589ff34baef9a8
https://git.kernel.org/stable/c/f6794950f0e5ba37e3bbedda4d6ab0aad7395dd3
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: cxl/pmem: Fix nvdimm registration races A loop of the form: while true; do modprobe cxl_pci; modprobe -r cxl_pci; done ...fails with the following crash signature: BUG: kernel NULL pointer dereference, address: 0000000000000040 [..] RIP: 0010:cxl_internal_send_cmd+0x5/0xb0 [cxl_core] [..] Call Trace: <TASK> cxl_pmem_ctl+0x121/0x240 [cxl_pmem] nvdimm_get_config_data+0xd6/0x1a0 [libnvdimm] nd_label_data_init+0x135/0x7e0 [libnvdimm] nvdimm_probe+0xd6/0x1c0 [libnvdimm] nvdimm_bus_probe+0x7a/0x1e0 [libnvdimm] really_probe+0xde/0x380 __driver_probe_device+0x78/0x170 driver_probe_device+0x1f/0x90 __device_attach_driver+0x85/0x110 bus_for_each_drv+0x7d/0xc0 __device_attach+0xb4/0x1e0 bus_probe_device+0x9f/0xc0 device_add+0x445/0x9c0 nd_async_device_register+0xe/0x40 [libnvdimm] async_run_entry_fn+0x30/0x130 ...namely that the bottom half of async nvdimm device registration runs after the CXL has already torn down the context that cxl_pmem_ctl() needs. Unlike the ACPI NFIT case that benefits from launching multiple nvdimm device registrations in parallel from those listed in the table, CXL is already marked PROBE_PREFER_ASYNCHRONOUS. So provide for a synchronous registration path to preclude this scenario. 2025-12-30 not yet calculated CVE-2023-54323 https://git.kernel.org/stable/c/a371788d4f4a7f59eecd22644331d599979fd283
https://git.kernel.org/stable/c/18c65667fa9104780eeaa0dc1bc240f0c2094772
https://git.kernel.org/stable/c/f57aec443c24d2e8e1f3b5b4856aea12ddda4254
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: dm: fix a race condition in retrieve_deps There's a race condition in the multipath target when retrieve_deps races with multipath_message calling dm_get_device and dm_put_device. retrieve_deps walks the list of open devices without holding any lock but multipath may add or remove devices to the list while it is running. The end result may be memory corruption or use-after-free memory access. See this description of a UAF with multipath_message(): https://listman.redhat.com/archives/dm-devel/2022-October/052373.html Fix this bug by introducing a new rw semaphore "devices_lock". We grab devices_lock for read in retrieve_deps and we grab it for write in dm_get_device and dm_put_device. 2025-12-30 not yet calculated CVE-2023-54324 https://git.kernel.org/stable/c/dbf1a719850577bb51fc7512a3972994b797a17b
https://git.kernel.org/stable/c/38f6e5ae5d9ff4a4050ea6f7b543d5d5a4e087cf
https://git.kernel.org/stable/c/f6007dce0cd35d634d9be91ef3515a6385dcee16
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: crypto: qat - fix out-of-bounds read When preparing an AER-CTR request, the driver copies the key provided by the user into a data structure that is accessible by the firmware. If the target device is QAT GEN4, the key size is rounded up by 16 since a rounded up size is expected by the device. If the key size is rounded up before the copy, the size used for copying the key might be bigger than the size of the region containing the key, causing an out-of-bounds read. Fix by doing the copy first and then update the keylen. This is to fix the following warning reported by KASAN: [ 138.150574] BUG: KASAN: global-out-of-bounds in qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat] [ 138.150641] Read of size 32 at addr ffffffff88c402c0 by task cryptomgr_test/2340 [ 138.150651] CPU: 15 PID: 2340 Comm: cryptomgr_test Not tainted 6.2.0-rc1+ #45 [ 138.150659] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.86B.0087.D13.2208261706 08/26/2022 [ 138.150663] Call Trace: [ 138.150668] <TASK> [ 138.150922] kasan_check_range+0x13a/0x1c0 [ 138.150931] memcpy+0x1f/0x60 [ 138.150940] qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat] [ 138.151006] qat_alg_skcipher_init_sessions+0xc1/0x240 [intel_qat] [ 138.151073] crypto_skcipher_setkey+0x82/0x160 [ 138.151085] ? prepare_keybuf+0xa2/0xd0 [ 138.151095] test_skcipher_vec_cfg+0x2b8/0x800 2025-12-30 not yet calculated CVE-2023-54325 https://git.kernel.org/stable/c/7697139d5dfd491f4c495a914a1dd68f6e827a0f
https://git.kernel.org/stable/c/dc3809f390357c8992f0a23083da934a20fef9af
https://git.kernel.org/stable/c/2b1501f058245573a3aa6bf234d205dde1196184
https://git.kernel.org/stable/c/f6044cc3030e139f60c281386f28bda6e3049d66
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: misc: pci_endpoint_test: Free IRQs before removing the device In pci_endpoint_test_remove(), freeing the IRQs after removing the device creates a small race window for IRQs to be received with the test device memory already released, causing the IRQ handler to access invalid memory, resulting in an oops. Free the device IRQs before removing the device to avoid this issue. 2025-12-30 not yet calculated CVE-2023-54326 https://git.kernel.org/stable/c/fb7f8bdb886f2ebf35ee5edaf2bf5f02b063ddb7
https://git.kernel.org/stable/c/dd2210379205fcd23a9d8869b0cef90e3770577c
https://git.kernel.org/stable/c/cdf9a7e2cdc7a5464e3cc6d0b715ba2b1d215521
https://git.kernel.org/stable/c/14bdee38e96c7d37ca15e7bea50411eee25fe315
https://git.kernel.org/stable/c/c2dba13bc0c62b79a3cbe4bfe5faa32231bf9b55
https://git.kernel.org/stable/c/38d12bcf4e2ce3d285eb29644a79a54f42040fab
https://git.kernel.org/stable/c/f61b7634a3249d12b9daa36ffbdb9965b6f24c6c
 
pmmp--PocketMine-MP PocketMine-MP versions prior to 4.18.1 contain an improper input validation vulnerability in inventory transaction handling. A remote attacker with a valid player session can request that the server drop more items than are available in the player's hotbar, triggering a server crash and resulting in denial of service. 2025-12-31 not yet calculated CVE-2023-7332 https://github.com/pmmp/PocketMine-MP/blob/4.18.1/changelogs/4.18.md
https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h87r-f4vc-mchv
https://github.com/pmmp/PocketMine-MP/commit/5897476
https://www.vulncheck.com/advisories/pocketmine-mp-improper-validation-of-dropped-item-count-allows-remote-server-crash
 
Vvvebjs--givanz A critical vulnerability has been identified in givanz VvvebJs 1.7.2, which allows both Server-Side Request Forgery (SSRF) and arbitrary file reading. The vulnerability stems from improper handling of user-supplied URLs in the "file_get_contents" function within the "save.php" file. 2025-12-29 not yet calculated CVE-2024-25181 https://gist.github.com/joaoviictorti/69cbae23d98fb9a1a4b3eee0c305c7de
 
Vvvebjs--givanz givanz VvvebJs 1.7.2 suffers from a File Upload vulnerability via save.php. 2025-12-29 not yet calculated CVE-2024-25182 https://gist.github.com/joaoviictorti/ff6220d8ed6df77a0420f4413a1d9b8d
 
Vvvebjs--givanz givanz VvvebJs 1.7.2 is vulnerable to Directory Traversal via scan.php. 2025-12-29 not yet calculated CVE-2024-25183 https://gist.github.com/joaoviictorti/db387ef5ea3d35482c5ad4598d945b2f
 
Vvvebjs--givanz givanz VvvebJs 1.7.2 is vulnerable to Insecure File Upload. 2025-12-29 not yet calculated CVE-2024-27480 https://gist.github.com/joaoviictorti/abb2d1929c29d09c13c60bb45f28a8ff
 
DedeCMS--Dede DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /src/dede/makehtml_list_action.php. 2025-12-29 not yet calculated CVE-2024-30855 https://github.com/Limingqian123/cms/blob/main/1.md
https://gist.github.com/Limingqian123/e90a1b86c02bd83d4ab07c08cad9a629
 
REDCap--REDCap REDCap 14.3.13 allows an attacker to enumerate usernames due to an observable discrepancy between login attempts. 2026-01-02 not yet calculated CVE-2024-55374 http://redcap.com
https://github.com/T3slaa/CVE-2024-55374
 
feast-dev--feast-dev/feast A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. The vulnerability arises from the use of `yaml.load(..., Loader=yaml.Loader)` to deserialize `/var/feast/feature_store.yaml` and `/var/feast/materialization_config.yaml`. This method allows for the instantiation of arbitrary Python objects, enabling an attacker with the ability to modify these YAML files to execute OS commands on the worker pod. This vulnerability can be exploited before the configuration is validated, potentially leading to cluster takeover, data poisoning, and supply-chain sabotage. 2026-01-01 not yet calculated CVE-2025-11157 https://huntr.com/bounties/46d4d585-b968-4a76-80ce-872bc5525564
https://github.com/feast-dev/feast/commit/b2e37ff37953b68ae833f6874ab5bc510a4ca5fb
 
QNAP Systems Inc.--Malware Remover An improper control of generation of code vulnerability has been reported to affect Malware Remover. The remote attackers can then exploit the vulnerability to bypass protection mechanism. We have already fixed the vulnerability in the following version: Malware Remover 6.6.8.20251023 and later 2026-01-02 not yet calculated CVE-2025-11837 https://www.qnap.com/en/security-advisory/qsa-25-47
 
Unknown--WPBookit The WPBookit WordPress plugin through 1.0.7 lacks a CSRF check when deleting customers. This could allow an unauthenticated attacker to delete any customer through a CSRF attack. 2026-01-02 not yet calculated CVE-2025-12685 https://wpscan.com/vulnerability/e5ba488a-b43d-4c5f-9716-4b24701999f3/
 
Unknown--Knowband Mobile App Builder The Knowband Mobile App Builder WordPress plugin before 3.0.0 does not have authorisation when deleting users via its REST API, allowing unauthenticated attackers to delete arbitrary users. 2025-12-31 not yet calculated CVE-2025-13029 https://wpscan.com/vulnerability/22344534-cd36-4817-b683-c0af55759e01/
 
Unknown--Logo Slider The Logo Slider WordPress plugin before 4.9.0 does not validate and escape some of its slider options before outputting them back in the dashboard, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. 2026-01-02 not yet calculated CVE-2025-13153 https://wpscan.com/vulnerability/0ed67947-228d-420c-8d28-e0d7326eb101/
 
Unknown--Plugin Organizer The Plugin Organizer WordPress plugin before 10.2.4 does not sanitize and escape a parameter before using it in a SQL statement, allowing subscribers to perform SQL injection attacks. 2025-12-29 not yet calculated CVE-2025-13417 https://wpscan.com/vulnerability/862fdf28-5195-443d-8ef2-e4043d0fdc92/
 
Unknown--ShopBuilder The ShopBuilder WordPress plugin before 3.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. 2026-01-02 not yet calculated CVE-2025-13456 https://wpscan.com/vulnerability/5872ece6-52cb-4306-b7ee-41282815a243/
 
Unknown--Comments The Comments WordPress plugin before 7.6.40 does not properly validate user's identity when using the disqus.com provider, allowing an attacker to log in to any user (when knowing their email address) when such user does not have an account on disqus.com yet. 2026-01-01 not yet calculated CVE-2025-13820 https://wpscan.com/vulnerability/21bc9b41-a967-42dc-9916-bb993b05709c/
 
Unknown--YaMaps for WordPress Plugin The YaMaps for WordPress Plugin WordPress plugin before 0.6.40 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. 2025-12-29 not yet calculated CVE-2025-13958 https://wpscan.com/vulnerability/0d4bb338-f0d0-4b57-8664-1b8cba7cbe52/
 
Unknown--Ninja Forms The Ninja Forms WordPress plugin before 3.13.3 allows unauthenticated attackers to generate valid access tokens via the REST API which can then be used to read form submissions. 2026-01-02 not yet calculated CVE-2025-14072 https://wpscan.com/vulnerability/4b19a333-eb19-4903-aa96-1fe871dd0f9f/
 
TP-Link Systems Inc.--TL-WR820N v2.8 A vulnerability in the SSH server of TP-Link TL-WR820N v2.80 allows the use of a weak cryptographic algorithm, enabling an adjacent attacker to intercept and decrypt SSH traffic. Exploitation may expose sensitive information and compromise confidentiality. 2025-12-29 not yet calculated CVE-2025-14175 https://www.tp-link.com/en/support/download/tl-wr820n/#Firmware
https://www.tp-link.com/in/support/download/tl-wr820n/#Firmware
https://www.tp-link.com/us/support/faq/4861/
 
Unknown--Advance WP Query Search Filter The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin 2025-12-30 not yet calculated CVE-2025-14312 https://wpscan.com/vulnerability/f06f982b-108b-4fc1-ad48-2f890a06ecf0/
 
Unknown--Advance WP Query Search Filter The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin 2025-12-30 not yet calculated CVE-2025-14313 https://wpscan.com/vulnerability/5ebcdb32-da82-4129-8538-40d1b03a1108/
 
Unknown--Ultimate Post Kit Addons for Elementor The Ultimate Post Kit Addons for Elementor WordPress plugin before 4.0.16 exposes multiple AJAX "load more" endpoints such as upk_alex_grid_loadmore_posts without ensuring that posts to be displayed are published authentication. This allows an unauthenticated attacker to query arbitrary posts and retrieve rendered HTML content of private and unpublished ones. 2025-12-31 not yet calculated CVE-2025-14434 https://wpscan.com/vulnerability/bf3c3193-fc9c-454b-ad4f-94ba1669a312/
 
Temporal--Temporal When frontend.enableExecuteMultiOperation is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its Namespace field rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows a caller authorized for one namespace to bypass that namespace's limits/policies by setting the embedded start request's namespace to a different namespace. The workflow is still created in the outer (authorized) namespace; only validation/gating is performed under the wrong namespace context. This issue affects Temporal: from 1.24.0 through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2. 2025-12-30 not yet calculated CVE-2025-14986 https://github.com/temporalio/temporal/releases/tag/v1.27.4
https://github.com/temporalio/temporal/releases/tag/v1.28.2
https://github.com/temporalio/temporal/releases/tag/v1.29.2
 
Temporal--Temporal When system.enableCrossNamespaceCommands is enabled (on by default), the Temporal server permits certain workflow task commands (e.g. StartChildWorkflowExecution, SignalExternalWorkflowExecution, RequestCancelExternalWorkflowExecution) to target a different namespace than the namespace authorized at the gRPC boundary. The frontend authorizes RespondWorkflowTaskCompleted based on the outer request namespace, but the history service later resolves and executes the command using the namespace embedded in command attributes without authorizing the caller for that target namespace. This can allow a worker authorized for one namespace to create, signal, or cancel workflows in another namespace. This issue affects Temporal: through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2. 2025-12-30 not yet calculated CVE-2025-14987 https://github.com/temporalio/temporal/releases/tag/v1.27.4
https://github.com/temporalio/temporal/releases/tag/v1.28.2
https://github.com/temporalio/temporal/releases/tag/v1.29.2
 
Moxa--NPort 5000AI-M12 Series A vulnerability exists in serial device servers where active debug code remains enabled in the UART interface. An attacker with physical access to the device can directly connect to the UART interface and, without authentication, user interaction, or execution conditions, gain unauthorized access to internal debug functionality. Exploitation is low complexity and allows an attacker to execute privileged operations and access sensitive system resources, resulting in a high impact to the confidentiality, integrity, and availability of the affected device. No security impact to external or dependent systems has been identified. 2025-12-31 not yet calculated CVE-2025-15017 https://www.moxa.com/en/support/product-support/security-advisory/mpsa-257331-cve-2025-15017-active-debug-code-vulnerability-in-serial-device-servers
 
FontForge--FontForge FontForge SFD File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28564. 2025-12-31 not yet calculated CVE-2025-15269 ZDI-25-1195
 
FontForge--FontForge FontForge SFD File Parsing Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28563. 2025-12-31 not yet calculated CVE-2025-15270 ZDI-25-1194
 
FontForge--FontForge FontForge SFD File Parsing Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28562. 2025-12-31 not yet calculated CVE-2025-15271 ZDI-25-1193
 
FontForge--FontForge FontForge SFD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28547. 2025-12-31 not yet calculated CVE-2025-15272 ZDI-25-1192
 
FontForge--FontForge FontForge PFB File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PFB files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28546. 2025-12-31 not yet calculated CVE-2025-15273 ZDI-25-1191
 
FontForge--FontForge FontForge SFD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28544. 2025-12-31 not yet calculated CVE-2025-15274 ZDI-25-1190
 
FontForge--FontForge FontForge SFD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28543. 2025-12-31 not yet calculated CVE-2025-15275 ZDI-25-1189
 
FontForge--FontForge FontForge SFD File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28198. 2025-12-31 not yet calculated CVE-2025-15276 ZDI-25-1187
 
FontForge--FontForge FontForge GUtils SGI File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of scanlines within SGI files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27920. 2025-12-31 not yet calculated CVE-2025-15277 ZDI-25-1186
 
FontForge--FontForge FontForge GUtils XBM File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of pixels within XBM files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27865. 2025-12-31 not yet calculated CVE-2025-15278 ZDI-25-1185
 
FontForge--FontForge FontForge GUtils BMP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of pixels within BMP files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27517. 2025-12-31 not yet calculated CVE-2025-15279 ZDI-25-1184
 
FontForge--FontForge FontForge SFD File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28525. 2025-12-31 not yet calculated CVE-2025-15280 ZDI-25-1188
 
Moxa--NPort 6100-G2/6200-G2 Series The NPort 6100-G2/6200-G2 Series is affected by an execution with unnecessary privileges vulnerability (CVE-2025-1977) that allows an authenticated user with read-only access to perform unauthorized configuration changes through the MCC (Moxa CLI Configuration) tool. The issue can be exploited remotely over the network with low-attack complexity and no user interaction but requires specific system conditions or configurations to be present. Successful exploitation may result in changes to device settings that were not intended to be permitted for the affected user role, potentially leading to a high impact on the confidentiality, integrity, and availability of the device. No impact on other systems has been identified. 2025-12-31 not yet calculated CVE-2025-1977 https://www.moxa.com/en/support/product-support/security-advisory/mpsa-251731-cve-2025-1977-cve-2025-2026-multiple-vulnerabilities-in-nport-6100-g2-6200-g2-series
 
Moxa--NPort 6100-G2/6200-G2 Series The NPort 6100-G2/6200-G2 Series is affected by a high-severity vulnerability (CVE-2025-2026) that allows remote attackers to execute a null byte injection through the device's web API. This may lead to an unexpected device reboot and result in a denial-of-service (DoS) condition. An authenticated remote attacker with web read-only privileges can exploit the vulnerable API to inject malicious input. Successful exploitation may cause the device to reboot, disrupting normal operations and causing a temporary denial of service. 2025-12-31 not yet calculated CVE-2025-2026 https://www.moxa.com/en/support/product-support/security-advisory/mpsa-251731-cve-2025-1977-cve-2025-2026-multiple-vulnerabilities-in-nport-6100-g2-6200-g2-series
 
IceWhale Tech--CasaOS CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user-controlled path parameter to access files under /var/lib/casaos/1/, which reveals installed applications and configuration details. Additionally, /v1/sys/debug discloses host operating system, kernel, hardware, and storage information. The endpoints also return distinct error messages, enabling file existence enumeration of arbitrary paths on the underlying host filesystem. This information disclosure can be used for reconnaissance and to facilitate targeted follow-up attacks against services deployed on the host. 2026-01-03 not yet calculated CVE-2025-34171 https://casaos.zimaspace.com/
https://github.com/IceWhaleTech/CasaOS
https://www.vulncheck.com/advisories/casaos-unauthenticated-file-and-debug-data-exposure
 
fredtempez--ZwiiCMS ZwiiCMS versions prior to 13.7.00 contain a denial-of-service vulnerability in multiple administrative endpoints due to improper authorization checks combined with flawed resource state management. When an authenticated low-privilege user requests an administrative page, the application returns "404 Not Found" as expected, but incorrectly acquires and associates a temporary lock on the targeted resource with the attacker session prior to authorization. This lock prevents other users, including administrators, from accessing the affected functionality until the attacker navigates away or the session is terminated. 2025-12-31 not yet calculated CVE-2025-34467 https://github.com/fredtempez/ZwiiCMS
https://codeberg.org/fredtempez/ZwiiCMS/releases/tag/13.7.00
https://www.vulncheck.com/advisories/zwiicms-lock-persistence-authenticated-dos-against-administrative-pages
 
libcoap--libcoap libcoap versions up to and including 4.3.5, prior to commit 30db3ea, contain a stack-based buffer overflow in address resolution when attacker-controlled hostname data is copied into a fixed 256-byte stack buffer without proper bounds checking. A remote attacker can trigger a crash and potentially achieve remote code execution depending on compiler options and runtime memory protections. Exploitation requires the proxy logic to be enabled (i.e., the proxy request handling code path in an application using libcoap). 2025-12-31 not yet calculated CVE-2025-34468 https://github.com/obgm/libcoap/pull/1737
https://github.com/obgm/libcoap/commit/30db3ea
https://libcoap.net/
https://www.vulncheck.com/advisories/libcoap-stack-based-buffer-overflow-in-address-resolution-dos-or-potential-rce
 
Cowrie--Cowrie Cowrie versions prior to 2.9.0 contain a server-side request forgery (SSRF) vulnerability in the emulated shell implementation of wget and curl. In the default emulated shell configuration, these command emulations perform real outbound HTTP requests to attacker-supplied destinations. Because no outbound request rate limiting was enforced, unauthenticated remote attackers could repeatedly invoke these commands to generate unbounded HTTP traffic toward arbitrary third-party targets, allowing the Cowrie honeypot to be abused as a denial-of-service amplification node and masking the attacker's true source address behind the honeypot's IP. 2025-12-31 not yet calculated CVE-2025-34469 https://github.com/advisories/GHSA-83jg-m2pm-4jxj
https://github.com/cowrie/cowrie/releases/tag/v2.9.0
https://github.com/cowrie/cowrie/pull/2800
https://github.com/cowrie/cowrie/issues/2622
https://www.vulncheck.com/advisories/cowrie-unrestricted-wget-curl-emulation-enables-ssrf-based-ddos-amplification
 
QNAP Systems Inc.--QTS A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later 2026-01-02 not yet calculated CVE-2025-44013 https://www.qnap.com/en/security-advisory/qsa-25-50
 
httpbin--mccutchen A cross-site scripting (XSS) vulnerability in mccutchen httpbin v2.17.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. 2026-01-02 not yet calculated CVE-2025-45286 https://github.com/mccutchen/go-httpbin/security/advisories/GHSA-528q-4pgm-wvg2
https://github.com/advisories/GHSA-528q-4pgm-wvg2
 
QNAP Systems Inc.--QTS An allocation of resources without limits or throttling vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later 2026-01-02 not yet calculated CVE-2025-47208 https://www.qnap.com/en/security-advisory/qsa-25-50
 
Apache Software Foundation--Apache StreamPipes A user with a legitimate non-administrator account can exploit a vulnerability in the user ID creation mechanism in Apache StreamPipes that allows them to swap the username of an existing user with that of an administrator.  This vulnerability allows an attacker to gain administrative control over the application by manipulating JWT tokens, which can lead to data tampering, unauthorized access and other security issues. This issue affects Apache StreamPipes: through 0.97.0. Users are recommended to upgrade to version 0.98.0, which fixes the issue. 2026-01-01 not yet calculated CVE-2025-47411 https://lists.apache.org/thread/lngko4ht2ok3o0rk9h0clgm4kb0lmt36
 
QNAP Systems Inc.--QTS A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: QTS 5.2.8.3332 build 20251128 and later 2026-01-02 not yet calculated CVE-2025-48721 https://www.qnap.com/en/security-advisory/qsa-25-51
 
Apache Software Foundation--Apache NuttX RTOS Release of Invalid Pointer or Reference vulnerability was discovered in fs/inode/fs_inoderemove code of the Apache NuttX RTOS that allowed root filesystem inode removal leading to a debug assert trigger (that is disabled by default), NULL pointer dereference (handled differently depending on the target architecture), or in general, a Denial of Service. This issue affects Apache NuttX RTOS: from 10.0.0 before 12.10.0. Users of filesystem based services with write access that were exposed over the network (i.e. FTP) are affected and recommended to upgrade to version 12.10.0 that fixes the issue. 2026-01-01 not yet calculated CVE-2025-48768 https://github.com/apache/nuttx/pull/16437
https://lists.apache.org/thread/nwo1kd08b7t3dyz082q2pghdxwvxwyvo
 
Apache Software Foundation--Apache NuttX RTOS Use After Free vulnerability was discovered in fs/vfs/fs_rename code of the Apache NuttX RTOS, that due recursive implementation and single buffer use by two different pointer variables allowed arbitrary user provided size buffer reallocation and write to the previously freed heap chunk, that in specific cases could cause unintended virtual filesystem rename/move operation results. This issue affects Apache NuttX RTOS: from 7.20 before 12.11.0. Users of virtual filesystem based services with write access especially when exposed over the network (i.e. FTP) are affected and recommended to upgrade to version 12.11.0 that fixes the issue. 2026-01-01 not yet calculated CVE-2025-48769 https://github.com/apache/nuttx/pull/16455
https://lists.apache.org/thread/7m83v11ldfq7bvw72n9t5sccocczocjn
 
nfields--VarCreateStruct An issue was discovered in matio 1.5.28. A heap-based memory corruption can occur in Mat_VarCreateStruct() when the nfields value does not match the actual number of strings in the fields array. This leads to out-of-bounds reads and invalid memory frees during cleanup, potentially causing a segmentation fault or heap corruption. 2025-12-30 not yet calculated CVE-2025-50343 https://github.com/tbeu/matio/issues/275
https://github.com/zakkanijia/POC/blob/main/matio/CVE-2025-50343/matio.md
 
QNAP Systems Inc.--QTS A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.1.3250 build 20250912 and later 2026-01-02 not yet calculated CVE-2025-52426 https://www.qnap.com/en/security-advisory/qsa-25-50
 
QNAP Systems Inc.--QTS A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.1.3250 build 20250912 and later 2026-01-02 not yet calculated CVE-2025-52430 https://www.qnap.com/en/security-advisory/qsa-25-50
 
QNAP Systems Inc.--QTS A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.1.3250 build 20250912 and later 2026-01-02 not yet calculated CVE-2025-52431 https://www.qnap.com/en/security-advisory/qsa-25-50
 
QNAP Systems Inc.--QTS A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.0.3192 build 20250716 and later 2026-01-02 not yet calculated CVE-2025-52863 https://www.qnap.com/en/security-advisory/qsa-25-50
 
QNAP Systems Inc.--QTS A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.0.3192 build 20250716 and later 2026-01-02 not yet calculated CVE-2025-52864 https://www.qnap.com/en/security-advisory/qsa-25-50
 
QNAP Systems Inc.--License Center An out-of-bounds read vulnerability has been reported to affect License Center. If a remote attacker gains a user account, they can then exploit the vulnerability to obtain secret data. We have already fixed the vulnerability in the following version: License Center 2.0.36 and later 2026-01-02 not yet calculated CVE-2025-52871 https://www.qnap.com/en/security-advisory/qsa-25-52
 
QNAP Systems Inc.--QTS A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.0.3192 build 20250716 and later 2026-01-02 not yet calculated CVE-2025-52872 https://www.qnap.com/en/security-advisory/qsa-25-50
 
QNAP Systems Inc.--QTS A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.1.3250 build 20250912 and later 2026-01-02 not yet calculated CVE-2025-53405 https://www.qnap.com/en/security-advisory/qsa-25-50
 
QNAP Systems Inc.--QTS A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.1.3250 build 20250912 and later 2026-01-02 not yet calculated CVE-2025-53414 https://www.qnap.com/en/security-advisory/qsa-25-50
 
QNAP Systems Inc.--QTS A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.1.3250 build 20250912 and later 2026-01-02 not yet calculated CVE-2025-53589 https://www.qnap.com/en/security-advisory/qsa-25-50
 
QNAP Systems Inc.--QTS A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: QTS 5.2.7.3256 build 20250913 and later 2026-01-02 not yet calculated CVE-2025-53590 https://www.qnap.com/en/security-advisory/qsa-25-50
 
QNAP Systems Inc.--QTS A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.1.3250 build 20250912 and later 2026-01-02 not yet calculated CVE-2025-53591 https://www.qnap.com/en/security-advisory/qsa-25-50
 
QNAP Systems Inc.--QTS A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.1.3250 build 20250912 and later 2026-01-02 not yet calculated CVE-2025-53592 https://www.qnap.com/en/security-advisory/qsa-25-50
 
QNAP Systems Inc.--QTS A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.1.3250 build 20250912 and later 2026-01-02 not yet calculated CVE-2025-53593 https://www.qnap.com/en/security-advisory/qsa-25-50
 
QNAP Systems Inc.--Qfinder Pro Mac A path traversal vulnerability has been reported to affect several product versions. If a local attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: Qfinder Pro Mac 7.13.0 and later Qsync for Mac 5.1.5 and later QVPN Device Client for Mac 2.2.8 and later 2026-01-02 not yet calculated CVE-2025-53594 https://www.qnap.com/en/security-advisory/qsa-25-55
 
QNAP Systems Inc.--QTS A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.1.3250 build 20250912 and later 2026-01-02 not yet calculated CVE-2025-53596 https://www.qnap.com/en/security-advisory/qsa-25-50
 
QNAP Systems Inc.--License Center A buffer overflow vulnerability has been reported to affect License Center. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: License Center 2.0.36 and later 2026-01-02 not yet calculated CVE-2025-53597 https://www.qnap.com/en/security-advisory/qsa-25-52
 
QNAP Systems Inc.--QTS An out-of-bounds read vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.1.3250 build 20250912 and later 2026-01-02 not yet calculated CVE-2025-54164 https://www.qnap.com/en/security-advisory/qsa-25-50
 
QNAP Systems Inc.--QTS An out-of-bounds read vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.1.3250 build 20250912 and later 2026-01-02 not yet calculated CVE-2025-54165 https://www.qnap.com/en/security-advisory/qsa-25-50
 
QNAP Systems Inc.--QTS An out-of-bounds read vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.1.3250 build 20250912 and later 2026-01-02 not yet calculated CVE-2025-54166 https://www.qnap.com/en/security-advisory/qsa-25-50
 
pangolin--fosrl Authentication Bypass in fosrl/pangolin v1.6.2 and before allows attackers to access Pangolin resource via Insecure Default Configuration 2025-12-30 not yet calculated CVE-2025-56332 https://github.com/fosrl/pangolin
https://gist.github.com/mrdgef/ef6fa41d69c0457874414c163d7d7d75
 
pangolin--fosrl An issue in Fossorial fosrl/pangolin v.1.6.2 and before allows a remote attacker to escalate privileges via the 2FA component 2025-12-29 not yet calculated CVE-2025-56333 https://github.com/fosrl/pangolin
https://gist.github.com/mrdgef/ef6fa41d69c0457874414c163d7d7d75
 
machsol--machpanel File upload vulnerability in machsol machpanel 8.0.32 allows attacker to gain a webshell. 2025-12-29 not yet calculated CVE-2025-57460 https://www.machsol.com/
https://github.com/aljoharasubaie/CVE-2025-57460/blob/main/README.md
 
machsol--machpanel Stored cross-site scripting (xss) in machsol machpanel 8.0.32 allows attackers to execute arbitrary web scripts or HTML via a crafted PDF file. 2025-12-29 not yet calculated CVE-2025-57462 https://www.machsol.com/
https://github.com/aljoharasubaie/CVE-2025-57462/blob/main/README.md
 
QNAP Systems Inc.--QTS An allocation of resources without limits or throttling vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.1.3250 build 20250912 and later 2026-01-02 not yet calculated CVE-2025-57705 https://www.qnap.com/en/security-advisory/qsa-25-50
 
QNAP Systems Inc.--QTS A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later QuTS hero h5.2.8.3321 build 20251117 and later 2026-01-02 not yet calculated CVE-2025-59380 https://www.qnap.com/en/security-advisory/qsa-25-51
 
QNAP Systems Inc.--QTS A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later QuTS hero h5.2.8.3321 build 20251117 and later 2026-01-02 not yet calculated CVE-2025-59381 https://www.qnap.com/en/security-advisory/qsa-25-51
 
QNAP Systems Inc.--Qfiling A path traversal vulnerability has been reported to affect Qfiling. The remote attackers can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qfiling 3.13.1 and later 2026-01-02 not yet calculated CVE-2025-59384 https://www.qnap.com/en/security-advisory/qsa-25-54
 
QNAP Systems Inc.--MARS (Multi-Application Recovery Service) An SQL injection vulnerability has been reported to affect MARS (Multi-Application Recovery Service). The remote attackers can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: MARS (Multi-Application Recovery Service) 1.2.1.1686 and later 2026-01-02 not yet calculated CVE-2025-59387 https://www.qnap.com/en/security-advisory/qsa-25-53
 
QNAP Systems Inc.--Hyper Data Protector An SQL injection vulnerability has been reported to affect Hyper Data Protector. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following versions: Hyper Data Protector 2.2.4.1 and later 2026-01-02 not yet calculated CVE-2025-59389 https://www.qnap.com/en/security-advisory/qsa-25-48
 
UxPlay-UxPlay UxPlay 1.72 contains a double free vulnerability in its RTSP request handling. A specially crafted RTSP TEARDOWN request can trigger multiple calls to free() on the same memory address, potentially causing a Denial of Service. 2025-12-29 not yet calculated CVE-2025-60458 https://github.com/0pepsi/CVE-2025-60458
 
SevenCs--ORCA A local privilege escalation vulnerability exists in SevenCs ORCA G2 2.0.1.35 (EC2007 Kernel v5.22). The flaw is a Time-of-Check Time-of-Use (TOCTOU) race condition in the license management logic. The regService process, which runs with SYSTEM privileges, creates a fixed directory and writes files without verifying whether the path is an NTFS reparse point. By exploiting this race condition, an attacker can replace the target directory with a junction pointing to a user-controlled path. This causes the SYSTEM-level process to drop binaries in a location fully controlled by the attacker, allowing arbitrary code execution with SYSTEM privileges. The vulnerability can be exploited by any standard user with only a single UAC confirmation, making it highly practical and dangerous in real-world environments. 2025-12-31 not yet calculated CVE-2025-61037 https://gist.github.com/jc0818/233462416579661e4e2795f96457a6bf
 
nixseparatedebuginfod--nixseparatedebuginfod nixseparatedebuginfod before v0.4.1 is vulnerable to Directory Traversal. 2025-12-30 not yet calculated CVE-2025-61557 https://github.com/symphorien/nixseparatedebuginfod
https://urldefense.us/v2/url?u=https-3A__github.com_symphorien_nixseparatedebuginfod_commit_57ac448324bfa11a8d8e8f9bea04ae9205ad18b2&d=DwIFaQ&c=Al8V6E3U0yBSSEuVtdZbGtsvjPA49U3WmtZAsdW0D_Q&r=Nrzxo0WDF_OE-Sa1wccaFKpKc1i6Uzf32ZZrlnVhmbk&m=dtk61i_OKshHyBz6nYW1Xx-pK5y9qdHl8ipsEqB31N2lKuU5GtTeg0C21yVO5M_W&s=wMjbc-B-uuwViJamR0q794vsOHExyt0nbnOuAZfxoGk&e=
https://github.com/symphorien/nixseparatedebuginfod/blob/05ff4edf6953d0bcfedc3f448ed0ad9c4f279ee9/advisories/CVE-2025-61557.md
 
ruby--uri URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue. 2025-12-30 not yet calculated CVE-2025-61594 https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594/
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-61594.yml
https://github.com/ruby/uri/commit/7e521b2da0833d964aab43019e735aea674e1c2c
https://github.com/ruby/uri/commit/20157e3e29b125ff41f1d9662e2e3b1d066f5902
https://github.com/ruby/uri/commit/d3116ca66a3b1c97dc7577f9d2d6e353f391cd6a
 
QNAP Systems Inc.--HBS 3 Hybrid Backup Sync A generation of error message containing sensitive information vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If an attacker gains local network access, they can then exploit the vulnerability to read application data. We have already fixed the vulnerability in the following version: HBS 3 Hybrid Backup Sync 26.2.0.938 and later 2026-01-02 not yet calculated CVE-2025-62840 https://www.qnap.com/en/security-advisory/qsa-25-46
 
QNAP Systems Inc.--HBS 3 Hybrid Backup Sync An external control of file name or path vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If an attacker gains local network access, they can then exploit the vulnerability to read or modify files or directories. We have already fixed the vulnerability in the following version: HBS 3 Hybrid Backup Sync 26.2.0.938 and later 2026-01-02 not yet calculated CVE-2025-62842 https://www.qnap.com/en/security-advisory/qsa-25-46
 
QNAP Systems Inc.--QTS A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: QTS 5.2.8.3332 build 20251128 and later 2026-01-02 not yet calculated CVE-2025-62852 https://www.qnap.com/en/security-advisory/qsa-25-51
 
QNAP Systems Inc.--QuMagie A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following version: QuMagie 2.8.1 and later 2026-01-02 not yet calculated CVE-2025-62857 https://www.qnap.com/en/security-advisory/qsa-25-49
 
Nuvation Energy--Battery Management System A vulnerability in Nuvation Battery Management System allows Authentication Bypass.This issue affects Battery Management System: through 2.3.9. 2026-01-02 not yet calculated CVE-2025-64119 https://www.dragos.com/community/advisories/CVE-2025-64119
 
Nuvation Energy--Multi-Stack Controller (MSC) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows OS Command Injection.This issue affects Multi-Stack Controller (MSC): from 2.3.8 before 2.5.1. 2026-01-02 not yet calculated CVE-2025-64120 https://www.dragos.com/community/advisories/CVE-2025-64119
 
Nuvation Energy--Multi-Stack Controller (MSC) Authentication Bypass Using an Alternate Path or Channel vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Authentication Bypass.This issue affects Multi-Stack Controller (MSC): from 2.3.8 before 2.5.1. 2026-01-02 not yet calculated CVE-2025-64121 https://www.dragos.com/community/advisories/CVE-2025-64119
 
Nuvation Energy--Multi-Stack Controller (MSC) Insufficiently Protected Credentials vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Signature Spoofing by Key Theft.This issue affects Multi-Stack Controller (MSC): through 2.5.1. 2026-01-02 not yet calculated CVE-2025-64122 https://www.dragos.com/community/advisories/CVE-2025-64119
 
Nuvation Energy--Multi-Stack Controller (MSC) Unintended Proxy or Intermediary vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Network Boundary Bridging.This issue affects Multi-Stack Controller (MSC): through and including release 2.5.1. 2026-01-02 not yet calculated CVE-2025-64123 https://www.dragos.com/community/advisories/CVE-2025-64119
 
Nuvation Energy--Multi-Stack Controller (MSC) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows OS Command Injection.This issue affects Multi-Stack Controller (MSC): before 2.5.1. 2026-01-03 not yet calculated CVE-2025-64124 https://www.dragos.com/community/advisories/CVE-2025-64119
 
Nuvation Energy--nCloud VPN Service A vulnerability in Nuvation Energy nCloud VPN Service allowed Network Boundary Bridging.This issue affected the nCloud VPN Service and was fixed on 2025-12-1 (December, 2025). End users do not have to take any action to mitigate the issue. 2026-01-03 not yet calculated CVE-2025-64125 https://www.dragos.com/community/advisories/CVE-2025-64119
 
discourse--discourse Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when `enable_names` is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix. 2025-12-30 not yet calculated CVE-2025-64528 https://github.com/discourse/discourse/security/advisories/GHSA-c59w-jwx7-34v4
https://github.com/discourse/discourse/commit/1cb45b8b287597085e3514596ffb1d9b41938f81
https://github.com/discourse/discourse/commit/6192f55629624925595dae14364fd86cac0f09df
https://github.com/discourse/discourse/commit/e936a523b5900a9d866d23ea3da904ba12bb0fb2
 
SevenCs--ORCA An incorrect NULL DACL issue exists in SevenCs ORCA G2 2.0.1.35 (EC2007 Kernel v5.22). The regService process, which runs with SYSTEM privileges, applies a Security Descriptor to a device object with no explicitly configured DACL. This condition could allow an attacker to perform unauthorized raw disk operations, which could lead to system disruption (DoS) and exposure of sensitive data, and may facilitate local privilege escalation. 2025-12-31 not yet calculated CVE-2025-64699 https://gist.github.com/GunP4ng/42b19ee99e94c315173b74a9fb26c2b9
 
gosaliajainam--online-movie-booking SQL injection in gosaliajainam/online-movie-booking 5.5 in movie_details.php allows attackers to gain sensitive information. 2026-01-02 not yet calculated CVE-2025-65125 https://github.com/TheAnhaj/CVE-Researches
 
Recutils--GNU A divide-by-zero in the encryption/decryption routines of GNU Recutils v1.9 allows attackers to cause a Denial of Service (DoS) via inputting an empty value as a password. 2025-12-30 not yet calculated CVE-2025-65409 https://www.gnu.org/software/recutils/
http://ftp.gnu.org/gnu/recutils/
https://lists.gnu.org/archive/html/bug-recutils/2025-10/msg00004.html
https://github.com/MAXEUR5/Vulnerability_Disclosures/blob/main/2025/CVE-2025-65409.md
 
Unrtf--GNU A NULL pointer dereference in the src/path.c component of GNU Unrtf v0.21.10 allows attackers to cause a Denial of Service (DoS) via injecting a crafted payload into the search_path parameter. 2025-12-30 not yet calculated CVE-2025-65411 https://www.gnu.org/software/unrtf/
https://savannah.gnu.org/projects/unrtf/
https://lists.gnu.org/archive/html/bug-unrtf/2025-11/msg00000.html
https://sources.debian.org/src/unrtf/0.21.10-clean-1/src/main.c/#L661
https://github.com/MAXEUR5/Vulnerability_Disclosures/blob/main/2025/CVE-2025-65411.md
 
Vue--Vue DOM-based Cross-Site Scripting (XSS) vulnerability in 201206030 novel V3.5.0 allows remote attackers to execute arbitrary JavaScript code or disclose sensitive information (e.g., user session cookies) via a crafted "wvstest" parameter in the URL or malicious script injection into window.localStorage. The vulnerability arises from insufficient validation and encoding of user-controllable data in the book comment module: unfiltered user input is stored in the backend database (book_comment table, commentContent field) and returned via API, then rendered directly into the page DOM via Vue 3's v-html directive without sanitization. Even if modern browsers' built-in XSS filters block pop-up alerts, attackers can use concealed payloads to bypass interception and achieve actual harm. 2025-12-29 not yet calculated CVE-2025-65442 https://github.com/201206030/novel
https://github.com/201206030/novel-front-web
https://github.com/zero-day348/DOM-based-Cross-Site-Scripting-XSS-Vulnerability-in-novel-V3.5.0-CWE-79-
 
jsish--jsish A type confusion in jsish 2.0 allows incorrect control flow during execution of the OP_NEXT opcode. When an "instanceof" expression uses an array element access as the left-hand operand inside a for-in loop, the instructions implementation leaves an additional array reference on the stack rather than consuming it during OP_INSTANCEOF. As a result, OP_NEXT interprets the array as an iterator object and reads the iterCmd function pointer from an invalid structure, potentially causing a crash or enabling code execution depending on heap layout. 2025-12-29 not yet calculated CVE-2025-65570 https://blog.mcsky.ro/writeups/2025/11/15/inline8-writeup.html
 
Zeroheight--Zeroheight An issue was discovered in Zeroheight (SaaS) prior to 2025-06-13. A legacy user creation API pathway allowed accounts to be created without completing the intended email verification step. While unverified accounts could not access product functionality, the behavior bypassed intended verification controls and allowed unintended account creation. This could have enabled spam/fake account creation or resource usage impact. No data exposure or unauthorized access to existing accounts was reported. 2025-12-30 not yet calculated CVE-2025-65925 https://github.com/Sneden/zeroheight-account-verification-bypass-CVE-2025-65925
 
nanomq--nanomq NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.5 have a Heap-Use-After-Free (UAF) vulnerability within the MQTT bridge client component (implemented via the underlying NanoNNG library). The vulnerability is triggered when NanoMQ acts as a bridge connecting to a remote MQTT broker. A malicious remote broker can trigger a crash (Denial of Service) or potential memory corruption by accepting the connection and immediately sending a malformed packet sequence. Version 0.34.5 contains a patch. The patch enforces stricter protocol adherence in the MQTT client SDK embedded in NanoMQ. Specifically, it ensures that CONNACK is always the first packet processed in the line. This prevents the state confusion that led to the Heap-Use-After-Free (UAF) when a malicious server sent a malformed packet sequence immediately after connection establishment. As a workaround, validate the remote broker before bridging. 2026-01-01 not yet calculated CVE-2025-66023 https://github.com/nanomq/nanomq/security/advisories/GHSA-24f7-q5hh-27hf
https://github.com/nanomq/nanomq/issues/2145
https://github.com/nanomq/NanoNNG/pull/1365
 
Brands Engine--inMusic inMusic Brands Engine DJ 4.3.0 suffers from Insecure Permissions due to exposed HTTP service in the Remote Library, which allows attackers to access all files and network paths. 2025-12-30 not yet calculated CVE-2025-66723 http://inmusic.com
https://github.com/audiopump/cve-2025-66723
 
TrueConf--TrueConf An HTML Injection vulnerability in TrueConf server 5.5.2.10813 in the conference description field allows an attacker to inject arbitrary HTML in the Create/Edit conference functionality. The payload will be triggered when the victim opens the Conference Info page ([conference url]/info). 2025-12-30 not yet calculated CVE-2025-66823 https://trueconf.com
https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66823/README.md
 
TrueConf--TrueConf A Stored Cross-Site Scripting (XSS) vulnerability exists in the Meeting location field of the Create/Edit Conference functionality in TrueConf Server v5.5.2.10813. The injected payload is stored via the meeting_room parameter and executed when users visit the Conference Info page, allowing attackers to achieve full Account Takeover (ATO). This issue is caused by improper sanitization of user-supplied input in the meeting_room field. 2025-12-30 not yet calculated CVE-2025-66824 https://trueconf.com
https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66824/README.md
 
TrueConf--TrueConf A CSV Formula Injection vulnerability in TrueConf Server v5.5.2.10813 allows a normal user to inject malicious spreadsheet formulas into exported chat logs via crafted Display Name. 2025-12-30 not yet calculated CVE-2025-66834 https://trueconf.com
https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66834/README.md
 
TrueConf--TrueConf TrueConf Client 8.5.2 is vulnerable to DLL hijacking via crafted wfapi.dll allowing local attackers to execute arbitrary code within the user's context. 2025-12-30 not yet calculated CVE-2025-66835 http://trueconf.com
https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66835/README.md
 
JD Cloud--JD Cloud JD Cloud NAS routers AX1800 (4.3.1.r4308 and earlier), AX3000 (4.3.1.r4318 and earlier), AX6600 (4.5.1.r4533 and earlier), BE6500 (4.4.1.r4308 and earlier), ER1 (4.5.1.r4518 and earlier), and ER2 (4.5.1.r4518 and earlier) contain an unauthorized remote command execution vulnerability. 2025-12-30 not yet calculated CVE-2025-66848 http://jd.com
https://www.notion.so/JD-Cloud-Unauth-RCE-2d22b76e8e0c802c975bf186b208d0c2
 
cp-demangle.c--cp-demangle.c  An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE file. 2025-12-29 not yet calculated CVE-2025-66861 https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash1.md
 
cp-demangle.c--cp-demangle.c A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file. 2025-12-29 not yet calculated CVE-2025-66862 https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash3.md
 
cp-demangle.c--cp-demangle.c  An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file. 2025-12-29 not yet calculated CVE-2025-66863 https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash2.md
 
cp-demangle.c--cp-demangle.c  An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file. 2025-12-29 not yet calculated CVE-2025-66864 https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash5.md
 
cp-demangle.c--cp-demangle.c An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file. 2025-12-29 not yet calculated CVE-2025-66865 https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash4.md
 
cp-demangle.c--cp-demangle.c An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file. 2025-12-29 not yet calculated CVE-2025-66866 https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash6.md
 
 libming-- libming Buffer overflow vulnerability in function strcat in asan_interceptors.cpp in libming 0.4.8. 2025-12-29 not yet calculated CVE-2025-66869 https://github.com/libming/libming/issues/366
 
 libming-- libming Buffer overflow vulnerability in function dcputchar in decompile.c in libming 0.4.8. 2025-12-29 not yet calculated CVE-2025-66877 https://github.com/libming/libming/issues/367
 
Revotech--Revotech An authentication bypass in the /cgi-bin/jvsweb.cgi endpoint of Revotech I6032W-FHW v1.0.0014 - 20210517 allows attackers to access sensitive information and escalate privileges via a crafted HTTP request. 2026-01-02 not yet calculated CVE-2025-67158 http://i6032w-fhw.com
http://revotech.com
https://github.com/Remenis/CVE-2025-67158
 
Vatilon--Vatilon Vatilon v1.12.37-20240124 was discovered to transmit user credentials in plaintext. 2026-01-02 not yet calculated CVE-2025-67159 http://vatilon.com
https://github.com/Remenis/CVE-2025-67159
 
Vatilon--Vatilon An issue in Vatilon v1.12.37-20240124 allows attackers to access sensitive directories and files via a directory traversal. 2026-01-02 not yet calculated CVE-2025-67160 http://vatilon.com
https://github.com/Remenis/CVE-2025-67160
 
NagiosXI--NagiosXI NagiosXI 2026R1.0.1 build 1762361101 is vulnerable to Directory Traversal in /admin/coreconfigsnapshots.php. 2025-12-29 not yet calculated CVE-2025-67254 https://www.nagios.org/
https://github.com/YongYe-Security/NagiosXI/tree/main
 
NagiosXI--NagiosXI In NagiosXI 2026R1.0.1 build 1762361101, Dashboard parameters lack proper filtering, allowing any authenticated user to exploit a SQL Injection vulnerability. 2025-12-29 not yet calculated CVE-2025-67255 https://www.nagios.org/
https://github.com/YongYe-Security/NagiosXI/tree/main
 
gpsd--gpsd gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution. 2026-01-02 not yet calculated CVE-2025-67268 https://github.com/ntpsec/gpsd/commit/dc966aa74c075d0a6535811d98628625cbfbe3f4
https://github.com/ntpsec/gpsd/blob/master/drivers/driver_nmea2000.c
https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67268/README.md
 
gpsd--gpsd An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer->length = (size_t)c - 4` without checking if the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer->length` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition. 2026-01-02 not yet calculated CVE-2025-67269 https://gitlab.com/gpsd/gpsd/-/commit/ffa1d6f40bca0b035fc7f5e563160ebb67199da7
https://gitlab.com/gpsd/gpsd
https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67269/README.md
 
composer--composer Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue. 2025-12-30 not yet calculated CVE-2025-67746 https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g
https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917
https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71
https://github.com/composer/composer/releases/tag/2.2.26
https://github.com/composer/composer/releases/tag/2.9.3
 
github.com/golang/vscode-go--github.com/golang/vscode-go To prevent unexpected untrusted code execution, the Visual Studio Code Go extension is now disabled in Restricted Mode. 2025-12-29 not yet calculated CVE-2025-68120 https://nvd.nist.gov/vuln/detail/CVE-2025-68120
https://groups.google.com/g/golang-dev/c/CHG4qfcicBU/m/4tanFUymDQAJ
https://pkg.go.dev/vuln/GO-2025-4249
 
agronholm--cbor2 cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, whhen a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across trust boundaries. Version 5.8.0 patches the issue. 2025-12-31 not yet calculated CVE-2025-68131 https://github.com/agronholm/cbor2/security/advisories/GHSA-wcj4-jw5j-44wh
https://github.com/agronholm/cbor2/pull/268
 
SignalK--signalk-server Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers including URLs. npm supports installing packages from git repositories, GitHub shorthand syntax, and HTTP/HTTPS URLs pointing to tarballs. When npm installs a package, it can automatically execute any `postinstall` script defined in `package.json`, enabling arbitrary code execution. The vulnerability exists because npm's version specifier syntax is extremely flexible, and the SignalK code passes the version parameter directly to npm without sanitization. An attacker with admin access can install a package from an attacker-controlled source containing a malicious `postinstall` script. Version 2.19.0 contains a patch for the issue. 2026-01-01 not yet calculated CVE-2025-68619 https://github.com/SignalK/signalk-server/security/advisories/GHSA-93jc-vqqc-vvvh
https://github.com/SignalK/signalk-server/releases/tag/v2.19.0
 
infiniflow--ragflow RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.23.0, a low-privileged authenticated user (normal login account) can execute arbitrary system commands on the server host process via the frontend Canvas CodeExec component, completely bypassing sandbox isolation. This occurs because untrusted data (stdout) is parsed using eval() with no filtering or sandboxing. The intended design was to "automatically convert string results into Python objects," but this effectively executes attacker-controlled code. Additional endpoints lack access control or contain inverted permission logic, significantly expanding the attack surface and enabling chained exploitation. Version 0.23.0 contains a patch for the issue. 2025-12-31 not yet calculated CVE-2025-68700 https://github.com/infiniflow/ragflow/security/advisories/GHSA-8xw3-v6c2-j84j
https://github.com/infiniflow/ragflow/commit/7a344a32f9f83529e12ca12f40f2657eb79fe811
 
GoAhead-Webs--GoAhead-Webs A stack-based buffer overflow exists in the GoAhead-Webs HTTP daemon on KuWFi 4G LTE AC900 devices with firmware 1.0.13. The /goform/formMultiApnSetting handler uses sprintf() to copy the user-supplied pincode parameter into a fixed 132-byte stack buffer with no bounds checks. This allows an attacker to corrupt adjacent stack memory, crash the web server, and (under certain conditions) may enable arbitrary code execution. 2025-12-29 not yet calculated CVE-2025-68706 https://kuwfi.com/products/kuwfi-gigabit-wireless-router-4g-lte-wifi-router-dual-band-portable-wifi-modem-hotspot-64-user-with-gigabit-wan-lan-rj11-port
https://github.com/actuator/cve/tree/main/Kuwfi
https://drive.proton.me/urls/HJCJYAC7JM#XtHcm3P7QaYk
https://github.com/actuator/cve/blob/main/Kuwfi/CVE-2025-68706.txt
 
miniOrange--WordPress Social Login and Register Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange WordPress Social Login and Register miniorange-login-openid allows PHP Local File Inclusion.This issue affects WordPress Social Login and Register: from n/a through <= 7.7.0. 2025-12-30 not yet calculated CVE-2025-68974 https://vdp.patchstack.com/database/Wordpress/Plugin/miniorange-login-openid/vulnerability/wordpress-wordpress-social-login-and-register-plugin-7-7-0-local-file-inclusion-vulnerability?_s_id=cve
 
Eagle-Themes--Eagle Booking Authorization Bypass Through User-Controlled Key vulnerability in Eagle-Themes Eagle Booking eagle-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eagle Booking: from n/a through <= 1.3.4.3. 2025-12-30 not yet calculated CVE-2025-68975 https://vdp.patchstack.com/database/Wordpress/Plugin/eagle-booking/vulnerability/wordpress-eagle-booking-plugin-1-3-4-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Eagle-Themes--Eagle Booking Missing Authorization vulnerability in Eagle-Themes Eagle Booking eagle-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eagle Booking: from n/a through <= 1.3.4.3. 2025-12-30 not yet calculated CVE-2025-68976 https://vdp.patchstack.com/database/Wordpress/Plugin/eagle-booking/vulnerability/wordpress-eagle-booking-plugin-1-3-4-3-settings-change-vulnerability?_s_id=cve
 
designthemes--DesignThemes Portfolio Addon Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Portfolio Addon designthemes-portfolio-addon allows DOM-Based XSS.This issue affects DesignThemes Portfolio Addon: from n/a through <= 1.5. 2025-12-30 not yet calculated CVE-2025-68977 https://vdp.patchstack.com/database/Wordpress/Plugin/designthemes-portfolio-addon/vulnerability/wordpress-designthemes-portfolio-addon-plugin-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve
 
designthemes--DesignThemes Core Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Core designthemes-core allows DOM-Based XSS.This issue affects DesignThemes Core: from n/a through <= 1.6. 2025-12-30 not yet calculated CVE-2025-68978 https://vdp.patchstack.com/database/Wordpress/Plugin/designthemes-core/vulnerability/wordpress-designthemes-core-plugin-1-6-cross-site-scripting-xss-vulnerability?_s_id=cve
 
SimpleCalendar--Google Calendar Events Authorization Bypass Through User-Controlled Key vulnerability in SimpleCalendar Google Calendar Events google-calendar-events allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Google Calendar Events: from n/a through <= 3.5.9. 2025-12-30 not yet calculated CVE-2025-68979 https://vdp.patchstack.com/database/Wordpress/Plugin/google-calendar-events/vulnerability/wordpress-google-calendar-events-plugin-3-5-9-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
designthemes--WeDesignTech Portfolio Missing Authorization vulnerability in designthemes WeDesignTech Portfolio wedesigntech-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WeDesignTech Portfolio: from n/a through <= 1.0.2. 2025-12-30 not yet calculated CVE-2025-68980 https://vdp.patchstack.com/database/Wordpress/Plugin/wedesigntech-portfolio/vulnerability/wordpress-wedesigntech-portfolio-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve
 
designthemes--HomeFix Elementor Portfolio Missing Authorization vulnerability in designthemes HomeFix Elementor Portfolio homefix-ele-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HomeFix Elementor Portfolio: from n/a through <= 1.0.1. 2025-12-30 not yet calculated CVE-2025-68981 https://vdp.patchstack.com/database/Wordpress/Plugin/homefix-ele-portfolio/vulnerability/wordpress-homefix-elementor-portfolio-plugin-1-0-1-broken-access-control-vulnerability?_s_id=cve
 
designthemes--DesignThemes LMS Addon Missing Authorization vulnerability in designthemes DesignThemes LMS Addon designthemes-lms-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DesignThemes LMS Addon: from n/a through <= 2.6. 2025-12-30 not yet calculated CVE-2025-68982 https://vdp.patchstack.com/database/Wordpress/Plugin/designthemes-lms-addon/vulnerability/wordpress-designthemes-lms-addon-plugin-2-6-broken-access-control-vulnerability?_s_id=cve
 
thembay--Greenmart Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Greenmart greenmart allows PHP Local File Inclusion.This issue affects Greenmart: from n/a through <= 4.2.11. 2025-12-30 not yet calculated CVE-2025-68983 https://vdp.patchstack.com/database/Wordpress/Theme/greenmart/vulnerability/wordpress-greenmart-theme-4-2-11-local-file-inclusion-vulnerability?_s_id=cve
 
thembay--Puca Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Puca puca allows PHP Local File Inclusion.This issue affects Puca: from n/a through <= 2.6.39. 2025-12-30 not yet calculated CVE-2025-68984 https://vdp.patchstack.com/database/Wordpress/Theme/puca/vulnerability/wordpress-puca-theme-2-6-39-local-file-inclusion-vulnerability?_s_id=cve
 
thembay--Aora Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Aora aora allows PHP Local File Inclusion.This issue affects Aora: from n/a through <= 1.3.15. 2025-12-30 not yet calculated CVE-2025-68985 https://vdp.patchstack.com/database/Wordpress/Theme/aora/vulnerability/wordpress-aora-theme-1-3-15-local-file-inclusion-vulnerability?_s_id=cve
 
Edge-Themes--Cinerama - A WordPress Theme for Movie Studios and Filmmakers Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Cinerama - A WordPress Theme for Movie Studios and Filmmakers cinerama allows PHP Local File Inclusion.This issue affects Cinerama - A WordPress Theme for Movie Studios and Filmmakers: from n/a through <= 2.4. 2025-12-30 not yet calculated CVE-2025-68987 https://vdp.patchstack.com/database/Wordpress/Theme/cinerama/vulnerability/wordpress-cinerama-a-wordpress-theme-for-movie-studios-and-filmmakers-theme-2-4-local-file-inclusion-vulnerability?_s_id=cve
 
o2oe--E-Invoice App Malaysia Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in o2oe E-Invoice App Malaysia einvoiceapp-malaysia allows Retrieve Embedded Sensitive Data.This issue affects E-Invoice App Malaysia: from n/a through <= 1.1.0. 2025-12-30 not yet calculated CVE-2025-68988 https://vdp.patchstack.com/database/Wordpress/Plugin/einvoiceapp-malaysia/vulnerability/wordpress-e-invoice-app-malaysia-plugin-1-1-0-sensitive-data-exposure-vulnerability?_s_id=cve
 
Renzo Johnson--Contact Form 7 Extension For Mailchimp Insertion of Sensitive Information Into Sent Data vulnerability in Renzo Johnson Contact Form 7 Extension For Mailchimp contact-form-7-mailchimp-extension allows Retrieve Embedded Sensitive Data.This issue affects Contact Form 7 Extension For Mailchimp: from n/a through <= 0.9.49. 2025-12-30 not yet calculated CVE-2025-68989 https://vdp.patchstack.com/database/Wordpress/Plugin/contact-form-7-mailchimp-extension/vulnerability/wordpress-contact-form-7-extension-for-mailchimp-plugin-0-9-49-sensitive-data-exposure-vulnerability?_s_id=cve
 
xenioushk--BWL Pro Voting Manager Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in xenioushk BWL Pro Voting Manager bwl-pro-voting-manager allows Blind SQL Injection.This issue affects BWL Pro Voting Manager: from n/a through <= 1.4.9. 2025-12-30 not yet calculated CVE-2025-68990 https://vdp.patchstack.com/database/Wordpress/Plugin/bwl-pro-voting-manager/vulnerability/wordpress-bwl-pro-voting-manager-plugin-1-4-9-sql-injection-vulnerability?_s_id=cve
 
xenioushk--BWL Pro Voting Manager Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in xenioushk BWL Pro Voting Manager bwl-pro-voting-manager allows DOM-Based XSS.This issue affects BWL Pro Voting Manager: from n/a through <= 1.4.9. 2025-12-30 not yet calculated CVE-2025-68991 https://vdp.patchstack.com/database/Wordpress/Plugin/bwl-pro-voting-manager/vulnerability/wordpress-bwl-pro-voting-manager-plugin-1-4-9-cross-site-scripting-xss-vulnerability?_s_id=cve
 
xenioushk--BWL Knowledge Base Manager Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in xenioushk BWL Knowledge Base Manager bwl-kb-manager allows Stored XSS.This issue affects BWL Knowledge Base Manager: from n/a through <= 1.6.3. 2025-12-30 not yet calculated CVE-2025-68992 https://vdp.patchstack.com/database/Wordpress/Plugin/bwl-kb-manager/vulnerability/wordpress-bwl-knowledge-base-manager-plugin-1-6-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
XforWooCommerce--Share, Print and PDF Products for WooCommerce Missing Authorization vulnerability in XforWooCommerce Share, Print and PDF Products for WooCommerce share-print-pdf-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Share, Print and PDF Products for WooCommerce: from n/a through <= 3.1.2. 2025-12-30 not yet calculated CVE-2025-68993 https://vdp.patchstack.com/database/Wordpress/Plugin/share-print-pdf-woocommerce/vulnerability/wordpress-share-print-and-pdf-products-for-woocommerce-plugin-3-1-2-broken-access-control-vulnerability?_s_id=cve
 
XforWooCommerce--Product Loops for WooCommerce Missing Authorization vulnerability in XforWooCommerce Product Loops for WooCommerce product-loops allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Loops for WooCommerce: from n/a through <= 2.1.2. 2025-12-30 not yet calculated CVE-2025-68994 https://vdp.patchstack.com/database/Wordpress/Plugin/product-loops/vulnerability/wordpress-product-loops-for-woocommerce-plugin-2-1-2-broken-access-control-vulnerability?_s_id=cve
 
Gal Dubinski--My Sticky Elements Missing Authorization vulnerability in Gal Dubinski My Sticky Elements mystickyelements allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects My Sticky Elements: from n/a through <= 2.3.3. 2025-12-30 not yet calculated CVE-2025-68995 https://vdp.patchstack.com/database/Wordpress/Plugin/mystickyelements/vulnerability/wordpress-my-sticky-elements-plugin-2-3-3-broken-access-control-vulnerability?_s_id=cve
 
WebCodingPlace--Responsive Posts Carousel Pro Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebCodingPlace Responsive Posts Carousel Pro responsive-posts-carousel-pro allows PHP Local File Inclusion.This issue affects Responsive Posts Carousel Pro: from n/a through <= 15.1. 2025-12-30 not yet calculated CVE-2025-68996 https://vdp.patchstack.com/database/Wordpress/Plugin/responsive-posts-carousel-pro/vulnerability/wordpress-responsive-posts-carousel-pro-plugin-15-1-local-file-inclusion-vulnerability?_s_id=cve
 
AdvancedCoding--wpDiscuz Authorization Bypass Through User-Controlled Key vulnerability in AdvancedCoding wpDiscuz wpdiscuz allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects wpDiscuz: from n/a through <= 7.6.40. 2025-12-30 not yet calculated CVE-2025-68997 https://vdp.patchstack.com/database/Wordpress/Plugin/wpdiscuz/vulnerability/wordpress-wpdiscuz-plugin-7-6-40-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Heateor Support--Heateor Social Login Cross-Site Request Forgery (CSRF) vulnerability in Heateor Support Heateor Social Login heateor-social-login allows Cross Site Request Forgery.This issue affects Heateor Social Login: from n/a through <= 1.1.39. 2025-12-30 not yet calculated CVE-2025-68998 https://vdp.patchstack.com/database/Wordpress/Plugin/heateor-social-login/vulnerability/wordpress-heateor-social-login-plugin-1-1-39-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Atte Moisio--AM Events Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Atte Moisio AM Events am-events allows Stored XSS.This issue affects AM Events: from n/a through <= 1.13.1. 2025-12-30 not yet calculated CVE-2025-69006 https://vdp.patchstack.com/database/Wordpress/Plugin/am-events/vulnerability/wordpress-am-events-plugin-1-13-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
OTWthemes--Popping Sidebars and Widgets Light Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTWthemes Popping Sidebars and Widgets Light popping-sidebars-and-widgets-light allows Stored XSS.This issue affects Popping Sidebars and Widgets Light: from n/a through <= 1.27. 2025-12-30 not yet calculated CVE-2025-69007 https://vdp.patchstack.com/database/Wordpress/Plugin/popping-sidebars-and-widgets-light/vulnerability/wordpress-popping-sidebars-and-widgets-light-plugin-1-27-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Inboxify--Inboxify Sign Up Form Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Inboxify Inboxify Sign Up Form inboxify-sign-up-form allows Stored XSS.This issue affects Inboxify Sign Up Form: from n/a through <= 1.0.4. 2025-12-30 not yet calculated CVE-2025-69008 https://vdp.patchstack.com/database/Wordpress/Plugin/inboxify-sign-up-form/vulnerability/wordpress-inboxify-sign-up-form-plugin-1-0-4-cross-site-scripting-xss-vulnerability?_s_id=cve
 
kamleshyadav--Medicalequipment Missing Authorization vulnerability in kamleshyadav Medicalequipment medicalequipment allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Medicalequipment: from n/a through <= 1.0.9. 2025-12-30 not yet calculated CVE-2025-69009 https://vdp.patchstack.com/database/Wordpress/Theme/medicalequipment/vulnerability/wordpress-medicalequipment-theme-1-0-9-broken-access-control-vulnerability?_s_id=cve
 
themebeez--Themebeez Toolkit Missing Authorization vulnerability in themebeez Themebeez Toolkit themebeez-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Themebeez Toolkit: from n/a through <= 1.3.5. 2025-12-30 not yet calculated CVE-2025-69010 https://vdp.patchstack.com/database/Wordpress/Plugin/themebeez-toolkit/vulnerability/wordpress-themebeez-toolkit-plugin-1-3-5-broken-access-control-vulnerability?_s_id=cve
 
Stephen Harris--Event Organiser Missing Authorization vulnerability in Stephen Harris Event Organiser event-organiser allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Event Organiser: from n/a through <= 3.12.8. 2025-12-30 not yet calculated CVE-2025-69012 https://vdp.patchstack.com/database/Wordpress/Plugin/event-organiser/vulnerability/wordpress-event-organiser-plugin-3-12-8-broken-access-control-vulnerability?_s_id=cve
 
jetmonsters--Stratum Missing Authorization vulnerability in jetmonsters Stratum stratum allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Stratum: from n/a through <= 1.6.1. 2025-12-30 not yet calculated CVE-2025-69013 https://vdp.patchstack.com/database/Wordpress/Plugin/stratum/vulnerability/wordpress-stratum-plugin-1-6-1-broken-access-control-vulnerability?_s_id=cve
 
Youzify--Youzify Server-Side Request Forgery (SSRF) vulnerability in Youzify Youzify youzify allows Server Side Request Forgery.This issue affects Youzify: from n/a through <= 1.3.5. 2025-12-30 not yet calculated CVE-2025-69014 https://vdp.patchstack.com/database/Wordpress/Plugin/youzify/vulnerability/wordpress-youzify-plugin-1-3-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
 
Automattic--Crowdsignal Forms Missing Authorization vulnerability in Automattic Crowdsignal Forms crowdsignal-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Crowdsignal Forms: from n/a through <= 1.7.2. 2025-12-30 not yet calculated CVE-2025-69015 https://vdp.patchstack.com/database/Wordpress/Plugin/crowdsignal-forms/vulnerability/wordpress-crowdsignal-forms-plugin-1-7-2-broken-access-control-vulnerability?_s_id=cve
 
averta--Shortcodes and extra features for Phlox theme Missing Authorization vulnerability in averta Shortcodes and extra features for Phlox theme auxin-elements allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shortcodes and extra features for Phlox theme: from n/a through <= 2.17.12. 2025-12-30 not yet calculated CVE-2025-69016 https://vdp.patchstack.com/database/Wordpress/Plugin/auxin-elements/vulnerability/wordpress-shortcodes-and-extra-features-for-phlox-theme-plugin-2-17-12-broken-access-control-vulnerability?_s_id=cve
 
Magnigenie--RestroPress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Magnigenie RestroPress restropress allows Stored XSS.This issue affects RestroPress: from n/a through <= 3.2.4.2. 2025-12-30 not yet calculated CVE-2025-69017 https://vdp.patchstack.com/database/Wordpress/Plugin/restropress/vulnerability/wordpress-restropress-plugin-3-2-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Shamalli--Web Directory Free Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shamalli Web Directory Free web-directory-free allows DOM-Based XSS.This issue affects Web Directory Free: from n/a through <= 1.7.12. 2025-12-30 not yet calculated CVE-2025-69018 https://vdp.patchstack.com/database/Wordpress/Plugin/web-directory-free/vulnerability/wordpress-web-directory-free-plugin-1-7-12-cross-site-scripting-xss-vulnerability?_s_id=cve
 
FlippingBook--FlippingBook Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FlippingBook FlippingBook flippingbook allows DOM-Based XSS.This issue affects FlippingBook: from n/a through <= 2.0.1. 2025-12-30 not yet calculated CVE-2025-69019 https://vdp.patchstack.com/database/Wordpress/Plugin/flippingbook/vulnerability/wordpress-flippingbook-plugin-2-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Tribulant Software--Newsletters Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tribulant Software Newsletters newsletters-lite allows Stored XSS.This issue affects Newsletters: from n/a through <= 4.12. 2025-12-30 not yet calculated CVE-2025-69020 https://vdp.patchstack.com/database/Wordpress/Plugin/newsletters-lite/vulnerability/wordpress-newsletters-plugin-4-12-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Ays Pro--Popup box Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Popup box ays-popup-box allows Cross Site Request Forgery.This issue affects Popup box: from n/a through <= 6.0.7. 2025-12-30 not yet calculated CVE-2025-69021 https://vdp.patchstack.com/database/Wordpress/Plugin/ays-popup-box/vulnerability/wordpress-popup-box-plugin-6-0-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Weblizar - WordPress Themes & Plugin--HR Management Lite Missing Authorization vulnerability in Weblizar - WordPress Themes &amp; Plugin HR Management Lite hr-management-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HR Management Lite: from n/a through <= 3.5. 2025-12-30 not yet calculated CVE-2025-69022 https://vdp.patchstack.com/database/Wordpress/Plugin/hr-management-lite/vulnerability/wordpress-hr-management-lite-plugin-3-5-broken-access-control-vulnerability?_s_id=cve
 
Marketing Fire--Discussion Board Missing Authorization vulnerability in Marketing Fire Discussion Board wp-discussion-board allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Discussion Board: from n/a through <= 2.5.7. 2025-12-30 not yet calculated CVE-2025-69023 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-discussion-board/vulnerability/wordpress-discussion-board-plugin-2-5-7-broken-access-control-vulnerability?_s_id=cve
 
bizswoop--BizPrint Missing Authorization vulnerability in bizswoop BizPrint print-google-cloud-print-gcp-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BizPrint: from n/a through <= 4.6.7. 2025-12-30 not yet calculated CVE-2025-69024 https://vdp.patchstack.com/database/Wordpress/Plugin/print-google-cloud-print-gcp-woocommerce/vulnerability/wordpress-bizprint-plugin-4-6-7-broken-access-control-vulnerability?_s_id=cve
 
Aethonic--Poptics: AI-Powered Popup Builder for Lead Generation, Conversions, Exit-Intent, Email Opt-ins & WooCommerce Sales Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Aethonic Poptics: AI-Powered Popup Builder for Lead Generation, Conversions, Exit-Intent, Email Opt-ins &amp; WooCommerce Sales poptics allows Retrieve Embedded Sensitive Data.This issue affects Poptics: AI-Powered Popup Builder for Lead Generation, Conversions, Exit-Intent, Email Opt-ins &amp; WooCommerce Sales: from n/a through <= 1.0.20. 2025-12-30 not yet calculated CVE-2025-69025 https://vdp.patchstack.com/database/Wordpress/Plugin/poptics/vulnerability/wordpress-poptics-ai-powered-popup-builder-for-lead-generation-conversions-exit-intent-email-opt-ins-woocommerce-sales-plugin-1-0-20-sensitive-data-exposure-vulnerability?_s_id=cve
 
Roxnor--PopupKit Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Roxnor PopupKit popup-builder-block allows Retrieve Embedded Sensitive Data.This issue affects PopupKit: from n/a through <= 2.1.5. 2025-12-30 not yet calculated CVE-2025-69026 https://vdp.patchstack.com/database/Wordpress/Plugin/popup-builder-block/vulnerability/wordpress-popupkit-plugin-2-1-5-sensitive-data-exposure-vulnerability?_s_id=cve
 
tychesoftwares--Product Delivery Date for WooCommerce Lite Missing Authorization vulnerability in tychesoftwares Product Delivery Date for WooCommerce - Lite product-delivery-date-for-woocommerce-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Delivery Date for WooCommerce - Lite: from n/a through <= 3.2.0. 2025-12-30 not yet calculated CVE-2025-69027 https://vdp.patchstack.com/database/Wordpress/Plugin/product-delivery-date-for-woocommerce-lite/vulnerability/wordpress-product-delivery-date-for-woocommerce-lite-plugin-3-2-0-broken-access-control-vulnerability?_s_id=cve
 
BoldGrid--weForms Missing Authorization vulnerability in BoldGrid weForms weforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects weForms: from n/a through <= 1.6.25. 2025-12-30 not yet calculated CVE-2025-69028 https://vdp.patchstack.com/database/Wordpress/Plugin/weforms/vulnerability/wordpress-weforms-plugin-1-6-25-broken-access-control-vulnerability?_s_id=cve
 
Select-Themes--Struktur Authorization Bypass Through User-Controlled Key vulnerability in Select-Themes Struktur struktur allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Struktur: from n/a through <= 2.5.1. 2025-12-30 not yet calculated CVE-2025-69029 https://vdp.patchstack.com/database/Wordpress/Theme/struktur/vulnerability/wordpress-struktur-theme-2-5-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Mikado-Themes--Backpack Traveler Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Backpack Traveler backpacktraveler allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Backpack Traveler: from n/a through <= 2.10.3. 2025-12-30 not yet calculated CVE-2025-69030 https://vdp.patchstack.com/database/Wordpress/Theme/backpacktraveler/vulnerability/wordpress-backpack-traveler-theme-2-10-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
Skywarrior--Arcane Missing Authorization vulnerability in Skywarrior Arcane arcane allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Arcane: from n/a through <= 3.6.6. 2025-12-30 not yet calculated CVE-2025-69031 https://vdp.patchstack.com/database/Wordpress/Theme/arcane/vulnerability/wordpress-arcane-theme-3-6-6-broken-access-control-vulnerability?_s_id=cve
 
Mikado-Themes--FiveStar Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes FiveStar fivestar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FiveStar: from n/a through <= 1.7. 2025-12-30 not yet calculated CVE-2025-69032 https://vdp.patchstack.com/database/Wordpress/Theme/fivestar/vulnerability/wordpress-fivestar-theme-1-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
A WP Life--Blog Filter Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A WP Life Blog Filter blog-filter allows DOM-Based XSS.This issue affects Blog Filter: from n/a through <= 1.7.3. 2025-12-30 not yet calculated CVE-2025-69033 https://vdp.patchstack.com/database/Wordpress/Plugin/blog-filter/vulnerability/wordpress-blog-filter-plugin-1-7-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Mikado-Themes--Lekker Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Lekker lekker allows PHP Local File Inclusion.This issue affects Lekker: from n/a through <= 1.8. 2025-12-30 not yet calculated CVE-2025-69034 https://vdp.patchstack.com/database/Wordpress/Theme/lekker/vulnerability/wordpress-lekker-theme-1-8-local-file-inclusion-vulnerability?_s_id=cve
 
Vidish--Combo Offers WooCommerce Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vidish Combo Offers WooCommerce woo-combo-offers allows DOM-Based XSS.This issue affects Combo Offers WooCommerce: from n/a through <= 4.2. 2025-12-30 not yet calculated CVE-2025-69088 https://vdp.patchstack.com/database/Wordpress/Plugin/woo-combo-offers/vulnerability/wordpress-combo-offers-woocommerce-plugin-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
autolistings--Auto Listings Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in autolistings Auto Listings auto-listings allows Stored XSS.This issue affects Auto Listings: from n/a through <= 2.7.1. 2025-12-30 not yet calculated CVE-2025-69089 https://vdp.patchstack.com/database/Wordpress/Plugin/auto-listings/vulnerability/wordpress-auto-listings-plugin-2-7-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Kraft Plugins--Demo Importer Plus Missing Authorization vulnerability in Kraft Plugins Demo Importer Plus demo-importer-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Demo Importer Plus: from n/a through <= 2.0.8. 2025-12-30 not yet calculated CVE-2025-69091 https://vdp.patchstack.com/database/Wordpress/Plugin/demo-importer-plus/vulnerability/wordpress-demo-importer-plus-plugin-2-0-8-broken-access-control-vulnerability?_s_id=cve
 
WPDeveloper--Essential Addons for Elementor Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows DOM-Based XSS.This issue affects Essential Addons for Elementor: from n/a through <= 6.5.3. 2025-12-30 not yet calculated CVE-2025-69092 https://vdp.patchstack.com/database/Wordpress/Plugin/essential-addons-for-elementor-lite/vulnerability/wordpress-essential-addons-for-elementor-plugin-6-5-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
wpdesk--ShopMagic Missing Authorization vulnerability in wpdesk ShopMagic shopmagic-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ShopMagic: from n/a through <= 4.7.2. 2025-12-30 not yet calculated CVE-2025-69093 https://vdp.patchstack.com/database/Wordpress/Plugin/shopmagic-for-woocommerce/vulnerability/wordpress-shopmagic-plugin-4-7-2-broken-access-control-vulnerability?_s_id=cve
 
Quenary--tugtainer Tugtainer is a self-hosted app for automating updates of docker containers. In versions prior to 1.15.1, arbitary arguments can be injected in tugtainer-agent `POST api/command/run`. Version 1.15.1 fixes the issue. 2025-12-29 not yet calculated CVE-2025-69201 https://github.com/Quenary/tugtainer/security/advisories/GHSA-grc3-8w5x-g54q
https://github.com/Quenary/tugtainer/pull/88
https://github.com/Quenary/tugtainer/commit/dbb17d843e30fd7509acf0328c913dcb42f40831
https://github.com/Quenary/tugtainer/releases/tag/v1.15.1
 
arthurfiorette--axios-cache-interceptor Axios Cache Interceptor is a cache interceptor for axios. Prior to version 1.11.1, when a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. The cache key is generated only from the URL, ignoring request headers like `Authorization`. When the server responds with `Vary: Authorization` (indicating the response varies by auth token), the library ignores this, causing all requests to share the same cache regardless of authorization. Server-side applications (APIs, proxies, backend services) that use axios-cache-interceptor to cache requests to upstream services, handle requests from multiple users with different auth tokens, and upstream services replies on `Vary` to differentiate caches are affected. Browser/client-side applications (single user per browser session) are not affected. Services using different auth tokens to call upstream services will return incorrect cached data, bypassing authorization checks and leaking user data across different authenticated sessions. After `v1.11.1`, automatic `Vary` header support is now enabled by default. When server responds with `Vary: Authorization`, cache keys now include the authorization header value. Each user gets their own cache. 2025-12-29 not yet calculated CVE-2025-69202 https://github.com/arthurfiorette/axios-cache-interceptor/security/advisories/GHSA-x4m5-4cw8-vc44
https://github.com/arthurfiorette/axios-cache-interceptor/commit/49a808059dfc081b9cc23d48f243d55dfce15f01
 
NeoRazorX--facturascripts FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.7, a stored cross-site scripting (XSS) vulnerability exists in the product file upload functionality. Authenticated users can upload crafted XML files containing executable JavaScript. These files are later rendered by the application without sufficient sanitization or content-type enforcement, allowing arbitrary JavaScript execution when the file is accessed. Because product files uploaded by regular users are visible to administrative users, this vulnerability can be leveraged to execute malicious JavaScript in an administrator's browser session. Version 2025.7 fixes the issue. 2025-12-30 not yet calculated CVE-2025-69210 https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-2267-xqcf-gw2m
https://facturascripts.com/publicaciones/ya-disponible-facturascripts-2025-7
https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.7
 
nestjs--nest Nest is a framework for building scalable Node.js server-side applications. Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if it uses `@nestjs/platform-fastify`; relies on `NestMiddleware` (via `MiddlewareConsumer`) for security checks (authentication, authorization, etc.), or through `app.use()`; and applies middleware to specific routes using string paths or controllers (e.g., `.forRoutes('admin')`). Exploitation can result in unauthenticated users accessing protected routes, restricted administrative endpoints becoming accessible to lower-privileged users, and/or middleware performing sanitization or validation being skipped. This issue is patched in `@nestjs/platform-fastify@11.1.11`. 2025-12-29 not yet calculated CVE-2025-69211 https://github.com/nestjs/nest/security/advisories/GHSA-8wpr-639p-ccrj
https://github.com/nestjs/nest/commit/c4cedda15a05aafec1e6045b36b0335ab850e771
 
NAVER--NAVER Whale browser Whale browser before 4.35.351.12 allows an attacker to escape the iframe sandbox in a sidebar environment. 2025-12-30 not yet calculated CVE-2025-69234 https://cve.naver.com/detail/cve-2025-69234.html
 
NAVER--NAVER Whale browser Whale browser before 4.35.351.12 allows an attacker to bypass the Same-Origin Policy in a sidebar environment. 2025-12-30 not yet calculated CVE-2025-69235 https://cve.naver.com/detail/cve-2025-69235.html
 
WasmEdge--WasmEdge WasmEdge is a WebAssembly runtime. Prior to version 0.16.0-alpha.3, a multiplication in `WasmEdge/include/runtime/instance/memory.h` can wrap, causing `checkAccessBound()` to incorrectly allow the access. This leads to a segmentation fault. Version 0.16.0-alpha.3 contains a patch for the issue. 2025-12-30 not yet calculated CVE-2025-69261 https://github.com/WasmEdge/WasmEdge/security/advisories/GHSA-89fm-8mr7-gg4m
https://github.com/WasmEdge/WasmEdge/commit/37cc9fa19bd23edbbdaa9252059b17f191fa4d17
 
infiniflow--ragflow RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.22.0, the use of an insecure key generation algorithm in the API key and beta (assistant/agent share auth) token generation process allows these tokens to be mutually derivable. Specifically, both tokens are generated using the same `URLSafeTimedSerializer` with predictable inputs, enabling an unauthorized user who obtains the shared assistant/agent URL to derive the personal API key. This grants them full control over the assistant/agent owner's account. Version 0.22.0 fixes the issue. 2025-12-31 not yet calculated CVE-2025-69286 https://github.com/infiniflow/ragflow/security/advisories/GHSA-9j5g-g4xm-57w7
https://github.com/infiniflow/ragflow/commit/a3bb4aadcc3494fb27f2a9933b4c46df8eb532e6
https://github.com/infiniflow/ragflow/blob/v0.20.5/api/apps/system_app.py#L214-L215
https://github.com/infiniflow/ragflow/blob/v0.20.5/api/utils/__init__.py#L343
https://github.com/infiniflow/ragflow/blob/v0.20.5/api/utils/api_utils.py#L378
 
QNAP Systems Inc.--QTS An exposure of sensitive system information to an unauthorized control sphere vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to read application data. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later QuTS hero h5.2.8.3321 build 20251117 and later QuTS hero h5.3.1.3250 build 20250912 and later 2026-01-02 not yet calculated CVE-2025-9110 https://www.qnap.com/en/security-advisory/qsa-25-51
 
yhirose--cpp-httplib cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines. This vulnerability allows attackers to add extra headers, modify request body unexpectedly & trigger an SSRF attack. When combined with a server that supports http1.1 pipelining (springboot, python twisted etc), this can be used for server side request forgery (SSRF). Version 0.30.0 fixes this issue. 2026-01-01 not yet calculated CVE-2026-21428 https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-wpc6-j37r-jcx7
https://github.com/yhirose/cpp-httplib/commit/98048a033a532ff22320ce1d11789f8d5710dfcd
https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.0
 
emlog--emlog Emlog is an open source website building system. In version 2.5.23, the admin can set controls which makes users unable to edit or delete their articles after publishing them. As of time of publication, no known patched versions are available. 2026-01-02 not yet calculated CVE-2026-21429 https://github.com/emlog/emlog/security/advisories/GHSA-jw5v-2g53-rx8w
 
emlog--emlog Emlog is an open source website building system. In version 2.5.23, article creation functionality is vulnerable to cross-site request forgery (CSRF). This can lead to a user being forced to post an article with arbitrary, attacker-controlled content. This, when combined with stored cross-site scripting, leads to account takeover. As of time of publication, no known patched versions are available. 2026-01-02 not yet calculated CVE-2026-21430 https://github.com/emlog/emlog/security/advisories/GHSA-2g2w-vmg7-pq4q
 
emlog--emlog Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability in the `Resource media library ` function while publishing an article. As of time of publication, no known patched versions are available. 2026-01-02 not yet calculated CVE-2026-21431 https://github.com/emlog/emlog/security/advisories/GHSA-9vc2-crhr-248x
 
emlog--emlog Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability that can lead to account takeover, including takeover of admin accounts. As of time of publication, no known patched versions are available. 2026-01-02 not yet calculated CVE-2026-21432 https://github.com/emlog/emlog/security/advisories/GHSA-4rxf-mjqx-c464
 
getsolus--eopkg eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected. 2026-01-01 not yet calculated CVE-2026-21436 https://github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6m
https://github.com/getsolus/eopkg/pull/201
https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d
https://github.com/getsolus/eopkg/releases/tag/v4.4.0
 
getsolus--eopkg eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could include files that are not tracked by `eopkg`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be shown by `lseopkg` and related tools. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected. 2026-01-01 not yet calculated CVE-2026-21437 https://github.com/getsolus/eopkg/security/advisories/GHSA-hjp7-qwrj-6cc6
https://github.com/getsolus/eopkg/pull/201
https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d
https://github.com/getsolus/eopkg/releases/tag/v4.4.0
 
adonisjs--core AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6. This issue has been patched in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6. 2026-01-02 not yet calculated CVE-2026-21440 https://github.com/adonisjs/core/security/advisories/GHSA-gvq6-hvvp-h34h
https://github.com/adonisjs/bodyparser/commit/143a16f35602be8561215611582211dec280cae6
https://github.com/adonisjs/bodyparser/commit/6795c0e3fa824ae275bbd992aae60609e96f0f03
https://github.com/adonisjs/bodyparser/releases/tag/v10.1.2
https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.6
 
langflow-ai--langflow Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. Version 1.7.0.dev45 contains a patch. 2026-01-02 not yet calculated CVE-2026-21445 https://github.com/langflow-ai/langflow/security/advisories/GHSA-c5cp-vx83-jhqx
https://github.com/langflow-ai/langflow/commit/3fed9fe1b5658f2c8656dbd73508e113a96e486a
 
bagisto--bagisto Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue. 2026-01-02 not yet calculated CVE-2026-21446 https://github.com/bagisto/bagisto/security/advisories/GHSA-6h7w-v2xr-mqvw
https://github.com/bagisto/bagisto/commit/380c045e48490da740cd505fb192cc45e1809bed
 
bagisto--bagisto Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, in the `add address` step they can inject a value to run in admin view. The issue can lead to remote code execution. Version 2.3.10 contains a patch. 2026-01-02 not yet calculated CVE-2026-21448 https://github.com/bagisto/bagisto/security/advisories/GHSA-5j4h-4f72-qpm6
 
bagisto--bagisto Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via first name and last name from a low-privilege user. Version 2.3.10 fixes the issue. 2026-01-02 not yet calculated CVE-2026-21449 https://github.com/bagisto/bagisto/security/advisories/GHSA-mqhg-v22x-pqj8
 
bagisto--bagisto Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via type parameter, which can lead to remote code execution or another exploitation. Version 2.3.10 fixes the issue. 2026-01-02 not yet calculated CVE-2026-21450 https://github.com/bagisto/bagisto/security/advisories/GHSA-9hvg-qw5q-wqwp
 
bagisto--bagisto Bagisto is an open source laravel eCommerce platform. A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto prior to version 2.3.10 within the CMS page editor. Although the platform normally attempts to sanitize `<script>` tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary JavaScript can be stored in the CMS content and executed whenever the page is viewed or edited. This exposes administrators to a high-severity risk, including complete account takeover, backend hijacking, and malicious script execution. Version 2.3.10 fixes the issue. 2026-01-02 not yet calculated CVE-2026-21451 https://github.com/bagisto/bagisto/security/advisories/GHSA-2mwc-h2mg-v6p8
 
knadh--listmonk listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required. Version 6.0.0 fixes the issue. 2026-01-02 not yet calculated CVE-2026-21483 https://github.com/knadh/listmonk/security/advisories/GHSA-jmr4-p576-v565
 

Back to top

Vulnerability Summary for the Week of December 22, 2025
Posted on Monday December 29, 2025

High Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
9786--phpok3w A vulnerability was identified in 9786 phpok3w up to 901d96a06809fb28b17f3a4362c59e70411c933c. Impacted is an unknown function of the file show.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-28 7.3 CVE-2025-15142 VDB-338520 | 9786 phpok3w show.php sql injection
VDB-338520 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #715574 | phpok3w 1.0 SQL Injection
https://gitee.com/9786/phpok3w/issues/IDD1IZ
 
Alteryx--Server A vulnerability was found in Alteryx Server. Affected by this issue is some unknown functionality of the file /gallery/api/status/. Performing manipulation results in improper authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. Upgrading to version 2023.1.1.13.486, 2023.2.1.10.293, 2024.1.1.9.236, 2024.2.1.6.125 and 2025.1.1.1.31 can resolve this issue. Upgrading the affected component is recommended. 2025-12-26 7.3 CVE-2025-15097 VDB-338428 | Alteryx Server status improper authentication
VDB-338428 | CTI Indicators (IOB, IOC, IOA)
Submit #710169 | Alteryx Alteryx Server 2020/2021/2022/2023/2024/2025 Authentication Bypass Issues
https://ict-strypes.eu/wp-content/uploads/2025/12/Alteryx-Second-Research.pdf
https://gist.github.com/apostolovd/f84631eed2f0c0e83e2e174b1480f08c
https://help.alteryx.com/release-notes/en/release-notes/server-release-notes/server-2025-1-release-notes.html
 
Anviz Biometric Technology Co., Ltd.--Anviz AIM CrossChex Standard Anviz AIM CrossChex Standard 4.3.6.0 contains a CSV injection vulnerability that allows attackers to execute commands by inserting malicious formulas in user import fields. Attackers can craft payloads in fields like 'Name', 'Gender', or 'Position' to trigger Excel macro execution when importing user data. 2025-12-24 9.8 CVE-2018-25135 ExploitDB-45765
Anviz Biometric Technology Product Homepage
Zero Science Lab Disclosure (ZSL-2018-5498)
 
beaverbuilder--Beaver Builder Page Builder Drag and Drop Website Builder The Beaver Builder - WordPress Page Builder plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'duplicate_wpml_layout' function in all versions up to, and including, 2.9.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary posts with the content of other existing posts, potentially exposing private and password-protected content and deleting any content that is not saved in revisions or backups. Posts must have been created with Beaver Builder to be copied or updated. 2025-12-23 8.1 CVE-2025-12934 https://www.wordfence.com/threat-intel/vulnerabilities/id/bc2db74d-61b9-498a-a0d8-e43466b06f37?source=cve
https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-builder-model.php#L181
https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-builder-model.php#L5490
https://plugins.trac.wordpress.org/changeset/3425646/beaver-builder-lite-version/trunk
 
Beward R&D Co., Ltd--N100 H.264 VGA IP Camera Beward N100 H.264 VGA IP Camera M2.1.6 contains an authenticated file disclosure vulnerability that allows attackers to read arbitrary system files via the 'READ.filePath' parameter. Attackers can exploit the fileread script or SendCGICMD API to access sensitive files like /etc/passwd and /etc/issue by supplying absolute file paths. 2025-12-24 8.8 CVE-2019-25246 ExploitDB-46320
Beward Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5511)
 
Beward--N100 H.264 VGA IP Camera Beward N100 M2.1.6.04C014 contains an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly retrieve the camera's RTSP stream by exploiting the lack of authentication in the video access mechanism. 2025-12-24 7.5 CVE-2019-25248 ExploitDB-46317
Beward Official Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5509)
 
Centreon--Infra Monitoring - Open-tickets Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon Infra Monitoring - Open-tickets (Notification rules configuration parameters, Open tickets modules) allows SQL Injection to user with elevated privileges.This issue affects Infra Monitoring - Open-tickets: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4. 2025-12-22 7.2 CVE-2025-12514 https://github.com/centreon/centreon/releases
 
CMSimple--CMSimple CMSimple 5.2 contains a stored cross-site scripting vulnerability in the Filebrowser External input field that allows attackers to inject malicious JavaScript. Attackers can place unfiltered JavaScript code that executes when users click on Page or Files tabs, enabling persistent script injection. 2025-12-23 7.2 CVE-2021-47732 ExploitDB-49751
Official CMSimple Vendor Homepage
VulnCheck Advisory: CMSimple 5.2 Stored Cross-Site Scripting via Filebrowser External Input
 
Cmsimple--Cmsimple CMSimple 5.4 contains an authenticated remote code execution vulnerability that allows logged-in attackers to inject malicious PHP code into template files. Attackers can exploit the template editing functionality by crafting a reverse shell payload and saving it through the template editing endpoint with a valid CSRF token. 2025-12-23 8.8 CVE-2021-47735 ExploitDB-50356
Official CMSimple Homepage
VulnCheck Advisory: CMSimple 5.4 Authenticated Remote Code Execution via Template Editing
 
Cmsimple-Xh--CMSimple_XH CMSimple_XH 1.7.4 contains an authenticated remote code execution vulnerability in the content editing functionality that allows administrative users to upload malicious PHP files. Attackers with valid credentials can exploit the CSRF token mechanism to create a PHP shell file that enables arbitrary command execution on the server. 2025-12-23 8.8 CVE-2021-47736 ExploitDB-50367
Official Vendor Homepage
VulnCheck Advisory: CMSimple_XH 1.7.4 Authenticated Remote Code Execution via Content Editing
 
Cobiansoft--Cobian Backup Gravity Cobian Backup Gravity 11.2.0.582 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the CobianBackup11 service to inject malicious code that would execute with LocalSystem privileges during service startup. 2025-12-22 8.4 CVE-2022-50688 ExploitDB-50791
Cobian Backup Official Vendor Homepage
VulnCheck Advisory: Cobian Backup Gravity 11.2.0.582 Unquoted Service Path Privilege Escalation
 
code-projects--Online Farm System A vulnerability was identified in code-projects Online Farm System 1.0. Affected is an unknown function of the file /addProduct.php. The manipulation of the argument Username leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used. 2025-12-23 7.3 CVE-2025-15049 VDB-337854 | code-projects Online Farm System addProduct.php sql injection
VDB-337854 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721001 | code-projects Online Farm System V1.0 SQL Injection
https://github.com/xiaotsai/tttt/issues/1
https://code-projects.org/
 
code-projects--Refugee Food Management System A vulnerability was determined in code-projects Refugee Food Management System 1.0. The affected element is an unknown function of the file /home/home.php. This manipulation of the argument a causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. 2025-12-22 7.3 CVE-2025-15012 VDB-337718 | code-projects Refugee Food Management System home.php sql injection
VDB-337718 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #719788 | Code-projects Refugee Food Management System v1.0 SQL Injection
https://github.com/jjjjj-zr/jjjjjzr17/issues/2
https://code-projects.org/
 
code-projects--Simple Stock System A vulnerability was found in code-projects Simple Stock System 1.0. Impacted is an unknown function of the file /logout.php. The manipulation of the argument uname results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used. 2025-12-22 7.3 CVE-2025-15011 VDB-337717 | code-projects Simple Stock System logout.php sql injection
VDB-337717 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #719663 | Code-projects Simple Stock System v1.0 SQL Injection
https://github.com/chunmingshanan/CVE/issues/1
https://code-projects.org/
 
code-projects--Student Information System A flaw has been found in code-projects Student Information System 1.0. This issue affects some unknown processing of the file /searchresults.php. Executing manipulation of the argument searchbox can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. 2025-12-24 7.3 CVE-2025-15053 VDB-337859 | code-projects Student Information System searchresults.php sql injection
VDB-337859 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #720796 | Fabian Ros Student Information System In PHP With Source Code November 2, 2025 SQL Injection
https://github.com/i4G5d/CRITICAL-SEVERITY-VULNERABILITY-REPORT-Widespread-SQLI
https://code-projects.org/
 
CodexThemes--TheGem Theme Elements (for Elementor) Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor).This issue affects TheGem Theme Elements (for Elementor): from n/a through 5.10.5.1. 2025-12-23 7.5 CVE-2025-68560 https://vdp.patchstack.com/database/wordpress/plugin/thegem-elements-elementor/vulnerability/wordpress-thegem-theme-elements-for-elementor-plugin-5-10-5-1-local-file-inclusion-vulnerability?_s_id=cve
 
D-Link--DSL-124 Wireless N300 ADSL2+ D-Link DSL-124 ME_1.00 contains a configuration file disclosure vulnerability that allows unauthenticated attackers to retrieve router settings through a POST request. Attackers can send a specific POST request to the router's configuration endpoint to download a complete backup file containing sensitive network credentials and system configurations. 2025-12-22 7.5 CVE-2023-53974 ExploitDB-51129
D-Link Official Homepage
D-Link MEA Product Details Page
VulnCheck Advisory: D-Link DSL-124 ME_1.00 Backup Configuration File Disclosure via Unauthenticated Request
 
DB Elettronica Telecomunicazioni SpA--Screen SFT DAB 600/C Screen SFT DAB 600/C Firmware 1.9.3 contains a session management vulnerability that allows attackers to bypass authentication controls by exploiting IP address session binding. Attackers can reuse the same IP address and issue unauthorized requests to the userManager API to remove user accounts without proper authentication. 2025-12-22 9.8 CVE-2023-53968 ExploitDB-51457
DB Elettronica Telecomunicazioni Official Website
SFT DAB Series Product Page
Zero Science Lab Disclosure (ZSL-2022-5773)
VulnCheck Advisory: Screen SFT DAB 600/C Firmware 1.9.3 Authentication Bypass Erase Account
 
DB Elettronica Telecomunicazioni SpA--Screen SFT DAB 600/C Screen SFT DAB 600/C firmware 1.9.3 contains an authentication bypass vulnerability that allows attackers to change the admin password without requiring the current credentials. Attackers can exploit the userManager.cgx API endpoint by sending a crafted POST request with a new MD5-hashed password to directly modify the admin account's authentication. 2025-12-22 7.5 CVE-2023-53967 ExploitDB-51458
DB Elettronica Telecomunicazioni SpA Homepage
SFT DAB Series Product Page
Zero Science Lab Disclosure (ZSL-2022-5774)
VulnCheck Advisory: Screen SFT DAB 600/C Firmware 1.9.3 Authentication Bypass Admin Password Change
 
DB Elettronica Telecomunicazioni SpA--Screen SFT DAB 600/C Screen SFT DAB 600/C firmware 1.9.3 contains a session management vulnerability that allows attackers to bypass authentication controls by exploiting IP address session binding. Attackers can reuse the same IP address and issue unauthorized requests to the userManager API to change user passwords without proper authentication. 2025-12-22 7.5 CVE-2023-53969 ExploitDB-51456
DB Elettronica Telecomunicazioni Official Website
SFT DAB Series Product Page
Zero Science Lab Disclosure (ZSL-2022-5772)
VulnCheck Advisory: Screen SFT DAB 600/C Firmware 1.9.3 Authentication Bypass Password Change
 
DB Elettronica Telecomunicazioni SpA--Screen SFT DAB 600/C Screen SFT DAB 600/C Firmware 1.9.3 contains a weak session management vulnerability that allows attackers to bypass authentication controls by reusing IP-bound session identifiers. Attackers can exploit the vulnerable deviceManagement API endpoint to reset device configurations by sending crafted POST requests with manipulated session parameters. 2025-12-22 7.5 CVE-2023-53970 ExploitDB-51459
DB Elettronica Telecomunicazioni Product Homepage
SFT DAB Series Product Page
Zero Science Lab Disclosure (ZSL-2022-5775)
VulnCheck Advisory: Screen SFT DAB 600/C Firmware 1.9.3 Authentication Bypass Reset Board Config
 
devolo AG--dLAN 550 duo+ Starter Kit devolo dLAN 500 AV Wireless+ 3.1.0-1 contains an authentication bypass vulnerability that allows attackers to enable hidden services through the htmlmgr CGI script. Attackers can enable telnet and remote shell services, reboot the device, and gain root access without a password by manipulating system configuration parameters. 2025-12-24 9.8 CVE-2019-25249 ExploitDB-46325
Official Vendor Homepage
Zero Science Lab Disclosure (ZSL-2019-5508)
 
Eaton--Eaton UPS Companion Software Improper authentication of library files in the Eaton UPS Companion software installer could lead to arbitrary code execution of an attacker with the access to the software package. This security issue has been fixed in the latest version of EUC which is available on the Eaton download center. 2025-12-26 8.6 CVE-2025-59887 https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1026.pdf
 
Eaton--Eaton xComfort ECI Improper input validation at one of the endpoints of Eaton xComfort ECI's web interface, could lead into an attacker with network access to the device executing privileged user commands. As cybersecurity standards continue to evolve and to meet our requirements today, Eaton has decided to discontinue the product. Upon retirement or end of support, there will be no new security updates, non-security updates, or paid assisted support options, or online technical content updates. 2025-12-23 8.8 CVE-2025-59886 https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1022.pdf
 
Eaton--UPS Companion software Due to insecure library loading in the Eaton UPS Companion software executable, an attacker with access to the software package could perform arbitrary code execution . This security issue has been fixed in the latest version of EUC which is available on the Eaton download center. 2025-12-26 7.8 CVE-2025-67450 https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1027.pdf
 
Echo Call Center Services Trade and Industry Inc.--Specto CM Unrestricted Upload of File with Dangerous Type vulnerability in Echo Call Center Services Trade and Industry Inc. Specto CM allows Remote Code Inclusion.This issue affects Specto CM: before 17032025. 2025-12-24 8.8 CVE-2025-2155 https://www.usom.gov.tr/bildirim/tr-25-0480
 
Eclipse Foundation--BlueChi A vulnerability was found in BlueChi, a multi-node systemd service controller used in RHIVOS. This flaw allows a user with root privileges on a managed node (qm) to create or override systemd service unit files that affect the host node. This issue can lead to privilege escalation, unauthorized service execution, and potential system compromise. 2025-12-24 7.2 CVE-2025-2515 https://access.redhat.com/security/cve/CVE-2025-2515
RHBZ#2353313
https://github.com/eclipse-bluechi/bluechi/commit/fe0d28301ce2bd45f0b1d8a98a94efef799fbc73#diff-64140c83db42a8888f346a40de293b80f79ebf7d75ce4137b22567e360bce607
https://github.com/eclipse-bluechi/bluechi/issues/1069
https://github.com/eclipse-bluechi/bluechi/pull/1073
 
Epic Games--Easy Anti-Cheat Epic Games Easy Anti-Cheat 4.0 contains an unquoted service path vulnerability that allows local non-privileged users to execute arbitrary code with elevated system privileges. Attackers can exploit the service configuration by inserting malicious code in the system root path that would execute with LocalSystem privileges during application startup. 2025-12-23 8.4 CVE-2021-47739 ExploitDB-49841
Epic Games Official Website
Easy Anti-Cheat Official Website
Zero Science Lab Disclosure (ZSL-2021-5652)
VulnCheck Advisory: Epic Games Easy Anti-Cheat 4.0 Local Privilege Escalation via Unquoted Service Path
 
FantasticLBP--Hotels_Server A security vulnerability has been detected in FantasticLBP Hotels_Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0. Affected by this issue is some unknown functionality of the file /controller/api/Room.php. Such manipulation of the argument hotelId leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-28 7.3 CVE-2025-15127 VDB-338505 | FantasticLBP Hotels_Server Room.php sql injection
VDB-338505 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #711809 | Github Hotels_Server v1.0 SQL Injection
https://github.com/liangmingpku/CVE/issues/1
 
fedify-dev--fedify Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2. 2025-12-22 7.5 CVE-2025-68475 https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93
https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc5488779
https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1f987a
https://github.com/fedify-dev/fedify/releases/tag/1.6.13
https://github.com/fedify-dev/fedify/releases/tag/1.7.14
https://github.com/fedify-dev/fedify/releases/tag/1.8.15
https://github.com/fedify-dev/fedify/releases/tag/1.9.2
 
FLIR Systems, Inc.--Brickstream 3D+ FLIR Brickstream 3D+ 2.1.742.1842 contains an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can retrieve video stream images by directly accessing multiple image endpoints like middleImage.jpg, rightimage.jpg, and leftimage.jpg. 2025-12-24 7.5 CVE-2018-25136 ExploitDB-45607
FLIR Brickstream Product Homepage
Zero Science Lab Disclosure (ZSL-2018-5496)
 
FLIR Systems, Inc.--FLIR AX8 Thermal Camera FLIR AX8 Thermal Camera 1.32.16 contains an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly connect to the RTSP stream using tools like VLC or FFmpeg to view and record thermal camera footage. 2025-12-24 7.5 CVE-2018-25139 ExploitDB-45606
FLIR Systems Official Product Homepage
Zero Science Lab Disclosure (ZSL-2018-5492)
 
FLIR Systems, Inc.--FLIR Brickstream 3D+ FLIR Brickstream 3D+ 2.1.742.1842 contains an unauthenticated vulnerability in the ExportConfig REST API that allows attackers to download sensitive configuration files. Attackers can exploit the getConfigExportFile.cgi endpoint to retrieve system configurations, potentially enabling authentication bypass and privilege escalation. 2025-12-24 7.5 CVE-2018-25137 ExploitDB-45599
FLIR Brickstream Product Homepage
Zero Science Lab Disclosure (ZSL-2018-5495)
 
FLIR Systems, Inc.--Thermal Traffic Cameras FLIR thermal traffic cameras contain an unauthenticated device manipulation vulnerability in their WebSocket implementation that allows attackers to bypass authentication and authorization controls. Attackers can directly modify device configurations, access system information, and potentially initiate denial of service by sending crafted WebSocket messages without authentication. 2025-12-24 7.5 CVE-2018-25140 ExploitDB-45539
FLIR Systems Official Website
Zero Science Lab Disclosure (ZSL-2018-5490)
 
FLIR Systems--FLIR AX8 Thermal Camera FLIR AX8 Thermal Camera 1.32.16 contains hard-coded SSH and web panel credentials that cannot be changed through normal camera operations. Attackers can exploit these persistent credentials to gain unauthorized shell access and login to multiple camera interfaces using predefined username and password combinations. 2025-12-24 7.5 CVE-2018-25138 ExploitDB-45629
FLIR Systems Official Product Homepage
Zero Science Lab Disclosure (ZSL-2018-5494)
 
FLIR--FLIR Thermal Traffic Cameras FLIR thermal traffic cameras contain an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly retrieve video streams by accessing specific endpoints like /live.mjpeg, /snapshot.jpg, and RTSP streaming URLs without authentication. 2025-12-24 7.5 CVE-2018-25141 ExploitDB-45537
FLIR Official Vendor Homepage
Zero Science Lab Disclosure (ZSL-2018-5489)
 
FluidSynth--fluidsynth FluidSynth is a software synthesizer based on the SoundFont 2 specifications. From versions 2.5.0 to before 2.5.2, a race condition during unloading of a DLS file can trigger a heap-based use-after-free. A concurrently running thread may be pending to unload a DLS file, leading to use of freed memory, if the synthesizer is being concurrently destroyed, or samples of the (unloaded) DLS file are concurrently used to synthesize audio. This issue has been patched in version 2.5.2. The problem will not occur, when explicitly unloading a DLS file (before synth destruction), provided that at the time of unloading, no samples of the respective file are used by active voices. The problem will not occur in versions of FluidSynth that have been compiled without native DLS support. 2025-12-23 7 CVE-2025-68617 https://github.com/FluidSynth/fluidsynth/security/advisories/GHSA-ffw2-xvvp-39ch
https://github.com/FluidSynth/fluidsynth/issues/1717
https://github.com/FluidSynth/fluidsynth/issues/1728
https://github.com/FluidSynth/fluidsynth/commit/685e54cdc44911ace31774260bd0c9ec89887491
https://github.com/FluidSynth/fluidsynth/commit/962b9946b5cb6b16f0c08b89dd1b7016d4fce886
 
FreyrSCADA--IEC-60870-5-104 FreyrSCADA/IEC-60870-5-104 server v21.06.008 allows remote attackers to cause a denial of service by sending specific message sequences. 2025-12-23 7.5 CVE-2024-9684 https://github.com/FreyrSCADA/IEC-60870-5-104/issues/6
https://drive.google.com/drive/folders/1pBPZR59d_rlixH7ZysUmmbOEZvjZV9g1
 
Gitea--Gitea Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API. 2025-12-26 8.2 CVE-2025-68939 https://blog.gitea.com/release-of-1.23.0/
https://github.com/go-gitea/gitea/releases/tag/v1.23.0
https://github.com/go-gitea/gitea/pull/32151
 
GnuPG--GnuPG In GnuPG through 2.4.8, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. 2025-12-28 7.8 CVE-2025-68973 https://gpg.fail/memcpy
https://news.ycombinator.com/item?id=46403200
https://www.openwall.com/lists/oss-security/2025/12/28/5
https://github.com/gpg/gnupg/commit/115d138ba599328005c5321c0ef9f00355838ca9
https://github.com/gpg/gnupg/blob/ff30683418695f5d2cc9e6cf8c9418e09378ebe4/g10/armor.c#L1305-L1306
 
Guangzhou V-SOLUTION Electronic Technology Co., Ltd.--SOL GPON/EPON OLT Platform V-SOL GPON/EPON OLT Platform v2.03 contains a privilege escalation vulnerability that allows normal users to gain administrative access by manipulating the user role parameter. Attackers can send a crafted HTTP POST request to the user management endpoint with 'user_role_mod' set to integer value '1' to elevate their privileges. 2025-12-24 9.8 CVE-2019-25237 ExploitDB-47435
V-SOL Official Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5538)
 
Guangzhou V-SOLUTION Electronic Technology--GPON/EPON OLT Platform V-SOL GPON/EPON OLT Platform 2.03 contains an unauthenticated information disclosure vulnerability that allows attackers to download configuration files via direct object reference. Attackers can retrieve sensitive configuration data by sending HTTP GET requests to the usrcfg.conf endpoint, potentially enabling authentication bypass and system access. 2025-12-24 7.5 CVE-2019-25239 ExploitDB-47433
V-SOL Official Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5534)
 
Hasura--Hasura GraphQL Hasura GraphQL 1.3.3 contains a denial of service vulnerability that allows attackers to overwhelm the service by crafting malicious GraphQL queries with excessive nested fields. Attackers can send repeated requests with extremely long query strings and multiple threads to consume server resources and potentially crash the GraphQL endpoint. 2025-12-22 7.5 CVE-2021-47713 ExploitDB-49789
Hasura GraphQL Engine GitHub Repository
VulnCheck Advisory: Hasura GraphQL 1.3.3 Denial of Service via Malicious GraphQL Query
 
Hitachi--Hitachi Infrastructure Analytics Advisor Cross-site Scripting vulnerability in Hitachi Infrastructure Analytics Advisor (Data Center Analytics component) and Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component).This issue affects Hitachi Infrastructure Analytics Advisor:; Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.5-00. 2025-12-24 8.2 CVE-2025-66444 https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2025-133/index.html
 
Hitachi--Hitachi Infrastructure Analytics Advisor Authorization bypass vulnerability in Hitachi Infrastructure Analytics Advisor (Data Center Analytics component) and Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component).This issue affects Hitachi Infrastructure Analytics Advisor:; Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.5-00. 2025-12-24 7.1 CVE-2025-66445 https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2025-133/index.html
 
Hotech Software Inc.--Otello Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Hotech Software Inc. Otello allows Stored XSS.This issue affects Otello: from 2.4.0 before 2.4.4. 2025-12-23 7.3 CVE-2025-13183 https://www.usom.gov.tr/bildirim/tr-25-0476
 
IBM--API Connect IBM API Connect 10.0.8.0 through 10.0.8.5, and 10.0.11.0 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application. 2025-12-26 9.8 CVE-2025-13915 https://www.ibm.com/support/pages/node/7255149
 
IBM--Concert IBM Concert 1.0.0 through 2.1.0 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system. 2025-12-26 7.8 CVE-2025-12771 https://www.ibm.com/support/pages/node/7255549
 
IBM--Concert IBM Concert 1.0.0 through 2.1.0 could allow a local user to escalate their privileges due to a race condition of a symbolic link. 2025-12-26 7.7 CVE-2025-64645 https://www.ibm.com/support/pages/node/7255549
 
IdeaBox Creations--PowerPack Pro for Elementor Missing Authorization vulnerability in IdeaBox Creations PowerPack Pro for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PowerPack Pro for Elementor: from n/a through 2.10.6. 2025-12-23 7.5 CVE-2024-24844 https://vdp.patchstack.com/database/wordpress/plugin/powerpack-elements/vulnerability/wordpress-powerpack-pro-for-elementor-plugin-2-10-6-unauthenticated-plugin-settings-reset-vulnerability?_s_id=cve
 
InternLM--lmdeploy LMDeploy is a toolkit for compressing, deploying, and serving LLMs. Prior to version 0.11.1, an insecure deserialization vulnerability exists in lmdeploy where torch.load() is called without the weights_only=True parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim's machine when they load a malicious .bin or .pt model file. This issue has been patched in version 0.11.1. 2025-12-26 8.8 CVE-2025-67729 https://github.com/InternLM/lmdeploy/security/advisories/GHSA-9pf3-7rrr-x5jh
https://github.com/InternLM/lmdeploy/commit/eb04b4281c5784a5cff5ea639c8f96b33b3ae5ee
 
iSeeQ--Hybrid DVR WH-H4 iSeeQ Hybrid DVR WH-H4 1.03R contains an unauthenticated vulnerability in the get_jpeg script that allows unauthorized access to live video streams. Attackers can retrieve video snapshots from specific camera channels by sending requests to the /cgi-bin/get_jpeg endpoint without authentication. 2025-12-24 9.8 CVE-2019-25236 ExploitDB-47562
iSeeQ Official Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5539)
 
itsourcecode--Online Frozen Foods Ordering System A vulnerability was determined in itsourcecode Online Frozen Foods Ordering System 1.0. This affects an unknown part of the file /contact_us.php. This manipulation of the argument Name causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. 2025-12-24 7.3 CVE-2025-15073 VDB-338330 | itsourcecode Online Frozen Foods Ordering System contact_us.php sql injection
VDB-338330 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721321 | itsourcecode Online Frozen Foods Ordering System v1.0 SQL Injection
https://github.com/24ggee/CVE/issues/1
https://itsourcecode.com/
 
itsourcecode--Online Frozen Foods Ordering System A vulnerability was identified in itsourcecode Online Frozen Foods Ordering System 1.0. This vulnerability affects unknown code of the file /customer_details.php. Such manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. 2025-12-25 7.3 CVE-2025-15074 VDB-338331 | itsourcecode Online Frozen Foods Ordering System customer_details.php sql injection
VDB-338331 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721389 | itsourcecode Online Frozen Foods Ordering System v1.0 SQL Injection
https://github.com/ttting888/CVE/issues/1
https://itsourcecode.com/
 
itsourcecode--Student Management System A security flaw has been discovered in itsourcecode Student Management System 1.0. This affects an unknown part of the file /record.php. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited. 2025-12-23 7.3 CVE-2025-15034 VDB-337747 | itsourcecode Student Management System record.php sql injection
VDB-337747 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #720615 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/ltranquility/CVE/issues/29
https://itsourcecode.com/
 
itsourcecode--Student Management System A security flaw has been discovered in itsourcecode Student Management System 1.0. This issue affects some unknown processing of the file /student_p.php. Performing manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. 2025-12-25 7.3 CVE-2025-15075 VDB-338332 | itsourcecode Student Management System student_p.php sql injection
VDB-338332 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721406 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/ltranquility/CVE/issues/30
https://itsourcecode.com/
 
itsourcecode--Student Management System A security vulnerability has been detected in itsourcecode Student Management System 1.0. The affected element is an unknown function of the file /form137.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. 2025-12-25 7.3 CVE-2025-15077 VDB-338334 | itsourcecode Student Management System form137.php sql injection
VDB-338334 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721484 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/BUPT424201/CVE/issues/2
https://itsourcecode.com/
 
itsourcecode--Student Management System A vulnerability was detected in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /list_report.php. The manipulation of the argument sy results in sql injection. The attack may be launched remotely. The exploit is now public and may be used. 2025-12-25 7.3 CVE-2025-15078 VDB-338335 | itsourcecode Student Management System list_report.php sql injection
VDB-338335 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721485 | itsourcecode Student Management System V1.0 SQL Injection
https://github.com/BUPT424201/CVE/issues/3
https://itsourcecode.com/
 
iWT Ltd.--FaceSentry Access Control System FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability in pingTest.php and tcpPortTest.php scripts. Attackers can exploit unsanitized input parameters to inject and execute arbitrary shell commands with root privileges by manipulating the 'strInIP' and 'strInPort' parameters. 2025-12-24 8.8 CVE-2019-25243 ExploitDB-47064
Official Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5523)
 
iWT Ltd.--FaceSentry Access Control System FaceSentry Access Control System 6.4.8 contains a critical authentication vulnerability with hard-coded SSH credentials for the wwwuser account. Attackers can leverage the insecure sudoers configuration to escalate privileges and gain root access by executing sudo commands without authentication. 2025-12-24 7.5 CVE-2019-25241 ExploitDB-47067
Vendor Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5526)
 
jackq--XCMS A flaw has been found in jackq XCMS up to 3fab5342cc509945a7ce1b8ec39d19f701b89261. This impacts an unknown function of the file Public/javascripts/admin/plupload-2.1.2/examples/upload.php. This manipulation causes unrestricted upload. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-27 7.3 CVE-2025-15109 VDB-338480 | jackq XCMS upload.php unrestricted upload
VDB-338480 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #711696 | XCMS 1.0 Unrestricted Upload
https://gitee.com/jackq/XCMS/issues/IDC4ZT
 
kermitproject--C-Kermit C-Kermit (aka ckermit) through 10.0 Beta.12 (aka 416-beta12) before 244644d allows a remote Kermit system to overwrite files on the local system, or retrieve arbitrary files from the local system. 2025-12-24 8.9 CVE-2025-68920 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123025
https://github.com/KermitProject/ckermit/pull/20
https://www.kermitproject.org/ftp/kermit/test/tar/
https://www.complete.org/kermit/
 
kiboit--PhastPress The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded paths, and `appendNormalized()` which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path. 2025-12-23 9.8 CVE-2025-14388 https://www.wordfence.com/threat-intel/vulnerabilities/id/eec9bbc0-5a68-4624-a672-bd6227d6fa45?source=cve
https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9641
https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9608
https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9570
https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9597
https://plugins.trac.wordpress.org/changeset/3418139
 
KYOCERA Corporation--KYOCERA Net Admin KYOCERA Net Admin 3.4.0906 contains an XML External Entity (XXE) injection vulnerability in the Multi-Set Template Editor that allows unauthenticated attackers to read arbitrary system files. Attackers can craft a malicious XML file with external entity references to retrieve sensitive configuration data like database credentials through an out-of-band channel attack. 2025-12-24 7.5 CVE-2019-25253 ExploitDB-44430
Kyocera Official Website
Zero Science Lab Disclosure (ZSL-2018-5459)
 
langchain-ai--langchain LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5. 2025-12-23 9.3 CVE-2025-68664 https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm
https://github.com/langchain-ai/langchain/pull/34455
https://github.com/langchain-ai/langchain/pull/34458
https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8
https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6
https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81
https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5
 
langchain-ai--langchainjs LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when string-ifying objects using JSON.stringify(). The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in @langchain/core versions 0.3.80 and 1.1.8, and langchain versions 0.3.37 and 1.2.3 2025-12-23 8.6 CVE-2025-68665 https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-r399-636x-v7f6
https://github.com/langchain-ai/langchainjs/commit/e5063f9c6e9989ea067dfdff39262b9e7b6aba62
https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcore%401.1.8
https://github.com/langchain-ai/langchainjs/releases/tag/langchain%401.2.3
 
Leica Geosystems AG--GR10/GR25/GR30/GR50 GNSS Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 contains a stored cross-site scripting vulnerability in the configuration file upload functionality. Attackers can upload a malicious HTML file to that executes arbitrary JavaScript in a user's browser session when viewed. 2025-12-24 7.2 CVE-2018-25131 ExploitDB-46091
Leica Geosystems Official Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5503)
 
lemon8866--StreamVault StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to configure yt-dlp arguments via the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and subsequently used in YtDlpUtil.java when constructing the command line to execute yt-dlp. This issue has been patched in version 251126. 2025-12-26 10 CVE-2025-66203 https://github.com/lemon8866/StreamVault/security/advisories/GHSA-c747-q388-3v6m
https://github.com/lemon8866/StreamVault/releases/tag/251226
 
LogicalDOC Srl--LogicalDOC Enterprise LogicalDOC Enterprise 7.7.4 contains multiple post-authentication file disclosure vulnerabilities that allow attackers to read arbitrary files through unverified 'suffix' and 'fileVersion' parameters. Attackers can exploit directory traversal techniques in /thumbnail and /convertpdf endpoints to access sensitive system files like win.ini and /etc/passwd by manipulating path traversal sequences. 2025-12-24 7.5 CVE-2019-25258 ExploitDB-44019
LogicalDOC Official Product Homepage
Zero Science Lab Disclosure (ZSL-2018-5450)
 
luiswang--WebTareas WebTareas 2.4 contains a file upload vulnerability that allows authenticated users to upload malicious PHP files through the chat photo upload functionality. Attackers can upload a PHP file with arbitrary code to the /files/Messages/ directory and execute it directly through the generated file path. 2025-12-22 8.8 CVE-2023-53971 ExploitDB-51089
WebTareas Project Homepage
VulnCheck Advisory: WebTareas 2.4 Authenticated Remote Code Execution via File Upload
 
luiswang--WebTareas WebTareas 2.4 contains a SQL injection vulnerability in the webTareasSID cookie parameter that allows unauthenticated attackers to manipulate database queries. Attackers can exploit error-based and time-based blind SQL injection techniques to extract database information and potentially access sensitive system data. 2025-12-22 7.5 CVE-2023-53972 ExploitDB-51087
WebTareas Project Homepage
VulnCheck Advisory: WebTareas 2.4 Unauthenticated SQL Injection via Session Cookie Parameter
 
Mattermost--Mattermost Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost Jira plugin versions <=4.4.0 fail to enforce authentication and issue-key path restrictions in the Jira plugin, which allows an unauthenticated attacker who knows a valid user ID to issue authenticated GET and POST requests to the Jira server via crafted plugin payloads that spoof the user ID and inject arbitrary issue key paths. Mattermost Advisory ID: MMSA-2025-00555 2025-12-22 7.2 CVE-2025-14273 https://mattermost.com/security-updates
 
MegaSys Computer Technologies--Telenium Online Web Application Telenium Online Web Application is vulnerable due to a Perl script that is called to load the login page. Due to improper input validation, an attacker can inject arbitrary Perl code through a crafted HTTP request, leading to remote code execution on the server. 2025-12-24 9.8 CVE-2025-8769 https://megasys.com/support/
https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-04
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2024/icsa-24-263-04.json
 
Microhard Systems--Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Backdoor Jailbreak Microhard Systems IPn4G 1.1.0 contains a service vulnerability that allows authenticated users to enable a restricted SSH shell with a default 'msshc' user. Attackers can exploit a custom 'ping' command in the NcFTP environment to escape the restricted shell and execute commands with root privileges. 2025-12-24 8.8 CVE-2018-25143 ExploitDB-45041
Microhard Systems Product Homepage
Zero Science Lab Disclosure (ZSL-2018-5486)
 
Microhard Systems--Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Default Credentials Microhard Systems IPn4G 1.1.0 contains hardcoded default credentials that cannot be changed through normal gateway operations. Attackers can exploit these default credentials to gain unauthorized root-level access to the device by logging in with predefined username and password combinations. 2025-12-24 7.5 CVE-2018-25147 ExploitDB-45040
Microhard Systems Product Homepage
Zero Science Lab Disclosure (ZSL-2018-5480)
 
Microhard Systems--Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Remote Root Exploit Microhard Systems IPn4G 1.1.0 contains multiple authenticated remote code execution vulnerabilities in the admin interface that allow attackers to create crontab jobs and modify system startup scripts. Attackers can exploit hidden admin features to execute arbitrary commands with root privileges, including starting services, disabling firewalls, and writing files to the system. 2025-12-24 8.8 CVE-2018-25148 ExploitDB-45038
Microhard Systems Product Web Page
Zero Science Lab Disclosure (ZSL-2018-5479)
 
Mitsubishi Electric Europe--smartRTU A remote unauthenticated attacker may be able to bypass authentication by utilizing a specific API route to execute arbitrary OS commands. 2025-12-24 7.5 CVE-2025-3232 https://emea.mitsubishielectric.com/fa/products/quality/quality-news-information
https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-09
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-105-09.json
 
Mybb--MyBB MyBB 1.8.32 contains a chained vulnerability that allows authenticated administrators to bypass avatar upload restrictions and execute arbitrary code. Attackers can modify upload path settings, upload a malicious PHP-embedded image file, and execute commands through the language configuration editing interface. 2025-12-22 8.8 CVE-2023-53979 ExploitDB-51213
Official MyBB Vendor Homepage
Researcher Disclosure
VulnCheck Advisory: MyBB 1.8.32 Authenticated Remote Code Execution via Chained Vulnerabilities
 
Keycloak--Keycloak A flaw was found in Keycloak. This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) by repeatedly initiating TLS 1.2 client-initiated renegotiation requests to exhaust server CPU resources, making the service unavailable. 2025-12-23 7.5 CVE-2025-11419 RHSA-2025:18254
RHSA-2025:18255
RHSA-2025:18889
RHSA-2025:18890
https://access.redhat.com/security/cve/CVE-2025-11419
RHBZ#2402142
 
PuneethReddyHC--PuneethReddyHC event-management 1.0 Improper input handling in /Grocery/search_products_itname.php inPuneethReddyHC event-management 1.0 permits SQL injection via the sitem_name POST parameter. Crafted payloads can alter query logic and disclose database contents. Exploitation may result in sensitive data disclosure and backend compromise. 2025-12-23 9.8 CVE-2025-65354 https://www.notion.so/JD-Cloud-Unauth-RCE-2d22b76e8e0c802c975bf186b208d0c2
 
n8n-io--n8n n8n is an open source workflow automation platform. From version 1.0.0 to before 2.0.0, a sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process. This issue has been patched in version 2.0.0. Workarounds for this issue involve disabling the Code Node by setting the environment variable NODES_EXCLUDE: "[\"n8n-nodes-base.code\"]", disabling Python support in the Code node by setting the environment variable N8N_PYTHON_ENABLED=false, which was introduced in n8n version 1.104.0, and configuring n8n to use the task runner based Python sandbox via the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables. 2025-12-26 9.9 CVE-2025-68668 https://github.com/n8n-io/n8n/security/advisories/GHSA-62r4-hw23-cc8v
 
n8n-io--n8n n8n is an open source workflow automation platform. Prior to version 1.114.0, a stored Cross-Site Scripting (XSS) vulnerability may occur in n8n when using the "Respond to Webhook" node. When this node responds with HTML content containing executable scripts, the payload may execute directly in the top-level window, rather than within the expected sandbox introduced in version 1.103.0. This behavior can enable a malicious actor with workflow creation permissions to execute arbitrary JavaScript in the context of the n8n editor interface. This issue has been patched in version 1.114.0. Workarounds for this issue involve restricting workflow creation and modification privileges to trusted users only, avoiding use of untrusted HTML responses in the "Respond to Webhook" node, and using an external reverse proxy or HTML sanitizer to filter responses that include executable scripts. 2025-12-26 7.3 CVE-2025-61914 https://github.com/n8n-io/n8n/security/advisories/GHSA-58jc-rcg5-95f3
 
n8n-io--n8n n8n is an open source workflow automation platform. Prior to version 2.0.0, in self-hosted n8n instances where the Code node runs in legacy (non-task-runner) JavaScript execution mode, authenticated users with workflow editing access can invoke internal helper functions from within the Code node. This allows a workflow editor to perform actions on the n8n host with the same privileges as the n8n process, including: reading files from the host filesystem (subject to any file-access restrictions configured on the instance and OS/container permissions), and writing files to the host filesystem (subject to the same restrictions). This issue has been patched in version 2.0.0. Workarounds for this issue involve limiting file operations by setting N8N_RESTRICT_FILE_ACCESS_TO to a dedicated directory (e.g., ~/.n8n-files) and ensure it contains no sensitive data, keeping N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES=true (default) to block access to .n8n and user-defined config files, and disabling high-risk nodes (including the Code node) using NODES_EXCLUDE if workflow editors are not fully trusted. 2025-12-26 7.1 CVE-2025-68697 https://github.com/n8n-io/n8n/security/advisories/GHSA-j4p8-h8mh-rh8q
 
nanbingxyz--5ire 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. In versions 0.15.2 and prior, an RCE vulnerability exists in useMarkdown.ts, where the markdown-it-mermaid plugin is initialized with securityLevel: 'loose'. This configuration explicitly permits the rendering of HTML tags within Mermaid diagram nodes. This issue has not been patched at time of publication. 2025-12-23 9.7 CVE-2025-68669 https://github.com/nanbingxyz/5ire/security/advisories/GHSA-5hpf-p8fw-j349
https://github.com/nanbingxyz/5ire/blob/c40d05a2b546094789fc727daa5383bb15034442/src/hooks/useMarkdown.ts#L156
https://github.com/nanbingxyz/5ire/releases/tag/v0.15.2
 
nanomq--nanomq NanoMQ MQTT Broker (NanoMQ) is an Edge Messaging Platform. Prior to version 0.24.2, there is a classical data racing issue about sub info list which could result in heap use after free crash. This issue has been patched in version 0.24.2. 2025-12-27 7.5 CVE-2025-59946 https://github.com/nanomq/nanomq/security/advisories/GHSA-xg37-23w7-72p5
https://github.com/nanomq/nanomq/issues/1863
 
net-snmp--net-snmp net-snmp is a SNMP application library, tools and daemon. Prior to versions 5.9.5 and 5.10.pre2, a specially crafted packet to an net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash. This issue has been patched in versions 5.9.5 and 5.10.pre2. 2025-12-22 9.8 CVE-2025-68615 https://github.com/net-snmp/net-snmp/security/advisories/GHSA-4389-rwqf-q9gq
 
NetBT Consulting Services Inc.--e-Fatura Unquoted Search Path or Element vulnerability in NetBT Consulting Services Inc. E-Fatura allows Leveraging/Manipulating Configuration File Search Paths, Redirect Access to Libraries.This issue affects e-Fatura: before 1.2.15. 2025-12-22 7.3 CVE-2025-14018 https://www.usom.gov.tr/bildirim/tr-25-0474
 
NovaRad Corporation--NovaPACS Diagnostics Viewer NovaRad NovaPACS Diagnostics Viewer 8.5.19.75 contains an unauthenticated XML External Entity (XXE) injection vulnerability in XML preference import settings. Attackers can craft malicious XML files with DTD parameter entities to retrieve arbitrary system files through an out-of-band channel attack. 2025-12-24 9.8 CVE-2018-25142 ExploitDB-45337
NovaRad Corporation Product Homepage
Zero Science Lab Disclosure (ZSL-2018-5488)
 
NVIDIA--Isaac Launchable NVIDIA Isaac Launchable contains a vulnerability where an attacker could exploit a hard-coded credential issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, and data tampering. 2025-12-23 9.8 CVE-2025-33222 https://nvd.nist.gov/vuln/detail/CVE-2025-33222
https://www.cve.org/CVERecord?id=CVE-2025-33222
https://nvidia.custhelp.com/app/answers/detail/a_id/5749
 
NVIDIA--Isaac Launchable NVIDIA Isaac Launchable contains a vulnerability where an attacker could cause an execution with unnecessary privileges. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, information disclosure and data tampering. 2025-12-23 9.8 CVE-2025-33223 https://nvd.nist.gov/vuln/detail/CVE-2025-33223
https://www.cve.org/CVERecord?id=CVE-2025-33223
https://nvidia.custhelp.com/app/answers/detail/a_id/5749
 
NVIDIA--Isaac Launchable NVIDIA Isaac Launchable contains a vulnerability where an attacker could cause an execution with unnecessary privileges. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, information disclosure and data tampering. 2025-12-23 9.8 CVE-2025-33224 https://nvd.nist.gov/vuln/detail/CVE-2025-33224
https://www.cve.org/CVERecord?id=CVE-2025-33224
https://nvidia.custhelp.com/app/answers/detail/a_id/5749
 
OpenOps--OpenOps OpenOps before 0.6.11 allows remote code execution in the Terraform block. 2025-12-24 7.4 CVE-2025-68922 https://github.com/openops-cloud/openops/pull/1767
https://linear.app/openops/issue/OPS-3254
https://github.com/openops-cloud/openops/releases/tag/0.6.11
https://github.com/openops-cloud/openops/compare/0.6.10...0.6.11
 
Orangescrum--orangescrum Orangescrum 1.8.0 contains a privilege escalation vulnerability that allows authenticated users to take over other project-assigned accounts by manipulating session cookies. Attackers can extract the victim's unique ID from the page source and replace their own session cookie to gain unauthorized access to another user's account. 2025-12-23 8.8 CVE-2021-47721 ExploitDB-50551
Official Product Homepage
VulnCheck Advisory: Orangescrum 1.8.0 Authenticated Privilege Escalation via User Session Manipulation
 
Orangescrum--orangescrum Orangescrum 1.8.0 contains an authenticated SQL injection vulnerability that allows authorized users to manipulate database queries through multiple vulnerable parameters. Attackers can inject malicious SQL code into parameters like old_project_id, project_id, uuid, and uniqid to potentially extract or modify database information. 2025-12-23 7.1 CVE-2021-47720 ExploitDB-50553
Official Product Homepage
VulnCheck Advisory: Orangescrum 1.8.0 Authenticated SQL Injection via Multiple Parameters
 
Pexip--Infinity Pexip Infinity 15.0 through 38.0 before 38.1 has Improper Access Control in the Secure Scheduler for Exchange service, when used with Office 365 Legacy Exchange Tokens. This allows a remote attacker to read potentially sensitive data and excessively consume resources, leading to a denial of service. 2025-12-25 8.2 CVE-2025-59683 https://docs.pexip.com/admin/security_bulletins.htm
 
Pexip--Infinity Pexip Infinity before 37.0 has improper input validation in signalling that allows a remote attacker to trigger a software abort via a crafted signalling message, resulting in a denial of service. 2025-12-25 7.5 CVE-2025-32095 https://docs.pexip.com/admin/security_bulletins.htm
 
Pexip--Infinity Pexip Infinity 33.0 through 37.0 before 37.1 has improper input validation in signaling that allows an attacker to trigger a software abort, resulting in a denial of service. 2025-12-25 7.5 CVE-2025-32096 https://docs.pexip.com/admin/security_bulletins.htm
 
Pexip--Infinity Pexip Infinity 35.0 through 37.2 before 38.0 has Improper Input Validation in signalling that allows an attacker to trigger a software abort, resulting in a denial of service. 2025-12-25 7.5 CVE-2025-48704 https://docs.pexip.com/admin/security_bulletins.htm
 
Pexip--Infinity Pexip Infinity before 39.0 has Missing Authentication for a Critical Function in a product-internal API, allowing an attacker (who already has access to execute code on one node within a Pexip Infinity installation) to impact the operation of other nodes within the installation. 2025-12-25 7.5 CVE-2025-66377 https://docs.pexip.com/admin/security_bulletins.htm
 
Pexip--Infinity Pexip Infinity before 39.0 has Improper Input Validation in the media implementation, allowing a remote attacker to trigger a software abort via a crafted media stream, resulting in a denial of service. 2025-12-25 7.5 CVE-2025-66379 https://docs.pexip.com/admin/security_bulletins.htm
 
Pexip--Infinity Pexip Infinity 35.0 through 38.1 before 39.0, in non-default configurations that use Direct Media for WebRTC, has Improper Input Validation in signalling that allows an attacker to trigger a software abort, resulting in a temporary denial of service. 2025-12-25 7.5 CVE-2025-66443 https://docs.pexip.com/admin/security_bulletins.htm
 
ProjectSend--projectSend ProjectSend r1605 contains a remote code execution vulnerability that allows attackers to upload malicious files by manipulating file extensions. Attackers can upload shell scripts with disguised extensions through the upload.process.php endpoint to execute arbitrary commands on the server. 2025-12-22 9.8 CVE-2023-53980 ExploitDB-51238
Official Product Homepage
VulnCheck Advisory: ProjectSend r1605 Remote Code Execution via File Extension Manipulation
 
Ragic--Enterprise Cloud Database Enterprise Cloud Database developed by Ragic has a Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information and log into the system as any user. 2025-12-22 9.8 CVE-2025-15016 https://www.twcert.org.tw/tw/cp-132-10587-797c6-1.html
https://www.twcert.org.tw/en/cp-139-10588-771e5-2.html
 
Ragic--Enterprise Cloud Database Enterprise Cloud Database developed by Ragic has a Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. 2025-12-22 7.5 CVE-2025-15015 https://www.twcert.org.tw/tw/cp-132-10587-797c6-1.html
https://www.twcert.org.tw/en/cp-139-10588-771e5-2.html
 
Riello--NetMan Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/certsupload.cgi /../ directory traversal for file upload with resultant code execution. 2025-12-24 9.1 CVE-2025-68916 https://github.com/gerico-lab/riello-multiple-vulnerabilities-2025
 
Rifatron Co., Ltd.--DVR Rifatron 5brid DVR contains an unauthenticated vulnerability in the animate.cgi script that allows unauthorized access to live video streams. Attackers can exploit the Mobile Web Viewer module by specifying channel numbers to retrieve sequential video snapshots without authentication. 2025-12-24 9.8 CVE-2019-25240 ExploitDB-47368
Rifatron Official Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5532)
 
Ross Video Ltd.--DashBoard Ross Video DashBoard 8.5.1 contains an elevation of privileges vulnerability that allows authenticated users to modify executable files due to improper permission settings. Attackers can exploit the 'M' or 'C' flags for 'Authenticated Users' group to replace the DashBoard.exe binary with a malicious executable. 2025-12-24 8.8 CVE-2019-25245 ExploitDB-46742
Ross Video Official Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5516)
 
Ruben Garcia--AutomatorWP Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ruben Garcia AutomatorWP allows SQL Injection.This issue affects AutomatorWP: from n/a through 5.2.4. 2025-12-23 7.6 CVE-2025-68561 https://vdp.patchstack.com/database/wordpress/plugin/automatorwp/vulnerability/wordpress-automatorwp-plugin-5-2-4-sql-injection-vulnerability?_s_id=cve
 
saiftheboss7--onlinemcqexam A vulnerability was found in saiftheboss7 onlinemcqexam up to 0e56806132971e49721db3ef01868098c7b42ada. This vulnerability affects unknown code of the file /admin/quesadd.php. Performing manipulation of the argument ans1/ans2 results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. This product adopts a rolling release strategy to maintain continuous delivery The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-28 7.3 CVE-2025-15140 VDB-338518 | saiftheboss7 onlinemcqexam quesadd.php sql injection
VDB-338518 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #715219 | Github Online MCQ EXAM V1.0 SQL Injection
Submit #715463 | github.com An online MCQ Exam system v1.0 SQL Injection (Duplicate)
https://github.com/Anti1i/cve/issues/4
 
Sigb--PMB PMB 7.4.6 contains a SQL injection vulnerability in the storage parameter of the ajax.php endpoint that allows remote attackers to manipulate database queries. Attackers can exploit the unsanitized 'id' parameter by injecting conditional sleep statements to extract information or perform time-based blind SQL injection attacks. 2025-12-23 8.2 CVE-2023-53982 ExploitDB-51197
Vendor Homepage
Software Download Repository
VulnCheck Advisory: PMB 7.4.6 SQL Injection Vulnerability via Unsanitized Storage Parameter
 
simstudioai--sim A vulnerability was identified in simstudioai sim up to 0.5.27. This vulnerability affects unknown code of the file apps/sim/lib/auth/internal.ts of the component CRON Secret Handler. The manipulation of the argument INTERNAL_API_SECRET leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is e359dc2946b12ed5e45a0ec9c95ecf91bd18502a. Applying a patch is the recommended action to fix this issue. 2025-12-26 7.3 CVE-2025-15099 VDB-338430 | simstudioai sim CRON Secret internal.ts improper authentication
VDB-338430 | CTI Indicators (IOB, IOC, IOA)
Submit #710255 | https://github.com/simstudioai https://github.com/simstudioai/sim ≤ v0.5.21 Authentication Bypass by Primary Weakness
https://gist.github.com/H2u8s/c533741e1b36f6245d41cace89a7f4d2
https://github.com/simstudioai/sim/pull/2343
https://gist.github.com/H2u8s/c533741e1b36f6245d41cace89a7f4d2#-steps-to-reproduce
https://github.com/simstudioai/sim/commit/e359dc2946b12ed5e45a0ec9c95ecf91bd18502a
 
Smartwares--Smartwares HOME easy Smartwares HOME easy 1.0.9 contains an authentication bypass vulnerability that allows unauthenticated attackers to access administrative web pages by disabling JavaScript. Attackers can navigate to multiple administrative endpoints and to bypass client-side validation and access sensitive system information. 2025-12-24 9.8 CVE-2019-25235 ExploitDB-47595
Official Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5540)
 
SOCA Technology Co., Ltd--SOCA Access Control System SOCA Access Control System 180612 contains multiple SQL injection vulnerabilities that allow attackers to manipulate database queries through unvalidated POST parameters. Attackers can bypass authentication, retrieve password hashes, and gain administrative access with full system privileges by exploiting injection flaws in Login.php and Card_Edit_GetJson.php. 2025-12-24 8.2 CVE-2018-25128 ExploitDB-46833
SOCA Technology Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5519)
 
SOCA Technology Co., Ltd--SOCA Access Control System SOCA Access Control System 180612 contains multiple insecure direct object reference vulnerabilities that allow attackers to access sensitive user credentials. Attackers can retrieve authenticated and unauthenticated user password hashes and pins through unprotected endpoints like Get_Permissions_From_DB.php and Ac10_ReadSortCard. 2025-12-24 7.5 CVE-2018-25129 ExploitDB-46832
SOCA Technology Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5517)
 
SOUND4 Ltd.--Impact/Pulse/First SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an insecure direct object reference vulnerability that allows attackers to bypass authorization and access hidden system resources. Attackers can exploit the vulnerability by manipulating user-supplied input to execute privileged functionalities without proper authentication. 2025-12-22 9.8 CVE-2023-53955 ExploitDB-51169
SOUND4 Official Product Homepage
Zero Science Lab Disclosure (ZSL-2022-5723)
VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x Authorization Bypass via Insecure Object References
 
SOUND4 Ltd.--Impact/Pulse/First SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated OS command injection vulnerability that allows remote attackers to execute arbitrary shell commands through the 'password' parameter. Attackers can exploit the login.php and index.php scripts by injecting shell commands via the 'password' POST parameter to execute commands with web server privileges. 2025-12-22 9.8 CVE-2023-53963 ExploitDB-51173
SOUND4 Official Product Homepage
Zero Science Lab Disclosure (ZSL-2022-5738)
VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x Unauthenticated Remote Command Injection
 
SOUND4 Ltd.--Impact/Pulse/First SOUND4 IMPACT/FIRST/PULSE/Eco version 2.x contains an SQL injection vulnerability in the 'index.php' authentication mechanism that allows attackers to manipulate login credentials. Attackers can inject malicious SQL code through the 'password' POST parameter to bypass authentication and potentially gain unauthorized access to the system. 2025-12-22 8.2 CVE-2023-53960 ExploitDB-51171
SOUND4 Official Product Homepage
Zero Science Lab Disclosure (ZSL-2022-5726)
VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x SQL Injection via Authentication Bypass
 
SOUND4 Ltd.--Impact/Pulse/First SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated directory traversal vulnerability that allows remote attackers to write arbitrary files through the 'upgfile' parameter in upload.cgi. Attackers can exploit the vulnerability by sending crafted multipart form-data POST requests with directory traversal sequences to write files to unintended system locations. 2025-12-22 7.5 CVE-2023-53962 ExploitDB-51172
SOUND4 Official Product Homepage
Zero Science Lab Disclosure (ZSL-2022-5730)
VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x Unauthenticated Directory Traversal File Write
 
SOUND4 Ltd.--Impact/Pulse/First SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated vulnerability in the /usr/cgi-bin/restorefactory.cgi endpoint that allows remote attackers to reset device configuration. Attackers can send a POST request to the endpoint with specific data to trigger a factory reset and bypass authentication, gaining full system control. 2025-12-22 7.5 CVE-2023-53964 ExploitDB-51174
SOUND4 Official Product Homepage
Zero Science Lab Disclosure (ZSL-2022-5742)
VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x Unauthenticated Factory Reset Vulnerability
 
SOUND4 Ltd.--SOUND4 LinkAndShare Transmitter SOUND4 LinkAndShare Transmitter 1.1.2 contains a format string vulnerability that allows attackers to trigger memory stack overflows through maliciously crafted environment variables. Attackers can manipulate the username environment variable with format string payloads to potentially execute arbitrary code and crash the application. 2025-12-22 9.8 CVE-2023-53966 ExploitDB-51259
SOUND4 Official Product Homepage
Zero Science Lab Disclosure (ZSL-2022-5744)
VulnCheck Advisory: SOUND4 LinkAndShare Transmitter 1.1.2 Format String Stack Buffer Overflow
 
SOUND4 Ltd.--SOUND4 Server Service SOUND4 Server Service 4.1.102 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted binary path by inserting malicious code in the system root path that could execute with LocalSystem privileges during service startup. 2025-12-22 8.4 CVE-2023-53965 ExploitDB-51167
SOUND4 Official Website
Zero Science Lab Disclosure (ZSL-2022-5721)
VulnCheck Advisory: SOUND4 Server Service 4.1.102 Local Privilege Escalation via Unquoted Service Path
 
Synaccess Networks Inc.--netBooter NP-02x/NP-08x Synaccess netBooter NP-02x/NP-08x 6.8 contains an authentication bypass vulnerability in the webNewAcct.cgi script that allows unauthenticated attackers to create admin user accounts. Attackers can exploit the missing control check by sending crafted POST requests to create administrative accounts and gain unauthorized control over power supply management. 2025-12-24 9.8 CVE-2018-25134 ExploitDB-45920
Vendor Product Homepage
Zero Science Lab Disclosure (ZSL-2018-5500)
 
Tenda--CH22 A weakness has been identified in Tenda CH22 1.0.0.1. Impacted is an unknown function of the file /public/. Executing manipulation can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. 2025-12-25 7.3 CVE-2025-15076 VDB-338333 | Tenda CH22 public path traversal
VDB-338333 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721411 | Tenda CH22 V1.0.0.1 Authentication Bypass Issues
https://github.com/master-abc/cve/blob/main/Tenda%20CH22%20V1.0.0.1%20Router%20Authentication%20Bypass%20Vulnerability%20in%20R7WebsSecurityHandler%20function.md
https://www.tenda.com.cn/
 
Tenda--WH450 A weakness has been identified in Tenda WH450 1.0.0.18. Affected by this vulnerability is an unknown functionality of the file /goform/CheckTools of the component HTTP Request Handler. This manipulation of the argument ipaddress causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. 2025-12-22 9.8 CVE-2025-15006 VDB-337712 | Tenda WH450 HTTP Request CheckTools stack-based overflow
VDB-337712 | CTI Indicators (IOB, IOC, IOA)
Submit #719315 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/CheckTools/CheckTools.md
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/CheckTools/CheckTools.md#reproduce
https://www.tenda.com.cn/
 
Tenda--WH450 A security vulnerability has been detected in Tenda WH450 1.0.0.18. Affected by this issue is some unknown functionality of the file /goform/L7Im of the component HTTP Request Handler. Such manipulation of the argument page leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. 2025-12-22 9.8 CVE-2025-15007 VDB-337713 | Tenda WH450 HTTP Request L7Im stack-based overflow
VDB-337713 | CTI Indicators (IOB, IOC, IOA)
Submit #719316 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/L7Im/L7Im.md
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/L7Im/L7Im.md#poc
https://www.tenda.com.cn/
 
Tenda--WH450 A vulnerability has been found in Tenda WH450 1.0.0.18. This issue affects some unknown processing of the file /goform/SafeUrlFilter. The manipulation of the argument page leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. 2025-12-22 9.8 CVE-2025-15010 VDB-337716 | Tenda WH450 SafeUrlFilter stack-based overflow
VDB-337716 | CTI Indicators (IOB, IOC, IOA)
Submit #719219 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/SafeUrlFilter/SafeUrlFilter.md
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/SafeUrlFilter/SafeUrlFilter.md#reproduce
https://www.tenda.com.cn/
 
Tenda--WH450 A vulnerability was detected in Tenda WH450 1.0.0.18. Impacted is an unknown function of the file /goform/NatStaticSetting. The manipulation of the argument page results in stack-based buffer overflow. The attack may be performed from remote. The exploit is now public and may be used. 2025-12-23 9.8 CVE-2025-15044 VDB-337849 | Tenda WH450 NatStaticSetting stack-based overflow
VDB-337849 | CTI Indicators (IOB, IOC, IOA)
Submit #720856 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/NatStaticSetting/NatStaticSetting.md
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/NatStaticSetting/NatStaticSetting.md#reproduce
https://www.tenda.com.cn/
 
Tenda--WH450 A flaw has been found in Tenda WH450 1.0.0.18. The affected element is an unknown function of the file /goform/Natlimit of the component HTTP Request Handler. This manipulation of the argument page causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been published and may be used. 2025-12-23 9.8 CVE-2025-15045 VDB-337850 | Tenda WH450 HTTP Request Natlimit stack-based overflow
VDB-337850 | CTI Indicators (IOB, IOC, IOA)
Submit #720882 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/Natlimit/Natlimit.md
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/Natlimit/Natlimit.md#reproduce
https://www.tenda.com.cn/
 
Tenda--WH450 A vulnerability has been found in Tenda WH450 1.0.0.18. The impacted element is an unknown function of the file /goform/PPTPClient of the component HTTP Request Handler. Such manipulation of the argument netmsk leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. 2025-12-23 9.8 CVE-2025-15046 VDB-337851 | Tenda WH450 HTTP Request PPTPClient stack-based overflow
VDB-337851 | CTI Indicators (IOB, IOC, IOA)
Submit #720883 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/PPTPClient/PPTPClient.md
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/PPTPClient/PPTPClient.md#reproduce
https://www.tenda.com.cn/
 
Tenda--WH450 A vulnerability was found in Tenda WH450 1.0.0.18. This affects an unknown function of the file /goform/PPTPDClient of the component HTTP Request Handler. Performing manipulation of the argument Username results in stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made public and could be used. 2025-12-23 9.8 CVE-2025-15047 VDB-337852 | Tenda WH450 HTTP Request PPTPDClient stack-based overflow
VDB-337852 | CTI Indicators (IOB, IOC, IOA)
Submit #720884 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/PPTPDClient/PPTPDClient.md
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/PPTPDClient/PPTPDClient.md#reproduce
https://www.tenda.com.cn/
 
Tenda--WH450 A vulnerability was detected in Tenda WH450 1.0.0.18. This affects an unknown part of the file /goform/L7Port of the component HTTP Request Handler. Performing manipulation of the argument page results in stack-based buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. 2025-12-22 7.3 CVE-2025-15008 VDB-337714 | Tenda WH450 HTTP Request L7Port stack-based overflow
VDB-337714 | CTI Indicators (IOB, IOC, IOA)
Submit #719317 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/L7Prot/L7Prot.md
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/L7Prot/L7Prot.md#reproduce
https://www.tenda.com.cn/
 
Tenda--WH450 A vulnerability was determined in Tenda WH450 1.0.0.18. This impacts an unknown function of the file /goform/CheckTools of the component HTTP Request Handler. Executing manipulation of the argument ipaddress can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. 2025-12-23 7.3 CVE-2025-15048 VDB-337853 | Tenda WH450 HTTP Request CheckTools command injection
VDB-337853 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #720885 | Tenda WH450 V1.0.0.18 Command Injection
https://github.com/z472421519/BinaryAudit/blob/main/PoC/CMD/Tenda_WH450/CheckTools/CheckTools.md
https://github.com/z472421519/BinaryAudit/blob/main/PoC/CMD/Tenda_WH450/CheckTools/CheckTools.md#reproduce
https://www.tenda.com.cn/
 
Tenda--WH450 A vulnerability has been found in Tenda WH450 1.0.0.18. This impacts an unknown function of the file /goform/PPTPServer. Such manipulation of the argument ip1 leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. 2025-12-28 7.2 CVE-2025-15160 VDB-338535 | Tenda WH450 PPTPServer stack-based overflow
VDB-338535 | CTI Indicators (IOB, IOC, IOA)
Submit #720886 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/PPTPServer/PPTPServer.md
https://www.tenda.com.cn/
 
Tenda--WH450 A vulnerability was found in Tenda WH450 1.0.0.18. Affected is an unknown function of the file /goform/PPTPUserSetting. Performing manipulation of the argument delno results in stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been made public and could be used. 2025-12-28 7.2 CVE-2025-15161 VDB-338536 | Tenda WH450 PPTPUserSetting stack-based overflow
VDB-338536 | CTI Indicators (IOB, IOC, IOA)
Submit #720887 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/PPTPUserSetting/PPTPUserSetting.md
https://www.tenda.com.cn/
 
Tenda--WH450 A vulnerability was determined in Tenda WH450 1.0.0.18. Affected by this vulnerability is an unknown functionality of the file /goform/RouteStatic. Executing manipulation of the argument page can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. 2025-12-28 7.2 CVE-2025-15162 VDB-338537 | Tenda WH450 RouteStatic stack-based overflow
VDB-338537 | CTI Indicators (IOB, IOC, IOA)
Submit #721210 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/RouteStatic/RouteStatic.md
https://www.tenda.com.cn/
 
The GNU Project | Free Software Foundation, Inc.--GNU Barcode GNU Barcode 0.99 contains a buffer overflow vulnerability in its code 93 encoding process that allows attackers to trigger memory corruption. Attackers can exploit boundary errors during input file processing to potentially execute arbitrary code on the affected system. 2025-12-24 9.8 CVE-2018-25154 ExploitDB-44797
GNU Barcode Official Product Page
FSF Directory Entry for Barcode
 
The GNU Project | Free Software Foundation, Inc.--GNU Barcode GNU Barcode 0.99 contains a memory leak vulnerability in the command line processing function within cmdline.c. Attackers can exploit this vulnerability by providing specially crafted input that causes unfreed memory allocations, potentially leading to denial of service conditions. 2025-12-24 7.5 CVE-2018-25153 ExploitDB-44798
GNU Barcode Product Homepage
FSF Directory Entry for Barcode
 
thedigicraft--Atom CMS Atom CMS 2.0 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries through unvalidated parameters. Attackers can inject malicious SQL code in the 'id' parameter of the admin index page to execute time-based blind SQL injection attacks. 2025-12-22 8.2 CVE-2023-53975 ExploitDB-51086
Atom CMS GitHub Repository
VulnCheck Advisory: Atom CMS 2.0 Unauthenticated SQL Injection via Admin Index Page
 
Thembay--Diza Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Thembay Diza allows PHP Local File Inclusion. This issue affects Diza: from n/a through 1.3.15. 2025-12-23 7.5 CVE-2025-68544 https://vdp.patchstack.com/database/wordpress/theme/diza/vulnerability/wordpress-diza-theme-1-3-15-local-file-inclusion-vulnerability?_s_id=cve
 
Thembay--Nika Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Thembay Nika allows PHP Local File Inclusion. This issue affects Nika: from n/a through 1.2.14. 2025-12-23 7.5 CVE-2025-68546 https://vdp.patchstack.com/database/wordpress/theme/nika/vulnerability/wordpress-nika-theme-1-2-14-local-file-inclusion-vulnerability?_s_id=cve
 
thibaud-rohmer--PhotoShow PhotoShow 3.0 contains a remote code execution vulnerability that allows authenticated administrators to inject malicious commands through the exiftran path configuration. Attackers can exploit the ffmpeg configuration settings by base64 encoding a reverse shell command and executing it through a crafted video upload process. 2025-12-22 7.2 CVE-2023-53981 ExploitDB-51236
Researcher Disclosure
Software Repository
VulnCheck Advisory: PhotoShow 3.0 Remote Code Execution via Exiftran Path Injection
 
TRENDnet--TEW-800MB A security vulnerability has been detected in TRENDnet TEW-800MB 1.0.1.0. Affected is the function do_setWizard_asp of the file /goform/wizardset of the component Management Interface. The manipulation of the argument WizardConfigured leads to command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-28 8.8 CVE-2025-15136 VDB-338514 | TRENDnet TEW-800MB Management wizardset do_setWizard_asp command injection
VDB-338514 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #714042 | TRENDnet TEW-800mb v1.0.1.0 Command Injection
https://pentagonal-time-3a7.notion.site/TRENDnet-TEW-800MB-2c7e5dd4c5a58067bc81e530bf3191c0
 
TRENDnet--TEW-800MB A vulnerability was detected in TRENDnet TEW-800MB 1.0.1.0. Affected by this vulnerability is the function sub_F934  of the file NTPSyncWithHost.cgi. The manipulation results in command injection. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-28 8.8 CVE-2025-15137 VDB-338515 | TRENDnet TEW-800MB NTPSyncWithHost.cgi sub_F934  command injection
VDB-338515 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #714241 | TRENDnet TEW-800mb v1.0.1.0 Command Injection
https://pentagonal-time-3a7.notion.site/TRENDnet-TEW-800MB-NTP-2c7e5dd4c5a580f999adcaff2c31978b
 
tychesoftwares--Print Invoice & Delivery Notes for WooCommerce The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function. This is due to missing capability check in the 'WooCommerce_Delivery_Notes::update' function, PHP enabled in Dompdf, and missing escape in the 'template.php' file. This makes it possible for unauthenticated attackers to execute code on the server. 2025-12-24 9.8 CVE-2025-13773 https://www.wordfence.com/threat-intel/vulnerabilities/id/e52b34fe-2414-4d6f-bf43-9c5b65ebf769?source=cve
https://plugins.trac.wordpress.org/changeset/3426119/woocommerce-delivery-notes
https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/class-woocommerce-delivery-notes.php#L347
https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/class-woocommerce-delivery-notes.php#L473
https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/templates/pdf/simple/invoice/template.php#L36
https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/front/wcdn-front-function.php#L37
https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/front/vendor/dompdf/dompdf/src/PhpEvaluator.php#L52
 
UTT-- 512W A vulnerability has been found in UTT 进取 512W up to 1.7.7-171114. This affects the function strcpy of the file /goform/APSecurity. The manipulation of the argument wepkey1 leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. 2025-12-25 8.8 CVE-2025-15089 VDB-338418 | UTT 进取 512W APSecurity strcpy buffer overflow
VDB-338418 | CTI Indicators (IOB, IOC, IOA)
Submit #708348 | UTT 进取 512W v3v1.7.7-171114 Buffer Overflow
https://github.com/cymiao1978/cve/blob/main/new/14.md
https://github.com/cymiao1978/cve/blob/main/new/14.md#poc
 
UTT-- 512W A vulnerability was found in UTT 进取 512W up to 1.7.7-171114. This vulnerability affects the function strcpy of the file /goform/formConfigNoticeConfig. The manipulation of the argument timestart results in buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used. 2025-12-25 8.8 CVE-2025-15090 VDB-338419 | UTT 进取 512W formConfigNoticeConfig strcpy buffer overflow
VDB-338419 | CTI Indicators (IOB, IOC, IOA)
Submit #708349 | UTT 进取 512W v3v1.7.7-171114 Buffer Overflow
https://github.com/cymiao1978/cve/blob/main/new/15.md
https://github.com/cymiao1978/cve/blob/main/new/15.md#poc
 
UTT-- 512W A vulnerability was determined in UTT 进取 512W up to 1.7.7-171114. This issue affects the function strcpy of the file /goform/formPictureUrl. This manipulation of the argument importpictureurl causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. 2025-12-25 8.8 CVE-2025-15091 VDB-338420 | UTT 进取 512W formPictureUrl strcpy buffer overflow
VDB-338420 | CTI Indicators (IOB, IOC, IOA)
Submit #708350 | UTT 进取 512W v3v1.7.7-171114 Buffer Overflow
https://github.com/cymiao1978/cve/blob/main/new/16.md
https://github.com/cymiao1978/cve/blob/main/new/16.md#poc
 
UTT-- 512W A vulnerability was identified in UTT 进取 512W up to 1.7.7-171114. Impacted is the function strcpy of the file /goform/ConfigExceptMSN. Such manipulation of the argument remark leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used. 2025-12-26 8.8 CVE-2025-15092 VDB-338421 | UTT 进取 512W ConfigExceptMSN strcpy buffer overflow
VDB-338421 | CTI Indicators (IOB, IOC, IOA)
Submit #708351 | UTT 进取 512W v3v1.7.7-171114 Buffer Overflow
https://github.com/cymiao1978/cve/blob/main/new/17.md
https://github.com/cymiao1978/cve/blob/main/new/17.md#poc
 
Verisay Communication and Information Technology Industry and Trade Ltd. Co.--Aidango Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Aidango allows Cross-Site Scripting (XSS).This issue affects Aidango: before 2.144.4. 2025-12-25 7.6 CVE-2025-2307 https://www.usom.gov.tr/bildirim/tr-25-0487
 
Verisay Communication and Information Technology Industry and Trade Ltd. Co.--Titarus Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Titarus allows Cross-Site Scripting (XSS).This issue affects Titarus: before 2.144.4. 2025-12-25 7.6 CVE-2025-2405 https://www.usom.gov.tr/bildirim/tr-25-0485
 
Verisay Communication and Information Technology Industry and Trade Ltd. Co.--Trizbi Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Trizbi allows Cross-Site Scripting (XSS).This issue affects Trizbi: before 2.144.4. 2025-12-25 7.6 CVE-2025-2406 https://www.usom.gov.tr/bildirim/tr-25-0486
 
VillaTheme--WPBulky Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VillaTheme WPBulky allows Blind SQL Injection. This issue affects WPBulky: from n/a through 1.1.13. 2025-12-23 7.6 CVE-2025-68550 https://vdp.patchstack.com/database/wordpress/plugin/wpbulky-wp-bulk-edit-post-types/vulnerability/wordpress-wpbulky-plugin-1-1-13-sql-injection-vulnerability?_s_id=cve
 
Wondershare--Wondershare MirrorGo Wondershare MirrorGo 2.0.11.346 contains a local privilege escalation vulnerability due to incorrect file permissions on executable files. Unprivileged local users can replace the ElevationService.exe with a malicious file to execute arbitrary code with LocalSystem privileges. 2025-12-22 8.4 CVE-2022-50690 ExploitDB-50787
Wondershare Official Homepage
VulnCheck Advisory: Wondershare MirrorGo 2.0.11.346 Local Privilege Escalation via Insecure File Permissions
 
WPJobBoard--WPJobBoard Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPJobBoard allows Blind SQL Injection. This issue affects WPJobBoard: from n/a through 5.9.0. 2025-12-24 8.6 CVE-2023-36525 https://vdp.patchstack.com/database/wordpress/plugin/wpjobboard/vulnerability/wordpress-wpjobboard-plugin-5-9-0-unauth-blind-sql-injection-sqli-vulnerability?_s_id=cve
 
Xspeeder--SXZOS Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used. 2025-12-27 10 CVE-2025-54322 https://www.xspeeder.com
https://pwn.ai/blog/cve-2025-54322-zeroday-unauthenticated-root-rce-affecting-70-000-hosts
 
Zillya--Zillya Total Security Zillya Total Security 3.0.2367.0 contains a privilege escalation vulnerability that allows low-privileged users to copy files to unauthorized system locations using the quarantine module. Attackers can leverage symbolic link techniques to restore quarantined files to restricted directories, potentially enabling system-level access through techniques like DLL hijacking. 2025-12-22 8.4 CVE-2023-53973 ExploitDB-51151
Zillya Official Homepage
VulnCheck Advisory: Zillya Total Security 3.0.2367.0 Local Privilege Escalation via Quarantine Module
 

Back to top

Medium Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
AVE S.p.A.--DOMINAplus AVE DOMINAplus 1.10.x contains cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to exploit login.php parameters and execute arbitrary scripts in user browser sessions. 2025-12-24 5.3 CVE-2019-25233 ExploitDB-47821
AVE S.p.A. Official Website
DOMINAplus Product Page
Zero Science Lab Disclosure (ZSL-2019-5547)
 
Beward R&D Co., Ltd--BEWARD Intercom Beward Intercom 2.3.1 contains a credentials disclosure vulnerability that allows local attackers to access plain-text authentication credentials stored in an unencrypted database file. Attackers can read the BEWARD.INTERCOM.FDB file to extract usernames and passwords, enabling unauthorized access to IP cameras and door stations. 2025-12-24 6.2 CVE-2018-25130 ExploitDB-46267
Beward Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5505)
 
Beward R&D Co., Ltd--N100 H.264 VGA IP Camera Beward N100 H.264 VGA IP Camera M2.1.6 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft a malicious web page with a hidden form to add an admin user by tricking a logged-in user into submitting the form. 2025-12-24 5.3 CVE-2019-25247 ExploitDB-46318
Official Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5510)
 
bnayawpguy--Resoto Missing Authorization vulnerability in bnayawpguy Resoto allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Resoto: from n/a through 1.0.8. 2025-12-24 4.3 CVE-2023-28619 https://vdp.patchstack.com/database/wordpress/theme/resoto/vulnerability/wordpress-resoto-theme-1-0-8-authenticated-arbitrary-plugin-activation?_s_id=cve
 
Bob--Hostel Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bob Hostel allows DOM-Based XSS. This issue affects Hostel: from n/a through 1.1.5.1. 2025-12-24 5.9 CVE-2023-32120 https://vdp.patchstack.com/database/wordpress/plugin/hostel/vulnerability/wordpress-hostel-plugin-1-1-5-1-cross-site-scripting-xss?_s_id=cve
 
BTicino S.p.A.--Legrand BTicino Driver Manager F454 Legrand BTicino Driver Manager F454 1.0.51 contains multiple web vulnerabilities that allow attackers to perform administrative actions without proper request validation. Attackers can exploit cross-site request forgery to change passwords and inject stored cross-site scripting payloads through unvalidated GET parameters. 2025-12-24 5.3 CVE-2019-25244 ExploitDB-46850
BTicino Official Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5521)
Zero Science Lab Disclosure (ZSL-2019-5522)
 
Carlo Gavazzi AB--SmartHouse Webapp SmartHouse Webapp 6.5.33 contains multiple cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform unauthorized actions. Attackers can exploit these vulnerabilities by tricking logged-in users into visiting malicious websites or injecting malicious scripts into various application parameters. 2025-12-24 5.3 CVE-2019-25234 ExploitDB-47730
SmartHouse Product Website
Zero Science Lab Disclosure (ZSL-2019-5553)
 
Centreon--Infra Monitoring Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Hostgroup configuration page) allows Stored XSS by users with elevated privileges.This issue affects Infra Monitoring: from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19, from 23.10.0 before 23.10.29. 2025-12-22 6.8 CVE-2025-54890 https://github.com/centreon/centreon/releases
 
Centreon--Infra Monitoring Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Notification rules, Open tickets module) allows Stored XSS by users with elevated privileges.This issue affects Infra Monitoring: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4. 2025-12-22 6.8 CVE-2025-8460 https://github.com/centreon/centreon/releases
 
checkpoint--Identity Agent An authenticated local user can obtain information that allows claiming security policy rules of another user due to sensitive information being accessible in the Windows Registry keys for Check Point Identity Agent running on a Terminal Server. 2025-12-22 6.5 CVE-2025-8304 https://support.checkpoint.com/results/sk/sk184263
 
checkpoint--Identity Awareness An authenticated local user can obtain information that allows claiming security policy rules of another user due to sensitive information being printed in plaintext in Identity Agent for Terminal Services debug files. 2025-12-22 6.5 CVE-2025-8305 https://support.checkpoint.com/results/sk/sk184264
 
ChenJinchuang--Lin-CMS-TP5 A flaw has been found in ChenJinchuang Lin-CMS-TP5 up to 0.3.3. This vulnerability affects the function Upload of the file application/lib/file/LocalUploader.php of the component File Upload Handler. Executing manipulation of the argument File can lead to code injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-28 6.3 CVE-2025-15129 VDB-338507 | ChenJinchuang Lin-CMS-TP5 File Upload LocalUploader.php upload code injection
VDB-338507 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #712754 | lin-cms-tp5 1.0 Unrestricted Upload
https://github.com/ChenJinchuang/lin-cms-tp5/issues/65
 
Cmsimple--CMSimple CMSimple 5.4 contains a cross-site scripting vulnerability that allows attackers to bypass input filtering by using HTML to Unicode encoding. Attackers can inject malicious scripts by encoding payloads like ')-alert(1)// and execute arbitrary JavaScript when victims interact with delete buttons. 2025-12-23 6.1 CVE-2021-47733 ExploitDB-50612
CMSimple Official Homepage
VulnCheck Advisory: CMSimple 5.4 Cross-Site Scripting via HTML Unicode Encoding
 
Cmsimple--CMSimple CMSimple 5.4 contains an authenticated local file inclusion vulnerability that allows remote attackers to manipulate PHP session files and execute arbitrary code. Attackers can leverage the vulnerability by changing the functions file path and uploading malicious PHP code through session file upload mechanisms. 2025-12-23 5.5 CVE-2021-47734 ExploitDB-50547
Official CMSimple Homepage
VulnCheck Advisory: CMSimple 5.4 Authenticated Local File Inclusion Remote Code Execution
 
Cobiansoft--Cobian Backup Gravity Cobian Backup 11 Gravity 11.2.0.582 contains a denial of service vulnerability in the FTP password input field that allows attackers to crash the application. Attackers can generate a specially crafted 800-byte buffer and paste it into the password field to trigger an application crash. 2025-12-22 6.2 CVE-2022-50687 ExploitDB-50790
Cobian Backup Official Vendor Homepage
VulnCheck Advisory: Cobian Backup 11 Gravity 11.2.0.582 Local Denial of Service via Password Field
 
Cobiansoft--Cobian Reflector Cobian Reflector 0.9.93 RC1 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the password input field. Attackers can paste a large 8000-byte buffer into the password field to trigger an application crash during SFTP task configuration. 2025-12-22 6.2 CVE-2022-50689 ExploitDB-50789
Cobian Software Official Homepage
VulnCheck Advisory: Cobian Reflector 0.9.93 RC1 Local Denial of Service via Password Field
 
code-projects--Student File Management System A security vulnerability has been detected in code-projects Student File Management System 1.0. This affects an unknown part of the file /save_file.php. Such manipulation of the argument File leads to unrestricted upload. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. 2025-12-24 6.3 CVE-2025-15050 VDB-337857 | code-projects Student File Management System save_file.php unrestricted upload
VDB-337857 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721073 | Code-Projects 学生文件管理系统 V1.0 任意文件上传
Submit #721039 | code-projects.org 学生文件管理系统 V1.0 文件上传 (Duplicate)
https://github.com/Bai-public/CVE/issues/3
https://code-projects.org/
 
CodexThemes--TheGem Theme Elements (for Elementor) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for Elementor).This issue affects TheGem Theme Elements (for Elementor): from n/a through 5.10.5.1. 2025-12-23 6.5 CVE-2025-68559 https://vdp.patchstack.com/database/wordpress/plugin/thegem-elements-elementor/vulnerability/wordpress-thegem-theme-elements-for-elementor-plugin-5-10-5-1-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Cszcms--CSZ CMS CSZ CMS 1.2.7 contains a persistent cross-site scripting vulnerability that allows unauthorized users to embed malicious JavaScript in private messages. Attackers can send messages with script payloads in the user-agent header, which will execute when an admin views the message in the backend dashboard. 2025-12-23 6.4 CVE-2021-47738 ExploitDB-48354
Official CSZ CMS Vendor Homepage
CSZ CMS SourceForge Project
VulnCheck Advisory: CSZ CMS 1.2.7 Persistent Cross-Site Scripting via Private Messaging
 
Cszcms--CSZ CMS CSZ CMS 1.2.7 contains an HTML injection vulnerability that allows authenticated users to insert malicious hyperlinks in message titles. Attackers can craft POST requests to the member messaging system with HTML-based links to potentially conduct phishing or social engineering attacks. 2025-12-23 5.4 CVE-2021-47737 ExploitDB-48357
Official CSZ CMS Vendor Homepage
CSZ CMS SourceForge Project
VulnCheck Advisory: CSZ CMS 1.2.7 HTML Injection Vulnerability via Member Dashboard
 
dayrui--XunRuiCMS A weakness has been identified in dayrui XunRuiCMS up to 4.7.1. The impacted element is the function dr_show_error/dr_exit_msg of the file /dayrui/Fcms/Init.php of the component JSONP Callback Handler. This manipulation of the argument callback causes cross site scripting. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-28 4.3 CVE-2025-15144 VDB-338522 | dayrui XunRuiCMS JSONP Callback Init.php dr_exit_msg cross site scripting
VDB-338522 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716122 | xunruicms 4.7.1 xss
https://note-hxlab.wetolink.com/share/gbCf35DJ3los
 
Delta Electronics--DVP15MC11T Delta Electronics DVP15MC11T lacks proper validation of the modbus/tcp packets and can lead to denial of service. 2025-12-22 4 CVE-2025-59301 https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00020_DVP15MC11T%20Modbus%20TCP%20DoS%20Vulnerability.pdf
 
devolo AG--dLAN 550 duo+ Starter Kit Devolo dLAN 500 AV Wireless+ 3.1.0-1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages that trigger unauthorized configuration changes by exploiting predictable URL actions when a logged-in user visits the site. 2025-12-24 5.3 CVE-2019-25250 ExploitDB-46324
Official Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5507)
 
Eaton--UPS Companion software Improper quotation in search paths in the Eaton UPS Companion software installer could lead to arbitrary code execution of an attacker with the access to the file system. This security issue has been fixed in the latest version of EUC which is available on the Eaton download center. 2025-12-26 6.7 CVE-2025-59888 https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1026.pdf
 
Ecessa Corporation--Ecessa Edge EV150 Ecessa Edge EV150 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a form that submits requests to the /cgi-bin/pl_web.cgi/util_configlogin_act endpoint to add superuser accounts with arbitrary credentials. 2025-12-24 5.3 CVE-2018-25152 ExploitDB-44932
Ecessa Corporation Product Homepage
 
Ecessa Corporation--Ecessa ShieldLink SL175EHQ Ecessa ShieldLink SL175EHQ 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a hidden form to add a superuser account by tricking a logged-in administrator into loading the page. 2025-12-24 5.3 CVE-2018-25150 ExploitDB-44938
Ecessa Corporation Product Homepage
 
Ecessa Corporation--WANWorx WVR-30 Ecessa WANWorx WVR-30 versions before 10.7.4 contain a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can craft a malicious web page with a hidden form to create a new superuser account by tricking an authenticated administrator into loading the page. 2025-12-24 4.3 CVE-2018-25151 ExploitDB-44936
Ecessa Corporation Official Website
 
Echo Call Center Services Trade and Industry Inc.--Specto CM Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Echo Call Center Services Trade and Industry Inc. Specto CM allows Stored XSS.This issue affects Specto CM: before 17032025. 2025-12-24 5.4 CVE-2025-2154 https://www.usom.gov.tr/bildirim/tr-25-0480
 
floooh--sokol A vulnerability was identified in floooh sokol up to 5d11344150973f15e16d3ec4ee7550a73fb995e0. The impacted element is the function _sg_validate_pipeline_desc in the library sokol_gfx.h. Such manipulation leads to stack-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The name of the patch is b95c5245ba357967220c9a860c7578a7487937b0. It is best practice to apply a patch to resolve this issue. 2025-12-22 5.3 CVE-2025-15013 VDB-337719 | floooh sokol sokol_gfx.h _sg_validate_pipeline_desc stack-based overflow
VDB-337719 | CTI Indicators (IOB, IOC, IOA)
Submit #719820 | floooh sokol e0832c9 Stack-based Buffer Overflow
https://github.com/floooh/sokol/issues/1404
https://github.com/seyhajin/sokol/pull/246
https://github.com/oneafter/1212/blob/main/stack1
https://github.com/seyhajin/sokol/commit/b95c5245ba357967220c9a860c7578a7487937b0
 
floooh--sokol A vulnerability was detected in floooh sokol up to 16cbcc864012898793cd2bc57f802499a264ea40. The impacted element is the function _sg_pipeline_desc_defaults in the library sokol_gfx.h. The manipulation results in stack-based buffer overflow. The attack requires a local approach. The exploit is now public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The patch is identified as 5d11344150973f15e16d3ec4ee7550a73fb995e0. It is advisable to implement a patch to correct this issue. 2025-12-28 5.3 CVE-2025-15155 VDB-338533 | floooh sokol sokol_gfx.h _sg_pipeline_desc_defaults stack-based overflow
VDB-338533 | CTI Indicators (IOB, IOC, IOA)
Submit #719823 | floooh sokol e0832c9 Stack-based Buffer Overflow
https://github.com/floooh/sokol/issues/1405
https://github.com/floooh/sokol/issues/1406#issuecomment-3649548096
https://github.com/oneafter/1212/blob/main/hbf1
https://github.com/floooh/sokol/commit/5d11344150973f15e16d3ec4ee7550a73fb995e0
 
FreshRSS--FreshRSS FreshRSS is a free, self-hostable RSS aggregator. From version 1.27.0 to before 1.28.0, An attacker could globally deny access to feeds via proxy modifying to 429 Retry-After for a large list of feeds on given instance, making it unusable for majority of users. This issue has been patched in version 1.28.0. 2025-12-26 4.3 CVE-2025-68148 https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-qw34-frg7-gf78
https://github.com/FreshRSS/FreshRSS/pull/8029
https://github.com/FreshRSS/FreshRSS/commit/7d4854a0a4f5665db599f18c34035786465639f3
 
Fujitsu / Fsas Technologies--ETERNUS SF ACM/SC/Express Fujitsu / Fsas Technologies ETERNUS SF ACM/SC/Express (DX / AF Management Software) before 16.8-16.9.1 PA 2025-12, when collected maintenance data is accessible by a principal/authority other than ETERNUS SF Admin, allows an attacker to potentially affect system confidentiality, integrity, and availability. 2025-12-24 5.6 CVE-2025-68919 https://security.ts.fujitsu.com/ProductSecurity/content/FsasTech-PSIRT-FTI-STR-2025-111413-Security-Notice.pdf
 
getmaxun--maxun A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-27 6.3 CVE-2025-15106 VDB-338477 | getmaxun Authentication Endpoint auth.ts router.get improper authorization
VDB-338477 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #710268 | https://github.com/getmaxun https://github.com/getmaxun/maxun ≤ v0.0.28 Authentication Bypass Issues
https://gist.github.com/H2u8s/1a0bdb19d5c8c8f4dc72cb49ffe9a22b
 
Gitea--Gitea Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text. 2025-12-26 5.4 CVE-2025-68942 https://blog.gitea.com/release-of-1.22.2/
https://github.com/go-gitea/gitea/releases/tag/v1.22.2
https://github.com/go-gitea/gitea/pull/31966
 
Gitea--Gitea Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order. 2025-12-26 5.3 CVE-2025-68943 https://blog.gitea.com/release-of-1.21.8-and-1.21.9-and-1.21.10/
https://github.com/go-gitea/gitea/releases/tag/v1.21.8
https://github.com/go-gitea/gitea/pull/29430
 
Gitea--Gitea Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries. 2025-12-26 5 CVE-2025-68944 https://blog.gitea.com/release-of-1.22.2/
https://github.com/go-gitea/gitea/releases/tag/v1.22.2
https://github.com/go-gitea/gitea/pull/31967
 
Gitea--Gitea In Gitea before 1.21.2, an anonymous user can visit a private user's project. 2025-12-26 5.8 CVE-2025-68945 https://blog.gitea.com/release-of-1.21.2/
https://github.com/go-gitea/gitea/releases/tag/v1.21.2
https://github.com/go-gitea/gitea/pull/28423
 
Gitea--Gitea In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS. 2025-12-26 5.4 CVE-2025-68946 https://blog.gitea.com/release-of-1.20.1/
https://github.com/go-gitea/gitea/releases/tag/v1.20.1
https://github.com/go-gitea/gitea/pull/25960
 
Gitea--Gitea Gitea before 1.25.2 mishandles authorization for deletion of releases. 2025-12-26 4.3 CVE-2025-68938 https://blog.gitea.com/release-of-1.25.2/
https://github.com/go-gitea/gitea/releases/tag/v1.25.2
https://github.com/go-gitea/gitea/pull/36002/commits/d4262131b39899d9e9ee5caa2635c810d476e43f#diff-8962bac89952027d50fa51f31f59d65bedb4c02bde0265eced5cf256cbed306d
 
Gitea--Gitea Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources. 2025-12-26 4.9 CVE-2025-68941 https://blog.gitea.com/release-of-1.22.3/
https://github.com/go-gitea/gitea/releases/tag/v1.22.3
https://github.com/go-gitea/gitea/pull/32218
 
GnuPG--GnuPG In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line. 2025-12-27 5.9 CVE-2025-68972 https://gpg.fail/formfeed
https://news.ycombinator.com/item?id=46404339
 
Guangzhou V-SOLUTION Electronic Technology Co., Ltd.--SOL GPON/EPON OLT Platform V-SOL GPON/EPON OLT Platform 2.03 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to create admin users, enable SSH, or modify system settings by tricking authenticated administrators into loading a specially crafted page. 2025-12-24 4.3 CVE-2019-25238 ExploitDB-47434
V-SOL Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5536)
 
h-moses--moga-mall A vulnerability was identified in h-moses moga-mall up to 392d631a5ef15962a9bddeeb9f1269b9085473fa. This vulnerability affects the function addProduct of the file src/main/java/com/ms/product/controller/PmsProductController.java. Such manipulation of the argument objectName leads to unrestricted upload. The attack may be performed from remote. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. 2025-12-28 6.3 CVE-2025-15152 VDB-338529 | h-moses moga-mall PmsProductController.java addProduct unrestricted upload
VDB-338529 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721988 | https://github.com/h-moses/moga-mall moga-mall 1.0 Upload any file
https://github.com/zyhzheng500-maker/cve/blob/main/moga-mall%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.md
 
Hasura--Hasura GraphQL Hasura GraphQL 1.3.3 contains a local file read vulnerability that allows attackers to access system files through SQL injection in the query endpoint. Attackers can exploit the pg_read_file() PostgreSQL function by crafting malicious SQL queries to read arbitrary files on the server. 2025-12-22 5.5 CVE-2021-47714 ExploitDB-49790
Hasura GraphQL Engine GitHub Repository
VulnCheck Advisory: Hasura GraphQL 1.3.3 Local File Read via SQL Injection
 
Hasura--Hasura GraphQL Hasura GraphQL 1.3.3 contains a server-side request forgery vulnerability that allows attackers to inject arbitrary remote schema URLs through the add_remote_schema endpoint. Attackers can exploit the vulnerability by sending crafted POST requests to the /v1/query endpoint with malicious URL definitions to potentially access internal network resources. 2025-12-22 5.3 CVE-2021-47715 ExploitDB-49791
Hasura GraphQL Engine GitHub Repository
VulnCheck Advisory: Hasura GraphQL 1.3.3 Server-Side Request Forgery via Remote Schema Injection
 
IBM--Aspera Faspex 5 IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. 2025-12-26 5.4 CVE-2025-36230 https://www.ibm.com/support/pages/node/7255331
 
IBM--Concert IBM Concert 1.0.0 through 2.1.0 stores sensitive information in cleartext during recursive docker builds which could be obtained by a local user. 2025-12-24 6.2 CVE-2025-36154 https://www.ibm.com/support/pages/node/7255549
 
IBM--Concert IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory. 2025-12-26 5.9 CVE-2025-1721 https://www.ibm.com/support/pages/node/7255549
 
IBM--Db2 Intelligence Center IBM Db2 Intelligence Center 1.1.0, 1.1.1, 1.1.2 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of sever side security mechanisms. 2025-12-26 4.3 CVE-2025-14687 https://www.ibm.com/support/pages/node/7255160
 
IBM--DS8A00( R10.1) IBM DS8A00( R10.1) 10.10.106.0 and IBM DS8A00 ( R10.0) 10.1.3.010.2.45.0 and IBM DS8900F ( R9.4) 89.40.83.089.42.18.089.44.5.0 IBM System Storage DS8000 could allow a local user with authorized CCW update permissions to delete or corrupt backups due to missing authorization in IBM Safeguarded Copy / GDPS Logical corruption protection mechanisms. 2025-12-26 6.7 CVE-2025-36192 https://www.ibm.com/support/pages/node/7255039
 
iWT Ltd.--FaceSentry Access Control System FaceSentry Access Control System 6.4.8 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change administrator passwords, add new admin users, or open access control doors by tricking authenticated users into loading a specially crafted webpage. 2025-12-24 4.3 CVE-2019-25242 ExploitDB-47065
Vendor Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5524)
 
jackq--XCMS A vulnerability has been found in jackq XCMS up to 3fab5342cc509945a7ce1b8ec39d19f701b89261. Affected is the function Upload of the file Admin/Home/Controller/ProductImageController.class.php of the component Backend. Such manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-27 4.7 CVE-2025-15110 VDB-338481 | jackq XCMS Backend ProductImageController.class.php upload unrestricted upload
VDB-338481 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #711702 | XCMS 1.1 Unrestricted Upload
https://gitee.com/jackq/XCMS/issues/IDC5C8
 
jcthiele--OpenXRechnungToolbox OpenXRechnungToolbox through 2024-10-05-3.0.0 before 6c50e89 allows XXE because the disallow-doctype-decl feature is not enabled in visualization/VisualizerImpl.java. 2025-12-24 5 CVE-2024-58335 https://github.com/jcthiele/OpenXRechnungToolbox/commit/6c50e8979924b09f336c976cbad3a9ebfe25ebf9
https://invoice.secvuln.info
 
JD--Cloud BE6500 A vulnerability has been found in JD Cloud BE6500 4.4.1.r4308. This issue affects the function sub_4780 of the file /jdcapi. Such manipulation of the argument ddns_name leads to command injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-25 6.3 CVE-2025-15081 VDB-338409 | JD Cloud BE6500 jdcapi sub_4780 command injection
VDB-338409 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #707276 | JD cloud 京东云 JD Cloud BE6500 4.4.1.r4308 Command Injection
https://gist.github.com/isstabber/4ed3554130681e50b3e987c3c4ee1f29
 
Jewel Theme--Master Addons for Elementor Missing Authorization vulnerability in Jewel Theme Master Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Master Addons for Elementor: from n/a through 2.0.5.3. 2025-12-24 6.5 CVE-2023-40679 https://vdp.patchstack.com/database/wordpress/plugin/master-addons/vulnerability/wordpress-master-elementor-addons-plugin-2-0-3-broken-access-control-vulnerability?_s_id=cve
 
joey-zhou--xiaozhi-esp32-server-java A weakness has been identified in joey-zhou xiaozhi-esp32-server-java up to 3.0.0. This impacts the function tryAuthenticateWithCookies of the file AuthenticationInterceptor.java of the component Cookie Handler. Executing manipulation can lead to improper authentication. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. Upgrading to version 4.0.0 will fix this issue. It is recommended to upgrade the affected component. 2025-12-28 6.3 CVE-2025-15135 VDB-338513 | joey-zhou xiaozhi-esp32-server-java Cookie AuthenticationInterceptor.java tryAuthenticateWithCookies improper authentication
VDB-338513 | CTI Indicators (IOB, IOC, IOA)
Submit #713990 | joey-zhou xiaozhi-esp32-server-java V3.0.0 Improper Authentication
https://github.com/joey-zhou/xiaozhi-esp32-server-java/issues/143
https://github.com/joey-zhou/xiaozhi-esp32-server-java/issues/143#issuecomment-3666534810
https://github.com/joey-zhou/xiaozhi-esp32-server-java/issues/143#issue-3722315701
https://github.com/joey-zhou/xiaozhi-esp32-server-java/releases/tag/v4.0.0
 
ketr--JEPaaS A vulnerability was detected in ketr JEPaaS up to 7.2.8. Affected by this vulnerability is the function postilService.loadPostils of the file /je/postil/postil/loadPostil. Performing manipulation of the argument keyWord results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-25 6.3 CVE-2025-15088 VDB-338416 | ketr JEPaaS loadPostil postilService.loadPostils sql injection
VDB-338416 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #708321 | 北京凯特伟业科技有限公司 jepaas v7.2.8 SQL Injection
https://github.com/ha1yu-Yiqiyin/warehouse/blob/main/jepaas-v7.2.8-sqlinject1.md
https://github.com/ha1yu-Yiqiyin/warehouse/blob/main/jepaas-v7.2.8-sqlinject1.md#2%E5%A4%8D%E7%8E%B0replicate
 
kieranoshea--Calendar The Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'event_desc' parameter in all versions up to, and including, 1.3.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted they can convince an administrator to enable lower privilege users to manage calendar events via the plugin settings. 2025-12-23 6.4 CVE-2025-14548 https://www.wordfence.com/threat-intel/vulnerabilities/id/2e61489d-a433-4d44-bb12-8c84204922b9?source=cve
https://plugins.trac.wordpress.org/browser/calendar/trunk/calendar.php#L2154
https://plugins.trac.wordpress.org/browser/calendar/trunk/calendar.php#L899
https://plugins.trac.wordpress.org/changeset?new=3419088%40calendar%2Ftrunk&old=3122280%40calendar%2Ftrunk
 
Kunal Nagar--Custom 404 Pro Cross-Site Request Forgery (CSRF) vulnerability in Kunal Nagar Custom 404 Pro allows Cross Site Request Forgery. This issue affects Custom 404 Pro: from n/a through 3.12.0. 2025-12-22 4.3 CVE-2025-62880 https://vdp.patchstack.com/database/wordpress/plugin/custom-404-pro/vulnerability/wordpress-custom-404-pro-plugin-3-12-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
KYOCERA Corporation--KYOCERA Net Admin KYOCERA Net Admin 3.4.0906 contains a cross-site request forgery vulnerability that allows attackers to create administrative users without proper request validation. Attackers can craft malicious web pages that automatically submit forms to add new admin accounts with predefined credentials when a logged-in user visits the page. 2025-12-24 5.3 CVE-2019-25254 ExploitDB-44431
KYOCERA Official Website
Zero Science Lab Disclosure (ZSL-2018-5458)
 
leap13--Premium Addons for Elementor Powerful Elementor Templates & Widgets The Premium Addons for Elementor - Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_template_content' function in all versions up to, and including, 4.11.53. This makes it possible for unauthenticated attackers to view the content of private, draft, and pending templates. 2025-12-23 5.3 CVE-2025-14155 https://www.wordfence.com/threat-intel/vulnerabilities/id/135c33bb-5ec2-4697-9340-1d2651ff3a0b?source=cve
https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/tags/4.11.53/includes/addons-integration.php#L1624
https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/tags/4.11.53/includes/addons-integration.php#L90
https://plugins.trac.wordpress.org/changeset/3416254/
 
leap13--Premium Addons for Elementor Powerful Elementor Templates & Widgets The Premium Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.11.53. This is due to missing nonce validation in the 'insert_inner_template' function. This makes it possible for unauthenticated attackers to create arbitrary Elementor templates via a forged request granted they can trick a site administrator or other user with the edit_posts capability into performing an action such as clicking on a link. 2025-12-23 4.3 CVE-2025-14163 https://www.wordfence.com/threat-intel/vulnerabilities/id/77b57f2a-0b46-4b4a-bdca-1c5218d739ce?source=cve
https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/tags/4.11.53/includes/templates/classes/manager.php#L246
https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/tags/4.11.53/includes/templates/classes/manager.php#L40
https://plugins.trac.wordpress.org/changeset/3416254/
 
LearningCircuit--local-deep-research Local Deep Research is an AI-powered research assistant for deep, iterative research. In versions from 1.3.0 to before 1.3.9, the download service (download_service.py) makes HTTP requests using raw requests.get() without utilizing the application's SSRF protection (safe_requests.py). This can allow attackers to access internal services and attempt to reach cloud provider metadata endpoints (AWS/GCP/Azure), as well as perform internal network reconnaissance, by submitting malicious URLs through the API, depending on the deployment and surrounding controls. This issue has been patched in version 1.3.9. 2025-12-23 6.3 CVE-2025-67743 https://github.com/LearningCircuit/local-deep-research/security/advisories/GHSA-9c54-gxh7-ppjc
https://github.com/LearningCircuit/local-deep-research/commit/b79089ff30c5d9ae77e6b903c408e1c26ad5c055
 
librenms--librenms LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.12.0, the Alert Rule API is vulnerable to stored cross-site scripting. Alert rules can be created or updated via LibreNMS API. The alert rule name is not properly sanitized, and can be used to inject HTML code. This issue has been patched in version 25.12.0. 2025-12-22 4.3 CVE-2025-68614 https://github.com/librenms/librenms/security/advisories/GHSA-c89f-8g7g-59wj
https://github.com/librenms/librenms/commit/ebe6c79bf4ce0afeb575c1285afe3934e44001f1
 
liweiyi--ChestnutCMS A flaw has been found in liweiyi ChestnutCMS up to 1.5.8. This vulnerability affects the function FilenameUtils.getExtension of the file /dev-api/common/upload of the component Filename Handler. Executing manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been published and may be used. 2025-12-22 6.3 CVE-2025-15009 VDB-337715 | liweiyi ChestnutCMS Filename upload FilenameUtils.getExtension unrestricted upload
VDB-337715 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #719590 | liweiyi ChestnutCMS <=1.5.8 Unrestricted Upload
https://github.com/yuccun/CVE/blob/main/ChestnutCMS-Arbitrary_File_Upload.md
https://github.com/yuccun/CVE/blob/main/ChestnutCMS-Arbitrary_File_Upload.md#vulnerability-proof
 
loganhong--php loganSite A security flaw has been discovered in loganhong php loganSite up to c035fb5c3edd0b2a5e32fd4051cbbc9e61a31426. This affects an unknown function of the file /includes/article_detail.php of the component Article Handler. Performing manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. 2025-12-22 6.3 CVE-2025-15014 VDB-337720 | loganhong php loganSite Article article_detail.php sql injection
VDB-337720 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #720037 | loganhong php 1 SQL Injection
https://github.com/ssiled/cve/issues/1
 
LogicalDOC Srl--LogicalDOC Enterprise LogicalDOC Enterprise 7.7.4 contains multiple authenticated OS command execution vulnerabilities that allow attackers to manipulate binary paths when changing system settings. Attackers can exploit these vulnerabilities by modifying configuration parameters like antivirus.command, ocr.Tesseract.path, and other system paths to execute arbitrary system commands with elevated privileges. 2025-12-24 6.5 CVE-2019-25257 ExploitDB-44021
Official Product Homepage
Zero Science Lab Disclosure (ZSL-2018-5452)
 
macrozheng--mall A security vulnerability has been detected in macrozheng mall up to 1.0.3. This vulnerability affects unknown code of the file /member/address/update/ of the component Member Endpoint. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. 2025-12-28 4.3 CVE-2025-15118 VDB-338496 | macrozheng mall Member Endpoint update improper authorization
VDB-338496 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #711758 | mall latest Improper Control of Resource Identifiers
https://github.com/Hwwg/cve/issues/31
 
marshmallow-code--marshmallow Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time. This issue has been patched in version 3.26.2 and 4.1.2. 2025-12-22 5.3 CVE-2025-68480 https://github.com/marshmallow-code/marshmallow/security/advisories/GHSA-428g-f7cq-pgp5
https://github.com/marshmallow-code/marshmallow/commit/d24a0c9df061c4daa92f71cf85aca25b83eee508
 
Mattermost--Mattermost Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to. 2025-12-24 4.3 CVE-2025-13767 https://mattermost.com/security-updates
 
Mattermost--Mattermost Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users interacted with affected posts 2025-12-24 4.1 CVE-2025-64641 MMSA-2025-00551
 
Microhard Systems--Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Arbitrary File Attacks Microhard Systems IPn4G 1.1.0 contains an authentication bypass vulnerability in the hidden system-editor.sh script that allows authenticated attackers to read, modify, or delete arbitrary files. Attackers can exploit unsanitized 'path', 'savefile', 'edit', and 'delfile' parameters to perform unauthorized file system modifications through GET and POST requests. 2025-12-24 5.5 CVE-2018-25144 ExploitDB-45037
Microhard Systems Product Homepage
Zero Science Lab Disclosure (ZSL-2018-5485)
 
Microhard Systems--Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Configuration Download Microhard Systems IPn4G 1.1.0 contains a configuration file disclosure vulnerability that allows authenticated attackers to download sensitive system configuration files. Attackers can retrieve configuration files from multiple directories including '/www', '/etc/m_cli/', and '/tmp' to access system passwords and network settings. 2025-12-24 6.5 CVE-2018-25145 ExploitDB-45036
Microhard Systems Product Web Page
Zero Science Lab Disclosure (ZSL-2018-5484)
 
Microhard Systems--Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway CSRF Vulnerabilities Microhard Systems IPn4G 1.1.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change admin passwords, add new users, and modify system settings by tricking authenticated users into loading a specially crafted page. 2025-12-24 4.3 CVE-2018-25149 ExploitDB-45034
Microhard Systems Product Web Page
Zero Science Lab Disclosure (ZSL-2018-5478)
 
Microhard Systems--Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Service Control DoS Microhard Systems IPn4G 1.1.0 contains an undocumented vulnerability that allows authenticated attackers to list and manipulate running system processes. Attackers can send arbitrary signals to kill background processes and system services through a hidden feature, potentially causing service disruption and requiring device restart. 2025-12-24 6.5 CVE-2018-25146 ExploitDB-45035
Microhard Systems Product Web Page
Zero Science Lab Disclosure (ZSL-2018-5481)
 
Mybb--myBB forums myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the template management system that allows authenticated administrators to inject malicious scripts when creating new templates. Attackers can exploit this vulnerability by inserting script payloads in the template title field when adding new templates through the 'Templates and Style' > 'Templates' > 'Manage Templates' > 'Global Templates' interface, causing arbitrary JavaScript to execute when the template is viewed. 2025-12-22 5.4 CVE-2023-53976 ExploitDB-51136
Official myBB Software Version Page
VulnCheck Advisory: myBB Forums 1.8.26 Stored Cross-Site Scripting via Template Management
 
Mybb--myBB forums myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum management system that allows authenticated administrators to inject malicious scripts when creating new forums. Attackers can exploit this vulnerability by inserting script payloads in the forum title field when adding new forums through the 'Forums and Posts' > 'Forum Management' interface, causing arbitrary JavaScript to execute when the forum listing is viewed. 2025-12-22 5.4 CVE-2023-53977 ExploitDB-51136
Official myBB Software Version Page
VulnCheck Advisory: myBB Forums 1.8.26 Stored Cross-Site Scripting via Forum Management
 
Mybb--myBB forums myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum announcement system that allows authenticated administrators to inject malicious scripts when creating announcements. Attackers can exploit this vulnerability by inserting script payloads in the announcement title field when adding announcements through the 'Forums and Posts' > 'Forum Announcements' interface, causing arbitrary JavaScript to execute when the announcement is displayed on the forum. 2025-12-22 5.4 CVE-2023-53978 ExploitDB-51136
Official myBB Software Version Page
VulnCheck Advisory: myBB Forums 1.8.26 Stored Cross-Site Scripting via Forum Announcements
 
CmsEasy--CmsEasy A flaw has been found in CmsEasy up to 7.7.7. Affected is the function savetemp_action in the library /lib/admin/template_admin.php of the component Backend Template Management Page. Executing manipulation of the argument content/tempdata can lead to code injection. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-28 4.7 CVE-2025-15148 VDB-338525 | CmsEasy Backend Template Management template_admin.php savetemp_action code injection
VDB-338525 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716303 | cmseasy 7.7.7 Command Injection
https://note-hxlab.wetolink.com/share/msJH69Y06ZlS
 
DedeCMS--DedeCMS A vulnerability was identified in DedeCMS up to 5.7.118. This impacts an unknown function of the file /freelist_main.php. The manipulation of the argument orderby leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. 2025-12-22 6.3 CVE-2025-15004 VDB-337710 | DedeCMS freelist_main.php sql injection
VDB-337710 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #717316 | dedecms V5.7.118 SQL Injection
https://note-hxlab.wetolink.com/share/JPq560c6F6tu
 
EyouCMS--EyouCMS A security flaw has been discovered in EyouCMS up to 1.7.6. The affected element is an unknown function of the file /application/admin/logic/FilemanagerLogic.php of the component Backend Template Management. The manipulation of the argument content results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-28 4.7 CVE-2025-15143 VDB-338521 | EyouCMS Backend Template Management FilemanagerLogic.php sql injection
VDB-338521 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716078 | EyouCMS 1.7.6 Command Injection
https://note-hxlab.wetolink.com/share/XfINjg5i25Ud
 
PbootCMS--PbootCMS A security vulnerability has been detected in PbootCMS up to 3.2.12. The affected element is the function get_user_ip of the file core/function/handle.php of the component Header Handler. The manipulation of the argument X-Forwarded-For leads to use of less trusted source. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. 2025-12-28 5.3 CVE-2025-15154 VDB-338532 | PbootCMS Header handle.php get_user_ip less trusted source
VDB-338532 | CTI Indicators (IOB, IOC, IOA)
Submit #719818 | PbootCMS 3.2.12 get_user_ip IP Address Spoofing
https://note-hxlab.wetolink.com/share/JyBNgF8JagWQ
 
omec-project--UPF A flaw has been found in omec-project UPF up to 2.1.3-dev. This affects the function handleSessionEstablishmentRequest of the file /pfcpiface/pfcpiface/messages_session.go of the component PFCP Session Establishment Request Handler. This manipulation causes null pointer dereference. The attack may be initiated remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-28 4.3 CVE-2025-15156 VDB-338534 | omec-project UPF PFCP Session Establishment Request messages_session.go handleSessionEstablishmentRequest null pointer dereference
VDB-338534 | CTI Indicators (IOB, IOC, IOA)
Submit #719824 | Aether SD-Core UPF v2.1.3-dev NULL Pointer Dereference
https://github.com/omec-project/upf/issues/979
 
ONLYOFFICE--Document Server ONLYOFFICE Docs before 9.2.1 allows XSS in the textarea of the comment editing form. This is related to DocumentServer. 2025-12-24 6.4 CVE-2025-68917 https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#921
 
ONLYOFFICE--Document Server ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer. 2025-12-25 6.4 CVE-2025-68935 https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#921
 
ONLYOFFICE--Document Server ONLYOFFICE Docs before 9.2.1 allows XSS via the Color theme name. This is related to DocumentServer. 2025-12-25 6.4 CVE-2025-68936 https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#921
 
Orangescrum--orangescrum Orangescrum 1.8.0 contains multiple cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through various input parameters. Attackers can exploit parameters like 'projid', 'CS_message', and 'name' to execute arbitrary JavaScript code in victim's browsers by submitting crafted payloads through application endpoints. 2025-12-23 5.4 CVE-2021-47716 ExploitDB-50554
Official Orangescrum Product Homepage
VulnCheck Advisory: Orangescrum 1.8.0 Cross-Site Scripting via Authenticated Endpoints
 
Pexip--Infinity Pexip Infinity 32.0 through 37.1 before 37.2, in certain configurations of OTJ (One Touch Join) for Teams SIP Guest Join, has Improper Input Validation in the OTJ service, allowing a remote attacker to trigger a software abort via a crafted calendar invite, leading to a denial of service. 2025-12-25 5.9 CVE-2025-49088 https://docs.pexip.com/admin/security_bulletins.htm
 
Pexip--Infinity Pexip Infinity 38.0 and 38.1 before 39.0 has insufficient access control in the RTMP implementation, allowing an attacker to disconnect RTMP streams traversing a Proxy Node. 2025-12-25 5.9 CVE-2025-66378 https://docs.pexip.com/admin/security_bulletins.htm
 
PHP Group--PHP In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server. 2025-12-27 6.5 CVE-2025-14178 https://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2
 
PluginOps--Feather Login Page Cross-Site Request Forgery (CSRF) vulnerability in PluginOps Feather Login Page allows Cross Site Request Forgery. This issue affects Feather Login Page: from n/a through 1.1.7. 2025-12-22 4.3 CVE-2025-62107 https://vdp.patchstack.com/database/wordpress/plugin/feather-login-page/vulnerability/wordpress-feather-login-page-plugin-1-1-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
prasathmani--TinyFileManager A flaw has been found in prasathmani TinyFileManager up to 2.6. Affected by this issue is some unknown functionality of the file tinyfilemanager.php. This manipulation of the argument fullpath causes path traversal. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-28 4.7 CVE-2025-15138 VDB-338516 | prasathmani TinyFileManager tinyfilemanager.php path traversal
VDB-338516 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #714177 | tinyfilemanager 2.6 File Upload(RCE)
https://mesquite-dream-86b.notion.site/tinyfilemanager-File-Upload-RCE-Report-2c7512562197800d86b3e68534a56a91
 
PX4--PX4-Autopilot A vulnerability was found in PX4 PX4-Autopilot up to 1.16.0. Affected by this issue is the function MavlinkLogHandler::state_listing/MavlinkLogHandler::log_entry_from_id of the file src/modules/mavlink/mavlink_log_handler.cpp. The manipulation results in stack-based buffer overflow. The attack is only possible with local access. The patch is identified as 338595edd1d235efd885fd5e9f45e7f9dcf4013d. It is best practice to apply a patch to resolve this issue. 2025-12-28 5.3 CVE-2025-15150 VDB-338527 | PX4 PX4-Autopilot mavlink_log_handler.cpp log_entry_from_id stack-based overflow
VDB-338527 | CTI Indicators (IOB, IOC, IOA)
Submit #717323 | PX4 Autopilot main branch Stack-based Buffer Overflow
https://github.com/PX4/PX4-Autopilot/issues/26118
https://github.com/PX4/PX4-Autopilot/pull/26124
https://github.com/PX4/PX4-Autopilot/pull/26124/commits/338595edd1d235efd885fd5e9f45e7f9dcf4013d
 
Riello--NetMan Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/login.cgi username SQL Injection. For example, an attacker can delete the LOGINFAILEDTABLE table. 2025-12-24 6.5 CVE-2025-68914 https://github.com/gerico-lab/riello-multiple-vulnerabilities-2025
 
Riello--NetMan Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/loginbanner_w.cgi XSS via a crafted banner. 2025-12-24 5.5 CVE-2025-68915 https://github.com/gerico-lab/riello-multiple-vulnerabilities-2025
 
shanyu--SyCms A vulnerability has been found in shanyu SyCms up to a242ef2d194e8bb249dc175e7c49f2c1673ec921. This issue affects the function addPost of the file Application/Admin/Controller/FileManageController.class.php of the component Administrative Panel. The manipulation leads to code injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. This product adopts a rolling release strategy to maintain continuous delivery The project was informed of the problem early through an issue report but has not responded yet. This vulnerability only affects products that are no longer supported by the maintainer. 2025-12-28 4.7 CVE-2025-15130 VDB-338508 | shanyu SyCms Administrative Panel FileManageController.class.php addPost code injection
VDB-338508 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #712813 | SyCms 1.0 Unrestricted Upload
https://gitee.com/shanyu/SyCms/issues/IDCEWG
 
SOCA Technology Co., Ltd--SOCA Access Control System SOCA Access Control System 180612 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages that submit forged requests to create admin accounts by tricking logged-in users into visiting a malicious site. 2025-12-24 5.3 CVE-2018-25127 ExploitDB-46834
SOCA Technology Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5520)
 
SOUND4 Ltd.--Impact/Pulse/First SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages that submit HTTP requests to the radio processing interface, triggering unintended administrative operations when a logged-in user visits the page. 2025-12-22 5.3 CVE-2023-53961 ExploitDB-51168
SOUND4 Official Product Homepage
Zero Science Lab Disclosure (ZSL-2022-5722)
VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x Cross-Site Request Forgery
 
stellarwp--Membership Plugin Restrict Content The Membership Plugin - Restrict Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'register_form' and 'restrict' shortcodes in all versions up to, and including, 3.2.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2025-12-23 6.4 CVE-2025-14000 https://www.wordfence.com/threat-intel/vulnerabilities/id/0b6a84d7-9e77-4a2f-b065-872e8650e75e?source=cve
https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.15/core/includes/shortcodes.php#L26
https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.15/core/includes/shortcodes.php#L135
https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.15/core/includes/member-forms.php#L126
https://plugins.trac.wordpress.org/changeset/3420370/restrict-content/trunk/core/includes/member-forms.php?old=2642097&old_path=restrict-content%2Ftrunk%2Fcore%2Fincludes%2Fmember-forms.php
https://plugins.trac.wordpress.org/changeset/3420370/restrict-content/trunk/core/includes/shortcodes.php?old=2850120&old_path=restrict-content%2Ftrunk%2Fcore%2Fincludes%2Fshortcodes.php
 
sunkaifei--FlyCMS A security flaw has been discovered in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414. The affected element is an unknown function of the file src/main/java/com/flycms/web/system/IndexAdminController.java of the component Admin Login. Performing manipulation of the argument redirectUrl results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-26 4.3 CVE-2025-15093 VDB-338422 | sunkaifei FlyCMS Admin Login IndexAdminController.java cross site scripting
VDB-338422 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #708996 | sunkaifei FlyCms <=1.0.0 XSS
https://github.com/sunkaifei/FlyCms/issues/15
 
sunkaifei--FlyCMS A weakness has been identified in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414. The impacted element is the function userLogin of the file src/main/java/com/flycms/web/front/UserController.java of the component User Login. Executing manipulation of the argument redirectUrl can lead to cross site scripting. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-26 4.3 CVE-2025-15094 VDB-338423 | sunkaifei FlyCMS User Login UserController.java userLogin cross site scripting
VDB-338423 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #708997 | sunkaifei FlyCms <=1.0.0 XSS
https://github.com/sunkaifei/FlyCms/issues/16
 
Synaccess Networks Inc.--netBooter NP-0801DU Synaccess netBooter NP-0801DU 7.4 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages with hidden form submissions to add admin users by tricking authenticated administrators into loading a malicious page. 2025-12-24 4.3 CVE-2018-25133 ExploitDB-45894
Synaccess Networks Official Product Homepage
Zero Science Lab Disclosure (ZSL-2018-5501)
 
Teradek, LLC--Cube Teradek Cube 7.3.6 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft a malicious web page with a hidden form to submit password change requests to the device's system configuration interface. 2025-12-24 5.3 CVE-2018-25156 ExploitDB-44675
Teradek Official Product Homepage
Zero Science Lab Disclosure (ZSL-2018-5464)
 
Teradek, LLC--Slice Teradek Slice 7.3.15 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft a malicious web page that automatically submits password change requests to the device when a logged-in user visits the page. 2025-12-24 5.3 CVE-2018-25155 ExploitDB-44676
Teradek Official Product Homepage
Zero Science Lab Disclosure (ZSL-2018-5467)
 
Teradek, LLC--VidiU Pro Teradek VidiU Pro 3.0.3 contains a server-side request forgery vulnerability in the management interface that allows attackers to manipulate GET parameters 'url' and 'xml_url'. Attackers can exploit this flaw to bypass firewalls, initiate network enumeration, and potentially trigger external HTTP requests to arbitrary destinations. 2025-12-24 5.3 CVE-2019-25251 ExploitDB-44672
Teradek Product Homepage
Zero Science Lab Disclosure (ZSL-2018-5461)
 
Teradek--VidiU Pro Teradek VidiU Pro 3.0.3 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft malicious web pages that automatically submit password change requests to the device when a logged-in administrator visits the page. 2025-12-24 5.3 CVE-2019-25252 ExploitDB-44671
Teradek Official Product Homepage
Zero Science Lab Disclosure (ZSL-2018-5460)
 
thehappymonster--Happy Addons for Elementor The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ha_page_custom_js' parameter in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, despite the intended role restriction of Custom JS to Administrators. 2025-12-23 6.4 CVE-2025-14635 https://www.wordfence.com/threat-intel/vulnerabilities/id/16e7adef-68ab-4dd6-bd80-252622cfe705?source=cve
https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.2/extensions/custom-js.php#L76
https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.2/extensions/custom-js.php#L60
https://plugins.trac.wordpress.org/changeset/3421733/
 
TOZED--ZLT M30s A vulnerability was found in TOZED ZLT M30s up to 1.47. Impacted is an unknown function of the file /reqproc/proc_post of the component Web Management Interface. Performing manipulation of the argument goformId results in information disclosure. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-25 5.3 CVE-2025-15082 VDB-338410 | TOZED ZLT M30s Web Management proc_post information disclosure
VDB-338410 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #707306 | ZLT M30s MTNNGRM30S_1.47, M30S_1.47 (other versions might be vulnerable) Improper Access Control - Critical Information Disclosure
https://www.hacklab.eu.org/blogs/zlt_m30s_information_disclosure
https://youtu.be/u_H29UdiPOc
 
TRENDnet--TEW-822DRE A vulnerability has been found in TRENDnet TEW-822DRE 1.00B21/1.01B06. This affects the function sub_43ACF4  of the file /boafrm/formWsc. Such manipulation of the argument peerPin leads to command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-28 6.3 CVE-2025-15139 VDB-338517 | TRENDnet TEW-822DRE formWsc sub_43ACF4  command injection
VDB-338517 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #715131 | TRENDnet TEW-822DRE v1.01B06 / 1.00B21 Command Injection
https://pentagonal-time-3a7.notion.site/TRENDnet-TEW-822DRE-Command-Injection-2c9e5dd4c5a580f190e9c411ad627e9a#2c9e5dd4c5a5801dae7ad20828639d4b
 
Tyche softwares--Product Delivery Date for WooCommerce Lite Vulnerability in Tyche softwares Product Delivery Date for WooCommerce - Lite. This issue affects Product Delivery Date for WooCommerce - Lite: from n/a through 2.7.0. 2025-12-23 5.3 CVE-2023-52210 https://vdp.patchstack.com/database/wordpress/plugin/product-delivery-date-for-woocommerce-lite/vulnerability/wordpress-product-delivery-date-for-woocommerce-lite-plugin-2-7-0-broken-access-control-vulnerability?_s_id=cve
 
VideoFlow Ltd.--Digital Video Protection DVP VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows attackers to access arbitrary system files through unvalidated 'ID' parameters. Attackers can exploit multiple Perl scripts like downloadsys.pl to read sensitive files by manipulating directory path traversal in download requests. 2025-12-24 6.5 CVE-2019-25256 ExploitDB-44386
VideoFlow Product Web Page
Zero Science Lab Disclosure (ZSL-2018-5454)
 
VideoFlow Ltd.--VideoFlow Digital Video Protection DVP VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows attackers to execute system commands with root privileges. Attackers can exploit the vulnerability through a cross-site request forgery (CSRF) mechanism to gain unauthorized system access. 2025-12-24 4.3 CVE-2019-25255 ExploitDB-44387
VideoFlow Official Product Homepage
Zero Science Lab Disclosure (ZSL-2018-5455)
 
Vikas Ratudi--Chakra test Missing Authorization vulnerability in Vikas Ratudi Chakra test allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Chakra test: from n/a through 1.0.1. 2025-12-23 4.3 CVE-2025-68557 https://vdp.patchstack.com/database/wordpress/plugin/chakra-test/vulnerability/wordpress-chakra-test-plugin-1-0-1-broken-access-control-vulnerability?_s_id=cve
 
Vikas Ratudi--VPSUForm Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Vikas Ratudi VPSUForm allows Retrieve Embedded Sensitive Data. This issue affects VPSUForm: from n/a through 3.2.24. 2025-12-23 6.5 CVE-2025-68551 https://vdp.patchstack.com/database/wordpress/plugin/v-form/vulnerability/wordpress-vpsuform-plugin-3-2-24-sensitive-data-exposure-vulnerability?_s_id=cve
 
VillaTheme--HAPPY Missing Authorization vulnerability in VillaTheme HAPPY allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HAPPY: from n/a through 1.0.9. 2025-12-23 5.3 CVE-2025-68556 https://vdp.patchstack.com/database/wordpress/plugin/happy-helpdesk-support-ticket-system/vulnerability/wordpress-happy-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve
 
Voidthemes--Void Elementor WHMCS Elements For Elementor Page Builder Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Voidthemes Void Elementor WHMCS Elements For Elementor Page Builder. This issue affects Void Elementor WHMCS Elements For Elementor Page Builder: from n/a through 2.0.1.2. 2025-12-22 6.5 CVE-2025-62094 https://vdp.patchstack.com/database/wordpress/plugin/void-elementor-whmcs-elements/vulnerability/wordpress-void-elementor-whmcs-elements-for-elementor-page-builder-plugin-2-0-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
WebCodingPlace--Responsive Posts Carousel Pro Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebCodingPlace Responsive Posts Carousel Pro allows Stored XSS. This issue affects Responsive Posts Carousel Pro: from n/a through 15.2. 2025-12-23 6.5 CVE-2025-68548 https://vdp.patchstack.com/database/wordpress/plugin/responsive-posts-carousel-pro/vulnerability/wordpress-responsive-posts-carousel-pro-plugin-15-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
wpshuffle--Frontend Post Submission Manager Lite Frontend Posting WordPress Plugin The Frontend Post Submission Manager Lite - Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to an incorrect authorization check on the 'media_delete_action' function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to delete arbitrary attachments. 2025-12-25 5.3 CVE-2025-14913 https://www.wordfence.com/threat-intel/vulnerabilities/id/19a6b19c-244d-4b30-8db2-b4d06a5f5509?source=cve
https://plugins.trac.wordpress.org/browser/frontend-post-submission-manager-lite/tags/1.2.6/includes/classes/class-fpsml-ajax.php#L91
https://plugins.trac.wordpress.org/changeset/3427082/frontend-post-submission-manager-lite
 
youlaitech--youlai-mall A security flaw has been discovered in youlaitech youlai-mall 1.0.0/2.0.0. This affects the function deductBalance of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java of the component Balance Handler. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-25 4.3 CVE-2025-15085 VDB-338413 | youlaitech youlai-mall Balance MemberController.java deductBalance improper authorization
VDB-338413 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #708175 | youlai-mall latest Improper Control of Resource Identifiers
https://github.com/Hwwg/cve/issues/26
 
youlaitech--youlai-mall A weakness has been identified in youlaitech youlai-mall 1.0.0/2.0.0. This impacts the function getMemberByMobile of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java. This manipulation causes improper access controls. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-25 4.3 CVE-2025-15086 VDB-338414 | youlaitech youlai-mall MemberController.java getMemberByMobile access control
VDB-338414 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #708176 | youlai-mall latest Improper Control of Resource Identifiers
https://github.com/Hwwg/cve/issues/27
 
youlaitech--youlai-mall A security vulnerability has been detected in youlaitech youlai-mall 1.0.0/2.0.0. Affected is the function submitOrderPayment of the file mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java. Such manipulation of the argument orderSn leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-25 4.3 CVE-2025-15087 VDB-338415 | youlaitech youlai-mall OrderController.java submitOrderPayment improper authorization
VDB-338415 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #708180 | youlai-mall latest Improper Control of Resource Identifiers
https://github.com/Hwwg/cve/issues/30
 
YunaiV--yudao-cloud A vulnerability was determined in YunaiV yudao-cloud up to 2025.11. This affects the function BpmHttpCallbackTrigger/BpmSyncHttpRequestTrigger of the component Business Process Management. Executing manipulation of the argument url/header/body can lead to server-side request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-26 6.3 CVE-2025-15098 VDB-338429 | YunaiV yudao-cloud Business Process Management BpmSyncHttpRequestTrigger server-side request forgery
VDB-338429 | CTI Indicators (IOB, IOC, IOA)
Submit #710170 | YunaiV YuDao Cloud <=v2025.11 Server-Side Request Forgery
https://github.com/AnalogyC0de/public_exp/blob/main/archives/yudao-cloud-bpm_SSRF/report.md
https://github.com/AnalogyC0de/public_exp/blob/main/archives/yudao-cloud-bpm_SSRF/report.md#proof-of-concept
 
ZKTeco--BioTime A vulnerability was detected in ZKTeco BioTime up to 9.0.3/9.0.4/9.5.2. This affects an unknown part of the file /base/safe_setting/ of the component Endpoint. Performing manipulation of the argument backup_encryption_password_decrypt/export_encryption_password_decrypt results in unprotected storage of credentials. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-28 5.3 CVE-2025-15128 VDB-338506 | ZKTeco BioTime Endpoint safe_setting credentials storage
VDB-338506 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #711813 | ZkBioTime CMS 9.0.3, 9.0.4, 9.5.2 IDOR
https://github.com/ionutluca888/IDOR-POC-ZKBio-Time/tree/main
 
ZSPACE--Z4Pro+ A vulnerability was found in ZSPACE Z4Pro+ 1.0.0440024. Impacted is the function zfilev2_api_SafeStatus of the file /v2/file/safe/status of the component HTTP POST Request Handler. The manipulation results in command injection. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure. 2025-12-28 6.3 CVE-2025-15131 VDB-338509 | ZSPACE Z4Pro+ HTTP POST Request status zfilev2_api_SafeStatus command injection
VDB-338509 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #713874 | ZSPACE Z4Pro+ v1.0.0440024 Command Injection
https://github.com/LX-66-LX/cve/issues/1
 
ZSPACE--Z4Pro+ A vulnerability was determined in ZSPACE Z4Pro+ 1.0.0440024. The affected element is the function zfilev2_api_open of the file /v2/file/safe/open of the component HTTP POST Request Handler. This manipulation causes command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure. 2025-12-28 6.3 CVE-2025-15132 VDB-338510 | ZSPACE Z4Pro+ HTTP POST Request open zfilev2_api_open command injection
VDB-338510 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #713885 | ZSPACE Z4Pro+ v1.0.0440024 Command Injection
https://github.com/LX-66-LX/cve/issues/2
 
ZSPACE--Z4Pro+ A vulnerability was identified in ZSPACE Z4Pro+ 1.0.0440024. The impacted element is the function zfilev2_api_CloseSafe of the file /v2/file/safe/close of the component HTTP POST Request Handler. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure. 2025-12-28 6.3 CVE-2025-15133 VDB-338511 | ZSPACE Z4Pro+ HTTP POST Request close zfilev2_api_CloseSafe command injection
VDB-338511 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #713887 | ZSPACE Z4Pro+ v1.0.0440024 Command Injection
https://github.com/LX-66-LX/cve/issues/3
 

Back to top

Low Vulnerabilities

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
actiontech--sqle A security vulnerability has been detected in actiontech sqle up to 4.2511.0. The impacted element is an unknown function of the file sqle/utils/jwt.go of the component JWT Secret Handler. The manipulation of the argument JWTSecretKey leads to use of hard-coded cryptographic key . The attack is possible to be carried out remotely. The attack's complexity is rated as high. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report and is planning to fix this flaw in an upcoming release. 2025-12-27 3.7 CVE-2025-15107 VDB-338478 | actiontech sqle JWT Secret jwt.go hard-coded key
VDB-338478 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #710380 | https://github.com/actiontech https://github.com/actiontech/sqle ≤4.2511.0 Authentication Bypass by Primary Weakness
https://github.com/actiontech/sqle/issues/3186
https://github.com/actiontech/sqle/milestone/53
 
Axesstmc--Zucchetti Axess CLOKI Access Control Zucchetti Axess CLOKI Access Control 1.64 contains a cross-site request forgery vulnerability that allows attackers to manipulate access control settings without user interaction. Attackers can craft malicious web pages with hidden forms to disable or modify access control parameters by tricking authenticated users into loading the page. 2025-12-23 3.5 CVE-2021-47722 ExploitDB-50595
Product Web Page
Zero Science Lab Disclosure (ZSL-2021-5689)
VulnCheck Advisory: Zucchetti Axess CLOKI Access Control 1.64 Cross-Site Request Forgery
 
code-projects--Student Information System A vulnerability was detected in code-projects Student Information System 1.0. This vulnerability affects unknown code of the file /profile.php. Performing manipulation of the argument firstname/lastname results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used. 2025-12-24 3.5 CVE-2025-15052 VDB-337858 | code-projects Student Information System profile.php cross site scripting
VDB-337858 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #720765 | Fabian Ros Student Information System In PHP With Source Code November 2, 2025 Cross Site Scripting
https://github.com/i4G5d/CRITICAL-SECURITY-VULNERABILITY-REPORT-Stored-XSS
https://code-projects.org/
 
Dromara--Sa-Token A weakness has been identified in Dromara Sa-Token up to 1.44.0. This affects the function ObjectInputStream.readObject of the file SaJdkSerializer.java. Executing manipulation can lead to deserialization. The attack may be launched remotely. This attack is characterized by high complexity. It is indicated that the exploitability is difficult. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-28 3.1 CVE-2025-15117 VDB-338495 | Dromara Sa-Token SaJdkSerializer.java ObjectInputStream.readObject deserialization
VDB-338495 | CTI Indicators (IOB, IOC, IOA)
Submit #711750 | github.com/dromara/Sa-Token Sa-Token <=1.44.0 Deserialization
https://github.com/Yohane-Mashiro/Sa-Token-cve
 
getmaxun--maxun A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-27 3.7 CVE-2025-15105 VDB-338476 | getmaxun auth.ts hard-coded key
VDB-338476 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #710256 | https://github.com/getmaxun https://github.com/getmaxun/maxun ≤ v0.0.28 Authentication Bypass by Primary Weakness
https://gist.github.com/H2u8s/40be31987e52fc81076b6bfcfbdf3cd6
 
Gitea--Gitea In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request. 2025-12-26 3.1 CVE-2025-68940 https://blog.gitea.com/release-of-1.22.5/
https://github.com/go-gitea/gitea/releases/tag/v1.22.5
https://github.com/go-gitea/gitea/pull/32654
 
Honor--Magic OS ADB(Android Debug Bridge) is affected by type privilege bypass, successful exploitation of this vulnerability may affect service availability. 2025-12-24 2.2 CVE-2025-57840 https://www.honor.com/global/security/cve-2025-57840
 
IBM--Aspera Faspex 5 IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 may allow inconsistent permissions between the user interface and backend API allowed users to access features that appeared disabled, potentially leading to misuse. 2025-12-26 3.8 CVE-2025-36228 https://www.ibm.com/support/pages/node/7255331
 
IBM--Aspera Faspex 5 IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 could allow authenticated users to enumerate sensitive information of data due by enumerating package identifiers. 2025-12-26 3.1 CVE-2025-36229 https://www.ibm.com/support/pages/node/7255331
 
CouchCMS--CouchCMS A security flaw has been discovered in CouchCMS up to 2.4. Affected is an unknown function of the file couch/config.example.php of the component reCAPTCHA Handler. The manipulation of the argument K_RECAPTCHA_SITE_KEY/K_RECAPTCHA_SECRET_KEY results in use of hard-coded cryptographic key . It is possible to launch the attack remotely. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been released to the public and may be exploited. 2025-12-22 3.7 CVE-2025-15005 VDB-337711 | CouchCMS reCAPTCHA config.example.php hard-coded key
VDB-337711 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #718998 | https://github.com/CouchCMS/CouchCMS ≤ 2.4 Use of Hard-coded Cryptographic Key
https://note-hxlab.wetolink.com/share/jNNcrdrNyCvl
https://note-hxlab.wetolink.com/share/jNNcrdrNyCvl#-span--strong-proof-of-concept---strong---span-
 
Halo--Halo A vulnerability was determined in Halo up to 2.21.10. This issue affects some unknown processing of the file /actuator of the component Configuration Handler. Executing manipulation can lead to information disclosure. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-28 3.1 CVE-2025-15141 VDB-338519 | Halo Configuration actuator information disclosure
VDB-338519 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #715235 | Halo 2.21.10 Exposure of Sensitive Information Due to Incompatible Policies
https://github.com/SECWG/cve/issues/9
 
JeecgBoot--JeecgBoot A vulnerability was detected in JeecgBoot up to 3.9.0. This issue affects the function queryPageList of the file /sys/sysDepartRole/list. The manipulation of the argument deptId results in improper authorization. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-28 3.1 CVE-2025-15119 VDB-338497 | JeecgBoot list queryPageList improper authorization
VDB-338497 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #711771 | JeecgBoot 3.9.0 Improper Control of Resource Identifiers
https://github.com/Hwwg/cve/issues/32
 
JeecgBoot--JeecgBoot A flaw has been found in JeecgBoot up to 3.9.0. Impacted is the function getDeptRoleList of the file /sys/sysDepartRole/getDeptRoleList. This manipulation of the argument departId causes improper authorization. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-28 3.1 CVE-2025-15120 VDB-338498 | JeecgBoot getDeptRoleList improper authorization
VDB-338498 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #711772 | JeecgBoot 3.9.0 Improper Control of Resource Identifiers
https://github.com/Hwwg/cve/issues/33
 
JeecgBoot--JeecgBoot A vulnerability was found in JeecgBoot up to 3.9.0. The impacted element is the function loadDatarule of the file /sys/sysDepartRole/datarule/. Performing manipulation of the argument departId/roleId results in improper authorization. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-28 3.1 CVE-2025-15122 VDB-338500 | JeecgBoot datarule loadDatarule improper authorization
VDB-338500 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #711774 | JeecgBoot 3.9.0 Improper Control of Resource Identifiers
https://github.com/Hwwg/cve/issues/35
 
JeecgBoot--JeecgBoot A vulnerability was determined in JeecgBoot up to 3.9.0. This affects an unknown function of the file /sys/sysDepartPermission/datarule/. Executing manipulation can lead to improper authorization. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-28 3.1 CVE-2025-15123 VDB-338501 | JeecgBoot datarule improper authorization
VDB-338501 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #711775 | JeecgBoot 3.9.0 Improper Control of Resource Identifiers
https://github.com/Hwwg/cve/issues/36
 
JeecgBoot--JeecgBoot A vulnerability was identified in JeecgBoot up to 3.9.0. This impacts the function getParameterMap of the file /sys/sysDepartPermission/list. The manipulation of the argument departId leads to improper authorization. The attack can be initiated remotely. The attack's complexity is rated as high. The exploitability is said to be difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-28 3.1 CVE-2025-15124 VDB-338502 | JeecgBoot list getParameterMap improper authorization
VDB-338502 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #711776 | JeecgBoot 3.9.0 Improper Control of Resource Identifiers
https://github.com/Hwwg/cve/issues/37
 
JeecgBoot--JeecgBoot A security flaw has been discovered in JeecgBoot up to 3.9.0. Affected is the function queryDepartPermission of the file /sys/permission/queryDepartPermission. The manipulation of the argument departId results in improper authorization. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-28 3.1 CVE-2025-15125 VDB-338503 | JeecgBoot queryDepartPermission improper authorization
VDB-338503 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #711777 | JeecgBoot 3.9.0 Improper Control of Resource Identifiers
https://github.com/Hwwg/cve/issues/38
 
JeecgBoot--JeecgBoot A weakness has been identified in JeecgBoot up to 3.9.0. Affected by this vulnerability is the function getPositionUserList of the file /sys/position/getPositionUserList. This manipulation of the argument positionId causes improper authorization. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-28 3.1 CVE-2025-15126 VDB-338504 | JeecgBoot getPositionUserList improper authorization
VDB-338504 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #711782 | JeecgBoot 3.9.0 Improper Control of Resource Identifiers
https://github.com/Hwwg/cve/issues/39
 
JeecgBoot--JeecgBoot A vulnerability has been found in JeecgBoot up to 3.9.0. The affected element is the function getDeptRoleByUserId of the file /sys/sysDepartRole/getDeptRoleByUserId. Such manipulation of the argument departId leads to information disclosure. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-28 2.4 CVE-2025-15121 VDB-338499 | JeecgBoot getDeptRoleByUserId information disclosure
VDB-338499 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #711773 | JeecgBoot 3.9.0 Improper Control of Resource Identifiers
https://github.com/Hwwg/cve/issues/34
 
OpenCart--OpenCart A security flaw has been discovered in OpenCart up to 4.1.0.3. Affected by this issue is some unknown functionality of the component Single-Use Coupon Handler. Performing manipulation results in race condition. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-28 3.7 CVE-2025-15116 VDB-338494 | OpenCart Single-Use Coupon race condition
VDB-338494 | CTI Indicators (IOB, IOC)
Submit #711745 | OpenCart 4.1.0.3 Time-of-check Time-of-use
https://gist.github.com/KhanMarshaI/a55f125a55de1c0d4f41e66236027e01
https://gist.github.com/KhanMarshaI/a55f125a55de1c0d4f41e66236027e01#steps-to-reproduce
 
PbootCMS--PbootCMS A weakness has been identified in PbootCMS up to 3.2.12. Impacted is an unknown function of the file /data/pbootcms.db of the component SQLite Database. Executing manipulation can lead to files or directories accessible. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is considered difficult. The exploit has been made available to the public and could be exploited. Modifying the configuration settings is advised. 2025-12-28 3.7 CVE-2025-15153 VDB-338531 | PbootCMS SQLite Database pbootcms.db file access
VDB-338531 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #719814 | PbootCMS 3.2.12 SQLite Database File Disclosure
https://note-hxlab.wetolink.com/share/ALC1iSa8J56A
 
PandaXGO--PandaX A vulnerability was detected in PandaXGO PandaX up to fb8ff40f7ce5dfebdf66306c6d85625061faf7e5. This affects an unknown function of the file config.yml of the component JWT Secret Handler. The manipulation of the argument key results in use of hard-coded cryptographic key . The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit is now public and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-27 3.7 CVE-2025-15108 VDB-338479 | PandaXGO PandaX JWT Secret config.yml hard-coded key
VDB-338479 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #711519 | https://github.com/PandaXGO https://github.com/PandaXGO/PandaX before commit fb8ff40f7ce5dfebdf66306c6d85625061faf7e5 (As of December 10, 2025) Authentication Bypass by Primary Weakness
https://github.com/PandaXGO/PandaX/issues/9
 
postmanlabs--httpbin A security vulnerability has been detected in postmanlabs httpbin up to 0.6.1. This affects an unknown function of the file httpbin-master/httpbin/core.py. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-26 3.5 CVE-2025-15095 VDB-338424 | postmanlabs httpbin core.py cross site scripting
VDB-338424 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #709002 | postmanlabs httpbin <=0.6.1 XSS
https://github.com/postmanlabs/httpbin/issues/735
 
rawchen--ecms A vulnerability has been found in rawchen ecms up to b59d7feaa9094234e8aa6c8c6b290621ca575ded. Affected by this vulnerability is the function updateProductServlet of the file src/servlet/product/updateProductServlet.java of the component Add New Product Page. The manipulation of the argument productName leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-28 2.4 CVE-2025-15149 VDB-338526 | rawchen ecms Add New Product updateProductServlet.java updateProductServlet cross site scripting
VDB-338526 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716583 | https://github.com/rawchen/ecms?tab=readme-ov-file ecms 1.0 Stored XSS
https://github.com/zyhzheng500-maker/cve/blob/main/%E5%AD%98%E5%82%A8%E5%9E%8BXss.md
 
SohuTV--CacheCloud A security vulnerability has been detected in SohuTV CacheCloud up to 3.2.0. This affects the function doTotalList of the file src/main/java/com/sohu/cache/web/controller/TotalManageController.java. Such manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-28 2.4 CVE-2025-15145 VDB-338523 | SohuTV CacheCloud TotalManageController.java doTotalList cross site scripting
VDB-338523 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716301 | SohuTV CacheCloud <=3.2.0 Reflected XSS
https://github.com/sohutv/cachecloud/issues/365
https://github.com/sohutv/cachecloud/issues/365#issue-3733522215
 
SohuTV--CacheCloud A vulnerability was detected in SohuTV CacheCloud up to 3.2.0. This impacts the function doUserList of the file src/main/java/com/sohu/cache/web/controller/UserManageController.java. Performing manipulation results in cross site scripting. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-28 2.4 CVE-2025-15146 VDB-338524 | SohuTV CacheCloud UserManageController.java doUserList cross site scripting
VDB-338524 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #716302 | SohuTV CacheCloud <=3.2.0 Reflected XSS
https://github.com/sohutv/cachecloud/issues/366
https://github.com/sohutv/cachecloud/issues/366#issue-3733542570
 
TaleLin--Lin-CMS A vulnerability was determined in TaleLin Lin-CMS up to 0.6.0. This affects an unknown part of the file /tests/config.py of the component Tests Folder. This manipulation of the argument username/password causes password in configuration file. The attack is possible to be carried out remotely. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been publicly disclosed and may be utilized. 2025-12-28 3.7 CVE-2025-15151 VDB-338528 | TaleLin Lin-CMS Tests Folder config.py password in configuration file
VDB-338528 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #721893 | https://doc.cms.talelin.com/ Lin-CMS 0.6.0 weak password
https://github.com/m3ngx1ng/cve/blob/4690d4020a4a642af4c50912f762937292228641/lin-cms.md
 
TOZED--ZLT M30s A vulnerability was determined in TOZED ZLT M30s up to 1.47. The affected element is an unknown function of the component UART Interface. Executing manipulation can lead to on-chip debug and test interface with improper access control. The physical device can be targeted for the attack. Attacks of this nature are highly complex. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-25 2 CVE-2025-15083 VDB-338411 | TOZED ZLT M30s UART on-chip debug and test interface with improper access control
VDB-338411 | CTI Indicators (IOB, IOC)
Submit #707974 | TOZED ZLT M30s 1.47 Improper Access Control in Debug Interface
https://hacklab.eu.org/blogs/zlt_m30s_debug_interface
 
youlaitech--youlai-mall A vulnerability was identified in youlaitech youlai-mall 1.0.0/2.0.0. The impacted element is the function orderService.payOrder of the file mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java of the component Order Payment Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-12-25 3.1 CVE-2025-15084 VDB-338412 | youlaitech youlai-mall Order Payment OrderController.java orderService.payOrder access control
VDB-338412 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #708174 | youlai-mall latest Improper Control of Resource Identifiers
https://github.com/Hwwg/cve/issues/24
 
yourmaileyes--MOOC A security flaw has been discovered in yourmaileyes MOOC up to 1.17. This affects the function subreview of the file mooc/controller/MainController.java of the component Submission Handler. Performing manipulation of the argument review results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. The project was informed of the problem early through an issue report but has not responded yet. 2025-12-28 3.5 CVE-2025-15134 VDB-338512 | yourmaileyes MOOC Submission MainController.java subreview cross site scripting
VDB-338512 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #713955 | yourmaileyes MOOC V1.17 Improper Neutralization of Alternate XSS Syntax
https://github.com/yourmaileyes/MOOC/issues/12
https://github.com/yourmaileyes/MOOC/issues/12#issue-3722197285
 

Back to top

Severity Not Yet Assigned

Primary
Vendor -- Product		 Description Published CVSS Score Source Info Patch Info
10up--Eight Day Week Print Workflow Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in 10up Eight Day Week Print Workflow eight-day-week-print-workflow allows Retrieve Embedded Sensitive Data.This issue affects Eight Day Week Print Workflow: from n/a through <= 1.2.5. 2025-12-24 not yet calculated CVE-2025-67621 https://vdp.patchstack.com/database/Wordpress/Plugin/eight-day-week-print-workflow/vulnerability/wordpress-eight-day-week-print-workflow-plugin-1-2-5-sensitive-data-exposure-vulnerability?_s_id=cve
 
6Storage--6Storage Rentals Server-Side Request Forgery (SSRF) vulnerability in 6Storage 6Storage Rentals 6storage-rentals allows Server Side Request Forgery. This issue affects 6Storage Rentals: from n/a through <= 2.19.9. 2025-12-24 not yet calculated CVE-2025-67623 https://vdp.patchstack.com/database/Wordpress/Plugin/6storage-rentals/vulnerability/wordpress-6storage-rentals-plugin-2-19-9-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
 
abhinavxd--libredesk Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in <p> tags. However, by intercepting the request and removing the <p> tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks. This issue has been patched in version 0.8.6-beta. 2025-12-27 not yet calculated CVE-2025-68927 https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4
https://github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c71841900eb
 
Academy Software Foundation--OpenEXR Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Academy Software Foundation OpenEXR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of EXR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27946. 2025-12-23 not yet calculated CVE-2025-12495 ZDI-25-989
 
Academy Software Foundation--OpenEXR Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Academy Software Foundation OpenEXR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of EXR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27947. 2025-12-23 not yet calculated CVE-2025-12839 ZDI-25-990
 
Academy Software Foundation--OpenEXR Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Academy Software Foundation OpenEXR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of EXR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27948. 2025-12-23 not yet calculated CVE-2025-12840 ZDI-25-991
 
Addonify--Addonify Missing Authorization vulnerability in Addonify Addonify addonify-quick-view allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify: from n/a through <= 2.0.4. 2025-12-24 not yet calculated CVE-2025-68578 https://vdp.patchstack.com/database/Wordpress/Plugin/addonify-quick-view/vulnerability/wordpress-addonify-plugin-2-0-4-broken-access-control-vulnerability?_s_id=cve
 
Alessandro Piconi--Simple Keyword to Link Cross-Site Request Forgery (CSRF) vulnerability in Alessandro Piconi Simple Keyword to Link simple-keyword-to-link allows Cross Site Request Forgery. This issue affects Simple Keyword to Link: from n/a through <= 1.5. 2025-12-24 not yet calculated CVE-2025-68573 https://vdp.patchstack.com/database/Wordpress/Plugin/simple-keyword-to-link/vulnerability/wordpress-simple-keyword-to-link-plugin-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
AMP-MODE--Review Disclaimer Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AMP-MODE Review Disclaimer review-disclaimer allows Stored XSS.This issue affects Review Disclaimer: from n/a through <= 2.0.3. 2025-12-24 not yet calculated CVE-2025-67628 https://vdp.patchstack.com/database/Wordpress/Plugin/review-disclaimer/vulnerability/wordpress-review-disclaimer-plugin-2-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
apiDoc--apidoc-core Prototype pollution vulnerability in apidoc-core versions 0.2.0 and all subsequent versions allows remote attackers to modify JavaScript object prototypes via malformed data structures, including the "define" property processed by the application, potentially leading to denial of service or unintended behavior in applications relying on the integrity of prototype chains. This affects the preProcess() function in api_group.js, api_param_title.js, api_use.js, and api_permission.js worker modules. 2025-12-26 not yet calculated CVE-2025-13158 https://www.sonatype.com/security-advisories/cve-2025-13158
 
Assaf Parag--Poll, Survey & Quiz Maker Plugin by Opinion Stage Missing Authorization vulnerability in Assaf Parag Poll, Survey & Quiz Maker Plugin by Opinion Stage social-polls-by-opinionstage allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Poll, Survey & Quiz Maker Plugin by Opinion Stage: from n/a through <= 19.12.1. 2025-12-24 not yet calculated CVE-2025-68594 https://vdp.patchstack.com/database/Wordpress/Plugin/social-polls-by-opinionstage/vulnerability/wordpress-poll-survey-quiz-maker-plugin-by-opinion-stage-plugin-19-12-1-broken-access-control-vulnerability?_s_id=cve
 
Automattic--WoooCommerce A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This has been fixed in WooCommerce 10.4.3, as well as all the previously affected versions through point releases, starting from 8.1, where it has been fixed in 8.1.3. It does not affect WooCommerce 8.0 or earlier. 2025-12-22 not yet calculated CVE-2025-15033 https://wpscan.com/vulnerability/f55fd7d3-7fbe-474f-9406-f47f8aee5e57/
 
Basticom--Basticom Framework Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basticom Basticom Framework basticom-framework allows Stored XSS. This issue affects Basticom Framework: from n/a through <= 1.5.2. 2025-12-24 not yet calculated CVE-2025-67629 https://vdp.patchstack.com/database/Wordpress/Plugin/basticom-framework/vulnerability/wordpress-basticom-framework-plugin-1-5-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
bdthemes--Prime Slider Addons For Elementor Server-Side Request Forgery (SSRF) vulnerability in bdthemes Prime Slider - Addons For Elementor bdthemes-prime-slider-lite allows Server Side Request Forgery. This issue affects Prime Slider - Addons For Elementor: from n/a through <= 4.0.10. 2025-12-24 not yet calculated CVE-2025-68500 https://vdp.patchstack.com/database/Wordpress/Plugin/bdthemes-prime-slider-lite/vulnerability/wordpress-prime-slider-addons-for-elementor-plugin-4-0-10-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
 
Ben Balter--WP Document Revisions Missing Authorization vulnerability in Ben Balter WP Document Revisions wp-document-revisions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Document Revisions: from n/a through <= 3.7.2. 2025-12-24 not yet calculated CVE-2025-68585 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-document-revisions/vulnerability/wordpress-wp-document-revisions-plugin-3-7-2-broken-access-control-vulnerability?_s_id=cve
 
BeRocket--Brands for WooCommerce Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BeRocket Brands for WooCommerce brands-for-woocommerce allows Blind SQL Injection. This issue affects Brands for WooCommerce: from n/a through <= 3.8.6.3. 2025-12-24 not yet calculated CVE-2025-68519 https://vdp.patchstack.com/database/Wordpress/Plugin/brands-for-woocommerce/vulnerability/wordpress-brands-for-woocommerce-plugin-3-8-6-3-sql-injection-vulnerability?_s_id=cve
 
Bit Apps--Bit Assist Missing Authorization vulnerability in Bit Apps Bit Assist bit-assist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bit Assist: from n/a through <= 1.5.11. 2025-12-24 not yet calculated CVE-2025-68596 https://vdp.patchstack.com/database/Wordpress/Plugin/bit-assist/vulnerability/wordpress-bit-assist-plugin-1-5-11-broken-access-control-vulnerability?_s_id=cve
 
BlueGlass Interactive AG--Jobs for WordPress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BlueGlass Interactive AG Jobs for WordPress job-postings allows Stored XSS. This issue affects Jobs for WordPress: from n/a through <= 2.7.17. 2025-12-24 not yet calculated CVE-2025-68597 https://vdp.patchstack.com/database/Wordpress/Plugin/job-postings/vulnerability/wordpress-jobs-for-wordpress-plugin-2-7-17-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Bob--Watu Quiz Missing Authorization vulnerability in Bob Watu Quiz watu allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Watu Quiz: from n/a through <= 3.4.5. 2025-12-24 not yet calculated CVE-2025-68587 https://vdp.patchstack.com/database/Wordpress/Plugin/watu/vulnerability/wordpress-watu-quiz-plugin-3-4-5-broken-access-control-vulnerability-2?_s_id=cve
 
boldthemes--Bold Timeline Lite Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bold themes Bold Timeline Lite bold-timeline-lite allows Stored XSS. This issue affects Bold Timeline Lite: from n/a through <= 1.2.7. 2025-12-24 not yet calculated CVE-2025-68513 https://vdp.patchstack.com/database/Wordpress/Plugin/bold-timeline-lite/vulnerability/wordpress-bold-timeline-lite-plugin-1-2-7-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Brainstorm Force--Astra Widgets Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Astra Widgets astra-widgets allows Stored XSS. This issue affects Astra Widgets: from n/a through <= 1.2.16. 2025-12-24 not yet calculated CVE-2025-68497 https://vdp.patchstack.com/database/Wordpress/Plugin/astra-widgets/vulnerability/wordpress-astra-widgets-plugin-1-2-16-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Brave--Brave Missing Authorization vulnerability in Brave brave-popup-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Brave: from n/a through <= 0.8.3. 2025-12-24 not yet calculated CVE-2025-68508 https://vdp.patchstack.com/database/Wordpress/Plugin/brave-popup-builder/vulnerability/wordpress-brave-plugin-0-8-3-broken-access-control-vulnerability?_s_id=cve
 
brownbagmarketing--Greenhouse Job Board Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brownbagmarketing Greenhouse Job Board greenhouse-job-board allows DOM-Based XSS. This issue affects Greenhouse Job Board: from n/a through <= 2.7.3. 2025-12-24 not yet calculated CVE-2025-67633 https://vdp.patchstack.com/database/Wordpress/Plugin/greenhouse-job-board/vulnerability/wordpress-greenhouse-job-board-plugin-2-7-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
captivateaudio--Captivate Sync Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in captivateaudio Captivate Sync captivatesync-trade allows Blind SQL Injection. This issue affects Captivate Sync: from n/a through <= 3.2.2. 2025-12-24 not yet calculated CVE-2025-68570 https://vdp.patchstack.com/database/Wordpress/Plugin/captivatesync-trade/vulnerability/wordpress-captivate-sync-plugin-3-2-2-sql-injection-vulnerability?_s_id=cve
 
codepeople--WP Time Slots Booking Form Missing Authorization vulnerability in codepeople WP Time Slots Booking Form wp-time-slots-booking-form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Time Slots Booking Form: from n/a through <= 1.2.38. 2025-12-24 not yet calculated CVE-2025-68569 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-time-slots-booking-form/vulnerability/wordpress-wp-time-slots-booking-form-plugin-1-2-38-broken-access-control-vulnerability?_s_id=cve
 
Constantin Boiangiu--Vimeotheque Cross-Site Request Forgery (CSRF) vulnerability in Constantin Boiangiu Vimeotheque codeflavors-vimeo-video-post-lite allows Cross Site Request Forgery. This issue affects Vimeotheque: from n/a through <= 2.3.5.2. 2025-12-24 not yet calculated CVE-2025-68584 https://vdp.patchstack.com/database/Wordpress/Plugin/codeflavors-vimeo-video-post-lite/vulnerability/wordpress-vimeotheque-plugin-2-3-5-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
continuwuity--continuwuity Conduit is a chat server powered by Matrix. A vulnerability that affects a number of Conduit-derived homeservers allows a remote, unauthenticated attacker to force the target server to cryptographically sign arbitrary membership events. Affected products include Conduit prior to version 0.10.10, continuwuity prior to version 0.5.0, Grapevine prior to commit `9a50c244`, and tuwunel prior to version 1.4.8. The flaw exists because the server fails to validate the origin of a signing request, provided the event's state_key is a valid user ID belonging to the target server. Attackers can forge "leave" events for any user on the target server. This forcibly removes users (including admins and bots) from rooms. This allows denial of service and/or the removal of technical protections for a room (including policy servers, if all users on the policy server are removed). Attackers can forge "invite" events from a victim user to themselves, provided they have an account on a server where there is an account that has the power level to send invites. This allows the attacker to join private or invite-only rooms accessible by the victim, exposing confidential conversation history and room state. Attackers can forge "ban" events from a victim user to any user below the victim user's power level, provided the victim has the power level to issue bans AND the target of the ban resides on the same server as the victim. This allows the attacker to ban anyone in a room who is on the same server as the vulnerable one, however cannot exploit this to ban users on other servers or the victim themself. Conduit fixes the issue in version 0.10.10. continuwuity fixes the issue in commits `7fa4fa98` and `b2bead67`, released in 0.5.0. tuwunel fixes the issue in commit `dc9314de1f8a6e040c5aa331fe52efbe62e6a2c3`, released in 1.4.8. Grapevine fixes the issue in commit `9a50c2448abba6e2b7d79c64243bb438b351616c`. As a workaround, block access to the `PUT /_matrix/federation/v2/invite/{roomId}/{eventId}` endpoint using your reverse proxy. 2025-12-23 not yet calculated CVE-2025-68667 https://github.com/continuwuity/continuwuity/security/advisories/GHSA-22fw-4jq7-g8r8
https://github.com/matrix-construct/tuwunel/commit/dc9314de1f8a6e040c5aa331fe52efbe62e6a2c3
https://forgejo.ellis.link/continuwuation/continuwuity/commit/7fa4fa98628593c1a963f5aa8dbc3657d604b047
https://forgejo.ellis.link/continuwuation/continuwuity/commit/b2bead67ac8bc45de9a612578f295e5b7fc6c2b5
https://gitlab.com/famedly/conduit/-/releases/v0.10.10
https://gitlab.computer.surgery/matrix/grapevine/-/commit/9a50c2448abba6e2b7d79c64243bb438b351616c
 
coollabsio--coolify Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Backup functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in backup operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue. 2025-12-23 not yet calculated CVE-2025-66209 https://github.com/0xrakan/coolify-cve-2025-66209-66213
https://github.com/coollabsio/coolify/pull/7375
https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451
 
coollabsio--coolify Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Import functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in import operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue. 2025-12-23 not yet calculated CVE-2025-66210 https://github.com/0xrakan/coolify-cve-2025-66209-66213
https://github.com/coollabsio/coolify/pull/7375
https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451
 
coollabsio--coolify Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in PostgreSQL Init Script Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. PostgreSQL initialization script filenames are passed to shell commands without proper validation, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue. 2025-12-23 not yet calculated CVE-2025-66211 https://github.com/0xrakan/coolify-cve-2025-66209-66213
https://github.com/coollabsio/coolify/pull/7375
https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451
 
coollabsio--coolify Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Dynamic Proxy Configuration Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Proxy configuration filenames are passed to shell commands without proper escaping, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue. 2025-12-23 not yet calculated CVE-2025-66212 https://github.com/0xrakan/coolify-cve-2025-66209-66213
https://github.com/coollabsio/coolify/pull/7375
https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451
 
coollabsio--coolify Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the File Storage Directory Mount Path functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. The file_storage_directory_source parameter is passed directly to shell commands without proper sanitization, enabling full remote code execution on the host system. Version 4.0.0-beta.451 fixes the issue. 2025-12-23 not yet calculated CVE-2025-66213 https://github.com/0xrakan/coolify-cve-2025-66209-66213
https://github.com/coollabsio/coolify/pull/7375
https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451
 
creativeinteractivemedia--Real 3D FlipBook Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in creativeinteractivemedia Real 3D FlipBook real3d-flipbook-lite allows Stored XSS. This issue affects Real 3D FlipBook: from n/a through <= 4.11.4. 2025-12-24 not yet calculated CVE-2025-68512 https://vdp.patchstack.com/database/Wordpress/Plugin/real3d-flipbook-lite/vulnerability/wordpress-real-3d-flipbook-plugin-4-11-4-cross-site-scripting-xss-vulnerability?_s_id=cve
 
CRM Perks--Integration for Contact Form 7 HubSpot Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Blind SQL Injection. This issue affects Integration for Contact Form 7 HubSpot: from n/a through <= 1.4.2. 2025-12-24 not yet calculated CVE-2025-68590 https://vdp.patchstack.com/database/Wordpress/Plugin/cf7-hubspot/vulnerability/wordpress-integration-for-contact-form-7-hubspot-plugin-1-4-2-sql-injection-vulnerability?_s_id=cve
 
Deciso--OPNsense Deciso OPNsense diag_backup.php filename Directory Traversal Arbitrary File Creation Vulnerability. This vulnerability allows network-adjacent attackers to create arbitrary files on affected installations of Deciso OPNsense. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of backup configuration files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to create files in the context of root. Was ZDI-CAN-28133. 2025-12-23 not yet calculated CVE-2025-13698 ZDI-25-1022
vendor-provided URL
 
Delta Electronics--DVP-12SE DVP-12SE - Modbus/TCP Cleartext Transmission of Sensitive Information 2025-12-26 not yet calculated CVE-2025-62578 https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00021_DVP-12SE%20ModbusTCP%20Cleartext%20Transmission%20of%20Sensitive%20Info.pdf
 
DeluxeThemes--Userpro Missing Authorization vulnerability in DeluxeThemes Userpro userpro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Userpro: from n/a through <= 5.1.9. 2025-12-24 not yet calculated CVE-2025-68608 https://vdp.patchstack.com/database/Wordpress/Plugin/userpro/vulnerability/wordpress-userpro-plugin-5-1-9-broken-access-control-vulnerability?_s_id=cve
 
DreamFactory--DreamFactory DreamFactory saveZipFile Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of DreamFactory. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the saveZipFile method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26589. 2025-12-23 not yet calculated CVE-2025-13700 ZDI-25-1024
vendor-provided URL
 
Ecommerce Platforms--Gift Hunt Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ecommerce Platforms Gift Hunt gift-hunt allows Stored XSS. This issue affects Gift Hunt: from n/a through <= 2.0.2. 2025-12-24 not yet calculated CVE-2025-67631 https://vdp.patchstack.com/database/Wordpress/Plugin/gift-hunt/vulnerability/wordpress-gift-hunt-plugin-2-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
eigent-ai--eigent Eigent is a multi-agent Workforce. In version 0.0.60, a 1-click Remote Code Execution (RCE) vulnerability has been identified in Eigent. This vulnerability allows an attacker to execute arbitrary code on the victim's machine or server through a specific interaction (1-click). This issue has been patched in version 0.0.61. 2025-12-27 not yet calculated CVE-2025-68952 https://github.com/eigent-ai/eigent/security/advisories/GHSA-pwcx-28p4-rmq4
 
Embeds For YouTube Plugin Support--YouTube Embed Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Embeds For YouTube Plugin Support YouTube Embed youtube-embed allows Stored XSS. This issue affects YouTube Embed: from n/a through <= 5.4. 2025-12-24 not yet calculated CVE-2025-68599 https://vdp.patchstack.com/database/Wordpress/Plugin/youtube-embed/vulnerability/wordpress-youtube-embed-plugin-5-4-cross-site-scripting-xss-vulnerability?_s_id=cve
 
espressif--esp-idf ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, in the ESP-IDF Bluetooth host stack (BlueDroid), the function bta_dm_sdp_result() used a fixed-size array uuid_list[32][MAX_UUID_SIZE] to store discovered service UUIDs during the SDP (Service Discovery Protocol) process. On modern Bluetooth devices, it is possible for the number of available services to exceed this fixed limit (32). In such cases, if more than 32 services are discovered, subsequent writes to uuid_list could exceed the bounds of the array, resulting in a potential out-of-bounds write condition. 2025-12-26 not yet calculated CVE-2025-68473 https://github.com/espressif/esp-idf/security/advisories/GHSA-hmjj-rjvv-w8pq
https://github.com/espressif/esp-idf/commit/3286e45349b0b5c2b1422ef7e8d088b95eef895d
https://github.com/espressif/esp-idf/commit/4d928f2265c394d2abc85024228e920a5b26bcab
https://github.com/espressif/esp-idf/commit/5b3185168dae83d42aa0852689422fffd931f16c
https://github.com/espressif/esp-idf/commit/6453f57a954458ad8ffd6e4bf2d9e76b73fac0f1
https://github.com/espressif/esp-idf/commit/6ca6f422dafaffcb88fa56cc458ce92d96be3b2e
https://github.com/espressif/esp-idf/commit/9889edd799cf369e082df9d01adba961d64693ed
https://github.com/espressif/esp-idf/commit/ecb86d353640cf1375bf97db32e702ba59c551b6
 
espressif--esp-idf ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, in the avrc_vendor_msg() function of the ESP-IDF BlueDroid AVRCP stack, the allocated buffer size was validated using AVRC_MIN_CMD_LEN (20 bytes). However, the actual fixed header data written before the vendor payload exceeds this value. This totals 29 bytes written before p_msg->p_vendor_data is copied. Using the old AVRC_MIN_CMD_LEN could allow an out-of-bounds write if vendor_len approaches the buffer limit. For commands where vendor_len is large, the original buffer allocation may be insufficient, causing writes beyond the allocated memory. This can lead to memory corruption, crashes, or other undefined behavior. The overflow could be larger when assertions are disabled. 2025-12-26 not yet calculated CVE-2025-68474 https://github.com/espressif/esp-idf/security/advisories/GHSA-43gh-7r4f-qp57
https://github.com/espressif/esp-idf/commit/0b0b59f2e19cb99dfa1b28c284d1c5c1d276a132
https://github.com/espressif/esp-idf/commit/565fa98d0cfd58102204c1cb636747e17ee59845
https://github.com/espressif/esp-idf/commit/8262ee807d5cd425f66304f703eeb3382fb888c0
https://github.com/espressif/esp-idf/commit/a6c1bc5e3e91ad1cb964ce2c178ee40a5d10a4a0
https://github.com/espressif/esp-idf/commit/aa0e3d75db995b7137b55349fc92ee684b47092d
https://github.com/espressif/esp-idf/commit/b9ba1e29b65536ab4b670ac099585d09adce0376
 
Essekia--Tablesome Insertion of Sensitive Information Into Sent Data vulnerability in Essekia Tablesome tablesome allows Retrieve Embedded Sensitive Data. This issue affects Tablesome: from n/a through <= 1.1.35.1. 2025-12-24 not yet calculated CVE-2025-68516 https://vdp.patchstack.com/database/Wordpress/Plugin/tablesome/vulnerability/wordpress-tablesome-plugin-1-1-35-1-sensitive-data-exposure-vulnerability?_s_id=cve
 
Essekia--Tablesome Missing Authorization vulnerability in Essekia Tablesome tablesome allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tablesome: from n/a through <= 1.1.35.1. 2025-12-24 not yet calculated CVE-2025-68517 https://vdp.patchstack.com/database/Wordpress/Plugin/tablesome/vulnerability/wordpress-tablesome-plugin-1-1-35-1-broken-access-control-vulnerability?_s_id=cve
 
FolioVision--FV Simpler SEO Missing Authorization vulnerability in FolioVision FV Simpler SEO fv-all-in-one-seo-pack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FV Simpler SEO: from n/a through <= 1.9.6. 2025-12-24 not yet calculated CVE-2025-68579 https://vdp.patchstack.com/database/Wordpress/Plugin/fv-all-in-one-seo-pack/vulnerability/wordpress-fv-simpler-seo-plugin-1-9-6-broken-access-control-vulnerability?_s_id=cve
 
Forgejo--Forgejo Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later. 2025-12-25 not yet calculated CVE-2025-68937 https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/13.0.2.md
https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/11.0.7.md
https://codeberg.org/forgejo/forgejo/milestone/29156
https://codeberg.org/forgejo/forgejo/milestone/27340
https://codeberg.org/forgejo/security-announcements/issues/43
https://blog.gitea.com/release-of-1.24.7/
 
FreshRSS--FreshRSS FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random number generators (mt_rand() and uniqid()) to generate remember-me authentication tokens and challenge-response nonces. This allows attackers to predict valid session tokens, leading to account takeover through persistent session hijacking. The remember-me tokens provide permanent authentication and are the sole credential for "keep me logged in" functionality. This issue has been patched in version 1.28.0. 2025-12-26 not yet calculated CVE-2025-68932 https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-j9wc-gwc6-p786
https://github.com/FreshRSS/FreshRSS/pull/8061
https://github.com/FreshRSS/FreshRSS/commit/57e1a375cbd2db9741ff19167813344f8eff5772
 
Funnelforms--Funnelforms Free Missing Authorization vulnerability in Funnelforms Funnelforms Free funnelforms-free allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Funnelforms Free: from n/a through <= 3.8. 2025-12-24 not yet calculated CVE-2025-68582 https://vdp.patchstack.com/database/Wordpress/Plugin/funnelforms-free/vulnerability/wordpress-funnelforms-free-plugin-3-8-broken-access-control-vulnerability?_s_id=cve
 
GIMP--GIMP GIMP PNM File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PNM files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28273. 2025-12-23 not yet calculated CVE-2025-14422 ZDI-25-1136
vendor-provided URL
 
GIMP--GIMP GIMP LBM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of LBM files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28311. 2025-12-23 not yet calculated CVE-2025-14423 ZDI-25-1137
vendor-provided URL
 
GIMP--GIMP GIMP XCF File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XCF files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28376. 2025-12-23 not yet calculated CVE-2025-14424 ZDI-25-1138
vendor-provided URL
 
GIMP--GIMP GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JP2 files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28248. 2025-12-23 not yet calculated CVE-2025-14425 ZDI-25-1139
vendor-provided URL
 
Gora Tech--Cooked Missing Authorization vulnerability in Gora Tech Cooked cooked allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cooked: from n/a through <= 1.11.2. 2025-12-24 not yet calculated CVE-2025-68586 https://vdp.patchstack.com/database/Wordpress/Plugin/cooked/vulnerability/wordpress-cooked-plugin-1-11-2-broken-access-control-vulnerability?_s_id=cve
 
Hanwha Vision Co., Ltd.--Device Manager Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered a vulnerability in Device Manager that a hardcoded encryption key for sensitive information. An attacker can use key to decrypt sensitive information. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds. 2025-12-26 not yet calculated CVE-2025-52601 https://www.hanwhavision.com/wp-content/uploads/2025/12/Camera-Vulnerability-ReportCVE-2025-5259852601-8075.pdf
 
Hanwha Vision Co., Ltd.--QNV-C8012 Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has found a flaw that camera's client service does not perform certificate validation. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds. 2025-12-26 not yet calculated CVE-2025-52598 https://www.hanwhavision.com/wp-content/uploads/2025/12/Camera-Vulnerability-ReportCVE-2025-5259852601-8075.pdf
 
Hanwha Vision Co., Ltd.--QNV-C8012 Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered Inadequate of permission management for camera guest account. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds. 2025-12-26 not yet calculated CVE-2025-52599 https://www.hanwhavision.com/wp-content/uploads/2025/12/Camera-Vulnerability-ReportCVE-2025-5259852601-8075.pdf
 
Hanwha Vision Co., Ltd.--QNV-C8012 Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered a vulnerability in camera video analytics that Improper input validation. This vulnerability could allow an attacker to execute specific commands on the user's host PC.The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds. 2025-12-26 not yet calculated CVE-2025-52600 https://www.hanwhavision.com/wp-content/uploads/2025/12/Camera-Vulnerability-ReportCVE-2025-5259852601-8075.pdf
 
Hanwha Vision Co., Ltd.--QNV-C8012 Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered that validation of incoming XML format request messages is inadequate. This vulnerability could allow an attacker to XSS on the user's browser. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds. 2025-12-26 not yet calculated CVE-2025-8075 https://www.hanwhavision.com/wp-content/uploads/2025/12/Camera-Vulnerability-ReportCVE-2025-5259852601-8075.pdf
 
HasThemes--WC Builder Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HasThemes WC Builder wc-builder allows Stored XSS. This issue affects WC Builder: from n/a through <= 1.2.0. 2025-12-24 not yet calculated CVE-2025-68533 https://vdp.patchstack.com/database/Wordpress/Plugin/wc-builder/vulnerability/wordpress-wc-builder-plugin-1-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Hugging Face--Accelerate Hugging Face Accelerate Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Accelerate. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27985. 2025-12-23 not yet calculated CVE-2025-14925 ZDI-25-1140
 
Hugging Face--Diffusers Hugging Face Diffusers CogView4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Diffusers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27424. 2025-12-23 not yet calculated CVE-2025-14922 ZDI-25-1142
 
Hugging Face--smolagents Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face smolagents. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of pickle data. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28312. 2025-12-23 not yet calculated CVE-2025-14931 ZDI-25-1143
 
Hugging Face--Transformers Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25423. 2025-12-23 not yet calculated CVE-2025-14920 ZDI-25-1150
 
Hugging Face--Transformers Hugging Face Transformers Transformer-XL Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25424. 2025-12-23 not yet calculated CVE-2025-14921 ZDI-25-1149
 
Hugging Face--Transformers Hugging Face Transformers megatron_gpt2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27984. 2025-12-23 not yet calculated CVE-2025-14924 ZDI-25-1141
 
Hugging Face--Transformers Hugging Face Transformers SEW convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28251. 2025-12-23 not yet calculated CVE-2025-14926 ZDI-25-1147
 
Hugging Face--Transformers Hugging Face Transformers SEW-D convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. . Was ZDI-CAN-28252. 2025-12-23 not yet calculated CVE-2025-14927 ZDI-25-1148
 
Hugging Face--Transformers Hugging Face Transformers HuBERT convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28253. 2025-12-23 not yet calculated CVE-2025-14928 ZDI-25-1146
 
Hugging Face--Transformers Hugging Face Transformers X-CLIP Checkpoint Conversion Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28308. 2025-12-23 not yet calculated CVE-2025-14929 ZDI-25-1144
 
Hugging Face--Transformers Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of weights. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28309. 2025-12-23 not yet calculated CVE-2025-14930 ZDI-25-1145
 
icc0rz--H5P Missing Authorization vulnerability in icc0rz H5P h5p allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects H5P: from n/a through <= 1.16.1. 2025-12-24 not yet calculated CVE-2025-68505 https://vdp.patchstack.com/database/Wordpress/Plugin/h5p/vulnerability/wordpress-h5p-plugin-1-16-1-broken-access-control-vulnerability?_s_id=cve
 
Icegram--Icegram Express Pro Deserialization of Untrusted Data vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Object Injection. This issue affects Icegram Express Pro: from n/a through <= 5.9.11. 2025-12-24 not yet calculated CVE-2025-68038 https://vdp.patchstack.com/database/Wordpress/Plugin/email-subscribers-premium/vulnerability/wordpress-icegram-express-pro-plugin-5-9-11-php-object-injection-vulnerability?_s_id=cve
 
IceWarp--IceWarp IceWarp gmaps Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of IceWarp. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of a parameter passed to the gmaps webpage. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-25441. 2025-12-23 not yet calculated CVE-2025-14499 ZDI-25-1071
vendor-provided URL
 
IceWarp--IceWarp IceWarp14 X-File-Operation Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IceWarp. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the X-File-Operation header. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-27394. 2025-12-23 not yet calculated CVE-2025-14500 ZDI-25-1072
 
integrationclaspo--Popup Builder: Exit-Intent pop-up, Spin the Wheel, Newsletter signup, Email Capture & Lead Generation forms maker Missing Authorization vulnerability in integrationclaspo Popup Builder: Exit-Intent pop-up, Spin the Wheel, Newsletter signup, Email Capture &amp; Lead Generation forms maker claspo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Popup Builder: Exit-Intent pop-up, Spin the Wheel, Newsletter signup, Email Capture &amp; Lead Generation forms maker: from n/a through <= 1.0.5. 2025-12-24 not yet calculated CVE-2025-68568 https://vdp.patchstack.com/database/Wordpress/Plugin/claspo/vulnerability/wordpress-popup-builder-exit-intent-pop-up-spin-the-wheel-newsletter-signup-email-capture-lead-generation-forms-maker-plugin-1-0-5-broken-access-control-vulnerability?_s_id=cve
 
JayBee--Twitch Player Missing Authorization vulnerability in JayBee Twitch Player ttv-easy-embed-player allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Twitch Player: from n/a through <= 2.1.3. 2025-12-24 not yet calculated CVE-2025-68565 https://vdp.patchstack.com/database/Wordpress/Plugin/ttv-easy-embed-player/vulnerability/wordpress-twitch-player-plugin-2-1-3-broken-access-control-vulnerability?_s_id=cve
 
Jeff Starr--User Submitted Posts URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Jeff Starr User Submitted Posts user-submitted-posts allows Phishing. This issue affects User Submitted Posts: from n/a through <= 20251121. 2025-12-24 not yet calculated CVE-2025-68509 https://vdp.patchstack.com/database/Wordpress/Plugin/user-submitted-posts/vulnerability/wordpress-user-submitted-posts-plugin-20251121-open-redirection-vulnerability?_s_id=cve
 
Jegstudio--Gutenverse Form Missing Authorization vulnerability in Jegstudio Gutenverse Form gutenverse-form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gutenverse Form: from n/a through <= 2.3.1. 2025-12-24 not yet calculated CVE-2025-68511 https://vdp.patchstack.com/database/Wordpress/Plugin/gutenverse-form/vulnerability/wordpress-gutenverse-form-plugin-2-3-1-broken-access-control-vulnerability?_s_id=cve
 
jnunemaker--httparty httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd. 2025-12-23 not yet calculated CVE-2025-68696 https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4
https://github.com/jnunemaker/httparty/commit/0529bcd6309c9fd9bfdd50ae211843b10054c240
 
Johnson Controls--IQ Panels2, 2+, IQHub, IQPanel 4, PowerG Use of a weak pseudo-random number generator, which may allow an attacker to read or inject encrypted PowerG packets. 2025-12-22 not yet calculated CVE-2025-26379 https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-02
 
Johnson Controls--IQ Panels2, 2+, IQHub, IQPanel 4, PowerG Due to Nonce reuse, attackers can perform reply attack or decrypt captured packets. 2025-12-22 not yet calculated CVE-2025-61739 https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-02
 
Johnson Controls--IQ Panels2, 2+, IQHub, IQPanel 4, PowerG Authentication issue that does not verify the source of a packet which could allow an attacker to create a denial-of-service condition or modify the configuration of the device. 2025-12-22 not yet calculated CVE-2025-61740 https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-02
 
Johnson Controls--IQPanel2, IQHub,IQPanel2+,IQPanel 4,PowerG Under certain circumstances, attacker can capture the network key, read or write encrypted packets on the PowerG network. 2025-12-22 not yet calculated CVE-2025-61738 https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-02
https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
 
Johnson Controls--iSTAR Ultra, iSTAR Ultra SE Under certain circumstances a successful exploitation could result in access to the device. 2025-12-24 not yet calculated CVE-2025-43875 https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-01
 
Johnson Controls--iSTAR Ultra, iSTAR Ultra SE Under certain circumstances a successful exploitation could result in access to the device. 2025-12-24 not yet calculated CVE-2025-43876 https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-01
 
kedacore--keda KEDA is a Kubernetes-based Event Driven Autoscaling component. Prior to versions 2.17.3 and 2.18.3, an Arbitrary File Read vulnerability has been identified in KEDA, potentially affecting any KEDA resource that uses TriggerAuthentication to configure HashiCorp Vault authentication. The vulnerability stems from an incorrect or insufficient path validation when loading the Service Account Token specified in spec.hashiCorpVault.credential.serviceAccount. An attacker with permissions to create or modify a TriggerAuthentication resource can exfiltrate the content of any file from the node's filesystem (where the KEDA pod resides) by directing the file's content to a server under their control, as part of the Vault authentication request. The potential impact includes the exfiltration of sensitive system information, such as secrets, keys, or the content of files like /etc/passwd. This issue has been patched in versions 2.17.3 and 2.18.3. 2025-12-22 not yet calculated CVE-2025-68476 https://github.com/kedacore/keda/security/advisories/GHSA-c4p6-qg4m-9jmr
https://github.com/kedacore/keda/commit/15c5677f65f809b9b6b59a52f4cf793db0a510fd
 
Kodezen LLC--Academy LMS Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kodezen LLC Academy LMS academy allows Stored XSS. This issue affects Academy LMS: from n/a through <= 3.4.0. 2025-12-24 not yet calculated CVE-2025-68527 https://vdp.patchstack.com/database/Wordpress/Plugin/academy/vulnerability/wordpress-academy-lms-plugin-3-4-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Leap13--Premium Addons for Elementor Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Retrieve Embedded Sensitive Data. This issue affects Premium Addons for Elementor: from n/a through <= 4.11.53. 2025-12-24 not yet calculated CVE-2025-68494 https://vdp.patchstack.com/database/Wordpress/Plugin/premium-addons-for-elementor/vulnerability/wordpress-premium-addons-for-elementor-plugin-4-11-53-sensitive-data-exposure-vulnerability?_s_id=cve
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mrp: introduce active flags to prevent UAF when applicant uninit The caller of del_timer_sync must prevent restarting of the timer, If we have no this synchronization, there is a small probability that the cancellation will not be successful. And syzbot report the fellowing crash: ================================================================== BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline] BUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605 Write at addr f9ff000024df6058 by task syz-fuzzer/2256 Pointer tag: [f9], memory tag: [fe] CPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008- ge01d50cbd6ee #0 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156 dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline] show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x1a8/0x4a0 mm/kasan/report.c:395 kasan_report+0x94/0xb4 mm/kasan/report.c:495 __do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320 do_bad_area arch/arm64/mm/fault.c:473 [inline] do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576 hlist_add_head include/linux/list.h:929 [inline] enqueue_timer+0x18/0xa4 kernel/time/timer.c:605 mod_timer+0x14/0x20 kernel/time/timer.c:1161 mrp_periodic_timer_arm net/802/mrp.c:614 [inline] mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627 call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474 expire_timers+0x98/0xc4 kernel/time/timer.c:1519 To fix it, we can introduce a new active flags to make sure the timer will not restart. 2025-12-24 not yet calculated CVE-2022-50697 https://git.kernel.org/stable/c/98f53e591940e4c3818be358c5dc684d5b30cb56
https://git.kernel.org/stable/c/aacffc1a8dbf67c5463cb4f67b37143c01ca6fa9
https://git.kernel.org/stable/c/78d48bc41f7726113c9f114268d3ab11212814da
https://git.kernel.org/stable/c/aadb1507a77b060c529edfeaf67f803e31461f24
https://git.kernel.org/stable/c/755eb0879224ffc2a43de724554aeaf0e51e5a64
https://git.kernel.org/stable/c/5d5a481a7fd0234f617535dc464ea010804a1129
https://git.kernel.org/stable/c/1a185fe83c2a60c1e3596fb9d82dbeb148dc09c6
https://git.kernel.org/stable/c/563e45fd5046045cc194af3ba17f5423e1c98170
https://git.kernel.org/stable/c/ab0377803dafc58f1e22296708c1c28e309414d6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ASoC: da7219: Fix an error handling path in da7219_register_dai_clks() If clk_hw_register() fails, the corresponding clk should not be unregistered. To handle errors from loops, clean up partial iterations before doing the goto. So add a clk_hw_unregister(). Then use a while (--i >= 0) loop in the unwind section. 2025-12-24 not yet calculated CVE-2022-50698 https://git.kernel.org/stable/c/4993c1511d66326f1037bc5156b024a6a96d23ef
https://git.kernel.org/stable/c/f5f1f5ee5048cfa7bd07f496b33bd2cfc198a176
https://git.kernel.org/stable/c/ec692f0b51006de1138cd1f82cae625f0d2888d1
https://git.kernel.org/stable/c/cefce8bee0e988f9a005fe40705b98a25cfb7f9d
https://git.kernel.org/stable/c/abb4e4349afe7eecdb0499582f1c777031e3a7c8
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context() The following warning was triggered on a hardware environment: SELinux: Converting 162 SID table entries... BUG: sleeping function called from invalid context at __might_sleep+0x60/0x74 0x0 in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 5943, name: tar CPU: 7 PID: 5943 Comm: tar Tainted: P O 5.10.0 #1 Call trace: dump_backtrace+0x0/0x1c8 show_stack+0x18/0x28 dump_stack+0xe8/0x15c ___might_sleep+0x168/0x17c __might_sleep+0x60/0x74 __kmalloc_track_caller+0xa0/0x7dc kstrdup+0x54/0xac convert_context+0x48/0x2e4 sidtab_context_to_sid+0x1c4/0x36c security_context_to_sid_core+0x168/0x238 security_context_to_sid_default+0x14/0x24 inode_doinit_use_xattr+0x164/0x1e4 inode_doinit_with_dentry+0x1c0/0x488 selinux_d_instantiate+0x20/0x34 security_d_instantiate+0x70/0xbc d_splice_alias+0x4c/0x3c0 ext4_lookup+0x1d8/0x200 [ext4] __lookup_slow+0x12c/0x1e4 walk_component+0x100/0x200 path_lookupat+0x88/0x118 filename_lookup+0x98/0x130 user_path_at_empty+0x48/0x60 vfs_statx+0x84/0x140 vfs_fstatat+0x20/0x30 __se_sys_newfstatat+0x30/0x74 __arm64_sys_newfstatat+0x1c/0x2c el0_svc_common.constprop.0+0x100/0x184 do_el0_svc+0x1c/0x2c el0_svc+0x20/0x34 el0_sync_handler+0x80/0x17c el0_sync+0x13c/0x140 SELinux: Context system_u:object_r:pssp_rsyslog_log_t:s0:c0 is not valid (left unmapped). It was found that within a critical section of spin_lock_irqsave in sidtab_context_to_sid(), convert_context() (hooked by sidtab_convert_params.func) might cause the process to sleep via allocating memory with GFP_KERNEL, which is problematic. As Ondrej pointed out [1], convert_context()/sidtab_convert_params.func has another caller sidtab_convert_tree(), which is okay with GFP_KERNEL. Therefore, fix this problem by adding a gfp_t argument for convert_context()/sidtab_convert_params.func and pass GFP_KERNEL/_ATOMIC properly in individual callers. [PM: wrap long BUG() output lines, tweak subject line] 2025-12-24 not yet calculated CVE-2022-50699 https://git.kernel.org/stable/c/2723875e9d677401d775a03a72abab7e9538c20c
https://git.kernel.org/stable/c/3006766d247bc93a25b34e92fff2f75bda597e2e
https://git.kernel.org/stable/c/277378631d26477451424cc73982b977961f3d8b
https://git.kernel.org/stable/c/abe3c631447dcd1ba7af972fe6f054bee6f136fa
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: Delay the unmapping of the buffer On WCN3990, we are seeing a rare scenario where copy engine hardware is sending a copy complete interrupt to the host driver while still processing the buffer that the driver has sent, this is leading into an SMMU fault triggering kernel panic. This is happening on copy engine channel 3 (CE3) where the driver normally enqueues WMI commands to the firmware. Upon receiving a copy complete interrupt, host driver will immediately unmap and frees the buffer presuming that hardware has processed the buffer. In the issue case, upon receiving copy complete interrupt, host driver will unmap and free the buffer but since hardware is still accessing the buffer (which in this case got unmapped in parallel), SMMU hardware will trigger an SMMU fault resulting in a kernel panic. In order to avoid this, as a work around, add a delay before unmapping the copy engine source DMA buffer. This is conditionally done for WCN3990 and only for the CE3 channel where issue is seen. Below is the crash signature: wifi smmu error: kernel: [ 10.120965] arm-smmu 15000000.iommu: Unhandled context fault: fsr=0x402, iova=0x7fdfd8ac0, fsynr=0x500003,cbfrsynra=0xc1, cb=6 arm-smmu 15000000.iommu: Unhandled context fault:fsr=0x402, iova=0x7fe06fdc0, fsynr=0x710003, cbfrsynra=0xc1, cb=6 qcom-q6v5-mss 4080000.remoteproc: fatal error received: err_qdi.c:1040:EF:wlan_process:0x1:WLAN RT:0x2091: cmnos_thread.c:3998:Asserted in copy_engine.c:AXI_ERROR_DETECTED:2149 remoteproc remoteproc0: crash detected in 4080000.remoteproc: type fatal error <3> remoteproc remoteproc0: handling crash #1 in 4080000.remoteproc pc : __arm_lpae_unmap+0x500/0x514 lr : __arm_lpae_unmap+0x4bc/0x514 sp : ffffffc011ffb530 x29: ffffffc011ffb590 x28: 0000000000000000 x27: 0000000000000000 x26: 0000000000000004 x25: 0000000000000003 x24: ffffffc011ffb890 x23: ffffffa762ef9be0 x22: ffffffa77244ef00 x21: 0000000000000009 x20: 00000007fff7c000 x19: 0000000000000003 x18: 0000000000000000 x17: 0000000000000004 x16: ffffffd7a357d9f0 x15: 0000000000000000 x14: 00fd5d4fa7ffffff x13: 000000000000000e x12: 0000000000000000 x11: 00000000ffffffff x10: 00000000fffffe00 x9 : 000000000000017c x8 : 000000000000000c x7 : 0000000000000000 x6 : ffffffa762ef9000 x5 : 0000000000000003 x4 : 0000000000000004 x3 : 0000000000001000 x2 : 00000007fff7c000 x1 : ffffffc011ffb890 x0 : 0000000000000000 Call trace: __arm_lpae_unmap+0x500/0x514 __arm_lpae_unmap+0x4bc/0x514 __arm_lpae_unmap+0x4bc/0x514 arm_lpae_unmap_pages+0x78/0xa4 arm_smmu_unmap_pages+0x78/0x104 __iommu_unmap+0xc8/0x1e4 iommu_unmap_fast+0x38/0x48 __iommu_dma_unmap+0x84/0x104 iommu_dma_free+0x34/0x50 dma_free_attrs+0xa4/0xd0 ath10k_htt_rx_free+0xc4/0xf4 [ath10k_core] ath10k_core_stop+0x64/0x7c [ath10k_core] ath10k_halt+0x11c/0x180 [ath10k_core] ath10k_stop+0x54/0x94 [ath10k_core] drv_stop+0x48/0x1c8 [mac80211] ieee80211_do_open+0x638/0x77c [mac80211] ieee80211_open+0x48/0x5c [mac80211] __dev_open+0xb4/0x174 __dev_change_flags+0xc4/0x1dc dev_change_flags+0x3c/0x7c devinet_ioctl+0x2b4/0x580 inet_ioctl+0xb0/0x1b4 sock_do_ioctl+0x4c/0x16c compat_ifreq_ioctl+0x1cc/0x35c compat_sock_ioctl+0x110/0x2ac __arm64_compat_sys_ioctl+0xf4/0x3e0 el0_svc_common+0xb4/0x17c el0_svc_compat_handler+0x2c/0x58 el0_svc_compat+0x8/0x2c Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1 2025-12-24 not yet calculated CVE-2022-50700 https://git.kernel.org/stable/c/c4bedc3cda09d896c92adcdb6b62aa93b0c47a8a
https://git.kernel.org/stable/c/79a124b588aadb5a22695542778de14366ff3219
https://git.kernel.org/stable/c/acd4324e5f1f11351630234297f95076f0ac9a2f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921s: fix slab-out-of-bounds access in sdio host SDIO may need addtional 511 bytes to align bus operation. If the tailroom of this skb is not big enough, we would access invalid memory region. For low level operation, increase skb size to keep valid memory access in SDIO host. Error message: [69.951] BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0xe9/0x1a0 [69.951] Read of size 64 at addr ffff88811c9cf000 by task kworker/u16:7/451 [69.951] CPU: 4 PID: 451 Comm: kworker/u16:7 Tainted: G W OE 6.1.0-rc5 #1 [69.951] Workqueue: kvub300c vub300_cmndwork_thread [vub300] [69.951] Call Trace: [69.951] <TASK> [69.952] dump_stack_lvl+0x49/0x63 [69.952] print_report+0x171/0x4a8 [69.952] kasan_report+0xb4/0x130 [69.952] kasan_check_range+0x149/0x1e0 [69.952] memcpy+0x24/0x70 [69.952] sg_copy_buffer+0xe9/0x1a0 [69.952] sg_copy_to_buffer+0x12/0x20 [69.952] __command_write_data.isra.0+0x23c/0xbf0 [vub300] [69.952] vub300_cmndwork_thread+0x17f3/0x58b0 [vub300] [69.952] process_one_work+0x7ee/0x1320 [69.952] worker_thread+0x53c/0x1240 [69.952] kthread+0x2b8/0x370 [69.952] ret_from_fork+0x1f/0x30 [69.952] </TASK> [69.952] Allocated by task 854: [69.952] kasan_save_stack+0x26/0x50 [69.952] kasan_set_track+0x25/0x30 [69.952] kasan_save_alloc_info+0x1b/0x30 [69.952] __kasan_kmalloc+0x87/0xa0 [69.952] __kmalloc_node_track_caller+0x63/0x150 [69.952] kmalloc_reserve+0x31/0xd0 [69.952] __alloc_skb+0xfc/0x2b0 [69.952] __mt76_mcu_msg_alloc+0xbf/0x230 [mt76] [69.952] mt76_mcu_send_and_get_msg+0xab/0x110 [mt76] [69.952] __mt76_mcu_send_firmware.cold+0x94/0x15d [mt76] [69.952] mt76_connac_mcu_send_ram_firmware+0x415/0x54d [mt76_connac_lib] [69.952] mt76_connac2_load_ram.cold+0x118/0x4bc [mt76_connac_lib] [69.952] mt7921_run_firmware.cold+0x2e9/0x405 [mt7921_common] [69.952] mt7921s_mcu_init+0x45/0x80 [mt7921s] [69.953] mt7921_init_work+0xe1/0x2a0 [mt7921_common] [69.953] process_one_work+0x7ee/0x1320 [69.953] worker_thread+0x53c/0x1240 [69.953] kthread+0x2b8/0x370 [69.953] ret_from_fork+0x1f/0x30 [69.953] The buggy address belongs to the object at ffff88811c9ce800 which belongs to the cache kmalloc-2k of size 2048 [69.953] The buggy address is located 0 bytes to the right of 2048-byte region [ffff88811c9ce800, ffff88811c9cf000) [69.953] Memory state around the buggy address: [69.953] ffff88811c9cef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [69.953] ffff88811c9cef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [69.953] >ffff88811c9cf000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [69.953] ^ [69.953] ffff88811c9cf080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [69.953] ffff88811c9cf100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 2025-12-24 not yet calculated CVE-2022-50701 https://git.kernel.org/stable/c/8b5174a7f25d03df0ffa171ff86de383a89e8e89
https://git.kernel.org/stable/c/0b358e36433d2c46a65488a146bf8b4623fc5bbb
https://git.kernel.org/stable/c/aec4cf2ea0797e28f18f8dbe01943a56d987fe56
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: vdpa_sim: fix possible memory leak in vdpasim_net_init() and vdpasim_blk_init() Inject fault while probing module, if device_register() fails in vdpasim_net_init() or vdpasim_blk_init(), but the refcount of kobject is not decreased to 0, the name allocated in dev_set_name() is leaked. Fix this by calling put_device(), so that name can be freed in callback function kobject_cleanup(). (vdpa_sim_net) unreferenced object 0xffff88807eebc370 (size 16): comm "modprobe", pid 3848, jiffies 4362982860 (age 18.153s) hex dump (first 16 bytes): 76 64 70 61 73 69 6d 5f 6e 65 74 00 6b 6b 6b a5 vdpasim_net.kkk. backtrace: [<ffffffff8174f19e>] __kmalloc_node_track_caller+0x4e/0x150 [<ffffffff81731d53>] kstrdup+0x33/0x60 [<ffffffff83a5d421>] kobject_set_name_vargs+0x41/0x110 [<ffffffff82d87aab>] dev_set_name+0xab/0xe0 [<ffffffff82d91a23>] device_add+0xe3/0x1a80 [<ffffffffa0270013>] 0xffffffffa0270013 [<ffffffff81001c27>] do_one_initcall+0x87/0x2e0 [<ffffffff813739cb>] do_init_module+0x1ab/0x640 [<ffffffff81379d20>] load_module+0x5d00/0x77f0 [<ffffffff8137bc40>] __do_sys_finit_module+0x110/0x1b0 [<ffffffff83c4d505>] do_syscall_64+0x35/0x80 [<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 (vdpa_sim_blk) unreferenced object 0xffff8881070c1250 (size 16): comm "modprobe", pid 6844, jiffies 4364069319 (age 17.572s) hex dump (first 16 bytes): 76 64 70 61 73 69 6d 5f 62 6c 6b 00 6b 6b 6b a5 vdpasim_blk.kkk. backtrace: [<ffffffff8174f19e>] __kmalloc_node_track_caller+0x4e/0x150 [<ffffffff81731d53>] kstrdup+0x33/0x60 [<ffffffff83a5d421>] kobject_set_name_vargs+0x41/0x110 [<ffffffff82d87aab>] dev_set_name+0xab/0xe0 [<ffffffff82d91a23>] device_add+0xe3/0x1a80 [<ffffffffa0220013>] 0xffffffffa0220013 [<ffffffff81001c27>] do_one_initcall+0x87/0x2e0 [<ffffffff813739cb>] do_init_module+0x1ab/0x640 [<ffffffff81379d20>] load_module+0x5d00/0x77f0 [<ffffffff8137bc40>] __do_sys_finit_module+0x110/0x1b0 [<ffffffff83c4d505>] do_syscall_64+0x35/0x80 [<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 2025-12-24 not yet calculated CVE-2022-50702 https://git.kernel.org/stable/c/586e6fd7d581f987f7d0d2592edf0b26397e783e
https://git.kernel.org/stable/c/5be953e353fe421f2983e1fd37f07fba97edbffc
https://git.kernel.org/stable/c/337c24d817e28dd454ca22f1063dfad20822426e
https://git.kernel.org/stable/c/aeca7ff254843d49a8739f07f7dab1341450111d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe() There are two refcount leak bugs in qcom_smsm_probe(): (1) The 'local_node' is escaped out from for_each_child_of_node() as the break of iteration, we should call of_node_put() for it in error path or when it is not used anymore. (2) The 'node' is escaped out from for_each_available_child_of_node() as the 'goto', we should call of_node_put() for it in goto target. 2025-12-24 not yet calculated CVE-2022-50703 https://git.kernel.org/stable/c/1bbe75d466e5118b7d49ef4a346c3ce5742da4e8
https://git.kernel.org/stable/c/bd4666bf5562fe8e8e5e9bd6fc805d30e1767f43
https://git.kernel.org/stable/c/42df28994eba7b56c762f7bbe7efd5611a1cd15b
https://git.kernel.org/stable/c/1e3ed59370c712df436791efed120f0c082aa9bc
https://git.kernel.org/stable/c/39781c98ad46b4e85053345dff797240c1ed7935
https://git.kernel.org/stable/c/96e0028debdd07a6d582f0dfadf9a3ec2b5fffff
https://git.kernel.org/stable/c/8fb6112bd49c0e49f2cf51604231d85ff00284bb
https://git.kernel.org/stable/c/ee7fc83ce0e6986ff9b1c1d7e994fbbf8d43861d
https://git.kernel.org/stable/c/af8f6f39b8afd772fda4f8e61823ef8c021bf382
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: USB: gadget: Fix use-after-free during usb config switch In the process of switching USB config from rndis to other config, if the hardware does not support the ->pullup callback, or the hardware encounters a low probability fault, both of them may cause the ->pullup callback to fail, which will then cause a system panic (use after free). The gadget drivers sometimes need to be unloaded regardless of the hardware's behavior. Analysis as follows: ======================================================================= (1) write /config/usb_gadget/g1/UDC "none" gether_disconnect+0x2c/0x1f8 rndis_disable+0x4c/0x74 composite_disconnect+0x74/0xb0 configfs_composite_disconnect+0x60/0x7c usb_gadget_disconnect+0x70/0x124 usb_gadget_unregister_driver+0xc8/0x1d8 gadget_dev_desc_UDC_store+0xec/0x1e4 (2) rm /config/usb_gadget/g1/configs/b.1/f1 rndis_deregister+0x28/0x54 rndis_free+0x44/0x7c usb_put_function+0x14/0x1c config_usb_cfg_unlink+0xc4/0xe0 configfs_unlink+0x124/0x1c8 vfs_unlink+0x114/0x1dc (3) rmdir /config/usb_gadget/g1/functions/rndis.gs4 panic+0x1fc/0x3d0 do_page_fault+0xa8/0x46c do_mem_abort+0x3c/0xac el1_sync_handler+0x40/0x78 0xffffff801138f880 rndis_close+0x28/0x34 eth_stop+0x74/0x110 dev_close_many+0x48/0x194 rollback_registered_many+0x118/0x814 unregister_netdev+0x20/0x30 gether_cleanup+0x1c/0x38 rndis_attr_release+0xc/0x14 kref_put+0x74/0xb8 configfs_rmdir+0x314/0x374 If gadget->ops->pullup() return an error, function rndis_close() will be called, then it will causes a use-after-free problem. ======================================================================= 2025-12-24 not yet calculated CVE-2022-50704 https://git.kernel.org/stable/c/30e926aa835ac2e6ad05822e4cb75833feb0d99f
https://git.kernel.org/stable/c/99a58ac42d9b6911834b0224b6782aea0c311346
https://git.kernel.org/stable/c/afdc12887f2b2ecf20d065a7d81ad29824155083
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: io_uring/rw: defer fsnotify calls to task context We can't call these off the kiocb completion as that might be off soft/hard irq context. Defer the calls to when we process the task_work for this request. That avoids valid complaints like: stack backtrace: CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.0.0-rc6-syzkaller-00321-g105a36f3694e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_usage_bug kernel/locking/lockdep.c:3961 [inline] valid_state kernel/locking/lockdep.c:3973 [inline] mark_lock_irq kernel/locking/lockdep.c:4176 [inline] mark_lock.part.0.cold+0x18/0xd8 kernel/locking/lockdep.c:4632 mark_lock kernel/locking/lockdep.c:4596 [inline] mark_usage kernel/locking/lockdep.c:4527 [inline] __lock_acquire+0x11d9/0x56d0 kernel/locking/lockdep.c:5007 lock_acquire kernel/locking/lockdep.c:5666 [inline] lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631 __fs_reclaim_acquire mm/page_alloc.c:4674 [inline] fs_reclaim_acquire+0x115/0x160 mm/page_alloc.c:4688 might_alloc include/linux/sched/mm.h:271 [inline] slab_pre_alloc_hook mm/slab.h:700 [inline] slab_alloc mm/slab.c:3278 [inline] __kmem_cache_alloc_lru mm/slab.c:3471 [inline] kmem_cache_alloc+0x39/0x520 mm/slab.c:3491 fanotify_alloc_fid_event fs/notify/fanotify/fanotify.c:580 [inline] fanotify_alloc_event fs/notify/fanotify/fanotify.c:813 [inline] fanotify_handle_event+0x1130/0x3f40 fs/notify/fanotify/fanotify.c:948 send_to_group fs/notify/fsnotify.c:360 [inline] fsnotify+0xafb/0x1680 fs/notify/fsnotify.c:570 __fsnotify_parent+0x62f/0xa60 fs/notify/fsnotify.c:230 fsnotify_parent include/linux/fsnotify.h:77 [inline] fsnotify_file include/linux/fsnotify.h:99 [inline] fsnotify_access include/linux/fsnotify.h:309 [inline] __io_complete_rw_common+0x485/0x720 io_uring/rw.c:195 io_complete_rw+0x1a/0x1f0 io_uring/rw.c:228 iomap_dio_complete_work fs/iomap/direct-io.c:144 [inline] iomap_dio_bio_end_io+0x438/0x5e0 fs/iomap/direct-io.c:178 bio_endio+0x5f9/0x780 block/bio.c:1564 req_bio_endio block/blk-mq.c:695 [inline] blk_update_request+0x3fc/0x1300 block/blk-mq.c:825 scsi_end_request+0x7a/0x9a0 drivers/scsi/scsi_lib.c:541 scsi_io_completion+0x173/0x1f70 drivers/scsi/scsi_lib.c:971 scsi_complete+0x122/0x3b0 drivers/scsi/scsi_lib.c:1438 blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1022 __do_softirq+0x1d3/0x9c6 kernel/softirq.c:571 invoke_softirq kernel/softirq.c:445 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662 common_interrupt+0xa9/0xc0 arch/x86/kernel/irq.c:240 2025-12-24 not yet calculated CVE-2022-50705 https://git.kernel.org/stable/c/89a410dbd0f159ddd308f19d6eb682fc753e4771
https://git.kernel.org/stable/c/2a853c206e553dd9c0a55c22858fd6a446d93e15
https://git.kernel.org/stable/c/b000145e9907809406d8164c3b2b8861d95aecd1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/ieee802154: don't warn zero-sized raw_sendmsg() syzbot is hitting skb_assert_len() warning at __dev_queue_xmit() [1], for PF_IEEE802154 socket's zero-sized raw_sendmsg() request is hitting __dev_queue_xmit() with skb->len == 0. Since PF_IEEE802154 socket's zero-sized raw_sendmsg() request was able to return 0, don't call __dev_queue_xmit() if packet length is 0. ---------- #include <sys/socket.h> #include <netinet/in.h> int main(int argc, char *argv[]) { struct sockaddr_in addr = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) }; struct iovec iov = { }; struct msghdr hdr = { .msg_name = &addr, .msg_namelen = sizeof(addr), .msg_iov = &iov, .msg_iovlen = 1 }; sendmsg(socket(PF_IEEE802154, SOCK_RAW, 0), &hdr, 0); return 0; } ---------- Note that this might be a sign that commit fd1894224407c484 ("bpf: Don't redirect packets with invalid pkt_len") should be reverted, for skb->len == 0 was acceptable for at least PF_IEEE802154 socket. 2025-12-24 not yet calculated CVE-2022-50706 https://git.kernel.org/stable/c/4a36de8947794fa21435d1e916e089095f3246a8
https://git.kernel.org/stable/c/791489a5c56396ddfed75fc525066d4738dace46
https://git.kernel.org/stable/c/34f31a2b667914ab701ca725554a0b447809d7ef
https://git.kernel.org/stable/c/df0da3fc131132b6c32a15c4da4ffa3a5aea1af2
https://git.kernel.org/stable/c/9974d220c5073d035b5469d1d8ecd71da86c7afd
https://git.kernel.org/stable/c/b12e924a2f5b960373459c8f8a514f887adf5cac
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: virtio-crypto: fix memory leak in virtio_crypto_alg_skcipher_close_session() 'vc_ctrl_req' is alloced in virtio_crypto_alg_skcipher_close_session(), and should be freed in the invalid ctrl_status->status error handling case. Otherwise there is a memory leak. 2025-12-24 not yet calculated CVE-2022-50707 https://git.kernel.org/stable/c/79026a2d0a1b080257773d22a493f9bcab8c65be
https://git.kernel.org/stable/c/67fb59ff1384e338679c0eb7a43c83ce8868c9fa
https://git.kernel.org/stable/c/0871df190fe6723464efe0f493d476411616f553
https://git.kernel.org/stable/c/b1d65f717cd6305a396a8738e022c6f7c65cfbe8
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: HSI: ssi_protocol: fix potential resource leak in ssip_pn_open() ssip_pn_open() claims the HSI client's port with hsi_claim_port(). When hsi_register_port_event() gets some error and returns a negetive value, the HSI client's port should be released with hsi_release_port(). Fix it by calling hsi_release_port() when hsi_register_port_event() fails. 2025-12-24 not yet calculated CVE-2022-50708 https://git.kernel.org/stable/c/78b0ef14896f843c45372f9bbdb6f6070f977eaf
https://git.kernel.org/stable/c/e78b45b3eeee1cec77c794fcbf0512537c20b1dc
https://git.kernel.org/stable/c/b28dbcb379e6a7f80262c2732a57681b1ee548ca
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() syzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with pkt_len = 0 but ath9k_hif_usb_rx_stream() uses __dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb with uninitialized memory and ath9k_htc_rx_msg() is reading from uninitialized memory. Since bytes accessed by ath9k_htc_rx_msg() is not known until ath9k_htc_rx_msg() is called, it would be difficult to check minimal valid pkt_len at "if (pkt_len > 2 * MAX_RX_BUF_SIZE) {" line in ath9k_hif_usb_rx_stream(). We have two choices. One is to workaround by adding __GFP_ZERO so that ath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let ath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose the latter. Note that I'm not sure threshold condition is correct, for I can't find details on possible packet length used by this protocol. 2025-12-24 not yet calculated CVE-2022-50709 https://git.kernel.org/stable/c/f3d2a3b7e290d0bdbddfcee5a6c3d922e2b7e02a
https://git.kernel.org/stable/c/84242f15f911f34aec9b22f99d1e9bff19723dbe
https://git.kernel.org/stable/c/2c485f4f2a64258acc5228e78ffb828c68d9e770
https://git.kernel.org/stable/c/9661724f6206bd606ecf13acada676a9975d230b
https://git.kernel.org/stable/c/b1b4144508adfc585e43856b31baaf9008a3beb4
https://git.kernel.org/stable/c/0d2649b288b7b9484e3d4380c0d6c4720a17e473
https://git.kernel.org/stable/c/4891a50f5ed8bfcb8f2a4b816b0676f398687783
https://git.kernel.org/stable/c/b383e8abed41cc6ff1a3b34de75df9397fa4878c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ice: set tx_tstamps when creating new Tx rings via ethtool When the user changes the number of queues via ethtool, the driver allocates new rings. This allocation did not initialize tx_tstamps. This results in the tx_tstamps field being zero (due to kcalloc allocation), and would result in a NULL pointer dereference when attempting a transmit timestamp on the new ring. 2025-12-24 not yet calculated CVE-2022-50710 https://git.kernel.org/stable/c/624f03a027f2b18647cc4f1a7a81920a1e4e0201
https://git.kernel.org/stable/c/13180cb88a7be5ee389f65f6ab9f78e46f7722b2
https://git.kernel.org/stable/c/9eb5fff6b0e78819c758892282da5faa915724d0
https://git.kernel.org/stable/c/b3b173745c8cab1e24d6821488b60abed3acb24d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_eth_soc: fix possible memory leak in mtk_probe() If mtk_wed_add_hw() has been called, mtk_wed_exit() needs be called in error path or removing module to free the memory allocated in mtk_wed_add_hw(). 2025-12-24 not yet calculated CVE-2022-50711 https://git.kernel.org/stable/c/96bde7c4f5683d8c1c809ddb781ef3fdec9b7215
https://git.kernel.org/stable/c/b3d0d98179d62f9d55635a600679c4fa362baf8d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: devlink: hold region lock when flushing snapshots Netdevsim triggers a splat on reload, when it destroys regions with snapshots pending: WARNING: CPU: 1 PID: 787 at net/core/devlink.c:6291 devlink_region_snapshot_del+0x12e/0x140 CPU: 1 PID: 787 Comm: devlink Not tainted 6.1.0-07460-g7ae9888d6e1c #580 RIP: 0010:devlink_region_snapshot_del+0x12e/0x140 Call Trace: <TASK> devl_region_destroy+0x70/0x140 nsim_dev_reload_down+0x2f/0x60 [netdevsim] devlink_reload+0x1f7/0x360 devlink_nl_cmd_reload+0x6ce/0x860 genl_family_rcv_msg_doit.isra.0+0x145/0x1c0 This is the locking assert in devlink_region_snapshot_del(), we're supposed to be holding the region->snapshot_lock here. 2025-12-24 not yet calculated CVE-2022-50712 https://git.kernel.org/stable/c/49383d4e59bb704341aaa1d51440ccce58270e61
https://git.kernel.org/stable/c/6298cab4d80bfdb6fe01fe31fd9f0ba26317fdae
https://git.kernel.org/stable/c/b4cafb3d2c740f8d1b1234b43ac4a60e5291c960
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: clk: visconti: Fix memory leak in visconti_register_pll() @pll->rate_table has allocated memory by kmemdup(), if clk_hw_register() fails, it should be freed, otherwise it will cause memory leak issue, this patch fixes it. 2025-12-24 not yet calculated CVE-2022-50713 https://git.kernel.org/stable/c/70af9bf13be1716eac452c8a29ce6fe6b957a5db
https://git.kernel.org/stable/c/f0f1982ddfb418bf7bf05dadebae5c6869a41d41
https://git.kernel.org/stable/c/b55226f8553d255f5002c751c7c6ba9291f34bf2
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921e: fix rmmod crash in driver reload test In insmod/rmmod stress test, the following crash dump shows up immediately. The problem is caused by missing mt76_dev in mt7921_pci_remove(). We should make sure the drvdata is ready before probe() finished. [168.862789] ================================================================== [168.862797] BUG: KASAN: user-memory-access in try_to_grab_pending+0x59/0x480 [168.862805] Write of size 8 at addr 0000000000006df0 by task rmmod/5361 [168.862812] CPU: 7 PID: 5361 Comm: rmmod Tainted: G OE 5.19.0-rc6 #1 [168.862816] Hardware name: Intel(R) Client Systems NUC8i7BEH/NUC8BEB, 05/04/2020 [168.862820] Call Trace: [168.862822] <TASK> [168.862825] dump_stack_lvl+0x49/0x63 [168.862832] print_report.cold+0x493/0x6b7 [168.862845] kasan_report+0xa7/0x120 [168.862857] kasan_check_range+0x163/0x200 [168.862861] __kasan_check_write+0x14/0x20 [168.862866] try_to_grab_pending+0x59/0x480 [168.862870] __cancel_work_timer+0xbb/0x340 [168.862898] cancel_work_sync+0x10/0x20 [168.862902] mt7921_pci_remove+0x61/0x1c0 [mt7921e] [168.862909] pci_device_remove+0xa3/0x1d0 [168.862914] device_remove+0xc4/0x170 [168.862920] device_release_driver_internal+0x163/0x300 [168.862925] driver_detach+0xc7/0x1a0 [168.862930] bus_remove_driver+0xeb/0x2d0 [168.862935] driver_unregister+0x71/0xb0 [168.862939] pci_unregister_driver+0x30/0x230 [168.862944] mt7921_pci_driver_exit+0x10/0x1b [mt7921e] [168.862949] __x64_sys_delete_module+0x2f9/0x4b0 [168.862968] do_syscall_64+0x38/0x90 [168.862973] entry_SYSCALL_64_after_hwframe+0x63/0xcd Test steps: 1. insmode 2. do not ifup 3. rmmod quickly (within 1 second) 2025-12-24 not yet calculated CVE-2022-50714 https://git.kernel.org/stable/c/1034d8e08508830161377f136a060e78fc24f2a5
https://git.kernel.org/stable/c/ccda3ebdae719d348f90563b6719fba4929ae283
https://git.kernel.org/stable/c/b5a62d612b7baf6e09884e4de94decb6391d6a9d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: md/raid1: stop mdx_raid1 thread when raid1 array run failed fail run raid1 array when we assemble array with the inactive disk only, but the mdx_raid1 thread were not stop, Even if the associated resources have been released. it will caused a NULL dereference when we do poweroff. This causes the following Oops: [ 287.587787] BUG: kernel NULL pointer dereference, address: 0000000000000070 [ 287.594762] #PF: supervisor read access in kernel mode [ 287.599912] #PF: error_code(0x0000) - not-present page [ 287.605061] PGD 0 P4D 0 [ 287.607612] Oops: 0000 [#1] SMP NOPTI [ 287.611287] CPU: 3 PID: 5265 Comm: md0_raid1 Tainted: G U 5.10.146 #0 [ 287.619029] Hardware name: xxxxxxx/To be filled by O.E.M, BIOS 5.19 06/16/2022 [ 287.626775] RIP: 0010:md_check_recovery+0x57/0x500 [md_mod] [ 287.632357] Code: fe 01 00 00 48 83 bb 10 03 00 00 00 74 08 48 89 ...... [ 287.651118] RSP: 0018:ffffc90000433d78 EFLAGS: 00010202 [ 287.656347] RAX: 0000000000000000 RBX: ffff888105986800 RCX: 0000000000000000 [ 287.663491] RDX: ffffc90000433bb0 RSI: 00000000ffffefff RDI: ffff888105986800 [ 287.670634] RBP: ffffc90000433da0 R08: 0000000000000000 R09: c0000000ffffefff [ 287.677771] R10: 0000000000000001 R11: ffffc90000433ba8 R12: ffff888105986800 [ 287.684907] R13: 0000000000000000 R14: fffffffffffffe00 R15: ffff888100b6b500 [ 287.692052] FS: 0000000000000000(0000) GS:ffff888277f80000(0000) knlGS:0000000000000000 [ 287.700149] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 287.705897] CR2: 0000000000000070 CR3: 000000000320a000 CR4: 0000000000350ee0 [ 287.713033] Call Trace: [ 287.715498] raid1d+0x6c/0xbbb [raid1] [ 287.719256] ? __schedule+0x1ff/0x760 [ 287.722930] ? schedule+0x3b/0xb0 [ 287.726260] ? schedule_timeout+0x1ed/0x290 [ 287.730456] ? __switch_to+0x11f/0x400 [ 287.734219] md_thread+0xe9/0x140 [md_mod] [ 287.738328] ? md_thread+0xe9/0x140 [md_mod] [ 287.742601] ? wait_woken+0x80/0x80 [ 287.746097] ? md_register_thread+0xe0/0xe0 [md_mod] [ 287.751064] kthread+0x11a/0x140 [ 287.754300] ? kthread_park+0x90/0x90 [ 287.757974] ret_from_fork+0x1f/0x30 In fact, when raid1 array run fail, we need to do md_unregister_thread() before raid1_free(). 2025-12-24 not yet calculated CVE-2022-50715 https://git.kernel.org/stable/c/d684ceb77311410aeaf5189d321f9f564838c49a
https://git.kernel.org/stable/c/110f14a7b2eb5b8aa9df5af2d629524f2a07d543
https://git.kernel.org/stable/c/0c7c7468c3ae222e297b7dc74d6ccb69c4d0183c
https://git.kernel.org/stable/c/19d5a0e17aba92b10d895e40ec782768cf00da23
https://git.kernel.org/stable/c/10d713532ffc67b13df61ed9c138a8ce0a186236
https://git.kernel.org/stable/c/a3cc41e05e8af340a2a759b168c29fffdb9194eb
https://git.kernel.org/stable/c/22be44212cad8be96860346882d8e694b0b437b6
https://git.kernel.org/stable/c/d26364596db8f8b55277b2afb3952e05a4057a21
https://git.kernel.org/stable/c/b611ad14006e5be2170d9e8e611bf49dff288911
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out syzkaller reported use-after-free with the stack trace like below [1]: [ 38.960489][ C3] ================================================================== [ 38.963216][ C3] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240 [ 38.964950][ C3] Read of size 8 at addr ffff888048e03450 by task swapper/3/0 [ 38.966363][ C3] [ 38.967053][ C3] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.0.0-09039-ga6afa4199d3d-dirty #18 [ 38.968464][ C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014 [ 38.969959][ C3] Call Trace: [ 38.970841][ C3] <IRQ> [ 38.971663][ C3] dump_stack_lvl+0xfc/0x174 [ 38.972620][ C3] print_report.cold+0x2c3/0x752 [ 38.973626][ C3] ? ar5523_cmd_tx_cb+0x220/0x240 [ 38.974644][ C3] kasan_report+0xb1/0x1d0 [ 38.975720][ C3] ? ar5523_cmd_tx_cb+0x220/0x240 [ 38.976831][ C3] ar5523_cmd_tx_cb+0x220/0x240 [ 38.978412][ C3] __usb_hcd_giveback_urb+0x353/0x5b0 [ 38.979755][ C3] usb_hcd_giveback_urb+0x385/0x430 [ 38.981266][ C3] dummy_timer+0x140c/0x34e0 [ 38.982925][ C3] ? notifier_call_chain+0xb5/0x1e0 [ 38.984761][ C3] ? rcu_read_lock_sched_held+0xb/0x60 [ 38.986242][ C3] ? lock_release+0x51c/0x790 [ 38.987323][ C3] ? _raw_read_unlock_irqrestore+0x37/0x70 [ 38.988483][ C3] ? __wake_up_common_lock+0xde/0x130 [ 38.989621][ C3] ? reacquire_held_locks+0x4a0/0x4a0 [ 38.990777][ C3] ? lock_acquire+0x472/0x550 [ 38.991919][ C3] ? rcu_read_lock_sched_held+0xb/0x60 [ 38.993138][ C3] ? lock_acquire+0x472/0x550 [ 38.994890][ C3] ? dummy_urb_enqueue+0x860/0x860 [ 38.996266][ C3] ? do_raw_spin_unlock+0x16f/0x230 [ 38.997670][ C3] ? dummy_urb_enqueue+0x860/0x860 [ 38.999116][ C3] call_timer_fn+0x1a0/0x6a0 [ 39.000668][ C3] ? add_timer_on+0x4a0/0x4a0 [ 39.002137][ C3] ? reacquire_held_locks+0x4a0/0x4a0 [ 39.003809][ C3] ? __next_timer_interrupt+0x226/0x2a0 [ 39.005509][ C3] __run_timers.part.0+0x69a/0xac0 [ 39.007025][ C3] ? dummy_urb_enqueue+0x860/0x860 [ 39.008716][ C3] ? call_timer_fn+0x6a0/0x6a0 [ 39.010254][ C3] ? cpuacct_percpu_seq_show+0x10/0x10 [ 39.011795][ C3] ? kvm_sched_clock_read+0x14/0x40 [ 39.013277][ C3] ? sched_clock_cpu+0x69/0x2b0 [ 39.014724][ C3] run_timer_softirq+0xb6/0x1d0 [ 39.016196][ C3] __do_softirq+0x1d2/0x9be [ 39.017616][ C3] __irq_exit_rcu+0xeb/0x190 [ 39.019004][ C3] irq_exit_rcu+0x5/0x20 [ 39.020361][ C3] sysvec_apic_timer_interrupt+0x8f/0xb0 [ 39.021965][ C3] </IRQ> [ 39.023237][ C3] <TASK> In ar5523_probe(), ar5523_host_available() calls ar5523_cmd() as below (there are other functions which finally call ar5523_cmd()): ar5523_probe() -> ar5523_host_available() -> ar5523_cmd_read() -> ar5523_cmd() If ar5523_cmd() timed out, then ar5523_host_available() failed and ar5523_probe() freed the device structure. So, ar5523_cmd_tx_cb() might touch the freed structure. This patch fixes this issue by canceling in-flight tx cmd if submitted urb timed out. 2025-12-24 not yet calculated CVE-2022-50716 https://git.kernel.org/stable/c/c9ba3fbf6a488da6cad1d304c5234bd8d729eba3
https://git.kernel.org/stable/c/340524ae7b53a72cf5d9e7bd7790433422b3b12f
https://git.kernel.org/stable/c/6447beefd21326a3f4719ec2ea511df797f6c820
https://git.kernel.org/stable/c/7360b323e0343ea099091d4ae09576dbe1f09516
https://git.kernel.org/stable/c/8af52492717e3538eba3f81d012b1476af8a89a6
https://git.kernel.org/stable/c/3eca9697c2f3905dea3ad2fc536ebaa1fbd735bd
https://git.kernel.org/stable/c/601ae89375033ac4870c086e24ba03f235d38e55
https://git.kernel.org/stable/c/9aef34e1ae35a87e5f6a22278c17823b7ce64c88
https://git.kernel.org/stable/c/b6702a942a069c2a975478d719e98d83cdae1797
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds check on Transfer Tag ttag is used as an index to get cmd in nvmet_tcp_handle_h2c_data_pdu(), add a bounds check to avoid out-of-bounds access. 2025-12-24 not yet calculated CVE-2022-50717 https://git.kernel.org/stable/c/0d150ccd55dbfad36f55855b40b381884c98456e
https://git.kernel.org/stable/c/d5bb45f47b37d10f010355686b28c9ebacb361d4
https://git.kernel.org/stable/c/ec8adf767e1cfa7031f853b8c71ba1963f07df15
https://git.kernel.org/stable/c/fcf82e4553db911d10234ff2390cfd0e2aa854e4
https://git.kernel.org/stable/c/752593d04637ebdc87fd29cba81897f21ae053f0
https://git.kernel.org/stable/c/b6a545ffa2c192b1e6da4a7924edac5ba9f4ea2b
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix pci device refcount leak As comment of pci_get_domain_bus_and_slot() says, it returns a pci device with refcount increment, when finish using it, the caller must decrement the reference count by calling pci_dev_put(). So before returning from amdgpu_device_resume|suspend_display_audio(), pci_dev_put() is called to avoid refcount leak. 2025-12-24 not yet calculated CVE-2022-50718 https://git.kernel.org/stable/c/3725a8f26bdbc38dfdf545836117f1e069277c91
https://git.kernel.org/stable/c/02105f0b3021ee5853b2fa50853c42f35fc01cfd
https://git.kernel.org/stable/c/f13661b72a61708cecb06562f8acff068a4f31f7
https://git.kernel.org/stable/c/d7352b410471cbebf6350b2990bae82bb0d59a76
https://git.kernel.org/stable/c/b85e285e3d6352b02947fc1b72303673dfacb0aa
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: line6: fix stack overflow in line6_midi_transmit Correctly calculate available space including the size of the chunk buffer. This fixes a buffer overflow when multiple MIDI sysex messages are sent to a PODxt device. 2025-12-24 not yet calculated CVE-2022-50719 https://git.kernel.org/stable/c/b026af92b2cea907c780f7168c730c816cd33311
https://git.kernel.org/stable/c/49cb7737e733013ec86aa77ed2e19b94a68eaa05
https://git.kernel.org/stable/c/0c76087449ee4ed45a88b10017d02c6694caedb1
https://git.kernel.org/stable/c/25e8c6ecb46843a955f254b8f0d77894e4a53dc4
https://git.kernel.org/stable/c/66f359ad66d49f75d39ac729f9114dabf90b81bb
https://git.kernel.org/stable/c/0c9118e381ff538874e00fd4e66a768273c150fb
https://git.kernel.org/stable/c/61e4be4a60cc6de723f8c574ddbcb3025eb44cac
https://git.kernel.org/stable/c/389d34c2a8b52acc351fd932ed4bea41fee5a39b
https://git.kernel.org/stable/c/b8800d324abb50160560c636bfafe2c81001b66c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: x86/apic: Don't disable x2APIC if locked The APIC supports two modes, legacy APIC (or xAPIC), and Extended APIC (or x2APIC). X2APIC mode is mostly compatible with legacy APIC, but it disables the memory-mapped APIC interface in favor of one that uses MSRs. The APIC mode is controlled by the EXT bit in the APIC MSR. The MMIO/xAPIC interface has some problems, most notably the APIC LEAK [1]. This bug allows an attacker to use the APIC MMIO interface to extract data from the SGX enclave. Introduce support for a new feature that will allow the BIOS to lock the APIC in x2APIC mode. If the APIC is locked in x2APIC mode and the kernel tries to disable the APIC or revert to legacy APIC mode a GP fault will occur. Introduce support for a new MSR (IA32_XAPIC_DISABLE_STATUS) and handle the new locked mode when the LEGACY_XAPIC_DISABLED bit is set by preventing the kernel from trying to disable the x2APIC. On platforms with the IA32_XAPIC_DISABLE_STATUS MSR, if SGX or TDX are enabled the LEGACY_XAPIC_DISABLED will be set by the BIOS. If legacy APIC is required, then it SGX and TDX need to be disabled in the BIOS. [1]: https://aepicleak.com/aepicleak.pdf 2025-12-24 not yet calculated CVE-2022-50720 https://git.kernel.org/stable/c/05785ba834f23272f9d23427ae4a80ac505a5296
https://git.kernel.org/stable/c/dd1241e00addbf0b95f6cd6ce32152692820657e
https://git.kernel.org/stable/c/b8d1d163604bd1e600b062fb00de5dc42baa355f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: dmaengine: qcom-adm: fix wrong calling convention for prep_slave_sg The calling convention for pre_slave_sg is to return NULL on error and provide an error log to the system. Qcom-adm instead provide error pointer when an error occur. This indirectly cause kernel panic for example for the nandc driver that checks only if the pointer returned by device_prep_slave_sg is not NULL. Returning an error pointer makes nandc think the device_prep_slave_sg function correctly completed and makes the kernel panics later in the code. While nandc is the one that makes the kernel crash, it was pointed out that the real problem is qcom-adm not following calling convention for that function. To fix this, drop returning error pointer and return NULL with an error log. 2025-12-24 not yet calculated CVE-2022-50721 https://git.kernel.org/stable/c/5653bd0200944e5803fa8e32dc36aa49931312f9
https://git.kernel.org/stable/c/9a041174c58a226e713f6cebd41eccec7a5cfa72
https://git.kernel.org/stable/c/b9d2140c3badf4107973ad77c5a0ec3075705c85
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: ipu3-imgu: Fix NULL pointer dereference in active selection access What the IMGU driver did was that it first acquired the pointers to active and try V4L2 subdev state, and only then figured out which one to use. The problem with that approach and a later patch (see Fixes: tag) is that as sd_state argument to v4l2_subdev_get_try_crop() et al is NULL, there is now an attempt to dereference that. Fix this. Also rewrap lines a little. 2025-12-24 not yet calculated CVE-2022-50722 https://git.kernel.org/stable/c/5265cc1202a31f7097691c3483a0d60d624424a5
https://git.kernel.org/stable/c/740717b756c17190dc2d2ad4c6de1e63f214e0c9
https://git.kernel.org/stable/c/b9eb3ab6f30bf32f7326909f17949ccb11bab514
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bnxt_en: fix memory leak in bnxt_nvm_test() Free the kzalloc'ed buffer before returning in the success path. 2025-12-24 not yet calculated CVE-2022-50723 https://git.kernel.org/stable/c/be083d97031712a2e16fd915ddb8fe1a6cb1fbc5
https://git.kernel.org/stable/c/ba077d683d45190afc993c1ce45bcdbfda741a40
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: regulator: core: fix resource leak in regulator_register() I got some resource leak reports while doing fault injection test: OF: ERROR: memory leak, expected refcount 1 instead of 100, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /i2c/pmic@64/regulators/buck1 unreferenced object 0xffff88810deea000 (size 512): comm "490-i2c-rt5190a", pid 253, jiffies 4294859840 (age 5061.046s) hex dump (first 32 bytes): 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ff ff ff ff ff ff ff ff a0 1e 00 a1 ff ff ff ff ................ backtrace: [<00000000d78541e2>] kmalloc_trace+0x21/0x110 [<00000000b343d153>] device_private_init+0x32/0xd0 [<00000000be1f0c70>] device_add+0xb2d/0x1030 [<00000000e3e6344d>] regulator_register+0xaf2/0x12a0 [<00000000e2f5e754>] devm_regulator_register+0x57/0xb0 [<000000008b898197>] rt5190a_probe+0x52a/0x861 [rt5190a_regulator] unreferenced object 0xffff88810b617b80 (size 32): comm "490-i2c-rt5190a", pid 253, jiffies 4294859904 (age 5060.983s) hex dump (first 32 bytes): 72 65 67 75 6c 61 74 6f 72 2e 32 38 36 38 2d 53 regulator.2868-S 55 50 50 4c 59 00 ff ff 29 00 00 00 2b 00 00 00 UPPLY...)...+... backtrace: [<000000009da9280d>] __kmalloc_node_track_caller+0x44/0x1b0 [<0000000025c6a4e5>] kstrdup+0x3a/0x70 [<00000000790efb69>] create_regulator+0xc0/0x4e0 [<0000000005ed203a>] regulator_resolve_supply+0x2d4/0x440 [<0000000045796214>] regulator_register+0x10b3/0x12a0 [<00000000e2f5e754>] devm_regulator_register+0x57/0xb0 [<000000008b898197>] rt5190a_probe+0x52a/0x861 [rt5190a_regulator] After calling regulator_resolve_supply(), the 'rdev->supply' is set by set_supply(), after this set, in the error path, the resources need be released, so call regulator_put() to avoid the leaks. 2025-12-24 not yet calculated CVE-2022-50724 https://git.kernel.org/stable/c/35593d60b1622834984c43add7646d4069671aa9
https://git.kernel.org/stable/c/6a03c31d08f95dca9633a552de167b9e625833a8
https://git.kernel.org/stable/c/c4c64d8abd656b9807b63178750fa91454602b86
https://git.kernel.org/stable/c/90b713aadc1240bf2dd03d610d6c1d016a9123a2
https://git.kernel.org/stable/c/f86b2f216636790d5922458578825e4628fb570f
https://git.kernel.org/stable/c/ba62319a42c50e6254e98b3f316464fac8e77968
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: vidtv: Fix use-after-free in vidtv_bridge_dvb_init() KASAN reports a use-after-free: BUG: KASAN: use-after-free in dvb_dmxdev_release+0x4d5/0x5d0 [dvb_core] Call Trace: ... dvb_dmxdev_release+0x4d5/0x5d0 [dvb_core] vidtv_bridge_probe+0x7bf/0xa40 [dvb_vidtv_bridge] platform_probe+0xb6/0x170 ... Allocated by task 1238: ... dvb_register_device+0x1a7/0xa70 [dvb_core] dvb_dmxdev_init+0x2af/0x4a0 [dvb_core] vidtv_bridge_probe+0x766/0xa40 [dvb_vidtv_bridge] ... Freed by task 1238: dvb_register_device+0x6d2/0xa70 [dvb_core] dvb_dmxdev_init+0x2af/0x4a0 [dvb_core] vidtv_bridge_probe+0x766/0xa40 [dvb_vidtv_bridge] ... It is because the error handling in vidtv_bridge_dvb_init() is wrong. First, vidtv_bridge_dmx(dev)_init() will clean themselves when fail, but goto fail_dmx(_dev): calls release functions again, which causes use-after-free. Also, in fail_fe, fail_tuner_probe and fail_demod_probe, j = i will cause out-of-bound when i finished its loop (i == NUM_FE). And the loop releasing is wrong, although now NUM_FE is 1 so it won't cause problem. Fix this by correctly releasing everything. 2025-12-24 not yet calculated CVE-2022-50725 https://git.kernel.org/stable/c/0369af6fe33d4053899b121b32e91f870b2cf0ae
https://git.kernel.org/stable/c/c290aa527fd832d278c6388a3ba53a9890fbd74a
https://git.kernel.org/stable/c/06398ce69571a43a8a0dd0f1bfe35d221f726a6a
https://git.kernel.org/stable/c/8a204a0b4a0d105229735222c515759ea2b126c1
https://git.kernel.org/stable/c/ba8d9405935097e296bcf7a942c3a01df0edb865
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix possible use-after-free in async command interface mlx5_cmd_cleanup_async_ctx should return only after all its callback handlers were completed. Before this patch, the below race between mlx5_cmd_cleanup_async_ctx and mlx5_cmd_exec_cb_handler was possible and lead to a use-after-free: 1. mlx5_cmd_cleanup_async_ctx is called while num_inflight is 2 (i.e. elevated by 1, a single inflight callback). 2. mlx5_cmd_cleanup_async_ctx decreases num_inflight to 1. 3. mlx5_cmd_exec_cb_handler is called, decreases num_inflight to 0 and is about to call wake_up(). 4. mlx5_cmd_cleanup_async_ctx calls wait_event, which returns immediately as the condition (num_inflight == 0) holds. 5. mlx5_cmd_cleanup_async_ctx returns. 6. The caller of mlx5_cmd_cleanup_async_ctx frees the mlx5_async_ctx object. 7. mlx5_cmd_exec_cb_handler goes on and calls wake_up() on the freed object. Fix it by syncing using a completion object. Mark it completed when num_inflight reaches 0. Trace: BUG: KASAN: use-after-free in do_raw_spin_lock+0x23d/0x270 Read of size 4 at addr ffff888139cd12f4 by task swapper/5/0 CPU: 5 PID: 0 Comm: swapper/5 Not tainted 6.0.0-rc3_for_upstream_debug_2022_08_30_13_10 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: <IRQ> dump_stack_lvl+0x57/0x7d print_report.cold+0x2d5/0x684 ? do_raw_spin_lock+0x23d/0x270 kasan_report+0xb1/0x1a0 ? do_raw_spin_lock+0x23d/0x270 do_raw_spin_lock+0x23d/0x270 ? rwlock_bug.part.0+0x90/0x90 ? __delete_object+0xb8/0x100 ? lock_downgrade+0x6e0/0x6e0 _raw_spin_lock_irqsave+0x43/0x60 ? __wake_up_common_lock+0xb9/0x140 __wake_up_common_lock+0xb9/0x140 ? __wake_up_common+0x650/0x650 ? destroy_tis_callback+0x53/0x70 [mlx5_core] ? kasan_set_track+0x21/0x30 ? destroy_tis_callback+0x53/0x70 [mlx5_core] ? kfree+0x1ba/0x520 ? do_raw_spin_unlock+0x54/0x220 mlx5_cmd_exec_cb_handler+0x136/0x1a0 [mlx5_core] ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core] ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core] mlx5_cmd_comp_handler+0x65a/0x12b0 [mlx5_core] ? dump_command+0xcc0/0xcc0 [mlx5_core] ? lockdep_hardirqs_on_prepare+0x400/0x400 ? cmd_comp_notifier+0x7e/0xb0 [mlx5_core] cmd_comp_notifier+0x7e/0xb0 [mlx5_core] atomic_notifier_call_chain+0xd7/0x1d0 mlx5_eq_async_int+0x3ce/0xa20 [mlx5_core] atomic_notifier_call_chain+0xd7/0x1d0 ? irq_release+0x140/0x140 [mlx5_core] irq_int_handler+0x19/0x30 [mlx5_core] __handle_irq_event_percpu+0x1f2/0x620 handle_irq_event+0xb2/0x1d0 handle_edge_irq+0x21e/0xb00 __common_interrupt+0x79/0x1a0 common_interrupt+0x78/0xa0 </IRQ> <TASK> asm_common_interrupt+0x22/0x40 RIP: 0010:default_idle+0x42/0x60 Code: c1 83 e0 07 48 c1 e9 03 83 c0 03 0f b6 14 11 38 d0 7c 04 84 d2 75 14 8b 05 eb 47 22 02 85 c0 7e 07 0f 00 2d e0 9f 48 00 fb f4 <c3> 48 c7 c7 80 08 7f 85 e8 d1 d3 3e fe eb de 66 66 2e 0f 1f 84 00 RSP: 0018:ffff888100dbfdf0 EFLAGS: 00000242 RAX: 0000000000000001 RBX: ffffffff84ecbd48 RCX: 1ffffffff0afe110 RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffffffff835cc9bc RBP: 0000000000000005 R08: 0000000000000001 R09: ffff88881dec4ac3 R10: ffffed1103bd8958 R11: 0000017d0ca571c9 R12: 0000000000000005 R13: ffffffff84f024e0 R14: 0000000000000000 R15: dffffc0000000000 ? default_idle_call+0xcc/0x450 default_idle_call+0xec/0x450 do_idle+0x394/0x450 ? arch_cpu_idle_exit+0x40/0x40 ? do_idle+0x17/0x450 cpu_startup_entry+0x19/0x20 start_secondary+0x221/0x2b0 ? set_cpu_sibling_map+0x2070/0x2070 secondary_startup_64_no_verify+0xcd/0xdb </TASK> Allocated by task 49502: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 kvmalloc_node+0x48/0xe0 mlx5e_bulk_async_init+0x35/0x110 [mlx5_core] mlx5e_tls_priv_tx_list_cleanup+0x84/0x3e0 [mlx5_core] mlx5e_ktls_cleanup_tx+0x38f/0x760 [mlx5_core] mlx5e_cleanup_nic_tx+0xa7/0x100 [mlx5_core] mlx5e_detach_netdev+0x1c ---truncated--- 2025-12-24 not yet calculated CVE-2022-50726 https://git.kernel.org/stable/c/69dd3ad406c49aa69ce4852c15231ac56af8caf9
https://git.kernel.org/stable/c/bbcc06933f35651294ea1e963757502312c2171f
https://git.kernel.org/stable/c/ab3de780c176bb91995c6166a576b370d9726e17
https://git.kernel.org/stable/c/0aa3ee1e4e5c9ed5dda11249450d609c3072c54e
https://git.kernel.org/stable/c/bacd22df95147ed673bec4692ab2d4d585935241
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: efct: Fix possible memleak in efct_device_init() In efct_device_init(), when efct_scsi_reg_fc_transport() fails, efct_scsi_tgt_driver_exit() is not called to release memory for efct_scsi_tgt_driver_init() and causes memleak: unreferenced object 0xffff8881020ce000 (size 2048): comm "modprobe", pid 465, jiffies 4294928222 (age 55.872s) backtrace: [<0000000021a1ef1b>] kmalloc_trace+0x27/0x110 [<000000004c3ed51c>] target_register_template+0x4fd/0x7b0 [target_core_mod] [<00000000f3393296>] efct_scsi_tgt_driver_init+0x18/0x50 [efct] [<00000000115de533>] 0xffffffffc0d90011 [<00000000d608f646>] do_one_initcall+0xd0/0x4e0 [<0000000067828cf1>] do_init_module+0x1cc/0x6a0 ... 2025-12-24 not yet calculated CVE-2022-50727 https://git.kernel.org/stable/c/038359eeccffaf0de4c1c9c51ee19cc5649619a1
https://git.kernel.org/stable/c/0c6e6bb30229b1297ac0fd7ede2941d2322fc736
https://git.kernel.org/stable/c/c7e96168a8ca3be96c4959475164bef31115f07e
https://git.kernel.org/stable/c/bb0cd225dd37df1f4a22e36dad59ff33178ecdfc
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: s390/lcs: Fix return type of lcs_start_xmit() With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals: drivers/s390/net/lcs.c:2090:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] .ndo_start_xmit = lcs_start_xmit, ^~~~~~~~~~~~~~ drivers/s390/net/lcs.c:2097:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] .ndo_start_xmit = lcs_start_xmit, ^~~~~~~~~~~~~~ ->ndo_start_xmit() in 'struct net_device_ops' expects a return type of 'netdev_tx_t', not 'int'. Adjust the return type of lcs_start_xmit() to match the prototype's to resolve the warning and potential CFI failure, should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. 2025-12-24 not yet calculated CVE-2022-50728 https://git.kernel.org/stable/c/7b4da3fcd513b8e67823eb80da37aad99b3339c1
https://git.kernel.org/stable/c/d49cc2b705711fb8fb849e7c660929b2100360b7
https://git.kernel.org/stable/c/e684215d8a903752e2b0cc946517fb61e57a880a
https://git.kernel.org/stable/c/20022d551f2064a194d8e0acb6cd7a85094a17b2
https://git.kernel.org/stable/c/ebc3c77785dc8b5b626309c0032a38fbb139287a
https://git.kernel.org/stable/c/5ad774fb823c24bbeb21a15a67103ea7a6f5b928
https://git.kernel.org/stable/c/69669820844f81a77b6db24b86581320ae4d17af
https://git.kernel.org/stable/c/cda74cdc280ba35c8993e7517bac5c257ff36f18
https://git.kernel.org/stable/c/bb16db8393658e0978c3f0d30ae069e878264fa3
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix resource leak in ksmbd_session_rpc_open() When ksmbd_rpc_open() fails then it must call ksmbd_rpc_id_free() to undo the result of ksmbd_ipc_id_alloc(). 2025-12-24 not yet calculated CVE-2022-50729 https://git.kernel.org/stable/c/31c1b5d3000cdff70b98d5af045271e09079bec1
https://git.kernel.org/stable/c/9cb49b95c05df09b369d1ec1f378b5c92109433c
https://git.kernel.org/stable/c/f9ed133381eba883c5e0059063d5b3ca7cac6d41
https://git.kernel.org/stable/c/bc044414fa0326a4e5c3c509c00b1fcaf621b5f4
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ext4: silence the warning when evicting inode with dioread_nolock When evicting an inode with default dioread_nolock, it could be raced by the unwritten extents converting kworker after writeback some new allocated dirty blocks. It convert unwritten extents to written, the extents could be merged to upper level and free extent blocks, so it could mark the inode dirty again even this inode has been marked I_FREEING. But the inode->i_io_list check and warning in ext4_evict_inode() missing this corner case. Fortunately, ext4_evict_inode() will wait all extents converting finished before this check, so it will not lead to inode use-after-free problem, every thing is OK besides this warning. The WARN_ON_ONCE was originally designed for finding inode use-after-free issues in advance, but if we add current dioread_nolock case in, it will become not quite useful, so fix this warning by just remove this check. ====== WARNING: CPU: 7 PID: 1092 at fs/ext4/inode.c:227 ext4_evict_inode+0x875/0xc60 ... RIP: 0010:ext4_evict_inode+0x875/0xc60 ... Call Trace: <TASK> evict+0x11c/0x2b0 iput+0x236/0x3a0 do_unlinkat+0x1b4/0x490 __x64_sys_unlinkat+0x4c/0xb0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7fa933c1115b ====== rm kworker ext4_end_io_end() vfs_unlink() ext4_unlink() ext4_convert_unwritten_io_end_vec() ext4_convert_unwritten_extents() ext4_map_blocks() ext4_ext_map_blocks() ext4_ext_try_to_merge_up() __mark_inode_dirty() check !I_FREEING locked_inode_to_wb_and_lock_list() iput() iput_final() evict() ext4_evict_inode() truncate_inode_pages_final() //wait release io_end inode_io_list_move_locked() ext4_release_io_end() trigger WARN_ON_ONCE() 2025-12-24 not yet calculated CVE-2022-50730 https://git.kernel.org/stable/c/bdc698ce91f232fd5eb11d2373e9f82f687314b8
https://git.kernel.org/stable/c/0d041b7251c13679a0f6c7926751ce1d8a7237c1
https://git.kernel.org/stable/c/3b893cc9a8d8b4e486a6639f5e107b56b7197d2e
https://git.kernel.org/stable/c/b085fb43feede48ebf80ab7e2dd150c8d9902932
https://git.kernel.org/stable/c/bc12ac98ea2e1b70adc6478c8b473a0003b659d3
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: crypto: akcipher - default implementation for setting a private key Changes from v1: * removed the default implementation from set_pub_key: it is assumed that an implementation must always have this callback defined as there are no use case for an algorithm, which doesn't need a public key Many akcipher implementations (like ECDSA) support only signature verifications, so they don't have all callbacks defined. Commit 78a0324f4a53 ("crypto: akcipher - default implementations for request callbacks") introduced default callbacks for sign/verify operations, which just return an error code. However, these are not enough, because before calling sign the caller would likely call set_priv_key first on the instantiated transform (as the in-kernel testmgr does). This function does not have a default stub, so the kernel crashes, when trying to set a private key on an akcipher, which doesn't support signature generation. I've noticed this, when trying to add a KAT vector for ECDSA signature to the testmgr. With this patch the testmgr returns an error in dmesg (as it should) instead of crashing the kernel NULL ptr dereference. 2025-12-24 not yet calculated CVE-2022-50731 https://git.kernel.org/stable/c/95c4e20adc3ea00d1594a2a05d9b187ed12ffa8e
https://git.kernel.org/stable/c/a1354bdd191d533211b7cb723aa76a66f516f197
https://git.kernel.org/stable/c/779a9930f3e152c82699feb389a0e6d6644e747e
https://git.kernel.org/stable/c/85bc736a18b872f54912e8bb70682d11770aece0
https://git.kernel.org/stable/c/f9058178597059d6307efe96a7916600f8ede08c
https://git.kernel.org/stable/c/bc155c6c188c2f0c5749993b1405673d25a80389
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: staging: rtl8192u: Fix use after free in ieee80211_rx() We cannot dereference the "skb" pointer after calling ieee80211_monitor_rx(), because it is a use after free. 2025-12-24 not yet calculated CVE-2022-50732 https://git.kernel.org/stable/c/9c03db0ec84b7964a11b20706665c99a5fead332
https://git.kernel.org/stable/c/fdc62d31d50e4ce5d8f363fcb8299ba0e00ee6fd
https://git.kernel.org/stable/c/a0df8d44b555ae09729d6533fd4532977563c7b9
https://git.kernel.org/stable/c/288ada16a93aab5aa2ebea8190aafdb35b716854
https://git.kernel.org/stable/c/daa8045a991363ccdae5615d170f35aa1135e7a7
https://git.kernel.org/stable/c/b0aaec894a909c88117c8bda6c7c9b26cf7c744b
https://git.kernel.org/stable/c/de174163c0d319ff06d622e79130a0017c8f5a6e
https://git.kernel.org/stable/c/73df1172bbcc8d45cd28e3b1a9ca2edb2f9f7ce6
https://git.kernel.org/stable/c/bcc5e2dcf09089b337b76fc1a589f6ff95ca19ac
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: usb: idmouse: fix an uninit-value in idmouse_open In idmouse_create_image, if any ftip_command fails, it will go to the reset label. However, this leads to the data in bulk_in_buffer[HEADER..IMGSIZE] uninitialized. And the check for valid image incurs an uninitialized dereference. Fix this by moving the check before reset label since this check only be valid if the data after bulk_in_buffer[HEADER] has concrete data. Note that this is found by KMSAN, so only kernel compilation is tested. 2025-12-24 not yet calculated CVE-2022-50733 https://git.kernel.org/stable/c/b3304a6df957cc89a0590cb505388d659bf3db4c
https://git.kernel.org/stable/c/7dad42032f68718259590b0cc7654e9a95ff9762
https://git.kernel.org/stable/c/f589b667567fde4f81d6e6c40f42b9f2224690ea
https://git.kernel.org/stable/c/1eae30c0113dde7522088231584d62415011a035
https://git.kernel.org/stable/c/b8bbae3236ab7dccc66c42bc3f7cdbcfc0786e54
https://git.kernel.org/stable/c/20b8c456df584ebb2387dc23d40ebe4ff334417c
https://git.kernel.org/stable/c/6163a5ae097bc78fa26c243fb384537e25610fd7
https://git.kernel.org/stable/c/adad163d1cff248a5df9f7cec50158e6ca89f33b
https://git.kernel.org/stable/c/bce2b0539933e485d22d6f6f076c0fcd6f185c4c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: nvmem: core: Fix memleak in nvmem_register() dev_set_name will alloc memory for nvmem->dev.kobj.name in nvmem_register, when nvmem_validate_keepouts failed, nvmem's memory will be freed and return, but nobody will free memory for nvmem->dev.kobj.name, there will be memleak, so moving nvmem_validate_keepouts() after device_register() and let the device core deal with cleaning name in error cases. 2025-12-24 not yet calculated CVE-2022-50734 https://git.kernel.org/stable/c/9391cc3a787a58aa224a6440d7f244d780ba2896
https://git.kernel.org/stable/c/2bd2774df0ce37920b23819a860a66fdbdd90823
https://git.kernel.org/stable/c/b6054b9b239a493672f853b034570cca93ba7a88
https://git.kernel.org/stable/c/bd1244561fa2a4531ded40dbf09c9599084f8b29
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: do not run mt76u_status_worker if the device is not running Fix the following NULL pointer dereference avoiding to run mt76u_status_worker thread if the device is not running yet. KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 98 Comm: kworker/u2:2 Not tainted 5.14.0+ #78 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 Workqueue: mt76 mt76u_tx_status_data RIP: 0010:mt76x02_mac_fill_tx_status.isra.0+0x82c/0x9e0 Code: c5 48 b8 00 00 00 00 00 fc ff df 80 3c 02 00 0f 85 94 01 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 34 24 4c 89 f2 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 89 01 00 00 41 8b 16 41 0f b7 RSP: 0018:ffffc900005af988 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffffc900005afae8 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff832fc661 RDI: ffffc900005afc2a RBP: ffffc900005afae0 R08: 0000000000000001 R09: fffff520000b5f3c R10: 0000000000000003 R11: fffff520000b5f3b R12: ffff88810b6132d8 R13: 000000000000ffff R14: 0000000000000000 R15: ffffc900005afc28 FS: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa0eda6a000 CR3: 0000000118f17000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: mt76x02_send_tx_status+0x1d2/0xeb0 mt76x02_tx_status_data+0x8e/0xd0 mt76u_tx_status_data+0xe1/0x240 process_one_work+0x92b/0x1460 worker_thread+0x95/0xe00 kthread+0x3a1/0x480 ret_from_fork+0x1f/0x30 Modules linked in: --[ end trace 8df5d20fc5040f65 ]-- RIP: 0010:mt76x02_mac_fill_tx_status.isra.0+0x82c/0x9e0 Code: c5 48 b8 00 00 00 00 00 fc ff df 80 3c 02 00 0f 85 94 01 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 34 24 4c 89 f2 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 89 01 00 00 41 8b 16 41 0f b7 RSP: 0018:ffffc900005af988 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffffc900005afae8 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff832fc661 RDI: ffffc900005afc2a RBP: ffffc900005afae0 R08: 0000000000000001 R09: fffff520000b5f3c R10: 0000000000000003 R11: fffff520000b5f3b R12: ffff88810b6132d8 R13: 000000000000ffff R14: 0000000000000000 R15: ffffc900005afc28 FS: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa0eda6a000 CR3: 0000000118f17000 CR4: 0000000000750ef0 PKRU: 55555554 Moreover move stat_work schedule out of the for loop. 2025-12-24 not yet calculated CVE-2022-50735 https://git.kernel.org/stable/c/69346de0eb956fb92949b9473de4647d9c34a54f
https://git.kernel.org/stable/c/58fdd84a89b121b761dbfb8a196356e007376ca4
https://git.kernel.org/stable/c/f5ac749a0b21beee55d87d0b05de36976b22dff9
https://git.kernel.org/stable/c/bd5dac7ced5a7c9faa4dc468ac9560c3256df845
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix immediate work request flush to completion queue Correctly set send queue element opcode during immediate work request flushing in post sendqueue operation, if the QP is in ERROR state. An undefined ocode value results in out-of-bounds access to an array for mapping the opcode between siw internal and RDMA core representation in work completion generation. It resulted in a KASAN BUG report of type 'global-out-of-bounds' during NFSoRDMA testing. This patch further fixes a potential case of a malicious user which may write undefined values for completion queue elements status or opcode, if the CQ is memory mapped to user land. It avoids the same out-of-bounds access to arrays for status and opcode mapping as described above. 2025-12-24 not yet calculated CVE-2022-50736 https://git.kernel.org/stable/c/6af043089d3f1210776d19b6fdabea610d4c7699
https://git.kernel.org/stable/c/75af03fdf35acf15a3977f7115f6b8d10dff4bc7
https://git.kernel.org/stable/c/f8d8fbd3b6d6cc3f25790cca5cffe8ded512fef6
https://git.kernel.org/stable/c/355d2eca68c10d713a42f68e62044b3d1c300471
https://git.kernel.org/stable/c/f3d26a8589dfdeff328779b511f71fb90b10005e
https://git.kernel.org/stable/c/bdf1da5df9da680589a7f74448dd0a94dd3e1446
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Validate index root when initialize NTFS security This enhances the sanity check for $SDH and $SII while initializing NTFS security, guarantees these index root are legit. [ 162.459513] BUG: KASAN: use-after-free in hdr_find_e.isra.0+0x10c/0x320 [ 162.460176] Read of size 2 at addr ffff8880037bca99 by task mount/243 [ 162.460851] [ 162.461252] CPU: 0 PID: 243 Comm: mount Not tainted 6.0.0-rc7 #42 [ 162.461744] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 162.462609] Call Trace: [ 162.462954] <TASK> [ 162.463276] dump_stack_lvl+0x49/0x63 [ 162.463822] print_report.cold+0xf5/0x689 [ 162.464608] ? unwind_get_return_address+0x3a/0x60 [ 162.465766] ? hdr_find_e.isra.0+0x10c/0x320 [ 162.466975] kasan_report+0xa7/0x130 [ 162.467506] ? _raw_spin_lock_irq+0xc0/0xf0 [ 162.467998] ? hdr_find_e.isra.0+0x10c/0x320 [ 162.468536] __asan_load2+0x68/0x90 [ 162.468923] hdr_find_e.isra.0+0x10c/0x320 [ 162.469282] ? cmp_uints+0xe0/0xe0 [ 162.469557] ? cmp_sdh+0x90/0x90 [ 162.469864] ? ni_find_attr+0x214/0x300 [ 162.470217] ? ni_load_mi+0x80/0x80 [ 162.470479] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 162.470931] ? ntfs_bread_run+0x190/0x190 [ 162.471307] ? indx_get_root+0xe4/0x190 [ 162.471556] ? indx_get_root+0x140/0x190 [ 162.471833] ? indx_init+0x1e0/0x1e0 [ 162.472069] ? fnd_clear+0x115/0x140 [ 162.472363] ? _raw_spin_lock_irqsave+0x100/0x100 [ 162.472731] indx_find+0x184/0x470 [ 162.473461] ? sysvec_apic_timer_interrupt+0x57/0xc0 [ 162.474429] ? indx_find_buffer+0x2d0/0x2d0 [ 162.474704] ? do_syscall_64+0x3b/0x90 [ 162.474962] dir_search_u+0x196/0x2f0 [ 162.475381] ? ntfs_nls_to_utf16+0x450/0x450 [ 162.475661] ? ntfs_security_init+0x3d6/0x440 [ 162.475906] ? is_sd_valid+0x180/0x180 [ 162.476191] ntfs_extend_init+0x13f/0x2c0 [ 162.476496] ? ntfs_fix_post_read+0x130/0x130 [ 162.476861] ? iput.part.0+0x286/0x320 [ 162.477325] ntfs_fill_super+0x11e0/0x1b50 [ 162.477709] ? put_ntfs+0x1d0/0x1d0 [ 162.477970] ? vsprintf+0x20/0x20 [ 162.478258] ? set_blocksize+0x95/0x150 [ 162.478538] get_tree_bdev+0x232/0x370 [ 162.478789] ? put_ntfs+0x1d0/0x1d0 [ 162.479038] ntfs_fs_get_tree+0x15/0x20 [ 162.479374] vfs_get_tree+0x4c/0x130 [ 162.479729] path_mount+0x654/0xfe0 [ 162.480124] ? putname+0x80/0xa0 [ 162.480484] ? finish_automount+0x2e0/0x2e0 [ 162.480894] ? putname+0x80/0xa0 [ 162.481467] ? kmem_cache_free+0x1c4/0x440 [ 162.482280] ? putname+0x80/0xa0 [ 162.482714] do_mount+0xd6/0xf0 [ 162.483264] ? path_mount+0xfe0/0xfe0 [ 162.484782] ? __kasan_check_write+0x14/0x20 [ 162.485593] __x64_sys_mount+0xca/0x110 [ 162.486024] do_syscall_64+0x3b/0x90 [ 162.486543] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 162.487141] RIP: 0033:0x7f9d374e948a [ 162.488324] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 [ 162.489728] RSP: 002b:00007ffe30e73d18 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 [ 162.490971] RAX: ffffffffffffffda RBX: 0000561cdb43a060 RCX: 00007f9d374e948a [ 162.491669] RDX: 0000561cdb43a260 RSI: 0000561cdb43a2e0 RDI: 0000561cdb442af0 [ 162.492050] RBP: 0000000000000000 R08: 0000561cdb43a280 R09: 0000000000000020 [ 162.492459] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000561cdb442af0 [ 162.493183] R13: 0000561cdb43a260 R14: 0000000000000000 R15: 00000000ffffffff [ 162.493644] </TASK> [ 162.493908] [ 162.494214] The buggy address belongs to the physical page: [ 162.494761] page:000000003e38a3d5 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x37bc [ 162.496064] flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff) [ 162.497278] raw: 000fffffc0000000 ffffea00000df1c8 ffffea00000df008 0000000000000000 [ 162.498928] raw: 0000000000000000 0000000000240000 0 ---truncated--- 2025-12-24 not yet calculated CVE-2022-50737 https://git.kernel.org/stable/c/d7ce7bb6881aae186e50f57eea935cff8d504751
https://git.kernel.org/stable/c/24ee53c6bce15500db22f2a7aee9dd830e806c90
https://git.kernel.org/stable/c/d6379ce242960a8e9ecd6ff76f476d9336c21f16
https://git.kernel.org/stable/c/bfcdbae0523bd95eb75a739ffb6221a37109881e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: vhost-vdpa: fix an iotlb memory leak Before commit 3d5698793897 ("vhost-vdpa: introduce asid based IOTLB") we called vhost_vdpa_iotlb_unmap(v, iotlb, 0ULL, 0ULL - 1) during release to free all the resources allocated when processing user IOTLB messages through vhost_vdpa_process_iotlb_update(). That commit changed the handling of IOTLB a bit, and we accidentally removed some code called during the release. We partially fixed this with commit 037d4305569a ("vhost-vdpa: call vhost_vdpa_cleanup during the release") but a potential memory leak is still there as showed by kmemleak if the application does not send VHOST_IOTLB_INVALIDATE or crashes: unreferenced object 0xffff888007fbaa30 (size 16): comm "blkio-bench", pid 914, jiffies 4294993521 (age 885.500s) hex dump (first 16 bytes): 40 73 41 07 80 88 ff ff 00 00 00 00 00 00 00 00 @sA............. backtrace: [<0000000087736d2a>] kmem_cache_alloc_trace+0x142/0x1c0 [<0000000060740f50>] vhost_vdpa_process_iotlb_msg+0x68c/0x901 [vhost_vdpa] [<0000000083e8e205>] vhost_chr_write_iter+0xc0/0x4a0 [vhost] [<000000008f2f414a>] vhost_vdpa_chr_write_iter+0x18/0x20 [vhost_vdpa] [<00000000de1cd4a0>] vfs_write+0x216/0x4b0 [<00000000a2850200>] ksys_write+0x71/0xf0 [<00000000de8e720b>] __x64_sys_write+0x19/0x20 [<0000000018b12cbb>] do_syscall_64+0x3f/0x90 [<00000000986ec465>] entry_SYSCALL_64_after_hwframe+0x63/0xcd Let's fix this calling vhost_vdpa_iotlb_unmap() on the whole range in vhost_vdpa_remove_as(). We move that call before vhost_dev_cleanup() since we need a valid v->vdev.mm in vhost_vdpa_pa_unmap(). vhost_iotlb_reset() call can be removed, since vhost_vdpa_iotlb_unmap() on the whole range removes all the entries. The kmemleak log reported was observed with a vDPA device that has `use_va` set to true (e.g. VDUSE). This patch has been tested with both types of devices. 2025-12-24 not yet calculated CVE-2022-50738 https://git.kernel.org/stable/c/4e92cb33bfb51eee5f28bb10846c46f266a4bb67
https://git.kernel.org/stable/c/a2907867e2c86067accd2f011d6f23ee5533aa6c
https://git.kernel.org/stable/c/c070c1912a83432530cbb4271d5b9b11fa36b67a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add null pointer check for inode operations This adds a sanity check for the i_op pointer of the inode which is returned after reading Root directory MFT record. We should check the i_op is valid before trying to create the root dentry, otherwise we may encounter a NPD while mounting a image with a funny Root directory MFT record. [ 114.484325] BUG: kernel NULL pointer dereference, address: 0000000000000008 [ 114.484811] #PF: supervisor read access in kernel mode [ 114.485084] #PF: error_code(0x0000) - not-present page [ 114.485606] PGD 0 P4D 0 [ 114.485975] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 114.486570] CPU: 0 PID: 237 Comm: mount Tainted: G B 6.0.0-rc4 #28 [ 114.486977] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 114.488169] RIP: 0010:d_flags_for_inode+0xe0/0x110 [ 114.488816] Code: 24 f7 ff 49 83 3e 00 74 41 41 83 cd 02 66 44 89 6b 02 eb 92 48 8d 7b 20 e8 6d 24 f7 ff 4c 8b 73 20 49 8d 7e 08 e8 60 241 [ 114.490326] RSP: 0018:ffff8880065e7aa8 EFLAGS: 00000296 [ 114.490695] RAX: 0000000000000001 RBX: ffff888008ccd750 RCX: ffffffff84af2aea [ 114.490986] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff87abd020 [ 114.491364] RBP: ffff8880065e7ac8 R08: 0000000000000001 R09: fffffbfff0f57a05 [ 114.491675] R10: ffffffff87abd027 R11: fffffbfff0f57a04 R12: 0000000000000000 [ 114.491954] R13: 0000000000000008 R14: 0000000000000000 R15: ffff888008ccd750 [ 114.492397] FS: 00007fdc8a627e40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000 [ 114.492797] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 114.493150] CR2: 0000000000000008 CR3: 00000000013ba000 CR4: 00000000000006f0 [ 114.493671] Call Trace: [ 114.493890] <TASK> [ 114.494075] __d_instantiate+0x24/0x1c0 [ 114.494505] d_instantiate.part.0+0x35/0x50 [ 114.494754] d_make_root+0x53/0x80 [ 114.494998] ntfs_fill_super+0x1232/0x1b50 [ 114.495260] ? put_ntfs+0x1d0/0x1d0 [ 114.495499] ? vsprintf+0x20/0x20 [ 114.495723] ? set_blocksize+0x95/0x150 [ 114.495964] get_tree_bdev+0x232/0x370 [ 114.496272] ? put_ntfs+0x1d0/0x1d0 [ 114.496502] ntfs_fs_get_tree+0x15/0x20 [ 114.496859] vfs_get_tree+0x4c/0x130 [ 114.497099] path_mount+0x654/0xfe0 [ 114.497507] ? putname+0x80/0xa0 [ 114.497933] ? finish_automount+0x2e0/0x2e0 [ 114.498362] ? putname+0x80/0xa0 [ 114.498571] ? kmem_cache_free+0x1c4/0x440 [ 114.498819] ? putname+0x80/0xa0 [ 114.499069] do_mount+0xd6/0xf0 [ 114.499343] ? path_mount+0xfe0/0xfe0 [ 114.499683] ? __kasan_check_write+0x14/0x20 [ 114.500133] __x64_sys_mount+0xca/0x110 [ 114.500592] do_syscall_64+0x3b/0x90 [ 114.500930] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 114.501294] RIP: 0033:0x7fdc898e948a [ 114.501542] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 [ 114.502716] RSP: 002b:00007ffd793e58f8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 [ 114.503175] RAX: ffffffffffffffda RBX: 0000564b2228f060 RCX: 00007fdc898e948a [ 114.503588] RDX: 0000564b2228f260 RSI: 0000564b2228f2e0 RDI: 0000564b22297ce0 [ 114.504925] RBP: 0000000000000000 R08: 0000564b2228f280 R09: 0000000000000020 [ 114.505484] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564b22297ce0 [ 114.505823] R13: 0000564b2228f260 R14: 0000000000000000 R15: 00000000ffffffff [ 114.506562] </TASK> [ 114.506887] Modules linked in: [ 114.507648] CR2: 0000000000000008 [ 114.508884] ---[ end trace 0000000000000000 ]--- [ 114.509675] RIP: 0010:d_flags_for_inode+0xe0/0x110 [ 114.510140] Code: 24 f7 ff 49 83 3e 00 74 41 41 83 cd 02 66 44 89 6b 02 eb 92 48 8d 7b 20 e8 6d 24 f7 ff 4c 8b 73 20 49 8d 7e 08 e8 60 241 [ 114.511762] RSP: 0018:ffff8880065e7aa8 EFLAGS: 00000296 [ 114.512401] RAX: 0000000000000001 RBX: ffff888008ccd750 RCX: ffffffff84af2aea [ 114.51 ---truncated--- 2025-12-24 not yet calculated CVE-2022-50739 https://git.kernel.org/stable/c/f62506f5e45afbb01c84c3f28a2878b320a0b0f7
https://git.kernel.org/stable/c/9f24743ddcdd3683b0a6b16e1439ad091dc3489b
https://git.kernel.org/stable/c/a7b23037b38b577d9a4372e0c6b7c9fe808070c1
https://git.kernel.org/stable/c/c1ca8ef0262b25493631ecbd9cb8c9893e1481a1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs() Syzkaller reports a long-known leak of urbs in ath9k_hif_usb_dealloc_tx_urbs(). The cause of the leak is that usb_get_urb() is called but usb_free_urb() (or usb_put_urb()) is not called inside usb_kill_urb() as urb->dev or urb->ep fields have not been initialized and usb_kill_urb() returns immediately. The patch removes trying to kill urbs located in hif_dev->tx.tx_buf because hif_dev->tx.tx_buf is not supposed to contain urbs which are in pending state (the pending urbs are stored in hif_dev->tx.tx_pending). The tx.tx_lock is acquired so there should not be any changes in the list. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. 2025-12-24 not yet calculated CVE-2022-50740 https://git.kernel.org/stable/c/134ae5eba41294eff76e4be20d6001b8f0192207
https://git.kernel.org/stable/c/472312fef2b9eccaa03bd59e0ab2527da945e736
https://git.kernel.org/stable/c/eddbb8f7620f9f8008b090a6e10c460074ca575a
https://git.kernel.org/stable/c/9850791d389b342ae6e573fe8198db0b4d338352
https://git.kernel.org/stable/c/c3fb3e9a2c0c1a0fa492d90eb19bcfa92a5f884d
https://git.kernel.org/stable/c/d856f7574bcc1d81de565a857caf32f122cd7ce0
https://git.kernel.org/stable/c/c05189a429fdb371dd455c3c466d67ac2ebff152
https://git.kernel.org/stable/c/08aa0537ec8cf29ceccae98acc1a534fc12598c1
https://git.kernel.org/stable/c/c2a94de38c74e86f49124ac14f093d6a5c377a90
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: imx-jpeg: Disable useless interrupt to avoid kernel panic There is a hardware bug that the interrupt STMBUF_HALF may be triggered after or when disable interrupt. It may led to unexpected kernel panic. And interrupt STMBUF_HALF and STMBUF_RTND have no other effect. So disable them and the unused interrupts. meanwhile clear the interrupt status when disable interrupt. 2025-12-24 not yet calculated CVE-2022-50741 https://git.kernel.org/stable/c/ad31bc146f0e4521805695f4f99d8a3c3b2761f6
https://git.kernel.org/stable/c/f1257fc8fc988bdc4b26277f58bbf7b694b531f0
https://git.kernel.org/stable/c/35591c2469953d59abdb16cb7beac834052cdb4f
https://git.kernel.org/stable/c/c3720e65c9013a7b2a5dbb63e6bf6d74a35dd894
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: misc: ocxl: fix possible refcount leak in afu_ioctl() eventfd_ctx_put need to be called to put the refcount that gotten by eventfd_ctx_fdget when ocxl_irq_set_handler fails. 2025-12-24 not yet calculated CVE-2022-50742 https://git.kernel.org/stable/c/fc797285c40a9cc441357abb3521d3e51c743f67
https://git.kernel.org/stable/c/7ba19a60c74fb0057d4daef2fa2cbfc9522f3ba1
https://git.kernel.org/stable/c/11bd8bbdf8f6f5c1145bb158793107a57e3a1f07
https://git.kernel.org/stable/c/843433a02e344d30fbb62dfd834c60631baaa527
https://git.kernel.org/stable/c/66032c43291672bae8b93184d2806f05be3e16df
https://git.kernel.org/stable/c/c3b69ba5114c860d730870c03ab4ee45276e5e35
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: erofs: Fix pcluster memleak when its block address is zero syzkaller reported a memleak: https://syzkaller.appspot.com/bug?id=62f37ff612f0021641eda5b17f056f1668aa9aed unreferenced object 0xffff88811009c7f8 (size 136): ... backtrace: [<ffffffff821db19b>] z_erofs_do_read_page+0x99b/0x1740 [<ffffffff821dee9e>] z_erofs_readahead+0x24e/0x580 [<ffffffff814bc0d6>] read_pages+0x86/0x3d0 ... syzkaller constructed a case: in z_erofs_register_pcluster(), ztailpacking = false and map->m_pa = zero. This makes pcl->obj.index be zero although pcl is not a inline pcluster. Then following path adds refcount for grp, but the refcount won't be put because pcl is inline. z_erofs_readahead() z_erofs_do_read_page() # for another page z_erofs_collector_begin() erofs_find_workgroup() erofs_workgroup_get() Since it's illegal for the block address of a non-inlined pcluster to be zero, add check here to avoid registering the pcluster which would be leaked. 2025-12-24 not yet calculated CVE-2022-50743 https://git.kernel.org/stable/c/ac54c1f7b288d83b6ba1e320efff24ecc21309cd
https://git.kernel.org/stable/c/618e712b99c78d1004b70a1a9ab0a4830d0b2673
https://git.kernel.org/stable/c/c42c0ffe81176940bd5dead474216b7198d77675
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix hard lockup when reading the rx_monitor from debugfs During I/O and simultaneous cat of /sys/kernel/debug/lpfc/fnX/rx_monitor, a hard lockup similar to the call trace below may occur. The spin_lock_bh in lpfc_rx_monitor_report is not protecting from timer interrupts as expected, so change the strength of the spin lock to _irq. Kernel panic - not syncing: Hard LOCKUP CPU: 3 PID: 110402 Comm: cat Kdump: loaded exception RIP: native_queued_spin_lock_slowpath+91 [IRQ stack] native_queued_spin_lock_slowpath at ffffffffb814e30b _raw_spin_lock at ffffffffb89a667a lpfc_rx_monitor_record at ffffffffc0a73a36 [lpfc] lpfc_cmf_timer at ffffffffc0abbc67 [lpfc] __hrtimer_run_queues at ffffffffb8184250 hrtimer_interrupt at ffffffffb8184ab0 smp_apic_timer_interrupt at ffffffffb8a026ba apic_timer_interrupt at ffffffffb8a01c4f [End of IRQ stack] apic_timer_interrupt at ffffffffb8a01c4f lpfc_rx_monitor_report at ffffffffc0a73c80 [lpfc] lpfc_rx_monitor_read at ffffffffc0addde1 [lpfc] full_proxy_read at ffffffffb83e7fc3 vfs_read at ffffffffb833fe71 ksys_read at ffffffffb83402af do_syscall_64 at ffffffffb800430b entry_SYSCALL_64_after_hwframe at ffffffffb8a000ad 2025-12-24 not yet calculated CVE-2022-50744 https://git.kernel.org/stable/c/2cf66428a2545bb33beb9624124a2377468bb478
https://git.kernel.org/stable/c/cd542900ee5147028bbe603b238efcab8d720838
https://git.kernel.org/stable/c/39761417ea7b654217d6d9085afbf7c87ba3675d
https://git.kernel.org/stable/c/c44e50f4a0ec00c2298f31f91bc2c3e9bbd81c7e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: staging: media: tegra-video: fix device_node use after free At probe time this code path is followed: * tegra_csi_init * tegra_csi_channels_alloc * for_each_child_of_node(node, channel) -- iterates over channels * automatically gets 'channel' * tegra_csi_channel_alloc() * saves into chan->of_node a pointer to the channel OF node * automatically gets and puts 'channel' * now the node saved in chan->of_node has refcount 0, can disappear * tegra_csi_channels_init * iterates over channels * tegra_csi_channel_init -- uses chan->of_node After that, chan->of_node keeps storing the node until the device is removed. of_node_get() the node and of_node_put() it during teardown to avoid any risk. 2025-12-24 not yet calculated CVE-2022-50745 https://git.kernel.org/stable/c/5451efb2ca30f3c42b9efb8327ce35b62870dbd3
https://git.kernel.org/stable/c/ce50c612458091d926ccb05d7db11d9f93532db2
https://git.kernel.org/stable/c/6512c9498fcb97e7c760e3ef86b2272f2c0f765f
https://git.kernel.org/stable/c/0fd003d3c708c80350a815eaf37b8e1114b976cf
https://git.kernel.org/stable/c/c4d344163c3a7f90712525f931a6c016bbb35e18
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: erofs: validate the extent length for uncompressed pclusters syzkaller reported a KASAN use-after-free: https://syzkaller.appspot.com/bug?extid=2ae90e873e97f1faf6f2 The referenced fuzzed image actually has two issues: - m_pa == 0 as a non-inlined pcluster; - The logical length is longer than its physical length. The first issue has already been addressed. This patch addresses the second issue by checking the extent length validity. 2025-12-24 not yet calculated CVE-2022-50746 https://git.kernel.org/stable/c/dc8b6bd587b13b85aff6e9d36cdfcd3f955cac9e
https://git.kernel.org/stable/c/40c73b2ea9611b5388807be406f30f5e4e1162da
https://git.kernel.org/stable/c/c505feba4c0d76084e56ec498ce819f02a7043ae
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: hfs: Fix OOB Write in hfs_asc2mac Syzbot reported a OOB Write bug: loop0: detected capacity change from 0 to 64 ================================================================== BUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133 Write of size 1 at addr ffff88801848314e by task syz-executor391/3632 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 print_address_description+0x74/0x340 mm/kasan/report.c:284 print_report+0x107/0x1f0 mm/kasan/report.c:395 kasan_report+0xcd/0x100 mm/kasan/report.c:495 hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133 hfs_cat_build_key+0x92/0x170 fs/hfs/catalog.c:28 hfs_lookup+0x1ab/0x2c0 fs/hfs/dir.c:31 lookup_open fs/namei.c:3391 [inline] open_last_lookups fs/namei.c:3481 [inline] path_openat+0x10e6/0x2df0 fs/namei.c:3710 do_filp_open+0x264/0x4f0 fs/namei.c:3740 If in->len is much larger than HFS_NAMELEN(31) which is the maximum length of an HFS filename, a OOB write could occur in hfs_asc2mac(). In that case, when the dst reaches the boundary, the srclen is still greater than 0, which causes a OOB write. Fix this by adding a check on dstlen in while() before writing to dst address. 2025-12-24 not yet calculated CVE-2022-50747 https://git.kernel.org/stable/c/8399318b13dc9e0569dee07ba2994098926d4fb2
https://git.kernel.org/stable/c/95040de81c629cd8d3c6ab5b50a8bd5088068303
https://git.kernel.org/stable/c/ba8f0ca386dd15acf5a93cbac932392c7818eab4
https://git.kernel.org/stable/c/6a95b17e4d4cd2d8278559f930b447f8c9c8cff9
https://git.kernel.org/stable/c/cff9fefdfbf5744afbb6d70bff2b49ec2065d23d
https://git.kernel.org/stable/c/7af9cb8cbb81308ce4b06cc7164267faccbf75dd
https://git.kernel.org/stable/c/ae21b03f904736eb2aa9bd119d2a14e741f1681f
https://git.kernel.org/stable/c/88579c158e026860c61c4192531e8bc42f4bc642
https://git.kernel.org/stable/c/c53ed55cb275344086e32a7080a6b19cb183650b
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ipc: mqueue: fix possible memory leak in init_mqueue_fs() commit db7cfc380900 ("ipc: Free mq_sysctls if ipc namespace creation failed") Here's a similar memory leak to the one fixed by the patch above. retire_mq_sysctls need to be called when init_mqueue_fs fails after setup_mq_sysctls. 2025-12-24 not yet calculated CVE-2022-50748 https://git.kernel.org/stable/c/a1f321051e0dcf2415fb94f81fdc5044cad4c1d6
https://git.kernel.org/stable/c/55b3709c6d68e32cd3fdd2a630b1f4c97d51b17c
https://git.kernel.org/stable/c/c579d60f0d0cd87552f64fdebe68b5d941d20309
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: acct: fix potential integer overflow in encode_comp_t() The integer overflow is descripted with following codes: > 317 static comp_t encode_comp_t(u64 value) > 318 { > 319 int exp, rnd; ...... > 341 exp <<= MANTSIZE; > 342 exp += value; > 343 return exp; > 344 } Currently comp_t is defined as type of '__u16', but the variable 'exp' is type of 'int', so overflow would happen when variable 'exp' in line 343 is greater than 65535. 2025-12-24 not yet calculated CVE-2022-50749 https://git.kernel.org/stable/c/e93f995a591c352d35d89c518c54f790e1537754
https://git.kernel.org/stable/c/cf60bbca1b83a7e0927e36dbf178328982927886
https://git.kernel.org/stable/c/1750a0983c455a9b3badd848471fc8d58cb61f67
https://git.kernel.org/stable/c/a815a3e019456c94b03bd183e7ac22fd29e9e6fd
https://git.kernel.org/stable/c/6edd0cdee5780fd5f43356b72b29a2a6d48ef6da
https://git.kernel.org/stable/c/ebe16676e1dcaa4556ec4d36ca40c82e99e88cfa
https://git.kernel.org/stable/c/2224897d8187dc22a83e05d9361efcccf67bcf12
https://git.kernel.org/stable/c/0aac6e60c464a5f942f995428e67f8ae1c422250
https://git.kernel.org/stable/c/c5f31c655bcc01b6da53b836ac951c1556245305
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/panel/panel-sitronix-st7701: Remove panel on DSI attach failure In case mipi_dsi_attach() fails, call drm_panel_remove() to avoid memory leak. 2025-12-24 not yet calculated CVE-2022-50750 https://git.kernel.org/stable/c/0b7c47b7f358f932159a9d5beec9616ef8a0c6b4
https://git.kernel.org/stable/c/576828e59a0e03bbc763872912b04f3e3a1b3311
https://git.kernel.org/stable/c/13fc167e1645c43c631d7752d98e377f0e4cbb15
https://git.kernel.org/stable/c/23fddf78eac8d79c56f93ab69b6c47a0816967c9
https://git.kernel.org/stable/c/465611e812587e72bf235034edce0e51be3d6809
https://git.kernel.org/stable/c/c62102165dd79284d42383d2f7ed17301bd8e629
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: configfs: fix possible memory leak in configfs_create_dir() kmemleak reported memory leaks in configfs_create_dir(): unreferenced object 0xffff888009f6af00 (size 192): comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s) backtrace: kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273) new_fragment (./include/linux/slab.h:600 fs/configfs/dir.c:163) configfs_register_subsystem (fs/configfs/dir.c:1857) basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic do_one_initcall (init/main.c:1296) do_init_module (kernel/module/main.c:2455) ... unreferenced object 0xffff888003ba7180 (size 96): comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s) backtrace: kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273) configfs_new_dirent (./include/linux/slab.h:723 fs/configfs/dir.c:194) configfs_make_dirent (fs/configfs/dir.c:248) configfs_create_dir (fs/configfs/dir.c:296) configfs_attach_group.isra.28 (fs/configfs/dir.c:816 fs/configfs/dir.c:852) configfs_register_subsystem (fs/configfs/dir.c:1881) basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic do_one_initcall (init/main.c:1296) do_init_module (kernel/module/main.c:2455) ... This is because the refcount is not correct in configfs_make_dirent(). For normal stage, the refcount is changing as: configfs_register_subsystem() configfs_create_dir() configfs_make_dirent() configfs_new_dirent() # set s_count = 1 dentry->d_fsdata = configfs_get(sd); # s_count = 2 ... configfs_unregister_subsystem() configfs_remove_dir() remove_dir() configfs_remove_dirent() # s_count = 1 dput() ... *dentry_unlink_inode()* configfs_d_iput() # s_count = 0, release However, if we failed in configfs_create(): configfs_register_subsystem() configfs_create_dir() configfs_make_dirent() # s_count = 2 ... configfs_create() # fail ->out_remove: configfs_remove_dirent(dentry) configfs_put(sd) # s_count = 1 return PTR_ERR(inode); There is no inode in the error path, so the configfs_d_iput() is lost and makes sd and fragment memory leaked. To fix this, when we failed in configfs_create(), manually call configfs_put(sd) to keep the refcount correct. 2025-12-24 not yet calculated CVE-2022-50751 https://git.kernel.org/stable/c/90c38f57a821499391526b15cc944c265bd24e48
https://git.kernel.org/stable/c/74ac7c9ee2d486c501e7864c903f5098fc477acd
https://git.kernel.org/stable/c/07f82dca112262b169bec0001378126439cab776
https://git.kernel.org/stable/c/8bc77754224a2c8581727ffe2e958119b4e27c8f
https://git.kernel.org/stable/c/c72eb6e6e49a71f7598740786568fafdd013a227
https://git.kernel.org/stable/c/c65234b283a65cfbfc94619655e820a5e55199eb
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: md/raid5: Remove unnecessary bio_put() in raid5_read_one_chunk() When running chunk-sized reads on disks with badblocks duplicate bio free/puts are observed: ============================================================================= BUG bio-200 (Not tainted): Object already free ----------------------------------------------------------------------------- Allocated in mempool_alloc_slab+0x17/0x20 age=3 cpu=2 pid=7504 __slab_alloc.constprop.0+0x5a/0xb0 kmem_cache_alloc+0x31e/0x330 mempool_alloc_slab+0x17/0x20 mempool_alloc+0x100/0x2b0 bio_alloc_bioset+0x181/0x460 do_mpage_readpage+0x776/0xd00 mpage_readahead+0x166/0x320 blkdev_readahead+0x15/0x20 read_pages+0x13f/0x5f0 page_cache_ra_unbounded+0x18d/0x220 force_page_cache_ra+0x181/0x1c0 page_cache_sync_ra+0x65/0xb0 filemap_get_pages+0x1df/0xaf0 filemap_read+0x1e1/0x700 blkdev_read_iter+0x1e5/0x330 vfs_read+0x42a/0x570 Freed in mempool_free_slab+0x17/0x20 age=3 cpu=2 pid=7504 kmem_cache_free+0x46d/0x490 mempool_free_slab+0x17/0x20 mempool_free+0x66/0x190 bio_free+0x78/0x90 bio_put+0x100/0x1a0 raid5_make_request+0x2259/0x2450 md_handle_request+0x402/0x600 md_submit_bio+0xd9/0x120 __submit_bio+0x11f/0x1b0 submit_bio_noacct_nocheck+0x204/0x480 submit_bio_noacct+0x32e/0xc70 submit_bio+0x98/0x1a0 mpage_readahead+0x250/0x320 blkdev_readahead+0x15/0x20 read_pages+0x13f/0x5f0 page_cache_ra_unbounded+0x18d/0x220 Slab 0xffffea000481b600 objects=21 used=0 fp=0xffff8881206d8940 flags=0x17ffffc0010201(locked|slab|head|node=0|zone=2|lastcpupid=0x1fffff) CPU: 0 PID: 34525 Comm: kworker/u24:2 Not tainted 6.0.0-rc2-localyes-265166-gf11c5343fa3f #143 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Workqueue: raid5wq raid5_do_work Call Trace: <TASK> dump_stack_lvl+0x5a/0x78 dump_stack+0x10/0x16 print_trailer+0x158/0x165 object_err+0x35/0x50 free_debug_processing.cold+0xb7/0xbe __slab_free+0x1ae/0x330 kmem_cache_free+0x46d/0x490 mempool_free_slab+0x17/0x20 mempool_free+0x66/0x190 bio_free+0x78/0x90 bio_put+0x100/0x1a0 mpage_end_io+0x36/0x150 bio_endio+0x2fd/0x360 md_end_io_acct+0x7e/0x90 bio_endio+0x2fd/0x360 handle_failed_stripe+0x960/0xb80 handle_stripe+0x1348/0x3760 handle_active_stripes.constprop.0+0x72a/0xaf0 raid5_do_work+0x177/0x330 process_one_work+0x616/0xb20 worker_thread+0x2bd/0x6f0 kthread+0x179/0x1b0 ret_from_fork+0x22/0x30 </TASK> The double free is caused by an unnecessary bio_put() in the if(is_badblock(...)) error path in raid5_read_one_chunk(). The error path was moved ahead of bio_alloc_clone() in c82aa1b76787c ("md/raid5: move checking badblock before clone bio in raid5_read_one_chunk"). The previous code checked and freed align_bio which required a bio_put. After the move that is no longer needed as raid_bio is returned to the control of the common io path which performs its own endio resulting in a double free on bad device blocks. 2025-12-24 not yet calculated CVE-2022-50752 https://git.kernel.org/stable/c/7a37c58ee72e1fadd22c4ee990cb74c2ca2280e7
https://git.kernel.org/stable/c/c0fd5d4d8fd7b1a50306d7a23c720cf808f41fdf
https://git.kernel.org/stable/c/21a9c7354aa59e97e26ece5f0a609c8bfa43020d
https://git.kernel.org/stable/c/c66a6f41e09ad386fd2cce22b9cded837bbbc704
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on summary info As Wenqing Liu reported in bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=216456 BUG: KASAN: use-after-free in recover_data+0x63ae/0x6ae0 [f2fs] Read of size 4 at addr ffff8881464dcd80 by task mount/1013 CPU: 3 PID: 1013 Comm: mount Tainted: G W 6.0.0-rc4 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 Call Trace: dump_stack_lvl+0x45/0x5e print_report.cold+0xf3/0x68d kasan_report+0xa8/0x130 recover_data+0x63ae/0x6ae0 [f2fs] f2fs_recover_fsync_data+0x120d/0x1fc0 [f2fs] f2fs_fill_super+0x4665/0x61e0 [f2fs] mount_bdev+0x2cf/0x3b0 legacy_get_tree+0xed/0x1d0 vfs_get_tree+0x81/0x2b0 path_mount+0x47e/0x19d0 do_mount+0xce/0xf0 __x64_sys_mount+0x12c/0x1a0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd The root cause is: in fuzzed image, SSA table is corrupted: ofs_in_node is larger than ADDRS_PER_PAGE(), result in out-of-range access on 4k-size page. - recover_data - do_recover_data - check_index_in_prev_nodes - f2fs_data_blkaddr This patch adds sanity check on summary info in recovery and GC flow in where the flows rely on them. After patch: [ 29.310883] F2FS-fs (loop0): Inconsistent ofs_in_node:65286 in summary, ino:0, nid:6, max:1018 2025-12-24 not yet calculated CVE-2022-50753 https://git.kernel.org/stable/c/c99860f9a75079f339ed7670425b1ac58f26e2ff
https://git.kernel.org/stable/c/4a8e8bf280703e04e0b9d91f101e1fdd9a5bd09e
https://git.kernel.org/stable/c/73687c53919f49dff3852155621dab7a35c52854
https://git.kernel.org/stable/c/e168f819bfa42459b14f479e55ebd550bcc78899
https://git.kernel.org/stable/c/0922ad64ccefa3e483e84355942b86e13c8fea68
https://git.kernel.org/stable/c/c6ad7fd16657ebd34a87a97d9588195aae87597d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: apparmor: fix a memleak in multi_transaction_new() In multi_transaction_new(), the variable t is not freed or passed out on the failure of copy_from_user(t->data, buf, size), which could lead to a memleak. Fix this bug by adding a put_multi_transaction(t) in the error path. 2025-12-24 not yet calculated CVE-2022-50754 https://git.kernel.org/stable/c/11d5fe7da67c3334cefc981297fd5defb78df15c
https://git.kernel.org/stable/c/95e6adc6a7a4761ddf69ad713e55a06a3206309d
https://git.kernel.org/stable/c/eb0f78e28cbc8f97439c0a4c80ee5160c1df5ce6
https://git.kernel.org/stable/c/935d86b29093e75b6c547d90b3979c2c2d23f1c4
https://git.kernel.org/stable/c/775a37ffa9f4681c4ad84c8634a7eec8af7098d4
https://git.kernel.org/stable/c/88989932c2269ea66074f52a6213598838f8b9e7
https://git.kernel.org/stable/c/3d27a436e294ac5d7a51bd5348ca63a42a468b35
https://git.kernel.org/stable/c/c73275cf6834787ca090317f1d20dbfa3b7f05aa
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: udf: Avoid double brelse() in udf_rename() syzbot reported a warning like below [1]: VFS: brelse: Trying to free free buffer WARNING: CPU: 2 PID: 7301 at fs/buffer.c:1145 __brelse+0x67/0xa0 ... Call Trace: <TASK> invalidate_bh_lru+0x99/0x150 smp_call_function_many_cond+0xe2a/0x10c0 ? generic_remap_file_range_prep+0x50/0x50 ? __brelse+0xa0/0xa0 ? __mutex_lock+0x21c/0x12d0 ? smp_call_on_cpu+0x250/0x250 ? rcu_read_lock_sched_held+0xb/0x60 ? lock_release+0x587/0x810 ? __brelse+0xa0/0xa0 ? generic_remap_file_range_prep+0x50/0x50 on_each_cpu_cond_mask+0x3c/0x80 blkdev_flush_mapping+0x13a/0x2f0 blkdev_put_whole+0xd3/0xf0 blkdev_put+0x222/0x760 deactivate_locked_super+0x96/0x160 deactivate_super+0xda/0x100 cleanup_mnt+0x222/0x3d0 task_work_run+0x149/0x240 ? task_work_cancel+0x30/0x30 do_exit+0xb29/0x2a40 ? reacquire_held_locks+0x4a0/0x4a0 ? do_raw_spin_lock+0x12a/0x2b0 ? mm_update_next_owner+0x7c0/0x7c0 ? rwlock_bug.part.0+0x90/0x90 ? zap_other_threads+0x234/0x2d0 do_group_exit+0xd0/0x2a0 __x64_sys_exit_group+0x3a/0x50 do_syscall_64+0x34/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd The cause of the issue is that brelse() is called on both ofibh.sbh and ofibh.ebh by udf_find_entry() when it returns NULL. However, brelse() is called by udf_rename(), too. So, b_count on buffer_head becomes unbalanced. This patch fixes the issue by not calling brelse() by udf_rename() when udf_find_entry() returns NULL. 2025-12-24 not yet calculated CVE-2022-50755 https://git.kernel.org/stable/c/78eba2778ae10fb2a9d450e14d26eb6f6bf1f906
https://git.kernel.org/stable/c/9d2cad69547abea961fa80426d600b861de1952b
https://git.kernel.org/stable/c/d6da7ec0f94f5208c848e0e94b70f54a0bd9c587
https://git.kernel.org/stable/c/156d440dea97deada629bb51cb17887abd862605
https://git.kernel.org/stable/c/40dba68d418237b1ae2beaa06d46a94dd946278e
https://git.kernel.org/stable/c/e7a6a53c871460727be09f4414ccb29fb8697526
https://git.kernel.org/stable/c/4fca09045509f5bde8fc28e68fbca38cb4bdcf2e
https://git.kernel.org/stable/c/090bf49833c51da297ec74f98ad2bf44daea9311
https://git.kernel.org/stable/c/c791730f2554a9ebb8f18df9368dc27d4ebc38c2
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: nvme-pci: fix mempool alloc size Convert the max size to bytes to match the units of the divisor that calculates the worst-case number of PRP entries. The result is used to determine how many PRP Lists are required. The code was previously rounding this to 1 list, but we can require 2 in the worst case. In that scenario, the driver would corrupt memory beyond the size provided by the mempool. While unlikely to occur (you'd need a 4MB in exactly 127 phys segments on a queue that doesn't support SGLs), this memory corruption has been observed by kfence. 2025-12-24 not yet calculated CVE-2022-50756 https://git.kernel.org/stable/c/dfb6d54893d544151e7f480bc44cfe7823f5ad23
https://git.kernel.org/stable/c/9141144b37f30e3e7fa024bcfa0a13011e546ba9
https://git.kernel.org/stable/c/e1777b4286e526c58b4ee699344b0ad85aaf83a0
https://git.kernel.org/stable/c/b1814724e0d7162bdf4799f2d565381bc2251c63
https://git.kernel.org/stable/c/c89a529e823d51dd23c7ec0c047c7a454a428541
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: camss: Clean up received buffers on failed start of streaming It is required to return the received buffers, if streaming can not be started. For instance media_pipeline_start() may fail with EPIPE, if a link validation between entities is not passed, and in such a case a user gets a kernel warning: WARNING: CPU: 1 PID: 520 at drivers/media/common/videobuf2/videobuf2-core.c:1592 vb2_start_streaming+0xec/0x160 <snip> Call trace: vb2_start_streaming+0xec/0x160 vb2_core_streamon+0x9c/0x1a0 vb2_ioctl_streamon+0x68/0xbc v4l_streamon+0x30/0x3c __video_do_ioctl+0x184/0x3e0 video_usercopy+0x37c/0x7b0 video_ioctl2+0x24/0x40 v4l2_ioctl+0x4c/0x70 The fix is to correct the error path in video_start_streaming() of camss. 2025-12-24 not yet calculated CVE-2022-50757 https://git.kernel.org/stable/c/75954cde8a5ca84003b24b6bf83197240935bd74
https://git.kernel.org/stable/c/04c734c716a97f1493b1edac41316aaed1d2a9d9
https://git.kernel.org/stable/c/fe443b3fe36cd23d4f5dc6d825d34322e7c89f0c
https://git.kernel.org/stable/c/3d5cab726e3b370fea1b6e67183f0e13c409ce5c
https://git.kernel.org/stable/c/d1c44928bb3ca0ec88e7ad5937a2a26a259aede6
https://git.kernel.org/stable/c/f05326a440dc31b91b688b2f3f15b7347894a50b
https://git.kernel.org/stable/c/24df4fa3e795fb4b15fd4d3c036596e0978d265a
https://git.kernel.org/stable/c/c8f3582345e6a69da65ab588f7c4c2d1685b0e80
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: staging: vt6655: fix potential memory leak In function device_init_td0_ring, memory is allocated for member td_info of priv->apTD0Rings[i], with i increasing from 0. In case of allocation failure, the memory is freed in reversed order, with i decreasing to 0. However, the case i=0 is left out and thus memory is leaked. Modify the memory freeing loop to include the case i=0. 2025-12-24 not yet calculated CVE-2022-50758 https://git.kernel.org/stable/c/e741e38aa98704fbb959650ecd270b71b2670680
https://git.kernel.org/stable/c/16a45e78a687eb6c69acc4e62b94b6508b0bfbda
https://git.kernel.org/stable/c/1b3cebeca99e8e0aa4fa57faac8dbf41e967317a
https://git.kernel.org/stable/c/ff8551d411f12b5abc5ca929ab87643afa8a9588
https://git.kernel.org/stable/c/fb5f569bcda8f87bd47d8030bfae343d757fa3ea
https://git.kernel.org/stable/c/cfdf139258614ef65b0f68b857ada5328fb7c0e5
https://git.kernel.org/stable/c/c8ff91535880d41b49699b3829fb6151942de29e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: i2c: ov5648: Free V4L2 fwnode data on unbind The V4L2 fwnode data structure doesn't get freed on unbind, which leads to a memleak. 2025-12-24 not yet calculated CVE-2022-50759 https://git.kernel.org/stable/c/4a34fd4d9b548789d4a2018940edbec86282ed3b
https://git.kernel.org/stable/c/3a54b72868930f07935accaf95ec4df639324940
https://git.kernel.org/stable/c/c95770e4fc172696dcb1450893cda7d6324d96fc
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios() As comment of pci_get_class() says, it returns a pci_device with its refcount increased and decreased the refcount for the input parameter @from if it is not NULL. If we break the loop in amdgpu_atrm_get_bios() with 'pdev' not NULL, we need to call pci_dev_put() to decrease the refcount. Add the missing pci_dev_put() to avoid refcount leak. 2025-12-24 not yet calculated CVE-2022-50760 https://git.kernel.org/stable/c/6611feef35c0c8c4d297b28a7fc6ab3a2c47eca7
https://git.kernel.org/stable/c/da7c78ea9e62bb65273d3ff19a3866ec205bfe18
https://git.kernel.org/stable/c/3360125d721c91d697c71201f18f042ff743e936
https://git.kernel.org/stable/c/981024abf5fe605c94d4f906f65d1b3408d628be
https://git.kernel.org/stable/c/7c1ddf7c664b5bc91f14b1bdeaa45520ef1760e4
https://git.kernel.org/stable/c/8f2d2badf8ca5e7e7c30d88840b695c8af7286f3
https://git.kernel.org/stable/c/9d4057d0452243917e12eb19f1599c96f2f05b14
https://git.kernel.org/stable/c/a8b54ad7106c0604c4adc4933138b3557739bce0
https://git.kernel.org/stable/c/ca54639c7752edf1304d92ff4d0c049d4efc9ba0
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: x86/xen: Fix memory leak in xen_init_lock_cpu() In xen_init_lock_cpu(), the @name has allocated new string by kasprintf(), if bind_ipi_to_irqhandler() fails, it should be freed, otherwise may lead to a memory leak issue, fix it. 2025-12-24 not yet calculated CVE-2022-50761 https://git.kernel.org/stable/c/9278bdbb566656b3704704f8dd6cbc24a6fcc569
https://git.kernel.org/stable/c/07764d00c869a3390bd4f80412cc8b0e669e6c58
https://git.kernel.org/stable/c/53ff99c76be611acea37d33133c9136969914865
https://git.kernel.org/stable/c/29198f667f4486f9e227e11faf1411fcf4c82a66
https://git.kernel.org/stable/c/70e7f308d7a8e915c7fbc0f1d959968eab8000cd
https://git.kernel.org/stable/c/70966d6b0f59f795b08a70adf5e4478348ecbfbb
https://git.kernel.org/stable/c/798fc3cf98ca07e448956f39295c5d686ab4b054
https://git.kernel.org/stable/c/b44457b83a034efef58ffa5f3131d4615f1a9837
https://git.kernel.org/stable/c/ca84ce153d887b1dc8b118029976cc9faf2a9b40
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Avoid UBSAN error on true_sectors_per_clst() syzbot reported UBSAN error as below: [ 76.901829][ T6677] ================================================================================ [ 76.903908][ T6677] UBSAN: shift-out-of-bounds in fs/ntfs3/super.c:675:13 [ 76.905363][ T6677] shift exponent -247 is negative This patch avoid this error. 2025-12-24 not yet calculated CVE-2022-50762 https://git.kernel.org/stable/c/4b51f27d4448c84957bce190292f75d4896d56b3
https://git.kernel.org/stable/c/8fe280ae85177c2323ae8c9849ff27a3a6b69506
https://git.kernel.org/stable/c/95afb464c86c6e9e95ea9e595282fa6f693072e8
https://git.kernel.org/stable/c/caad9dd8792a2622737b7273cb34835fd9536cd2
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: crypto: marvell/octeontx - prevent integer overflows The "code_length" value comes from the firmware file. If your firmware is untrusted realistically there is probably very little you can do to protect yourself. Still we try to limit the damage as much as possible. Also Smatch marks any data read from the filesystem as untrusted and prints warnings if it not capped correctly. The "code_length * 2" can overflow. The round_up(ucode_size, 16) + sizeof() expression can overflow too. Prevent these overflows. 2025-12-24 not yet calculated CVE-2022-50763 https://git.kernel.org/stable/c/7bfa7d67735381715c98091194e81e7685f9b7db
https://git.kernel.org/stable/c/12acfa1059ad69aa352ddb2bf23ba1b831aff15f
https://git.kernel.org/stable/c/8f5eee162e55175d9dac98b5e9b8da76449d2257
https://git.kernel.org/stable/c/e7ff7a46baafd38d7ed45604397e650d61f5db8d
https://git.kernel.org/stable/c/caca37cf6c749ff0303f68418cfe7b757a4e0697
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ipv6/sit: use DEV_STATS_INC() to avoid data-races syzbot/KCSAN reported that multiple cpus are updating dev->stats.tx_error concurrently. This is because sit tunnels are NETIF_F_LLTX, meaning their ndo_start_xmit() is not protected by a spinlock. While original KCSAN report was about tx path, rx path has the same issue. 2025-12-24 not yet calculated CVE-2022-50764 https://git.kernel.org/stable/c/222cc04356984f3f98acfa756a69d4bed7c501ac
https://git.kernel.org/stable/c/4eed93bb3e57b8cc78d17166a14e40a73276015a
https://git.kernel.org/stable/c/207501a986831174df09a36a8cb62a28f92f0dc8
https://git.kernel.org/stable/c/cb34b7cf17ecf33499c9298943f85af247abc1e9
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: RISC-V: kexec: Fix memory leak of elf header buffer This is reported by kmemleak detector: unreferenced object 0xff2000000403d000 (size 4096): comm "kexec", pid 146, jiffies 4294900633 (age 64.792s) hex dump (first 32 bytes): 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 .ELF............ 04 00 f3 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000566ca97c>] kmemleak_vmalloc+0x3c/0xbe [<00000000979283d8>] __vmalloc_node_range+0x3ac/0x560 [<00000000b4b3712a>] __vmalloc_node+0x56/0x62 [<00000000854f75e2>] vzalloc+0x2c/0x34 [<00000000e9a00db9>] crash_prepare_elf64_headers+0x80/0x30c [<0000000067e8bf48>] elf_kexec_load+0x3e8/0x4ec [<0000000036548e09>] kexec_image_load_default+0x40/0x4c [<0000000079fbe1b4>] sys_kexec_file_load+0x1c4/0x322 [<0000000040c62c03>] ret_from_syscall+0x0/0x2 In elf_kexec_load(), a buffer is allocated via vzalloc() to store elf headers. While it's not freed back to system when kdump kernel is reloaded or unloaded, or when image->elf_header is successfully set and then fails to load kdump kernel for some reason. Fix it by freeing the buffer in arch_kimage_file_post_load_cleanup(). 2025-12-24 not yet calculated CVE-2022-50765 https://git.kernel.org/stable/c/090bfcfc9f14d05154893c67eeaecc56e894fbae
https://git.kernel.org/stable/c/cdea2da6787583ecca43594132533a2ac8d7cd21
https://git.kernel.org/stable/c/cbc32023ddbdf4baa3d9dc513a2184a84080a5a2
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: set generation before calling btrfs_clean_tree_block in btrfs_init_new_buffer syzbot is reporting uninit-value in btrfs_clean_tree_block() [1], for commit bc877d285ca3dba2 ("btrfs: Deduplicate extent_buffer init code") missed that btrfs_set_header_generation() in btrfs_init_new_buffer() must not be moved to after clean_tree_block() because clean_tree_block() is calling btrfs_header_generation() since commit 55c69072d6bd5be1 ("Btrfs: Fix extent_buffer usage when nodesize != leafsize"). Since memzero_extent_buffer() will reset "struct btrfs_header" part, we can't move btrfs_set_header_generation() to before memzero_extent_buffer(). Just re-add btrfs_set_header_generation() before btrfs_clean_tree_block(). 2025-12-24 not yet calculated CVE-2022-50766 https://git.kernel.org/stable/c/0a408c6212c16b9a2a1141d3c531247582ef8101
https://git.kernel.org/stable/c/a687c2890fe4a2acaac6941fa4097a1264d8f3eb
https://git.kernel.org/stable/c/89bc41c92d10b905c60f6ec13c9ef664a3555c54
https://git.kernel.org/stable/c/cbddcc4fa3443fe8cfb2ff8e210deb1f6a0eea38
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fbdev: smscufx: Fix several use-after-free bugs Several types of UAFs can occur when physically removing a USB device. Adds ufx_ops_destroy() function to .fb_destroy of fb_ops, and in this function, there is kref_put() that finally calls ufx_free(). This fix prevents multiple UAFs. 2025-12-24 not yet calculated CVE-2022-50767 https://git.kernel.org/stable/c/6f2075ea883e5d7730d0c9ebb1bb8e7a1a7e953f
https://git.kernel.org/stable/c/3f40852d671072836fb7ae331a1f28a24223c4e8
https://git.kernel.org/stable/c/70faf9d9b6cc74418716bbf76fe75bd2da10ad4a
https://git.kernel.org/stable/c/5385af2f89bc352fb70753ab41b2bb036190141f
https://git.kernel.org/stable/c/d9ddfeb01fb95ffbbc7031d46a5ee2a5e45cbb86
https://git.kernel.org/stable/c/cc6a7249842fceda7574ceb63275a2d5e99d2862
https://git.kernel.org/stable/c/8d924b262f3178a9b17c17d4306a9f426c508bd9
https://git.kernel.org/stable/c/cc67482c9e5f2c80d62f623bcc347c29f9f648e1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: smartpqi: Correct device removal for multi-actuator devices Correct device count for multi-actuator drives which can cause kernel panics. 2025-12-24 not yet calculated CVE-2022-50768 https://git.kernel.org/stable/c/e8e9e0c28901d34beb193b5ece52eb7c656f4042
https://git.kernel.org/stable/c/d1c8b86b4ab7e8588a8cfadbdd6f20adbb15c938
https://git.kernel.org/stable/c/cc9befcbbb5ebce77726f938508700d913530035
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mmc: mxcmmc: fix return value check of mmc_add_host() mmc_add_host() may return error, if we ignore its return value, the memory that allocated in mmc_alloc_host() will be leaked and it will lead a kernel crash because of deleting not added device in the remove path. So fix this by checking the return value and goto error path which will call mmc_free_host(). 2025-12-24 not yet calculated CVE-2022-50769 https://git.kernel.org/stable/c/5f35c038c9f4d258b3cf77885a2730f1417d63e7
https://git.kernel.org/stable/c/1cf0c1e58738b97e2de207846105b6a5d46622ee
https://git.kernel.org/stable/c/b8bdb3fd13d5cd1e86d22fd3f803a742fd88af89
https://git.kernel.org/stable/c/32eb502c972dfc34413c9147418b3d94d870c2b8
https://git.kernel.org/stable/c/3904eb97bb78fdca3e16d30a38ce5697b9686110
https://git.kernel.org/stable/c/2d496050ded83b13b16f05e1fc0329b0210d2493
https://git.kernel.org/stable/c/d37474ab9a79149075f0823315c6d45dd983a78c
https://git.kernel.org/stable/c/d2ead18bc7cc166220cab5a744a05c5b69431a12
https://git.kernel.org/stable/c/cde600af7b413c9fe03e85c58c4279df90e91d13
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix memory leak in ocfs2_mount_volume() There is a memory leak reported by kmemleak: unreferenced object 0xffff88810cc65e60 (size 32): comm "mount.ocfs2", pid 23753, jiffies 4302528942 (age 34735.105s) hex dump (first 32 bytes): 10 00 00 00 00 00 00 00 00 01 01 01 01 01 01 01 ................ 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff8170f73d>] __kmalloc+0x4d/0x150 [<ffffffffa0ac3f51>] ocfs2_compute_replay_slots+0x121/0x330 [ocfs2] [<ffffffffa0b65165>] ocfs2_check_volume+0x485/0x900 [ocfs2] [<ffffffffa0b68129>] ocfs2_mount_volume.isra.0+0x1e9/0x650 [ocfs2] [<ffffffffa0b7160b>] ocfs2_fill_super+0xe0b/0x1740 [ocfs2] [<ffffffff818e1fe2>] mount_bdev+0x312/0x400 [<ffffffff819a086d>] legacy_get_tree+0xed/0x1d0 [<ffffffff818de82d>] vfs_get_tree+0x7d/0x230 [<ffffffff81957f92>] path_mount+0xd62/0x1760 [<ffffffff81958a5a>] do_mount+0xca/0xe0 [<ffffffff81958d3c>] __x64_sys_mount+0x12c/0x1a0 [<ffffffff82f26f15>] do_syscall_64+0x35/0x80 [<ffffffff8300006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 This call stack is related to two problems. Firstly, the ocfs2 super uses "replay_map" to trace online/offline slots, in order to recover offline slots during recovery and mount. But when ocfs2_truncate_log_init() returns an error in ocfs2_mount_volume(), the memory of "replay_map" will not be freed in error handling path. Secondly, the memory of "replay_map" will not be freed if d_make_root() returns an error in ocfs2_fill_super(). But the memory of "replay_map" will be freed normally when completing recovery and mount in ocfs2_complete_mount_recovery(). Fix the first problem by adding error handling path to free "replay_map" when ocfs2_truncate_log_init() fails. And fix the second problem by calling ocfs2_free_replay_slots(osb) in the error handling path "out_dismount". In addition, since ocfs2_free_replay_slots() is static, it is necessary to remove its static attribute and declare it in header file. 2025-12-24 not yet calculated CVE-2022-50770 https://git.kernel.org/stable/c/7ef516888c4d30ae41bfcd79e7077d86d92794c5
https://git.kernel.org/stable/c/2b7e59ed2e77136e9360274f8f0fc208a003e95c
https://git.kernel.org/stable/c/8059e200259e9c483d715fc2df6340c227c3e196
https://git.kernel.org/stable/c/4efe1d2db731bad19891e2fb9b338724b1f598cc
https://git.kernel.org/stable/c/50ab0ca3aff4da26037113d69f5a756d8c1a92cd
https://git.kernel.org/stable/c/ce2fcf1516d674a174d9b34d1e1024d64de9fba3
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: rcu: Fix __this_cpu_read() lockdep warning in rcu_force_quiescent_state() Running rcutorture with non-zero fqs_duration module parameter in a kernel built with CONFIG_PREEMPTION=y results in the following splat: BUG: using __this_cpu_read() in preemptible [00000000] code: rcu_torture_fqs/398 caller is __this_cpu_preempt_check+0x13/0x20 CPU: 3 PID: 398 Comm: rcu_torture_fqs Not tainted 6.0.0-rc1-yoctodev-standard+ Call Trace: <TASK> dump_stack_lvl+0x5b/0x86 dump_stack+0x10/0x16 check_preemption_disabled+0xe5/0xf0 __this_cpu_preempt_check+0x13/0x20 rcu_force_quiescent_state.part.0+0x1c/0x170 rcu_force_quiescent_state+0x1e/0x30 rcu_torture_fqs+0xca/0x160 ? rcu_torture_boost+0x430/0x430 kthread+0x192/0x1d0 ? kthread_complete_and_exit+0x30/0x30 ret_from_fork+0x22/0x30 </TASK> The problem is that rcu_force_quiescent_state() uses __this_cpu_read() in preemptible code instead of the proper raw_cpu_read(). This commit therefore changes __this_cpu_read() to raw_cpu_read(). 2025-12-24 not yet calculated CVE-2022-50771 https://git.kernel.org/stable/c/3d92527a919edd1aa381bdd6c299dd75a8167396
https://git.kernel.org/stable/c/5a52380b8193cf8be6c4a6b94b86ef64ed80c0dc
https://git.kernel.org/stable/c/98a5b1265a36e9d843a51ddd6c9fa02da50d2c57
https://git.kernel.org/stable/c/a74af9b937707b42c3fd041aae1ed4ce2f337307
https://git.kernel.org/stable/c/80a3e7ab477b3655615fc1627c88c248d4ad28d9
https://git.kernel.org/stable/c/ceb1c8c9b8aa9199da46a0f29d2d5f08d9b44c15
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: netdevsim: fix memory leak in nsim_bus_dev_new() If device_register() failed in nsim_bus_dev_new(), the value of reference in nsim_bus_dev->dev is 1. obj->name in nsim_bus_dev->dev will not be released. unreferenced object 0xffff88810352c480 (size 16): comm "echo", pid 5691, jiffies 4294945921 (age 133.270s) hex dump (first 16 bytes): 6e 65 74 64 65 76 73 69 6d 31 00 00 00 00 00 00 netdevsim1...... backtrace: [<000000005e2e5e26>] __kmalloc_node_track_caller+0x3a/0xb0 [<0000000094ca4fc8>] kvasprintf+0xc3/0x160 [<00000000aad09bcc>] kvasprintf_const+0x55/0x180 [<000000009bac868d>] kobject_set_name_vargs+0x56/0x150 [<000000007c1a5d70>] dev_set_name+0xbb/0xf0 [<00000000ad0d126b>] device_add+0x1f8/0x1cb0 [<00000000c222ae24>] new_device_store+0x3b6/0x5e0 [<0000000043593421>] bus_attr_store+0x72/0xa0 [<00000000cbb1833a>] sysfs_kf_write+0x106/0x160 [<00000000d0dedb8a>] kernfs_fop_write_iter+0x3a8/0x5a0 [<00000000770b66e2>] vfs_write+0x8f0/0xc80 [<0000000078bb39be>] ksys_write+0x106/0x210 [<00000000005e55a4>] do_syscall_64+0x35/0x80 [<00000000eaa40bbc>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 2025-12-24 not yet calculated CVE-2022-50772 https://git.kernel.org/stable/c/77579e4065295071fbd9662f03430dca5b50b086
https://git.kernel.org/stable/c/cf2010aa1c739bab067cbc90b690d28eaa0b47da
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt I got a null-ptr-defer error report when I do the following tests on the qemu platform: make defconfig and CONFIG_PARPORT=m, CONFIG_PARPORT_PC=m, CONFIG_SND_MTS64=m Then making test scripts: cat>test_mod1.sh<<EOF modprobe snd-mts64 modprobe snd-mts64 EOF Executing the script, perhaps several times, we will get a null-ptr-defer report, as follow: syzkaller:~# ./test_mod.sh snd_mts64: probe of snd_mts64.0 failed with error -5 modprobe: ERROR: could not insert 'snd_mts64': No such device BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] PREEMPT SMP PTI CPU: 0 PID: 205 Comm: modprobe Not tainted 6.1.0-rc8-00588-g76dcd734eca2 #6 Call Trace: <IRQ> snd_mts64_interrupt+0x24/0xa0 [snd_mts64] parport_irq_handler+0x37/0x50 [parport] __handle_irq_event_percpu+0x39/0x190 handle_irq_event_percpu+0xa/0x30 handle_irq_event+0x2f/0x50 handle_edge_irq+0x99/0x1b0 __common_interrupt+0x5d/0x100 common_interrupt+0xa0/0xc0 </IRQ> <TASK> asm_common_interrupt+0x22/0x40 RIP: 0010:_raw_write_unlock_irqrestore+0x11/0x30 parport_claim+0xbd/0x230 [parport] snd_mts64_probe+0x14a/0x465 [snd_mts64] platform_probe+0x3f/0xa0 really_probe+0x129/0x2c0 __driver_probe_device+0x6d/0xc0 driver_probe_device+0x1a/0xa0 __device_attach_driver+0x7a/0xb0 bus_for_each_drv+0x62/0xb0 __device_attach+0xe4/0x180 bus_probe_device+0x82/0xa0 device_add+0x550/0x920 platform_device_add+0x106/0x220 snd_mts64_attach+0x2e/0x80 [snd_mts64] port_check+0x14/0x20 [parport] bus_for_each_dev+0x6e/0xc0 __parport_register_driver+0x7c/0xb0 [parport] snd_mts64_module_init+0x31/0x1000 [snd_mts64] do_one_initcall+0x3c/0x1f0 do_init_module+0x46/0x1c6 load_module+0x1d8d/0x1e10 __do_sys_finit_module+0xa2/0xf0 do_syscall_64+0x37/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd </TASK> Kernel panic - not syncing: Fatal exception in interrupt Rebooting in 1 seconds.. The mts wa not initialized during interrupt, we add check for mts to fix this bug. 2025-12-24 not yet calculated CVE-2022-50773 https://git.kernel.org/stable/c/06ec592389f2be3199779ab823c4323dcfd2121f
https://git.kernel.org/stable/c/b471fe61da523a15e4cb60fa81f5a2377e4bad98
https://git.kernel.org/stable/c/7e91667db38abb056da5a496d40fbd044c66bed2
https://git.kernel.org/stable/c/c7e9624d90bf20f1eed6b228949396d614b94020
https://git.kernel.org/stable/c/0649129359219ce6ff380ec401f87308485c6ae3
https://git.kernel.org/stable/c/cba633b24a98d957e8190ef8bc4d4cdb4f6e9313
https://git.kernel.org/stable/c/1a763c748acd5540ccc43306c57c9c6c5fb60884
https://git.kernel.org/stable/c/250eed7b9994d79f9c409f954dbd08e88f5afd83
https://git.kernel.org/stable/c/cf2ea3c86ad90d63d1c572b43e1ca9276b0357ad
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: crypto: qat - fix DMA transfer direction When CONFIG_DMA_API_DEBUG is selected, while running the crypto self test on the QAT crypto algorithms, the function add_dma_entry() reports a warning similar to the one below, saying that overlapping mappings are not supported. This occurs in tests where the input and the output scatter list point to the same buffers (i.e. two different scatter lists which point to the same chunks of memory). The logic that implements the mapping uses the flag DMA_BIDIRECTIONAL for both the input and the output scatter lists which leads to overlapped write mappings. These are not supported by the DMA layer. Fix by specifying the correct DMA transfer directions when mapping buffers. For in-place operations where the input scatter list matches the output scatter list, buffers are mapped once with DMA_BIDIRECTIONAL, otherwise input buffers are mapped using the flag DMA_TO_DEVICE and output buffers are mapped with DMA_FROM_DEVICE. Overlapping a read mapping with a write mapping is a valid case in dma-coherent devices like QAT. The function that frees and unmaps the buffers, qat_alg_free_bufl() has been changed accordingly to the changes to the mapping function. DMA-API: 4xxx 0000:06:00.0: cacheline tracking EEXIST, overlapping mappings aren't supported WARNING: CPU: 53 PID: 4362 at kernel/dma/debug.c:570 add_dma_entry+0x1e9/0x270 ... Call Trace: dma_map_page_attrs+0x82/0x2d0 ? preempt_count_add+0x6a/0xa0 qat_alg_sgl_to_bufl+0x45b/0x990 [intel_qat] qat_alg_aead_dec+0x71/0x250 [intel_qat] crypto_aead_decrypt+0x3d/0x70 test_aead_vec_cfg+0x649/0x810 ? number+0x310/0x3a0 ? vsnprintf+0x2a3/0x550 ? scnprintf+0x42/0x70 ? valid_sg_divisions.constprop.0+0x86/0xa0 ? test_aead_vec+0xdf/0x120 test_aead_vec+0xdf/0x120 alg_test_aead+0x185/0x400 alg_test+0x3d8/0x500 ? crypto_acomp_scomp_free_ctx+0x30/0x30 ? __schedule+0x32a/0x12a0 ? ttwu_queue_wakelist+0xbf/0x110 ? _raw_spin_unlock_irqrestore+0x23/0x40 ? try_to_wake_up+0x83/0x570 ? _raw_spin_unlock_irqrestore+0x23/0x40 ? __set_cpus_allowed_ptr_locked+0xea/0x1b0 ? crypto_acomp_scomp_free_ctx+0x30/0x30 cryptomgr_test+0x27/0x50 kthread+0xe6/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 2025-12-24 not yet calculated CVE-2022-50774 https://git.kernel.org/stable/c/426d5bc089e7731e36b514d1beca19e777a2d653
https://git.kernel.org/stable/c/1f1ab76e251521bd2fa5244473efcf663792745d
https://git.kernel.org/stable/c/429348d4f675e9eb418d0829064c4d7d06bd66a3
https://git.kernel.org/stable/c/c4c9d9edf4848aed89516b23b88950b194beff6a
https://git.kernel.org/stable/c/cf5bb835b7c8a5fee7f26455099cca7feb57f5e9
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix refcount leak in hns_roce_mmap rdma_user_mmap_entry_get_pgoff() takes the reference. Add missing rdma_user_mmap_entry_put() to release the reference. Acked-by Haoyue Xu <xuhaoyue1@hisilicon.com> 2025-12-24 not yet calculated CVE-2022-50775 https://git.kernel.org/stable/c/fa87cf2e756efe809ee8683d4f282f4de962dab6
https://git.kernel.org/stable/c/8abd2ff2256a2a99c11c7ecdcb5512429933620f
https://git.kernel.org/stable/c/cf6a05c8494a8ae7fec8e5f1229b45ca5b4bcd30
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: clk: st: Fix memory leak in st_of_quadfs_setup() If st_clk_register_quadfs_pll() fails, @lock should be freed before goto @err_exit, otherwise will cause meory leak issue, fix it. 2025-12-24 not yet calculated CVE-2022-50776 https://git.kernel.org/stable/c/081538ae5817631a2b99e8e75cce981060aab29f
https://git.kernel.org/stable/c/f0295209de457049a4a5f3e3985528391bd1ab34
https://git.kernel.org/stable/c/be03875007621fcee96e6f9fd7b9e59c8dfcf6fa
https://git.kernel.org/stable/c/713ad301c2d49e88fe586b57ebac8f220a98e162
https://git.kernel.org/stable/c/efd025f32fce27a8ada9bcb4731e8a84476e5b3d
https://git.kernel.org/stable/c/adf6a00859d014cecf046dc91f75c0e65a544360
https://git.kernel.org/stable/c/335ef7546c77e63154d6ea4d603b11274a85900e
https://git.kernel.org/stable/c/f4731395d6db850127634197863aede188d8e9de
https://git.kernel.org/stable/c/cfd3ffb36f0d566846163118651d868e607300ba
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: phy: xgmiitorgmii: Fix refcount leak in xgmiitorgmii_probe of_phy_find_device() return device node with refcount incremented. Call put_device() to relese it when not needed anymore. 2025-12-24 not yet calculated CVE-2022-50777 https://git.kernel.org/stable/c/53526dbc8aa6b95e9fc2ab1e29b1a9145721da24
https://git.kernel.org/stable/c/78b0b1ff525d9be4babf5a148a4de0d50042d95d
https://git.kernel.org/stable/c/00616bd1913a4f879679e02dc08c2f501ca2bd4c
https://git.kernel.org/stable/c/106d0d33c9d1ec4ddeeffc1fdc717ff09953d4ed
https://git.kernel.org/stable/c/4d112f001612c79927c1ecf29522b34c4fa292e0
https://git.kernel.org/stable/c/52841e71253e6ace72751c72560950474a57d04c
https://git.kernel.org/stable/c/ee84d37a5f08ed1121cdd16f8f3ed87552087a21
https://git.kernel.org/stable/c/d039535850ee47079d59527e96be18d8e0daa84b
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL With CONFIG_FORTIFY=y and CONFIG_UBSAN_LOCAL_BOUNDS=y enabled, we observe a runtime panic while running Android's Compatibility Test Suite's (CTS) android.hardware.input.cts.tests. This is stemming from a strlen() call in hidinput_allocate(). __compiletime_strlen() is implemented in terms of __builtin_object_size(), then does an array access to check for NUL-termination. A quirk of __builtin_object_size() is that for strings whose values are runtime dependent, __builtin_object_size(str, 1 or 0) returns the maximum size of possible values when those sizes are determinable at compile time. Example: static const char *v = "FOO BAR"; static const char *y = "FOO BA"; unsigned long x (int z) { // Returns 8, which is: // max(__builtin_object_size(v, 1), __builtin_object_size(y, 1)) return __builtin_object_size(z ? v : y, 1); } So when FORTIFY_SOURCE is enabled, the current implementation of __compiletime_strlen() will try to access beyond the end of y at runtime using the size of v. Mixed with UBSAN_LOCAL_BOUNDS we get a fault. hidinput_allocate() has a local C string whose value is control flow dependent on a switch statement, so __builtin_object_size(str, 1) evaluates to the maximum string length, making all other cases fault on the last character check. hidinput_allocate() could be cleaned up to avoid runtime calls to strlen() since the local variable can only have literal values, so there's no benefit to trying to fortify the strlen call site there. Perform a __builtin_constant_p() check against index 0 earlier in the macro to filter out the control-flow-dependant case. Add a KUnit test for checking the expected behavioral characteristics of FORTIFY_SOURCE internals. 2025-12-24 not yet calculated CVE-2022-50778 https://git.kernel.org/stable/c/ed42391164e6839a48aaf4c53eefda516835e799
https://git.kernel.org/stable/c/5d59ad2bfb35fccfe2ad5e8bb8801f6224d3f7d4
https://git.kernel.org/stable/c/d07c0acb4f41cc42a0d97530946965b3e4fa68c1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string() When insert and remove the orangefs module, then debug_help_string will be leaked: unreferenced object 0xffff8881652ba000 (size 4096): comm "insmod", pid 1701, jiffies 4294893639 (age 13218.530s) hex dump (first 32 bytes): 43 6c 69 65 6e 74 20 44 65 62 75 67 20 4b 65 79 Client Debug Key 77 6f 72 64 73 20 61 72 65 20 75 6e 6b 6e 6f 77 words are unknow backtrace: [<0000000004e6f8e3>] kmalloc_trace+0x27/0xa0 [<0000000006f75d85>] orangefs_prepare_debugfs_help_string+0x5e/0x480 [orangefs] [<0000000091270a2a>] _sub_I_65535_1+0x57/0xf70 [crc_itu_t] [<000000004b1ee1a3>] do_one_initcall+0x87/0x2a0 [<000000001d0614ae>] do_init_module+0xdf/0x320 [<00000000efef068c>] load_module+0x2f98/0x3330 [<000000006533b44d>] __do_sys_finit_module+0x113/0x1b0 [<00000000a0da6f99>] do_syscall_64+0x35/0x80 [<000000007790b19b>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 When remove the module, should always free debug_help_string. Should always free the allocated buffer when change the free_debug_help_string. 2025-12-24 not yet calculated CVE-2022-50779 https://git.kernel.org/stable/c/44d3eac26a5e5268d11cc342dc202b0d31505c0a
https://git.kernel.org/stable/c/f2b8a6aac561a49fe02c99683c40a8b87a9f68fc
https://git.kernel.org/stable/c/ba9d3b9cec20957fd86bb1bf525b4ea8b64b2dea
https://git.kernel.org/stable/c/2e7c09121064df93c58bbc49d3d0f608d3f584bd
https://git.kernel.org/stable/c/b8affa0c6405ee968dcb6030bee2cf719a464752
https://git.kernel.org/stable/c/39529b79b023713d4f2d3479dc0ca43ba99df726
https://git.kernel.org/stable/c/3fc221d9a16339a913a0341d3efc7fef339073e1
https://git.kernel.org/stable/c/19be31668552a198e887762e25bdcc560800ecb4
https://git.kernel.org/stable/c/d23417a5bf3a3afc55de5442eb46e1e60458b0a1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed When the ops_init() interface is invoked to initialize the net, but ops->init() fails, data is released. However, the ptr pointer in net->gen is invalid. In this case, when nfqnl_nf_hook_drop() is invoked to release the net, invalid address access occurs. The process is as follows: setup_net() ops_init() data = kzalloc(...) ---> alloc "data" net_assign_generic() ---> assign "date" to ptr in net->gen ... ops->init() ---> failed ... kfree(data); ---> ptr in net->gen is invalid ... ops_exit_list() ... nfqnl_nf_hook_drop() *q = nfnl_queue_pernet(net) ---> q is invalid The following is the Call Trace information: BUG: KASAN: use-after-free in nfqnl_nf_hook_drop+0x264/0x280 Read of size 8 at addr ffff88810396b240 by task ip/15855 Call Trace: <TASK> dump_stack_lvl+0x8e/0xd1 print_report+0x155/0x454 kasan_report+0xba/0x1f0 nfqnl_nf_hook_drop+0x264/0x280 nf_queue_nf_hook_drop+0x8b/0x1b0 __nf_unregister_net_hook+0x1ae/0x5a0 nf_unregister_net_hooks+0xde/0x130 ops_exit_list+0xb0/0x170 setup_net+0x7ac/0xbd0 copy_net_ns+0x2e6/0x6b0 create_new_namespaces+0x382/0xa50 unshare_nsproxy_namespaces+0xa6/0x1c0 ksys_unshare+0x3a4/0x7e0 __x64_sys_unshare+0x2d/0x40 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 </TASK> Allocated by task 15855: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0xa1/0xb0 __kmalloc+0x49/0xb0 ops_init+0xe7/0x410 setup_net+0x5aa/0xbd0 copy_net_ns+0x2e6/0x6b0 create_new_namespaces+0x382/0xa50 unshare_nsproxy_namespaces+0xa6/0x1c0 ksys_unshare+0x3a4/0x7e0 __x64_sys_unshare+0x2d/0x40 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Freed by task 15855: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x40 ____kasan_slab_free+0x155/0x1b0 slab_free_freelist_hook+0x11b/0x220 __kmem_cache_free+0xa4/0x360 ops_init+0xb9/0x410 setup_net+0x5aa/0xbd0 copy_net_ns+0x2e6/0x6b0 create_new_namespaces+0x382/0xa50 unshare_nsproxy_namespaces+0xa6/0x1c0 ksys_unshare+0x3a4/0x7e0 __x64_sys_unshare+0x2d/0x40 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 2025-12-24 not yet calculated CVE-2022-50780 https://git.kernel.org/stable/c/5a2ea549be94924364f6911227d99be86e8cf34a
https://git.kernel.org/stable/c/97ad240fd9aa9214497d14af2b91608e20856cac
https://git.kernel.org/stable/c/c3edc6e808209aa705185f732e682a370981ced1
https://git.kernel.org/stable/c/a1e18acb0246bfb001b08b8b1b830b5ec92a0f13
https://git.kernel.org/stable/c/4a4df5e78712de39d6f90d6a64b5eb48dca03bd5
https://git.kernel.org/stable/c/d266935ac43d57586e311a087510fe6a084af742
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: amdgpu/pm: prevent array underflow in vega20_odn_edit_dpm_table() In the PP_OD_EDIT_VDDC_CURVE case the "input_index" variable is capped at 2 but not checked for negative values so it results in an out of bounds read. This value comes from the user via sysfs. 2025-12-24 not yet calculated CVE-2022-50781 https://git.kernel.org/stable/c/4d3dc0de9c46d9f73be6bac026e40b893e37ea21
https://git.kernel.org/stable/c/85273b4a7076ed5328c8ace02234e4e7e10972d5
https://git.kernel.org/stable/c/f289a38df0da4cfe4b50d04b1b9c3bc646fecd57
https://git.kernel.org/stable/c/a03625ad11b50429930f4c491d6c97e70f2ba89a
https://git.kernel.org/stable/c/8084bd0a64e278314b733993f388d83a86aa1183
https://git.kernel.org/stable/c/d27252b5706e51188aed7647126e44dcf9e940c1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ext4: fix bug_on in __es_tree_search caused by bad quota inode We got a issue as fllows: ================================================================== kernel BUG at fs/ext4/extents_status.c:202! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 1 PID: 810 Comm: mount Not tainted 6.1.0-rc1-next-g9631525255e3 #352 RIP: 0010:__es_tree_search.isra.0+0xb8/0xe0 RSP: 0018:ffffc90001227900 EFLAGS: 00010202 RAX: 0000000000000000 RBX: 0000000077512a0f RCX: 0000000000000000 RDX: 0000000000000002 RSI: 0000000000002a10 RDI: ffff8881004cd0c8 RBP: ffff888177512ac8 R08: 47ffffffffffffff R09: 0000000000000001 R10: 0000000000000001 R11: 00000000000679af R12: 0000000000002a10 R13: ffff888177512d88 R14: 0000000077512a10 R15: 0000000000000000 FS: 00007f4bd76dbc40(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005653bf993cf8 CR3: 000000017bfdf000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ext4_es_cache_extent+0xe2/0x210 ext4_cache_extents+0xd2/0x110 ext4_find_extent+0x5d5/0x8c0 ext4_ext_map_blocks+0x9c/0x1d30 ext4_map_blocks+0x431/0xa50 ext4_getblk+0x82/0x340 ext4_bread+0x14/0x110 ext4_quota_read+0xf0/0x180 v2_read_header+0x24/0x90 v2_check_quota_file+0x2f/0xa0 dquot_load_quota_sb+0x26c/0x760 dquot_load_quota_inode+0xa5/0x190 ext4_enable_quotas+0x14c/0x300 __ext4_fill_super+0x31cc/0x32c0 ext4_fill_super+0x115/0x2d0 get_tree_bdev+0x1d2/0x360 ext4_get_tree+0x19/0x30 vfs_get_tree+0x26/0xe0 path_mount+0x81d/0xfc0 do_mount+0x8d/0xc0 __x64_sys_mount+0xc0/0x160 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd </TASK> ================================================================== Above issue may happen as follows: ------------------------------------- ext4_fill_super ext4_orphan_cleanup ext4_enable_quotas ext4_quota_enable ext4_iget --> get error inode <5> ext4_ext_check_inode --> Wrong imode makes it escape inspection make_bad_inode(inode) --> EXT4_BOOT_LOADER_INO set imode dquot_load_quota_inode vfs_setup_quota_inode --> check pass dquot_load_quota_sb v2_check_quota_file v2_read_header ext4_quota_read ext4_bread ext4_getblk ext4_map_blocks ext4_ext_map_blocks ext4_find_extent ext4_cache_extents ext4_es_cache_extent __es_tree_search.isra.0 ext4_es_end --> Wrong extents trigger BUG_ON In the above issue, s_usr_quota_inum is set to 5, but inode<5> contains incorrect imode and disordered extents. Because 5 is EXT4_BOOT_LOADER_INO, the ext4_ext_check_inode check in the ext4_iget function can be bypassed, finally, the extents that are not checked trigger the BUG_ON in the __es_tree_search function. To solve this issue, check whether the inode is bad_inode in vfs_setup_quota_inode(). 2025-12-24 not yet calculated CVE-2022-50782 https://git.kernel.org/stable/c/fb1d3b4107b4837b4a0dbbf01954269bd6acfdc3
https://git.kernel.org/stable/c/1d5524832ff204b8a8cd54ae1628b2122f6e9a8d
https://git.kernel.org/stable/c/98004f926d27eaccdd2d336b7916a42e07392da1
https://git.kernel.org/stable/c/0dcbf4dc3d54aab5990952cfd832042fb300dbe3
https://git.kernel.org/stable/c/794c9175db1f2e5d2a28c326f10bd024dbd944f8
https://git.kernel.org/stable/c/1daff79463d7d76096c84c57cddc30c5d4be2226
https://git.kernel.org/stable/c/d323877484765aaacbb2769b06e355c2041ed115
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mptcp: use proper req destructor for IPv6 Before, only the destructor from TCP request sock in IPv4 was called even if the subflow was IPv6. It is important to use the right destructor to avoid memory leaks with some advanced IPv6 features, e.g. when the request socks contain specific IPv6 options. 2025-12-24 not yet calculated CVE-2022-50783 https://git.kernel.org/stable/c/6eb02c596ec02e5897ae377e065cb7df55337a96
https://git.kernel.org/stable/c/bd5dc96fea4edd16d2e22f41b4dd50a4cfbeb919
https://git.kernel.org/stable/c/092953f3c4cd65f88b27b87a922f6c725f34ee04
https://git.kernel.org/stable/c/1922ea6b0ae2ea0c9a09be0eafafe1cd1069d259
https://git.kernel.org/stable/c/d3295fee3c756ece33ac0d935e172e68c0a4161b
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ceph: fix potential use-after-free bug when trimming caps When trimming the caps and just after the 'session->s_cap_lock' is released in ceph_iterate_session_caps() the cap maybe removed by another thread, and when using the stale cap memory in the callbacks it will trigger use-after-free crash. We need to check the existence of the cap just after the 'ci->i_ceph_lock' being acquired. And do nothing if it's already removed. 2025-12-24 not yet calculated CVE-2023-53867 https://git.kernel.org/stable/c/2b2515b8095cf2149bef44383a99d5b5677f1831
https://git.kernel.org/stable/c/448875a73e16ba7d81dec9274ce9d33a12d092fb
https://git.kernel.org/stable/c/ae6e935618d99cdba11eab4714092e7e5f13cf7e
https://git.kernel.org/stable/c/aaf67de78807c59c35bafb5003d4fb457c764800
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mips: bmips: BCM6358: disable RAC flush for TP1 RAC flush causes kernel panics on BCM6358 with EHCI/OHCI when booting from TP1: [ 3.881739] usb 1-1: new high-speed USB device number 2 using ehci-platform [ 3.895011] Reserved instruction in kernel code[#1]: [ 3.900113] CPU: 0 PID: 1 Comm: init Not tainted 5.10.16 #0 [ 3.905829] $ 0 : 00000000 10008700 00000000 77d94060 [ 3.911238] $ 4 : 7fd1f088 00000000 81431cac 81431ca0 [ 3.916641] $ 8 : 00000000 ffffefff 8075cd34 00000000 [ 3.922043] $12 : 806f8d40 f3e812b7 00000000 000d9aaa [ 3.927446] $16 : 7fd1f068 7fd1f080 7ff559b8 81428470 [ 3.932848] $20 : 00000000 00000000 55590000 77d70000 [ 3.938251] $24 : 00000018 00000010 [ 3.943655] $28 : 81430000 81431e60 81431f28 800157fc [ 3.949058] Hi : 00000000 [ 3.952013] Lo : 00000000 [ 3.955019] epc : 80015808 setup_sigcontext+0x54/0x24c [ 3.960464] ra : 800157fc setup_sigcontext+0x48/0x24c [ 3.965913] Status: 10008703 KERNEL EXL IE [ 3.970216] Cause : 00800028 (ExcCode 0a) [ 3.974340] PrId : 0002a010 (Broadcom BMIPS4350) [ 3.979170] Modules linked in: ohci_platform ohci_hcd fsl_mph_dr_of ehci_platform ehci_fsl ehci_hcd gpio_button_hotplug usbcore nls_base usb_common [ 3.992907] Process init (pid: 1, threadinfo=(ptrval), task=(ptrval), tls=77e22ec8) [ 4.000776] Stack : 81431ef4 7fd1f080 81431f28 81428470 7fd1f068 81431edc 7ff559b8 81428470 [ 4.009467] 81431f28 7fd1f080 55590000 77d70000 77d5498c 80015c70 806f0000 8063ae74 [ 4.018149] 08100002 81431f28 0000000a 08100002 81431f28 0000000a 77d6b418 00000003 [ 4.026831] ffffffff 80016414 80080734 81431ecc 81431ecc 00000001 00000000 04000000 [ 4.035512] 77d54874 00000000 00000000 00000000 00000000 00000012 00000002 00000000 [ 4.044196] ... [ 4.046706] Call Trace: [ 4.049238] [<80015808>] setup_sigcontext+0x54/0x24c [ 4.054356] [<80015c70>] setup_frame+0xdc/0x124 [ 4.059015] [<80016414>] do_notify_resume+0x1dc/0x288 [ 4.064207] [<80011b50>] work_notifysig+0x10/0x18 [ 4.069036] [ 4.070538] Code: 8fc300b4 00001025 26240008 <ac820000> ac830004 3c048063 0c0228aa 24846a00 26240010 [ 4.080686] [ 4.082517] ---[ end trace 22a8edb41f5f983b ]--- [ 4.087374] Kernel panic - not syncing: Fatal exception [ 4.092753] Rebooting in 1 seconds.. Because the bootloader (CFE) is not initializing the Read-ahead cache properly on the second thread (TP1). Since the RAC was not initialized properly, we should avoid flushing it at the risk of corrupting the instruction stream as seen in the trace above. 2025-12-24 not yet calculated CVE-2023-53986 https://git.kernel.org/stable/c/d65de5ee8b72868fbbbd39ca73017d0e526fa13a
https://git.kernel.org/stable/c/47a449ec09b4479b89dcc6b27ec3829fc82ffafb
https://git.kernel.org/stable/c/65b723644294f1d79770704162c0e8d1f700b6f1
https://git.kernel.org/stable/c/2cdbcff99f15db86a10672fb220379a1ae46ccae
https://git.kernel.org/stable/c/288c96aa5b5526cd4a946e84ef85e165857693b5
https://git.kernel.org/stable/c/ab327f8acdf8d06601fbf058859a539a9422afff
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ping: Fix potentail NULL deref for /proc/net/icmp. After commit dbca1596bbb0 ("ping: convert to RCU lookups, get rid of rwlock"), we use RCU for ping sockets, but we should use spinlock for /proc/net/icmp to avoid a potential NULL deref mentioned in the previous patch. Let's go back to using spinlock there. Note we can convert ping sockets to use hlist instead of hlist_nulls because we do not use SLAB_TYPESAFE_BY_RCU for ping sockets. 2025-12-24 not yet calculated CVE-2023-53987 https://git.kernel.org/stable/c/5a08a32e624908890aa0a2eb442bb6a7669891a8
https://git.kernel.org/stable/c/176cbb6da28f36506cc60a4bec4ab8df0c16713a
https://git.kernel.org/stable/c/ab5fb73ffa01072b4d8031cc05801fa1cb653bee
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix slab-out-of-bounds read in hdr_delete_de() Here is a BUG report from syzbot: BUG: KASAN: slab-out-of-bounds in hdr_delete_de+0xe0/0x150 fs/ntfs3/index.c:806 Read of size 16842960 at addr ffff888079cc0600 by task syz-executor934/3631 Call Trace: memmove+0x25/0x60 mm/kasan/shadow.c:54 hdr_delete_de+0xe0/0x150 fs/ntfs3/index.c:806 indx_delete_entry+0x74f/0x3670 fs/ntfs3/index.c:2193 ni_remove_name+0x27a/0x980 fs/ntfs3/frecord.c:2910 ntfs_unlink_inode+0x3d4/0x720 fs/ntfs3/inode.c:1712 ntfs_rename+0x41a/0xcb0 fs/ntfs3/namei.c:276 Before using the meta-data in struct INDEX_HDR, we need to check index header valid or not. Otherwise, the corruptedi (or malicious) fs image can cause out-of-bounds access which could make kernel panic. 2025-12-24 not yet calculated CVE-2023-53988 https://git.kernel.org/stable/c/c58ea97aa94f033ee64a8cb6587d84a9849b6216
https://git.kernel.org/stable/c/9163a5b4ed290da4a7d23fa92533e0e81fd0166e
https://git.kernel.org/stable/c/114204d25e1dffdd3a0c1cfbba219afd344f4b4f
https://git.kernel.org/stable/c/4a034ece7e2877673d9085d6e7ed45e6ee40b761
https://git.kernel.org/stable/c/ab84eee4c7ab929996602eda7832854c35a6dda2
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: arm64: mm: fix VA-range sanity check Both create_mapping_noalloc() and update_mapping_prot() sanity-check their 'virt' parameter, but the check itself doesn't make much sense. The condition used today appears to be a historical accident. The sanity-check condition: if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { [ ... warning here ... ] return; } ... can only be true for the KASAN shadow region or the module region, and there's no reason to exclude these specifically for creating and updateing mappings. When arm64 support was first upstreamed in commit: c1cc1552616d0f35 ("arm64: MMU initialisation") ... the condition was: if (virt < VMALLOC_START) { [ ... warning here ... ] return; } At the time, VMALLOC_START was the lowest kernel address, and this was checking whether 'virt' would be translated via TTBR1. Subsequently in commit: 14c127c957c1c607 ("arm64: mm: Flip kernel VA space") ... the condition was changed to: if ((virt >= VA_START) && (virt < VMALLOC_START)) { [ ... warning here ... ] return; } This appear to have been a thinko. The commit moved the linear map to the bottom of the kernel address space, with VMALLOC_START being at the halfway point. The old condition would warn for changes to the linear map below this, and at the time VA_START was the end of the linear map. Subsequently we cleaned up the naming of VA_START in commit: 77ad4ce69321abbe ("arm64: memory: rename VA_START to PAGE_END") ... keeping the erroneous condition as: if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { [ ... warning here ... ] return; } Correct the condition to check against the start of the TTBR1 address space, which is currently PAGE_OFFSET. This simplifies the logic, and more clearly matches the "outside kernel range" message in the warning. 2025-12-24 not yet calculated CVE-2023-53989 https://git.kernel.org/stable/c/9d8d3df71516ec3236d8d93ff029d251377ba4b1
https://git.kernel.org/stable/c/32020fc2a8373d3de35ae6d029d5969a42651e7a
https://git.kernel.org/stable/c/621619f626cbe702ddbdc54117f3868b8ebd8129
https://git.kernel.org/stable/c/b03c7fcc5ed854d0e1b27e9abf12428bfa751a37
https://git.kernel.org/stable/c/ab9b4008092c86dc12497af155a0901cc1156999
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: SMB3: Add missing locks to protect deferred close file list cifs_del_deferred_close function has a critical section which modifies the deferred close file list. We must acquire deferred_lock before calling cifs_del_deferred_close function. 2025-12-24 not yet calculated CVE-2023-53990 https://git.kernel.org/stable/c/0f87e18203bd30f71eb1a65259e28e291b6cc43a
https://git.kernel.org/stable/c/3aa9d065b0685b4e6052f3f2a2462966fdc44fd2
https://git.kernel.org/stable/c/cb36365dac25d546ca4af0eb22acb43c9b4ddfdf
https://git.kernel.org/stable/c/32a046ccaeea6c19965c04a4c521e703f6607924
https://git.kernel.org/stable/c/ab9ddc87a9055c4bebd6524d5d761d605d52e557
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Disallow unallocated resources to be returned In the event that the topology requests resources that have not been created by the system (because they are typically not represented in dpu_mdss_cfg ^1), the resource(s) in global_state (in this case DSC blocks, until their allocation/assignment is being sanity-checked in "drm/msm/dpu: Reject topologies for which no DSC blocks are available") remain NULL but will still be returned out of dpu_rm_get_assigned_resources, where the caller expects to get an array containing num_blks valid pointers (but instead gets these NULLs). To prevent this from happening, where null-pointer dereferences typically result in a hard-to-debug platform lockup, num_blks shouldn't increase past NULL blocks and will print an error and break instead. After all, max_blks represents the static size of the maximum number of blocks whereas the actual amount varies per platform. ^1: which can happen after a git rebase ended up moving additions to _dpu_cfg to a different struct which has the same patch context. Patchwork: https://patchwork.freedesktop.org/patch/517636/ 2025-12-24 not yet calculated CVE-2023-53991 https://git.kernel.org/stable/c/8dbd54d679e3ab37be43bc1ed9f463dbf83a2259
https://git.kernel.org/stable/c/bf661c5e3bc48973acb363c76e3db965d9ed26d0
https://git.kernel.org/stable/c/9e1e236acdc42b5c43ec8d7f03a39537e70cc309
https://git.kernel.org/stable/c/9fe3644c720ac87d150f0bba5a4ae86cae55afaf
https://git.kernel.org/stable/c/abc40122d9a69f56c04efb5a7485795f5ac799d1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: ocb: don't leave if not joined If there's no OCB state, don't ask the driver/mac80211 to leave, since that's just confusing. Since set/clear the chandef state, that's a simple check. 2025-12-24 not yet calculated CVE-2023-53992 https://git.kernel.org/stable/c/d7b0fe3487d203c04ee1bda91a63bd4dd398c350
https://git.kernel.org/stable/c/94332210902967b7d63294b43428c8ed075b20e6
https://git.kernel.org/stable/c/abc76cf552e13cfa88a204b362a86b0e08e95228
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: PCI/DOE: Fix memory leak with CONFIG_DEBUG_OBJECTS=y After a pci_doe_task completes, its work_struct needs to be destroyed to avoid a memory leak with CONFIG_DEBUG_OBJECTS=y. 2025-12-24 not yet calculated CVE-2023-53993 https://git.kernel.org/stable/c/2a0e0f4773fe8032fb17e56f897bee32ce3cdc2b
https://git.kernel.org/stable/c/95628b830952943631d3d74f73f431f501c5d6f5
https://git.kernel.org/stable/c/abf04be0e7071f2bcd39bf97ba407e7d4439785e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ionic: remove WARN_ON to prevent panic_on_warn Remove unnecessary early code development check and the WARN_ON that it uses. The irq alloc and free paths have long been cleaned up and this check shouldn't have stuck around so long. 2025-12-24 not yet calculated CVE-2023-53994 https://git.kernel.org/stable/c/4c7276a6daf7e13a6dd30b0347b3f2c7df4d40bb
https://git.kernel.org/stable/c/f8cc4fd99a325505e15c3da95d6de266efd3d9b5
https://git.kernel.org/stable/c/1417dd787a5e55b410a00a28231b0dcb19172457
https://git.kernel.org/stable/c/dc470466753ad0dd3a8c48aaefa05a992c119b9c
https://git.kernel.org/stable/c/daeaad114cb163ec51bcf14326cb7fe37d368459
https://git.kernel.org/stable/c/abfb2a58a5377ebab717d4362d6180f901b6e5c1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: ipv4: fix one memleak in __inet_del_ifa() I got the below warning when do fuzzing test: unregister_netdevice: waiting for bond0 to become free. Usage count = 2 It can be repoduced via: ip link add bond0 type bond sysctl -w net.ipv4.conf.bond0.promote_secondaries=1 ip addr add 4.117.174.103/0 scope 0x40 dev bond0 ip addr add 192.168.100.111/255.255.255.254 scope 0 dev bond0 ip addr add 0.0.0.4/0 scope 0x40 secondary dev bond0 ip addr del 4.117.174.103/0 scope 0x40 dev bond0 ip link delete bond0 type bond In this reproduction test case, an incorrect 'last_prim' is found in __inet_del_ifa(), as a result, the secondary address(0.0.0.4/0 scope 0x40) is lost. The memory of the secondary address is leaked and the reference of in_device and net_device is leaked. Fix this problem: Look for 'last_prim' starting at location of the deleted IP and inserting the promoted IP into the location of 'last_prim'. 2025-12-24 not yet calculated CVE-2023-53995 https://git.kernel.org/stable/c/5624f26a3574500ce23929cb2c9976a0dec9920a
https://git.kernel.org/stable/c/7c8ddcdab1b900bed69cad6beef477fff116289e
https://git.kernel.org/stable/c/2f1e86014d0cc084886c36a2d77bc620e2d42618
https://git.kernel.org/stable/c/980f8445479814509a3cd55a8eabaae1c9030a4c
https://git.kernel.org/stable/c/42652af5360d30b43b06057c193739e7dfb18f42
https://git.kernel.org/stable/c/ac28b1ec6135649b5d78b028e47264cb3ebca5ea
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: x86/sev: Make enc_dec_hypercall() accept a size instead of npages enc_dec_hypercall() accepted a page count instead of a size, which forced its callers to round up. As a result, non-page aligned vaddrs caused pages to be spuriously marked as decrypted via the encryption status hypercall, which in turn caused consistent corruption of pages during live migration. Live migration requires accurate encryption status information to avoid migrating pages from the wrong perspective. 2025-12-24 not yet calculated CVE-2023-53996 https://git.kernel.org/stable/c/ba50e7773a99a109a1ea6f753b766a080d3b21cc
https://git.kernel.org/stable/c/6615212d8e131b45bd9705b0d69cc0d2f624666f
https://git.kernel.org/stable/c/8ae7457e71a320867d868f2622d7c643596e4f43
https://git.kernel.org/stable/c/ac3f9c9f1b37edaa7d1a9b908bc79d843955a1a2
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: thermal: of: fix double-free on unregistration Since commit 3d439b1a2ad3 ("thermal/core: Alloc-copy-free the thermal zone parameters structure"), thermal_zone_device_register() allocates a copy of the tzp argument and frees it when unregistering, so thermal_of_zone_register() now ends up leaking its original tzp and double-freeing the tzp copy. Fix this by locating tzp on stack instead. 2025-12-24 not yet calculated CVE-2023-53997 https://git.kernel.org/stable/c/adce49089412a9ae28f5c666e0bb12fbcd86b3f7
https://git.kernel.org/stable/c/ac4436a5b20e0ef1f608a9ef46c08d5d142f8da6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: hwrng: virtio - Fix race on data_avail and actual data The virtio rng device kicks off a new entropy request whenever the data available reaches zero. When a new request occurs at the end of a read operation, that is, when the result of that request is only needed by the next reader, then there is a race between the writing of the new data and the next reader. This is because there is no synchronisation whatsoever between the writer and the reader. Fix this by writing data_avail with smp_store_release and reading it with smp_load_acquire when we first enter read. The subsequent reads are safe because they're either protected by the first load acquire, or by the completion mechanism. Also remove the redundant zeroing of data_idx in random_recv_done (data_idx must already be zero at this point) and data_avail in request_entropy (ditto). 2025-12-24 not yet calculated CVE-2023-53998 https://git.kernel.org/stable/c/241ef15776a7c8505008db689175b320d345ecd3
https://git.kernel.org/stable/c/a43bcb0b661cbbf3ad797d2aee6b6fd06b8fc69d
https://git.kernel.org/stable/c/77471e4912d3960dafe141e268c44be8024fe4dc
https://git.kernel.org/stable/c/c76d991b6f01a5d931e7053a73bc9524975a5215
https://git.kernel.org/stable/c/22c30022cde6e2c88612b3a499223cfa912f1bc7
https://git.kernel.org/stable/c/318657b4c2077289659f1cd9e2a34f6a3b208e3e
https://git.kernel.org/stable/c/2fc91f156b3f3446a1bce80cf4adedcbf41271c2
https://git.kernel.org/stable/c/ac52578d6e8d300dd50f790f29a24169b1edd26c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: TC, Fix internal port memory leak The flow rule can be splited, and the extra post_act rules are added to post_act table. It's possible to trigger memleak when the rule forwards packets from internal port and over tunnel, in the case that, for example, CT 'new' state offload is allowed. As int_port object is assigned to the flow attribute of post_act rule, and its refcnt is incremented by mlx5e_tc_int_port_get(), but mlx5e_tc_int_port_put() is not called, the refcnt is never decremented, then int_port is never freed. The kmemleak reports the following error: unreferenced object 0xffff888128204b80 (size 64): comm "handler20", pid 50121, jiffies 4296973009 (age 642.932s) hex dump (first 32 bytes): 01 00 00 00 19 00 00 00 03 f0 00 00 04 00 00 00 ................ 98 77 67 41 81 88 ff ff 98 77 67 41 81 88 ff ff .wgA.....wgA.... backtrace: [<00000000e992680d>] kmalloc_trace+0x27/0x120 [<000000009e945a98>] mlx5e_tc_int_port_get+0x3f3/0xe20 [mlx5_core] [<0000000035a537f0>] mlx5e_tc_add_fdb_flow+0x473/0xcf0 [mlx5_core] [<0000000070c2cec6>] __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core] [<000000005cc84048>] mlx5e_configure_flower+0xd40/0x4c40 [mlx5_core] [<000000004f8a2031>] mlx5e_rep_indr_offload.isra.0+0x10e/0x1c0 [mlx5_core] [<000000007df797dc>] mlx5e_rep_indr_setup_tc_cb+0x90/0x130 [mlx5_core] [<0000000016c15cc3>] tc_setup_cb_add+0x1cf/0x410 [<00000000a63305b4>] fl_hw_replace_filter+0x38f/0x670 [cls_flower] [<000000008bc9e77c>] fl_change+0x1fd5/0x4430 [cls_flower] [<00000000e7f766e4>] tc_new_tfilter+0x867/0x2010 [<00000000e101c0ef>] rtnetlink_rcv_msg+0x6fc/0x9f0 [<00000000e1111d44>] netlink_rcv_skb+0x12c/0x360 [<0000000082dd6c8b>] netlink_unicast+0x438/0x710 [<00000000fc568f70>] netlink_sendmsg+0x794/0xc50 [<0000000016e92590>] sock_sendmsg+0xc5/0x190 So fix this by moving int_port cleanup code to the flow attribute free helper, which is used by all the attribute free cases. 2025-12-24 not yet calculated CVE-2023-53999 https://git.kernel.org/stable/c/bc1918bac0f30e3f551ef5649b53062917db55fa
https://git.kernel.org/stable/c/ac5da544a3c2047cbfd715acd9cec8380d7fe5c6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix deadlock issue when externel_lb and reset are executed together When externel_lb and reset are executed together, a deadlock may occur: [ 3147.217009] INFO: task kworker/u321:0:7 blocked for more than 120 seconds. [ 3147.230483] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 3147.238999] task:kworker/u321:0 state:D stack: 0 pid: 7 ppid: 2 flags:0x00000008 [ 3147.248045] Workqueue: hclge hclge_service_task [hclge] [ 3147.253957] Call trace: [ 3147.257093] __switch_to+0x7c/0xbc [ 3147.261183] __schedule+0x338/0x6f0 [ 3147.265357] schedule+0x50/0xe0 [ 3147.269185] schedule_preempt_disabled+0x18/0x24 [ 3147.274488] __mutex_lock.constprop.0+0x1d4/0x5dc [ 3147.279880] __mutex_lock_slowpath+0x1c/0x30 [ 3147.284839] mutex_lock+0x50/0x60 [ 3147.288841] rtnl_lock+0x20/0x2c [ 3147.292759] hclge_reset_prepare+0x68/0x90 [hclge] [ 3147.298239] hclge_reset_subtask+0x88/0xe0 [hclge] [ 3147.303718] hclge_reset_service_task+0x84/0x120 [hclge] [ 3147.309718] hclge_service_task+0x2c/0x70 [hclge] [ 3147.315109] process_one_work+0x1d0/0x490 [ 3147.319805] worker_thread+0x158/0x3d0 [ 3147.324240] kthread+0x108/0x13c [ 3147.328154] ret_from_fork+0x10/0x18 In externel_lb process, the hns3 driver call napi_disable() first, then the reset happen, then the restore process of the externel_lb will fail, and will not call napi_enable(). When doing externel_lb again, napi_disable() will be double call, cause a deadlock of rtnl_lock(). This patch use the HNS3_NIC_STATE_DOWN state to protect the calling of napi_disable() and napi_enable() in externel_lb process, just as the usage in ndo_stop() and ndo_start(). 2025-12-24 not yet calculated CVE-2023-54000 https://git.kernel.org/stable/c/d9f609cb50ebab4aa6341112f406bf9d3928ac81
https://git.kernel.org/stable/c/743f7c1762e098048ede8cdf8c89a118f8d12391
https://git.kernel.org/stable/c/ef2d6bf9695669d31ece9f2ef39dec84874a87c7
https://git.kernel.org/stable/c/ac6257a3ae5db5193b1f19c268e4f72d274ddb88
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: staging: r8712: Fix memory leak in _r8712_init_xmit_priv() In the above mentioned routine, memory is allocated in several places. If the first succeeds and a later one fails, the routine will leak memory. This patch fixes commit 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel"). A potential memory leak in r8712_xmit_resource_alloc() is also addressed. 2025-12-24 not yet calculated CVE-2023-54001 https://git.kernel.org/stable/c/fc511ae405f7ba29fbcb0246061ec15c272386e1
https://git.kernel.org/stable/c/acacdbe0f740ca8c5d5da73d50870903a3ded677
https://git.kernel.org/stable/c/41e05572e871b10dbdc168c76175c97982daf4a4
https://git.kernel.org/stable/c/874555472c736813ba1f4baf0b4c09c8e26d81ea
https://git.kernel.org/stable/c/ac83631230f77dda94154ed0ebfd368fc81c70a3
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: fix assertion of exclop condition when starting balance Balance as exclusive state is compatible with paused balance and device add, which makes some things more complicated. The assertion of valid states when starting from paused balance needs to take into account two more states, the combinations can be hit when there are several threads racing to start balance and device add. This won't typically happen when the commands are started from command line. Scenario 1: With exclusive_operation state == BTRFS_EXCLOP_NONE. Concurrently adding multiple devices to the same mount point and btrfs_exclop_finish executed finishes before assertion in btrfs_exclop_balance, exclusive_operation will changed to BTRFS_EXCLOP_NONE state which lead to assertion failed: fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE || fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD, in fs/btrfs/ioctl.c:456 Call Trace: <TASK> btrfs_exclop_balance+0x13c/0x310 ? memdup_user+0xab/0xc0 ? PTR_ERR+0x17/0x20 btrfs_ioctl_add_dev+0x2ee/0x320 btrfs_ioctl+0x9d5/0x10d0 ? btrfs_ioctl_encoded_write+0xb80/0xb80 __x64_sys_ioctl+0x197/0x210 do_syscall_64+0x3c/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Scenario 2: With exclusive_operation state == BTRFS_EXCLOP_BALANCE_PAUSED. Concurrently adding multiple devices to the same mount point and btrfs_exclop_balance executed finish before the latter thread execute assertion in btrfs_exclop_balance, exclusive_operation will changed to BTRFS_EXCLOP_BALANCE_PAUSED state which lead to assertion failed: fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE || fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD || fs_info->exclusive_operation == BTRFS_EXCLOP_NONE, fs/btrfs/ioctl.c:458 Call Trace: <TASK> btrfs_exclop_balance+0x240/0x410 ? memdup_user+0xab/0xc0 ? PTR_ERR+0x17/0x20 btrfs_ioctl_add_dev+0x2ee/0x320 btrfs_ioctl+0x9d5/0x10d0 ? btrfs_ioctl_encoded_write+0xb80/0xb80 __x64_sys_ioctl+0x197/0x210 do_syscall_64+0x3c/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd An example of the failed assertion is below, which shows that the paused balance is also needed to be checked. root@syzkaller:/home/xsk# ./repro Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 [ 416.611428][ T7970] BTRFS info (device loop0): fs_info exclusive_operation: 0 Failed to add device /dev/vda, errno 14 [ 416.613973][ T7971] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.615456][ T7972] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.617528][ T7973] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.618359][ T7974] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.622589][ T7975] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.624034][ T7976] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.626420][ T7977] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.627643][ T7978] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.629006][ T7979] BTRFS info (device loop0): fs_info exclusive_operation: 3 [ 416.630298][ T7980] BTRFS info (device loop0): fs_info exclusive_operation: 3 Fai ---truncated--- 2025-12-24 not yet calculated CVE-2023-54002 https://git.kernel.org/stable/c/17eaeee4c5f24946aad0298d51f32981c3161d13
https://git.kernel.org/stable/c/7877dc1136ada770622d22041be306539902951b
https://git.kernel.org/stable/c/6062e9e335a3bf409b5118bfe4cc10aff4b6adb1
https://git.kernel.org/stable/c/ac868bc9d136cde6e3eb5de77019a63d57a540ff
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Fix GID entry ref leak when create_ah fails If AH create request fails, release sgid_attr to avoid GID entry referrence leak reported while releasing GID table 2025-12-24 not yet calculated CVE-2023-54003 https://git.kernel.org/stable/c/9c46c49ad3ffe84121715d392b5a0a94f9f10669
https://git.kernel.org/stable/c/d1b9b3191697a80aca8e247320eba46f24d41d18
https://git.kernel.org/stable/c/e97ff11b396c320d2cc025b09741ba432fcb20a2
https://git.kernel.org/stable/c/370280c65c28a515b841c9f2c08524f06182510c
https://git.kernel.org/stable/c/632d6baf8884d803e598bf5164008d23fd9b736c
https://git.kernel.org/stable/c/aca3b0fa3d04b40c96934d86cc224cccfa7ea8e0
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated(). syzbot reported [0] a null-ptr-deref in sk_get_rmem0() while using IPPROTO_UDPLITE (0x88): 14:25:52 executing program 1: r0 = socket$inet6(0xa, 0x80002, 0x88) We had a similar report [1] for probably sk_memory_allocated_add() in __sk_mem_raise_allocated(), and commit c915fe13cbaa ("udplite: fix NULL pointer dereference") fixed it by setting .memory_allocated for udplite_prot and udplitev6_prot. To fix the variant, we need to set either .sysctl_wmem_offset or .sysctl_rmem. Now UDP and UDPLITE share the same value for .memory_allocated, so we use the same .sysctl_wmem_offset for UDP and UDPLITE. [0]: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 6829 Comm: syz-executor.1 Not tainted 6.4.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 RIP: 0010:sk_get_rmem0 include/net/sock.h:2907 [inline] RIP: 0010:__sk_mem_raise_allocated+0x806/0x17a0 net/core/sock.c:3006 Code: c1 ea 03 80 3c 02 00 0f 85 23 0f 00 00 48 8b 44 24 08 48 8b 98 38 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 0f 8d 6f 0a 00 00 8b RSP: 0018:ffffc90005d7f450 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004d92000 RDX: 0000000000000000 RSI: ffffffff88066482 RDI: ffffffff8e2ccbb8 RBP: ffff8880173f7000 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000030000 R13: 0000000000000001 R14: 0000000000000340 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880b9800000(0063) knlGS:00000000f7f1cb40 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 000000002e82f000 CR3: 0000000034ff0000 CR4: 00000000003506f0 Call Trace: <TASK> __sk_mem_schedule+0x6c/0xe0 net/core/sock.c:3077 udp_rmem_schedule net/ipv4/udp.c:1539 [inline] __udp_enqueue_schedule_skb+0x776/0xb30 net/ipv4/udp.c:1581 __udpv6_queue_rcv_skb net/ipv6/udp.c:666 [inline] udpv6_queue_rcv_one_skb+0xc39/0x16c0 net/ipv6/udp.c:775 udpv6_queue_rcv_skb+0x194/0xa10 net/ipv6/udp.c:793 __udp6_lib_mcast_deliver net/ipv6/udp.c:906 [inline] __udp6_lib_rcv+0x1bda/0x2bd0 net/ipv6/udp.c:1013 ip6_protocol_deliver_rcu+0x2e7/0x1250 net/ipv6/ip6_input.c:437 ip6_input_finish+0x150/0x2f0 net/ipv6/ip6_input.c:482 NF_HOOK include/linux/netfilter.h:303 [inline] NF_HOOK include/linux/netfilter.h:297 [inline] ip6_input+0xa0/0xd0 net/ipv6/ip6_input.c:491 ip6_mc_input+0x40b/0xf50 net/ipv6/ip6_input.c:585 dst_input include/net/dst.h:468 [inline] ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline] NF_HOOK include/linux/netfilter.h:303 [inline] NF_HOOK include/linux/netfilter.h:297 [inline] ipv6_rcv+0x250/0x380 net/ipv6/ip6_input.c:309 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5491 __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5605 netif_receive_skb_internal net/core/dev.c:5691 [inline] netif_receive_skb+0x133/0x7a0 net/core/dev.c:5750 tun_rx_batched+0x4b3/0x7a0 drivers/net/tun.c:1553 tun_get_user+0x2452/0x39c0 drivers/net/tun.c:1989 tun_chr_write_iter+0xdf/0x200 drivers/net/tun.c:2035 call_write_iter include/linux/fs.h:1868 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x945/0xd50 fs/read_write.c:584 ksys_write+0x12b/0x250 fs/read_write.c:637 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203 entry_SYSENTER_compat_after_hwframe+0x70/0x82 RIP: 0023:0xf7f21579 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 ---truncated--- 2025-12-24 not yet calculated CVE-2023-54004 https://git.kernel.org/stable/c/cc56de054d828935aa37734b479f82fa34b5f9bd
https://git.kernel.org/stable/c/7e3ae83371a4809da6fa3f10ccc430eecef3034a
https://git.kernel.org/stable/c/5014b64e369bdf997935b132a1ac4d64b6e47ad4
https://git.kernel.org/stable/c/387bd0a3af3bdd2b16f8dbef0c9fcccac63000a4
https://git.kernel.org/stable/c/2a112f04629f7839e7cb509b27b8d3b735afe255
https://git.kernel.org/stable/c/f04c8eaf45e7dcdfccba936506b1ec592a369fb9
https://git.kernel.org/stable/c/ad42a35bdfc6d3c0fc4cb4027d7b2757ce665665
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: binder: fix memory leak in binder_init() In binder_init(), the destruction of binder_alloc_shrinker_init() is not performed in the wrong path, which will cause memory leaks. So this commit introduces binder_alloc_shrinker_exit() and calls it in the wrong path to fix that. 2025-12-24 not yet calculated CVE-2023-54005 https://git.kernel.org/stable/c/486dd742ba186ea333664c517d6775b06b1448ca
https://git.kernel.org/stable/c/ceb0f8cc987fb3d25c06b9662e08a42f99651207
https://git.kernel.org/stable/c/b97dad01c12169991f895de3d4f61b8115d12bab
https://git.kernel.org/stable/c/d7e5e2b87f5d27469075b6326b6b358e38cd9dcb
https://git.kernel.org/stable/c/03eebad96233397f951d8e9fafd82a1674a77284
https://git.kernel.org/stable/c/f11a26633eb6d3bb24a10b1bacc4e4a9b0c6389f
https://git.kernel.org/stable/c/ee95051c0c1928051f86198bf5e554277a53b26b
https://git.kernel.org/stable/c/adb9743d6a08778b78d62d16b4230346d3508986
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix data-race around unix_tot_inflight. unix_tot_inflight is changed under spin_lock(unix_gc_lock), but unix_release_sock() reads it locklessly. Let's use READ_ONCE() for unix_tot_inflight. Note that the writer side was marked by commit 9d6d7f1cb67c ("af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress") BUG: KCSAN: data-race in unix_inflight / unix_release_sock write (marked) to 0xffffffff871852b8 of 4 bytes by task 123 on cpu 1: unix_inflight+0x130/0x180 net/unix/scm.c:64 unix_attach_fds+0x137/0x1b0 net/unix/scm.c:123 unix_scm_to_skb net/unix/af_unix.c:1832 [inline] unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1955 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg+0x148/0x160 net/socket.c:747 ____sys_sendmsg+0x4e4/0x610 net/socket.c:2493 ___sys_sendmsg+0xc6/0x140 net/socket.c:2547 __sys_sendmsg+0x94/0x140 net/socket.c:2576 __do_sys_sendmsg net/socket.c:2585 [inline] __se_sys_sendmsg net/socket.c:2583 [inline] __x64_sys_sendmsg+0x45/0x50 net/socket.c:2583 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc read to 0xffffffff871852b8 of 4 bytes by task 4891 on cpu 0: unix_release_sock+0x608/0x910 net/unix/af_unix.c:671 unix_release+0x59/0x80 net/unix/af_unix.c:1058 __sock_release+0x7d/0x170 net/socket.c:653 sock_close+0x19/0x30 net/socket.c:1385 __fput+0x179/0x5e0 fs/file_table.c:321 ____fput+0x15/0x20 fs/file_table.c:349 task_work_run+0x116/0x1a0 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297 do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x72/0xdc value changed: 0x00000000 -> 0x00000001 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 4891 Comm: systemd-coredum Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 2025-12-24 not yet calculated CVE-2023-54006 https://git.kernel.org/stable/c/31b46d5e7c4e295bd112960614a66a177a057dca
https://git.kernel.org/stable/c/20aa8325464d8905450089eed96ca102a074d853
https://git.kernel.org/stable/c/5d91b7891f4a9a9d69d75e9f44ab4bf1f3b11840
https://git.kernel.org/stable/c/cf29b42766ad4af2ae6a449f583796951551b48d
https://git.kernel.org/stable/c/e5edc6e44a882c0458878ab10eaddfe60ac34e57
https://git.kernel.org/stable/c/2d8933ca863e252fb09ad0be483255e3dfeb1f54
https://git.kernel.org/stable/c/afc284a4a781defbb12b2a40427fae34c3d20e17
https://git.kernel.org/stable/c/ade32bd8a738d7497ffe9743c46728db26740f78
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: vmci_host: fix a race condition in vmci_host_poll() causing GPF During fuzzing, a general protection fault is observed in vmci_host_poll(). general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf] RIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926 <- omitting registers -> Call Trace: <TASK> lock_acquire+0x1a4/0x4a0 kernel/locking/lockdep.c:5672 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xb3/0x100 kernel/locking/spinlock.c:162 add_wait_queue+0x3d/0x260 kernel/sched/wait.c:22 poll_wait include/linux/poll.h:49 [inline] vmci_host_poll+0xf8/0x2b0 drivers/misc/vmw_vmci/vmci_host.c:174 vfs_poll include/linux/poll.h:88 [inline] do_pollfd fs/select.c:873 [inline] do_poll fs/select.c:921 [inline] do_sys_poll+0xc7c/0x1aa0 fs/select.c:1015 __do_sys_ppoll fs/select.c:1121 [inline] __se_sys_ppoll+0x2cc/0x330 fs/select.c:1101 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Example thread interleaving that causes the general protection fault is as follows: CPU1 (vmci_host_poll) CPU2 (vmci_host_do_init_context) ----- ----- // Read uninitialized context context = vmci_host_dev->context; // Initialize context vmci_host_dev->context = vmci_ctx_create(); vmci_host_dev->ct_type = VMCIOBJ_CONTEXT; if (vmci_host_dev->ct_type == VMCIOBJ_CONTEXT) { // Dereferencing the wrong pointer poll_wait(..., &context->host_context); } In this scenario, vmci_host_poll() reads vmci_host_dev->context first, and then reads vmci_host_dev->ct_type to check that vmci_host_dev->context is initialized. However, since these two reads are not atomically executed, there is a chance of a race condition as described above. To fix this race condition, read vmci_host_dev->context after checking the value of vmci_host_dev->ct_type so that vmci_host_poll() always reads an initialized context. 2025-12-24 not yet calculated CVE-2023-54007 https://git.kernel.org/stable/c/2053e93ac15519ed1f1fe6eba79a33a4963be4a3
https://git.kernel.org/stable/c/ca0f4ad2b7a36c799213ef0a213eb977a51e03dc
https://git.kernel.org/stable/c/85b4aa4eb2e3a0da111fd0a1cdbf00f986ac6b6b
https://git.kernel.org/stable/c/770d30b1355c6c8879973dd054fca9168def182c
https://git.kernel.org/stable/c/d22b2a35729cb1de311cb650cd67518a24e13fc9
https://git.kernel.org/stable/c/67e35824f861a05b44b19d38e16a83f653bd9d92
https://git.kernel.org/stable/c/ab64bd32b9fac27ff4737d63711b9db5e5462448
https://git.kernel.org/stable/c/ae13381da5ff0e8e084c0323c3cc0a945e43e9c7
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: virtio_vdpa: build affinity masks conditionally We try to build affinity mask via create_affinity_masks() unconditionally which may lead several issues: - the affinity mask is not used for parent without affinity support (only VDUSE support the affinity now) - the logic of create_affinity_masks() might not work for devices other than block. For example it's not rare in the networking device where the number of queues could exceed the number of CPUs. Such case breaks the current affinity logic which is based on group_cpus_evenly() who assumes the number of CPUs are not less than the number of groups. This can trigger a warning[1]: if (ret >= 0) WARN_ON(nr_present + nr_others < numgrps); Fixing this by only build the affinity masks only when - Driver passes affinity descriptor, driver like virtio-blk can make sure to limit the number of queues when it exceeds the number of CPUs - Parent support affinity setting config ops This help to avoid the warning. More optimizations could be done on top. [1] [ 682.146655] WARNING: CPU: 6 PID: 1550 at lib/group_cpus.c:400 group_cpus_evenly+0x1aa/0x1c0 [ 682.146668] CPU: 6 PID: 1550 Comm: vdpa Not tainted 6.5.0-rc5jason+ #79 [ 682.146671] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [ 682.146673] RIP: 0010:group_cpus_evenly+0x1aa/0x1c0 [ 682.146676] Code: 4c 89 e0 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc e8 1b c4 74 ff 48 89 ef e8 13 ac 98 ff 4c 89 e7 45 31 e4 e8 08 ac 98 ff eb c2 <0f> 0b eb b6 e8 fd 05 c3 00 45 31 e4 eb e5 cc cc cc cc cc cc cc cc [ 682.146679] RSP: 0018:ffffc9000215f498 EFLAGS: 00010293 [ 682.146682] RAX: 000000000001f1e0 RBX: 0000000000000041 RCX: 0000000000000000 [ 682.146684] RDX: ffff888109922058 RSI: 0000000000000041 RDI: 0000000000000030 [ 682.146686] RBP: ffff888109922058 R08: ffffc9000215f498 R09: ffffc9000215f4a0 [ 682.146687] R10: 00000000000198d0 R11: 0000000000000030 R12: ffff888107e02800 [ 682.146689] R13: 0000000000000030 R14: 0000000000000030 R15: 0000000000000041 [ 682.146692] FS: 00007fef52315740(0000) GS:ffff888237380000(0000) knlGS:0000000000000000 [ 682.146695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 682.146696] CR2: 00007fef52509000 CR3: 0000000110dbc004 CR4: 0000000000370ee0 [ 682.146698] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 682.146700] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 682.146701] Call Trace: [ 682.146703] <TASK> [ 682.146705] ? __warn+0x7b/0x130 [ 682.146709] ? group_cpus_evenly+0x1aa/0x1c0 [ 682.146712] ? report_bug+0x1c8/0x1e0 [ 682.146717] ? handle_bug+0x3c/0x70 [ 682.146721] ? exc_invalid_op+0x14/0x70 [ 682.146723] ? asm_exc_invalid_op+0x16/0x20 [ 682.146727] ? group_cpus_evenly+0x1aa/0x1c0 [ 682.146729] ? group_cpus_evenly+0x15c/0x1c0 [ 682.146731] create_affinity_masks+0xaf/0x1a0 [ 682.146735] virtio_vdpa_find_vqs+0x83/0x1d0 [ 682.146738] ? __pfx_default_calc_sets+0x10/0x10 [ 682.146742] virtnet_find_vqs+0x1f0/0x370 [ 682.146747] virtnet_probe+0x501/0xcd0 [ 682.146749] ? vp_modern_get_status+0x12/0x20 [ 682.146751] ? get_cap_addr.isra.0+0x10/0xc0 [ 682.146754] virtio_dev_probe+0x1af/0x260 [ 682.146759] really_probe+0x1a5/0x410 2025-12-24 not yet calculated CVE-2023-54008 https://git.kernel.org/stable/c/5f2592243ccd5bb5341f59be409ccfdd586841f3
https://git.kernel.org/stable/c/628b53fc66ca1910a3cb53c3c7e44e59750c3668
https://git.kernel.org/stable/c/ae15aceaa98ad9499763923f7890e345d9f46b60
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: i2c: cadence: cdns_i2c_master_xfer(): Fix runtime PM leak on error path The cdns_i2c_master_xfer() function gets a runtime PM reference when the function is entered. This reference is released when the function is exited. There is currently one error path where the function exits directly, which leads to a leak of the runtime PM reference. Make sure that this error path also releases the runtime PM reference. 2025-12-24 not yet calculated CVE-2023-54009 https://git.kernel.org/stable/c/fd7bf900c3215c77f6d779d1532faa22b79f2430
https://git.kernel.org/stable/c/2d65599ad1e4f195bbb80752cd5cbc2f1a018dba
https://git.kernel.org/stable/c/a712b5a95270e62209f5c2201c774f708f75234e
https://git.kernel.org/stable/c/d0dc6553b5f2b1272c01b0eba5fe2fd89cc59f44
https://git.kernel.org/stable/c/5b14d7c6ba0ba5d167f5ef588ca6dfe1af6dd0aa
https://git.kernel.org/stable/c/ae1664f04f504a998737f5bb563f16b44357bcca
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects ACPICA commit 0d5f467d6a0ba852ea3aad68663cbcbd43300fd4 ACPI_ALLOCATE_ZEROED may fails, object_info might be null and will cause null pointer dereference later. 2025-12-24 not yet calculated CVE-2023-54010 https://git.kernel.org/stable/c/c9fcb2cfcbd4d7018d9f659f5b670f5b727d1968
https://git.kernel.org/stable/c/35d67ffad6f5d78dbd800d354f5334c7b71a19e0
https://git.kernel.org/stable/c/c409eb45f5ddae2e3b3faa76cefc87f3cd0d0e88
https://git.kernel.org/stable/c/978e0d05547ae707d51a942fc7e85a34e181ee6f
https://git.kernel.org/stable/c/d997c920a5305b37f0b8a40501b5aca10d099ecd
https://git.kernel.org/stable/c/fee6133490091492dc66bcf71479bd53bd17a7d2
https://git.kernel.org/stable/c/ed2e1e85644ca3d351324e9927a538c8af4df654
https://git.kernel.org/stable/c/ae5a0eccc85fc960834dd66e3befc2728284b86c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Fix an issue found by KASAN Write only correct size (32 instead of 64 bytes). 2025-12-24 not yet calculated CVE-2023-54011 https://git.kernel.org/stable/c/abfe73c16b295f2213e9bfc0a1df232056032448
https://git.kernel.org/stable/c/c8755f913a2fc9c168d108ea8c5af04716e8c4a5
https://git.kernel.org/stable/c/ae7d45f5283d30274039b95d3e6d53d33c66e991
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: fix stack overflow when LRO is disabled for virtual interfaces When the virtual interface's feature is updated, it synchronizes the updated feature for its own lower interface. This propagation logic should be worked as the iteration, not recursively. But it works recursively due to the netdev notification unexpectedly. This problem occurs when it disables LRO only for the team and bonding interface type. team0 | +------+------+-----+-----+ | | | | | team1 team2 team3 ... team200 If team0's LRO feature is updated, it generates the NETDEV_FEAT_CHANGE event to its own lower interfaces(team1 ~ team200). It is worked by netdev_sync_lower_features(). So, the NETDEV_FEAT_CHANGE notification logic of each lower interface work iteratively. But generated NETDEV_FEAT_CHANGE event is also sent to the upper interface too. upper interface(team0) generates the NETDEV_FEAT_CHANGE event for its own lower interfaces again. lower and upper interfaces receive this event and generate this event again and again. So, the stack overflow occurs. But it is not the infinite loop issue. Because the netdev_sync_lower_features() updates features before generating the NETDEV_FEAT_CHANGE event. Already synchronized lower interfaces skip notification logic. So, it is just the problem that iteration logic is changed to the recursive unexpectedly due to the notification mechanism. Reproducer: ip link add team0 type team ethtool -K team0 lro on for i in {1..200} do ip link add team$i master team0 type team ethtool -K team$i lro on done ethtool -K team0 lro off In order to fix it, the notifier_ctx member of bonding/team is introduced. 2025-12-24 not yet calculated CVE-2023-54012 https://git.kernel.org/stable/c/9ea0c5f90a27b5b884d880e146e0f65f3052e401
https://git.kernel.org/stable/c/4bb955c4d2830a58c08e2a48ab75d75368e3ff36
https://git.kernel.org/stable/c/cf3b5cd7127cc10c5b12400c545f263f0e5e715c
https://git.kernel.org/stable/c/ed66e6327a69fec95034cda2ac5b6a57b8b3b622
https://git.kernel.org/stable/c/6bf00bb3dc7e5b9fb05488e11616e65d64e975fa
https://git.kernel.org/stable/c/ae9b15fbe63447bc1d3bba3769f409d17ca6fdf6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: interconnect: Fix locking for runpm vs reclaim For cases where icc_bw_set() can be called in callbaths that could deadlock against shrinker/reclaim, such as runpm resume, we need to decouple the icc locking. Introduce a new icc_bw_lock for cases where we need to serialize bw aggregation and update to decouple that from paths that require memory allocation such as node/link creation/ destruction. Fixes this lockdep splat: ====================================================== WARNING: possible circular locking dependency detected 6.2.0-rc8-debug+ #554 Not tainted ------------------------------------------------------ ring0/132 is trying to acquire lock: ffffff80871916d0 (&gmu->lock){+.+.}-{3:3}, at: a6xx_pm_resume+0xf0/0x234 but task is already holding lock: ffffffdb5aee57e8 (dma_fence_map){++++}-{0:0}, at: msm_job_run+0x68/0x150 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #4 (dma_fence_map){++++}-{0:0}: __dma_fence_might_wait+0x74/0xc0 dma_resv_lockdep+0x1f4/0x2f4 do_one_initcall+0x104/0x2bc kernel_init_freeable+0x344/0x34c kernel_init+0x30/0x134 ret_from_fork+0x10/0x20 -> #3 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}: fs_reclaim_acquire+0x80/0xa8 slab_pre_alloc_hook.constprop.0+0x40/0x25c __kmem_cache_alloc_node+0x60/0x1cc __kmalloc+0xd8/0x100 topology_parse_cpu_capacity+0x8c/0x178 get_cpu_for_node+0x88/0xc4 parse_cluster+0x1b0/0x28c parse_cluster+0x8c/0x28c init_cpu_topology+0x168/0x188 smp_prepare_cpus+0x24/0xf8 kernel_init_freeable+0x18c/0x34c kernel_init+0x30/0x134 ret_from_fork+0x10/0x20 -> #2 (fs_reclaim){+.+.}-{0:0}: __fs_reclaim_acquire+0x3c/0x48 fs_reclaim_acquire+0x54/0xa8 slab_pre_alloc_hook.constprop.0+0x40/0x25c __kmem_cache_alloc_node+0x60/0x1cc __kmalloc+0xd8/0x100 kzalloc.constprop.0+0x14/0x20 icc_node_create_nolock+0x4c/0xc4 icc_node_create+0x38/0x58 qcom_icc_rpmh_probe+0x1b8/0x248 platform_probe+0x70/0xc4 really_probe+0x158/0x290 __driver_probe_device+0xc8/0xe0 driver_probe_device+0x44/0x100 __driver_attach+0xf8/0x108 bus_for_each_dev+0x78/0xc4 driver_attach+0x2c/0x38 bus_add_driver+0xd0/0x1d8 driver_register+0xbc/0xf8 __platform_driver_register+0x30/0x3c qnoc_driver_init+0x24/0x30 do_one_initcall+0x104/0x2bc kernel_init_freeable+0x344/0x34c kernel_init+0x30/0x134 ret_from_fork+0x10/0x20 -> #1 (icc_lock){+.+.}-{3:3}: __mutex_lock+0xcc/0x3c8 mutex_lock_nested+0x30/0x44 icc_set_bw+0x88/0x2b4 _set_opp_bw+0x8c/0xd8 _set_opp+0x19c/0x300 dev_pm_opp_set_opp+0x84/0x94 a6xx_gmu_resume+0x18c/0x804 a6xx_pm_resume+0xf8/0x234 adreno_runtime_resume+0x2c/0x38 pm_generic_runtime_resume+0x30/0x44 __rpm_callback+0x15c/0x174 rpm_callback+0x78/0x7c rpm_resume+0x318/0x524 __pm_runtime_resume+0x78/0xbc adreno_load_gpu+0xc4/0x17c msm_open+0x50/0x120 drm_file_alloc+0x17c/0x228 drm_open_helper+0x74/0x118 drm_open+0xa0/0x144 drm_stub_open+0xd4/0xe4 chrdev_open+0x1b8/0x1e4 do_dentry_open+0x2f8/0x38c vfs_open+0x34/0x40 path_openat+0x64c/0x7b4 do_filp_open+0x54/0xc4 do_sys_openat2+0x9c/0x100 do_sys_open+0x50/0x7c __arm64_sys_openat+0x28/0x34 invoke_syscall+0x8c/0x128 el0_svc_common.constprop.0+0xa0/0x11c do_el0_ ---truncated--- 2025-12-24 not yet calculated CVE-2023-54013 https://git.kernel.org/stable/c/2f3a124696d43de3c837f87a9f767c56ee86cf2a
https://git.kernel.org/stable/c/af42269c3523492d71ebbe11fefae2653e9cdc78
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport() Klocwork reported warning of rport maybe NULL and will be dereferenced. rport returned by call to fc_bsg_to_rport() could be NULL and dereferenced. Check valid rport returned by fc_bsg_to_rport(). 2025-12-24 not yet calculated CVE-2023-54014 https://git.kernel.org/stable/c/f35bd94b4e11c41de90cd0fa72c9062e8196822f
https://git.kernel.org/stable/c/ccd3bc595bda67db5a347b9050c2df28f292d3fb
https://git.kernel.org/stable/c/1b7e5bdf2be22ae8c61bdca5a5f96ec2746e9639
https://git.kernel.org/stable/c/921d6844625527a92d1178262a633cc88a8e61bd
https://git.kernel.org/stable/c/1ccd52b790a66b8b5f75c87eab8c3a37f941a2bf
https://git.kernel.org/stable/c/e466930717ef18c112585a39fc6174d8eb441df5
https://git.kernel.org/stable/c/ced5460eae772e847debbc0b65ef93aedab92d3f
https://git.kernel.org/stable/c/af73f23a27206ffb3c477cac75b5fcf03410556e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device In case devcom allocation is failed, mlx5 is always freeing the priv. However, this priv might have been allocated by a different thread, and freeing it might lead to use-after-free bugs. Fix it by freeing the priv only in case it was allocated by the running thread. 2025-12-24 not yet calculated CVE-2023-54015 https://git.kernel.org/stable/c/3dfc1004d9afbf689087ae1eafd88f55481984c7
https://git.kernel.org/stable/c/d4d10a6df1529b3f446cdada5c25e065f4712756
https://git.kernel.org/stable/c/1e755065368000205e6683fa924b2654e99f573b
https://git.kernel.org/stable/c/eaa365c10459052cbe3e44caa4ad760cb93bd435
https://git.kernel.org/stable/c/a3a516caef2c5be2f4d171890a8b3415bfab4e5e
https://git.kernel.org/stable/c/af87194352cad882d787d06fb7efa714acd95427
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix memory leak in rx_desc and tx_desc Currently when ath12k_dp_cc_desc_init() is called we allocate memory to rx_descs and tx_descs. In ath12k_dp_cc_cleanup(), during descriptor cleanup rx_descs and tx_descs memory is not freed. This is cause of memory leak. These allocated memory should be freed in ath12k_dp_cc_cleanup. In ath12k_dp_cc_desc_init(), we can save base address of rx_descs and tx_descs. In ath12k_dp_cc_cleanup(), we can free rx_descs and tx_descs memory using their base address. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 2025-12-24 not yet calculated CVE-2023-54016 https://git.kernel.org/stable/c/e16be2d34883eecfe7fd888fcdb76c7a5db5d187
https://git.kernel.org/stable/c/afb522b36e76acaa9f8fc06d0a9742d841c47c16
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: fix possible memory leak in ibmebus_bus_init() If device_register() returns error in ibmebus_bus_init(), name of kobject which is allocated in dev_set_name() called in device_add() is leaked. As comment of device_add() says, it should call put_device() to drop the reference count that was set in device_initialize() when it fails, so the name can be freed in kobject_cleanup(). 2025-12-24 not yet calculated CVE-2023-54017 https://git.kernel.org/stable/c/e4ff88548defafb1ef84facd9856ec252da7b008
https://git.kernel.org/stable/c/3cc4c2f6c266fe5b33a7fa797f31e8b3f06ce58c
https://git.kernel.org/stable/c/7ffe14fce7425c32e735bdc44bce425f18976a49
https://git.kernel.org/stable/c/9f3b2b666833ebef6d0ce5a40e189f38e70342a1
https://git.kernel.org/stable/c/d35e7ae10eb8917883da2a0b1823c620a1be42d6
https://git.kernel.org/stable/c/96f27ff732208dce6468016e7a7d5032bd1bfc23
https://git.kernel.org/stable/c/ebd8dc974fcc59e2851a0d89ee7935b55142dc8e
https://git.kernel.org/stable/c/afda85b963c12947e298ad85d757e333aa40fd74
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/msm/hdmi: Add missing check for alloc_ordered_workqueue Add check for the return value of alloc_ordered_workqueue as it may return NULL pointer and cause NULL pointer dereference in `hdmi_hdcp.c` and `hdmi_hpd.c`. Patchwork: https://patchwork.freedesktop.org/patch/517211/ 2025-12-24 not yet calculated CVE-2023-54018 https://git.kernel.org/stable/c/b479485b24da1d572a0ce875537af31b02d2f915
https://git.kernel.org/stable/c/392f7eb3946ab3780b931af723033e19f82c9134
https://git.kernel.org/stable/c/fc34608fa275fe6b3b17e171b63b8ca3aa1cbf09
https://git.kernel.org/stable/c/1bab31a0969ca4ac90907a5d3b44af104229eafd
https://git.kernel.org/stable/c/9a01ecc312e764ec4527ad49105a3ca799f1860c
https://git.kernel.org/stable/c/e55f93d674314f2fb69eba0dc24acfdf72805611
https://git.kernel.org/stable/c/ae5ca116a0c0ba9fc4123b1f1ec3c4f4d0d01b3f
https://git.kernel.org/stable/c/afe4cb96153a0d8003e4e4ebd91b5c543e10df84
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: sched/psi: use kernfs polling functions for PSI trigger polling Destroying psi trigger in cgroup_file_release causes UAF issues when a cgroup is removed from under a polling process. This is happening because cgroup removal causes a call to cgroup_file_release while the actual file is still alive. Destroying the trigger at this point would also destroy its waitqueue head and if there is still a polling process on that file accessing the waitqueue, it will step on the freed pointer: do_select vfs_poll do_rmdir cgroup_rmdir kernfs_drain_open_files cgroup_file_release cgroup_pressure_release psi_trigger_destroy wake_up_pollfree(&t->event_wait) // vfs_poll is unblocked synchronize_rcu kfree(t) poll_freewait -> UAF access to the trigger's waitqueue head Patch [1] fixed this issue for epoll() case using wake_up_pollfree(), however the same issue exists for synchronous poll() case. The root cause of this issue is that the lifecycles of the psi trigger's waitqueue and of the file associated with the trigger are different. Fix this by using kernfs_generic_poll function when polling on cgroup-specific psi triggers. It internally uses kernfs_open_node->poll waitqueue head with its lifecycle tied to the file's lifecycle. This also renders the fix in [1] obsolete, so revert it. [1] commit c2dbe32d5db5 ("sched/psi: Fix use-after-free in ep_remove_wait_queue()") 2025-12-24 not yet calculated CVE-2023-54019 https://git.kernel.org/stable/c/92cc0153324b6ae8577a39f5bf2cd83c9a34ea6a
https://git.kernel.org/stable/c/d124ab17024cc85a1079b7810a018a497ebc13da
https://git.kernel.org/stable/c/aff037078ecaecf34a7c2afab1341815f90fba5e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: dmaengine: sf-pdma: pdma_desc memory leak fix Commit b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread support for a DMA channel") changed sf_pdma_prep_dma_memcpy() to unconditionally allocate a new sf_pdma_desc each time it is called. The driver previously recycled descs, by checking the in_use flag, only allocating additional descs if the existing one was in use. This logic was removed in commit b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread support for a DMA channel"), but sf_pdma_free_desc() was not changed to handle the new behaviour. As a result, each time sf_pdma_prep_dma_memcpy() is called, the previous descriptor is leaked, over time leading to memory starvation: unreferenced object 0xffffffe008447300 (size 192): comm "irq/39-mchp_dsc", pid 343, jiffies 4294906910 (age 981.200s) hex dump (first 32 bytes): 00 00 00 ff 00 00 00 00 b8 c1 00 00 00 00 00 00 ................ 00 00 70 08 10 00 00 00 00 00 00 c0 00 00 00 00 ..p............. backtrace: [<00000000064a04f4>] kmemleak_alloc+0x1e/0x28 [<00000000018927a7>] kmem_cache_alloc+0x11e/0x178 [<000000002aea8d16>] sf_pdma_prep_dma_memcpy+0x40/0x112 Add the missing kfree() to sf_pdma_free_desc(), and remove the redundant in_use flag. 2025-12-24 not yet calculated CVE-2023-54020 https://git.kernel.org/stable/c/ad222c9af25e3f074c180e389b3477dce42afc4f
https://git.kernel.org/stable/c/03fece43fa109beba7cc9948c02f5e2d1205d607
https://git.kernel.org/stable/c/8bd5040bd43f2b5ba3c898b09a3197a0c7ace126
https://git.kernel.org/stable/c/b02e07015a5ac7bbc029da931ae17914b8ae0339
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ext4: set goal start correctly in ext4_mb_normalize_request We need to set ac_g_ex to notify the goal start used in ext4_mb_find_by_goal. Set ac_g_ex instead of ac_f_ex in ext4_mb_normalize_request. Besides we should assure goal start is in range [first_data_block, blocks_count) as ext4_mb_initialize_context does. [ Added a check to make sure size is less than ar->pright; otherwise we could end up passing an underflowed value of ar->pright - size to ext4_get_group_no_and_offset(), which will trigger a BUG_ON later on. - TYT ] 2025-12-24 not yet calculated CVE-2023-54021 https://git.kernel.org/stable/c/2479bb6cbdb4d56b807bbe5229e3e26a6f1f4530
https://git.kernel.org/stable/c/390eee955d4de4662db5e3e9e9a9eae020432cb7
https://git.kernel.org/stable/c/cee78217a7ae72d11c2e21e1a5263b8044489823
https://git.kernel.org/stable/c/3ca3005b502ca8ea87d6a344323b179b48c4e4a3
https://git.kernel.org/stable/c/bc4a3e1d07a86ae5845321d371190244acacb2f2
https://git.kernel.org/stable/c/c6bee8970075b256fc1b07bf4873049219380818
https://git.kernel.org/stable/c/abb330ffaa3a0ae7ce632e28c9260b461c01f19f
https://git.kernel.org/stable/c/b07ffe6927c75d99af534d685282ea188d9f71a6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential memory leaks at error path for UMP open The allocation and initialization errors at alloc_midi_urbs() that is called at MIDI 2.0 / UMP device are supposed to be handled at the caller side by invoking free_midi_urbs(). However, free_midi_urbs() loops only for ep->num_urbs entries, and since ep->num_entries wasn't updated yet at the allocation / init error in alloc_midi_urbs(), this entry won't be released. The intention of free_midi_urbs() is to release the whole elements, so change the loop size to NUM_URBS to scan over all elements for fixing the missed releases. Also, the call of free_midi_urbs() is missing at snd_usb_midi_v2_open(). Although it'll be released later at reopen/close or disconnection, it's better to release immediately at the error path. 2025-12-24 not yet calculated CVE-2023-54022 https://git.kernel.org/stable/c/f819b343aa95d24d5f7d6e06660c7f62591abc5f
https://git.kernel.org/stable/c/b1757fa30ef14f254f4719bf6f7d54a4c8207216
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race between balance and cancel/pause Syzbot reported a panic that looks like this: assertion failed: fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE_PAUSED, in fs/btrfs/ioctl.c:465 ------------[ cut here ]------------ kernel BUG at fs/btrfs/messages.c:259! RIP: 0010:btrfs_assertfail+0x2c/0x30 fs/btrfs/messages.c:259 Call Trace: <TASK> btrfs_exclop_balance fs/btrfs/ioctl.c:465 [inline] btrfs_ioctl_balance fs/btrfs/ioctl.c:3564 [inline] btrfs_ioctl+0x531e/0x5b30 fs/btrfs/ioctl.c:4632 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The reproducer is running a balance and a cancel or pause in parallel. The way balance finishes is a bit wonky, if we were paused we need to save the balance_ctl in the fs_info, but clear it otherwise and cleanup. However we rely on the return values being specific errors, or having a cancel request or no pause request. If balance completes and returns 0, but we have a pause or cancel request we won't do the appropriate cleanup, and then the next time we try to start a balance we'll trip this ASSERT. The error handling is just wrong here, we always want to clean up, unless we got -ECANCELLED and we set the appropriate pause flag in the exclusive op. With this patch the reproducer ran for an hour without tripping, previously it would trip in less than a few minutes. 2025-12-24 not yet calculated CVE-2023-54023 https://git.kernel.org/stable/c/ddf7e8984c83aee9122552529f4e77291903f8d9
https://git.kernel.org/stable/c/72efe5d44821e38540888a5fe3ff3d0faab6acad
https://git.kernel.org/stable/c/b19c98f237cd76981aaded52c258ce93f7daa8cb
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: KVM: Destroy target device if coalesced MMIO unregistration fails Destroy and free the target coalesced MMIO device if unregistering said device fails. As clearly noted in the code, kvm_io_bus_unregister_dev() does not destroy the target device. BUG: memory leak unreferenced object 0xffff888112a54880 (size 64): comm "syz-executor.2", pid 5258, jiffies 4297861402 (age 14.129s) hex dump (first 32 bytes): 38 c7 67 15 00 c9 ff ff 38 c7 67 15 00 c9 ff ff 8.g.....8.g..... e0 c7 e1 83 ff ff ff ff 00 30 67 15 00 c9 ff ff .........0g..... backtrace: [<0000000006995a8a>] kmalloc include/linux/slab.h:556 [inline] [<0000000006995a8a>] kzalloc include/linux/slab.h:690 [inline] [<0000000006995a8a>] kvm_vm_ioctl_register_coalesced_mmio+0x8e/0x3d0 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:150 [<00000000022550c2>] kvm_vm_ioctl+0x47d/0x1600 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3323 [<000000008a75102f>] vfs_ioctl fs/ioctl.c:46 [inline] [<000000008a75102f>] file_ioctl fs/ioctl.c:509 [inline] [<000000008a75102f>] do_vfs_ioctl+0xbab/0x1160 fs/ioctl.c:696 [<0000000080e3f669>] ksys_ioctl+0x76/0xa0 fs/ioctl.c:713 [<0000000059ef4888>] __do_sys_ioctl fs/ioctl.c:720 [inline] [<0000000059ef4888>] __se_sys_ioctl fs/ioctl.c:718 [inline] [<0000000059ef4888>] __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718 [<000000006444fa05>] do_syscall_64+0x9f/0x4e0 arch/x86/entry/common.c:290 [<000000009a4ed50b>] entry_SYSCALL_64_after_hwframe+0x49/0xbe BUG: leak checking failed 2025-12-24 not yet calculated CVE-2023-54024 https://git.kernel.org/stable/c/10c2a20d73e99463e69b7e92706791656adc16d7
https://git.kernel.org/stable/c/76a9886e1b61ce5592df5ae78a19ed30399ae189
https://git.kernel.org/stable/c/999439fd5da5a76253e2f2c37b94204f47d75491
https://git.kernel.org/stable/c/ccf6a7fb1aedb1472e1241ee55e4d26b68f8d066
https://git.kernel.org/stable/c/fb436dd6914325075f07d19851ab277b7a693ae7
https://git.kernel.org/stable/c/b1cb1fac22abf102ffeb29dd3eeca208a3869d54
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Do not configure WoWlan in shutdown hook if not enabled In case WoWlan was never configured during the operation of the system, the hw->wiphy->wowlan_config will be NULL. rsi_config_wowlan() checks whether wowlan_config is non-NULL and if it is not, then WARNs about it. The warning is valid, as during normal operation the rsi_config_wowlan() should only ever be called with non-NULL wowlan_config. In shutdown this rsi_config_wowlan() should only ever be called if WoWlan was configured before by the user. Add checks for non-NULL wowlan_config into the shutdown hook. While at it, check whether the wiphy is also non-NULL before accessing wowlan_config . Drop the single-use wowlan_config variable, just inline it into function call. 2025-12-24 not yet calculated CVE-2023-54025 https://git.kernel.org/stable/c/b2aeb97fd470206e67f7b3b4a3e68212a13f747b
https://git.kernel.org/stable/c/4391fa180856ff84a2cef4a92694a689eebb855e
https://git.kernel.org/stable/c/eb205a06908122f50b1dd1baa43f7c8036bfc7dc
https://git.kernel.org/stable/c/1b51236aa49a0564280bd45c94118cab6d9b0fbd
https://git.kernel.org/stable/c/b601468539c1d97539097bfc87ad11f1704b7eb7
https://git.kernel.org/stable/c/b241e260820b68c09586e8a0ae0fc23c0e3215bd
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: opp: Fix use-after-free in lazy_opp_tables after probe deferral When dev_pm_opp_of_find_icc_paths() in _allocate_opp_table() returns -EPROBE_DEFER, the opp_table is freed again, to wait until all the interconnect paths are available. However, if the OPP table is using required-opps then it may already have been added to the global lazy_opp_tables list. The error path does not remove the opp_table from the list again. This can cause crashes later when the provider of the required-opps is added, since we will iterate over OPP tables that have already been freed. E.g.: Unable to handle kernel NULL pointer dereference when read CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.4.0-rc3 PC is at _of_add_opp_table_v2 (include/linux/of.h:949 drivers/opp/of.c:98 drivers/opp/of.c:344 drivers/opp/of.c:404 drivers/opp/of.c:1032) -> lazy_link_required_opp_table() Fix this by calling _of_clear_opp_table() to remove the opp_table from the list and clear other allocated resources. While at it, also add the missing mutex_destroy() calls in the error path. 2025-12-24 not yet calculated CVE-2023-54026 https://git.kernel.org/stable/c/39a0e723d3502f6dc4c603f57ebe8dc7bcc4a4bc
https://git.kernel.org/stable/c/76ab057de777723ec924654502d1a260ba7d7d54
https://git.kernel.org/stable/c/c05e76d6b249e5254c31994eedd06dd3cc90dee0
https://git.kernel.org/stable/c/b2a2ab039bd58f51355e33d7d3fc64605d7f870d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: iio: core: Prevent invalid memory access when there is no parent Commit 813665564b3d ("iio: core: Convert to use firmware node handle instead of OF node") switched the kind of nodes to use for label retrieval in device registration. Probably an unwanted change in that commit was that if the device has no parent then NULL pointer is accessed. This is what happens in the stock IIO dummy driver when a new entry is created in configfs: # mkdir /sys/kernel/config/iio/devices/dummy/foo BUG: kernel NULL pointer dereference, address: ... ... Call Trace: __iio_device_register iio_dummy_probe Since there seems to be no reason to make a parent device of an IIO dummy device mandatory, let's prevent the invalid memory access in __iio_device_register when the parent device is NULL. With this change, the IIO dummy driver works fine with configfs. 2025-12-24 not yet calculated CVE-2023-54027 https://git.kernel.org/stable/c/312f04ede209f0a186799fe8e64a19b49700d5dc
https://git.kernel.org/stable/c/a4b34cccff14ce74bb7d77fbfd56e7c9d7c28a97
https://git.kernel.org/stable/c/b2a69969908fcaf68596dfc04369af0fe2e1d2f7
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix the error "trying to register non-static key in rxe_cleanup_task" In the function rxe_create_qp(), rxe_qp_from_init() is called to initialize qp, internally things like rxe_init_task are not setup until rxe_qp_init_req(). If an error occurred before this point then the unwind will call rxe_cleanup() and eventually to rxe_qp_do_cleanup()/rxe_cleanup_task() which will oops when trying to access the uninitialized spinlock. If rxe_init_task is not executed, rxe_cleanup_task will not be called. 2025-12-24 not yet calculated CVE-2023-54028 https://git.kernel.org/stable/c/3236221bb8e4de8e3d0c8385f634064fb26b8e38
https://git.kernel.org/stable/c/c8473cd5b301279a41dc75e5afb26b3d5223b6c7
https://git.kernel.org/stable/c/0d938264fcfe4927e54f0e519da05af1d5d720b4
https://git.kernel.org/stable/c/b2b1ddc457458fecd1c6f385baa9fbda5f0c63ad
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix iwl_mvm_max_amsdu_size() for MLO For MLO, we cannot use vif->bss_conf.chandef.chan->band, since that will lead to a NULL-ptr dereference as bss_conf isn't used. However, in case of real MLO, we also need to take both LMACs into account if they exist, since the station might be active on both LMACs at the same time. 2025-12-24 not yet calculated CVE-2023-54029 https://git.kernel.org/stable/c/63e2d06adf6b0842132ba89efdf8fada5f7ff1ac
https://git.kernel.org/stable/c/4489aa868bc6343afdaf5ef324af5b1f64962b25
https://git.kernel.org/stable/c/b2bc600cced23762d4e97db8989b18772145604f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: io_uring/net: don't overflow multishot recv Don't allow overflowing multishot recv CQEs, it might get out of hand, hurt performance, and in the worst case scenario OOM the task. 2025-12-24 not yet calculated CVE-2023-54030 https://git.kernel.org/stable/c/1e2db9837be7d24a2a74eb3f3906d0872bee8907
https://git.kernel.org/stable/c/b2e74db55dd93d6db22a813c9a775b5dbf87c560
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: vdpa: Add queue index attr to vdpa_nl_policy for nlattr length check The vdpa_nl_policy structure is used to validate the nlattr when parsing the incoming nlmsg. It will ensure the attribute being described produces a valid nlattr pointer in info->attrs before entering into each handler in vdpa_nl_ops. That is to say, the missing part in vdpa_nl_policy may lead to illegal nlattr after parsing, which could lead to OOB read just like CVE-2023-3773. This patch adds the missing nla_policy for vdpa queue index attr to avoid such bugs. 2025-12-24 not yet calculated CVE-2023-54031 https://git.kernel.org/stable/c/8ad9bc25cbdcec72e7ca43dd8281decb69ea9a70
https://git.kernel.org/stable/c/ccb533b7070aeeb65c66ea5d590e9c62421dcd61
https://git.kernel.org/stable/c/b3003e1b54e057f5f3124e437b80c3bef26ed3fe
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race when deleting quota root from the dirty cow roots list When disabling quotas we are deleting the quota root from the list fs_info->dirty_cowonly_roots without taking the lock that protects it, which is struct btrfs_fs_info::trans_lock. This unsynchronized list manipulation may cause chaos if there's another concurrent manipulation of this list, such as when adding a root to it with ctree.c:add_root_to_dirty_list(). This can result in all sorts of weird failures caused by a race, such as the following crash: [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.279928] Code: 85 38 06 00 (...) [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206 [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000 [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070 [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600 [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48 [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000 [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0 [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [337571.282874] Call Trace: [337571.283101] <TASK> [337571.283327] ? __die_body+0x1b/0x60 [337571.283570] ? die_addr+0x39/0x60 [337571.283796] ? exc_general_protection+0x22e/0x430 [337571.284022] ? asm_exc_general_protection+0x22/0x30 [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs] [337571.284803] ? _raw_spin_unlock+0x15/0x30 [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs] [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs] [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs] [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410 [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs] [337571.286358] ? mod_objcg_state+0xd2/0x360 [337571.286577] ? refill_obj_stock+0xb0/0x160 [337571.286798] ? seq_release+0x25/0x30 [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0 [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0 [337571.287455] ? __x64_sys_ioctl+0x88/0xc0 [337571.287675] __x64_sys_ioctl+0x88/0xc0 [337571.287901] do_syscall_64+0x38/0x90 [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc [337571.288352] RIP: 0033:0x7f478aaffe9b So fix this by locking struct btrfs_fs_info::trans_lock before deleting the quota root from that list. 2025-12-24 not yet calculated CVE-2023-54032 https://git.kernel.org/stable/c/365f318da7384cbac5de6b9c098914888a4d63e7
https://git.kernel.org/stable/c/6da229754099518cfa27cbfcd0fd042618785fad
https://git.kernel.org/stable/c/679c34821ab7cd93c8ccb96fbf57fc44848a78bc
https://git.kernel.org/stable/c/6819bb0b8552dcc5f82ca606c8911b8c67e0628f
https://git.kernel.org/stable/c/7ba0da31dd4a8fd24d416016c538a95a5664ff02
https://git.kernel.org/stable/c/a53d78d9a8551e72c46ded23e8b0a56e55d32032
https://git.kernel.org/stable/c/a5cdc4012efa808e07d073c11dc2f366b5394ad3
https://git.kernel.org/stable/c/b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bpf: fix a memory leak in the LRU and LRU_PERCPU hash maps The LRU and LRU_PERCPU maps allocate a new element on update before locking the target hash table bucket. Right after that the maps try to lock the bucket. If this fails, then maps return -EBUSY to the caller without releasing the allocated element. This makes the element untracked: it doesn't belong to either of free lists, and it doesn't belong to the hash table, so can't be re-used; this eventually leads to the permanent -ENOMEM on LRU map updates, which is unexpected. Fix this by returning the element to the local free list if bucket locking fails. 2025-12-24 not yet calculated CVE-2023-54033 https://git.kernel.org/stable/c/79ea1a12fb9a8275b6e19d4ca625dd872dedcbb9
https://git.kernel.org/stable/c/1a9e80f757bbb1562d82e350afce2bb2f712cc3d
https://git.kernel.org/stable/c/965e9cccbe6b9c7b379908cebcb5e3a47f20dd5e
https://git.kernel.org/stable/c/b34ffb0c6d23583830f9327864b9c1f486003305
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: iommufd: Make sure to zero vfio_iommu_type1_info before copying to user Missed a zero initialization here. Most of the struct is filled with a copy_from_user(), however minsz for that copy is smaller than the actual struct by 8 bytes, thus we don't fill the padding. 2025-12-24 not yet calculated CVE-2023-54034 https://git.kernel.org/stable/c/7adcec686e4d699c169d34c722132b2bce5232cb
https://git.kernel.org/stable/c/b3551ead616318ea155558cdbe7e91495b8d9b33
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix underflow in chain reference counter Set element addition error path decrements reference counter on chains twice: once on element release and again via nft_data_release(). Then, d6b478666ffa ("netfilter: nf_tables: fix underflow in object reference counter") incorrectly fixed this by removing the stateful object reference count decrement. Restore the stateful object decrement as in b91d90368837 ("netfilter: nf_tables: fix leaking object reference count") and let nft_data_release() decrement the chain reference counter, so this is done only once. 2025-12-24 not yet calculated CVE-2023-54035 https://git.kernel.org/stable/c/b068314fd8ce751a7f906e55bb90f3551815f1a0
https://git.kernel.org/stable/c/9c959671abc7d4ffdf34eed10c64492d43cb6a3c
https://git.kernel.org/stable/c/b389139f12f287b8ed2e2628b72df89a081f0b59
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: rtl8xxxu: Fix memory leaks with RTL8723BU, RTL8192EU The wifi + bluetooth combo chip RTL8723BU can leak memory (especially?) when it's connected to a bluetooth audio device. The busy bluetooth traffic generates lots of C2H (card to host) messages, which are not freed correctly. To fix this, move the dev_kfree_skb() call in rtl8xxxu_c2hcmd_callback() inside the loop where skb_dequeue() is called. The RTL8192EU leaks memory because the C2H messages are added to the queue and left there forever. (This was fine in the past because it probably wasn't sending any C2H messages until commit e542e66b7c2e ("wifi: rtl8xxxu: gen2: Turn on the rate control"). Since that commit it sends a C2H message when the TX rate changes.) To fix this, delete the check for rf_paths > 1 and the goto. Let the function process the C2H messages from RTL8192EU like the ones from the other chips. Theoretically the RTL8188FU could also leak like RTL8723BU, but it most likely doesn't send C2H messages frequently enough. This change was tested with RTL8723BU by Erhard F. I tested it with RTL8188FU and RTL8192EU. 2025-12-24 not yet calculated CVE-2023-54036 https://git.kernel.org/stable/c/430f9f9bec53a75f9ccc53e156a66f13fc098b83
https://git.kernel.org/stable/c/35fb0e275af1aa1ca0a9784417e90f988aaf8e78
https://git.kernel.org/stable/c/93c3f34ec02fc81188d328287d4fddd498ccddea
https://git.kernel.org/stable/c/f39a86b4efd270947ee252cc32a30b0aef492d65
https://git.kernel.org/stable/c/b39f662ce1648db0b9de32e6a849b098480793cb
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ice: prevent NULL pointer deref during reload Calling ethtool during reload can lead to call trace, because VSI isn't configured for some time, but netdev is alive. To fix it add rtnl lock for VSI deconfig and config. Set ::num_q_vectors to 0 after freeing and add a check for ::tx/rx_rings in ring related ethtool ops. Add proper unroll of filters in ice_start_eth(). Reproduction: $watch -n 0.1 -d 'ethtool -g enp24s0f0np0' $devlink dev reload pci/0000:18:00.0 action driver_reinit Call trace before fix: [66303.926205] BUG: kernel NULL pointer dereference, address: 0000000000000000 [66303.926259] #PF: supervisor read access in kernel mode [66303.926286] #PF: error_code(0x0000) - not-present page [66303.926311] PGD 0 P4D 0 [66303.926332] Oops: 0000 [#1] PREEMPT SMP PTI [66303.926358] CPU: 4 PID: 933821 Comm: ethtool Kdump: loaded Tainted: G OE 6.4.0-rc5+ #1 [66303.926400] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.00.01.0014.070920180847 07/09/2018 [66303.926446] RIP: 0010:ice_get_ringparam+0x22/0x50 [ice] [66303.926649] Code: 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 48 8b 87 c0 09 00 00 c7 46 04 e0 1f 00 00 c7 46 10 e0 1f 00 00 48 8b 50 20 <48> 8b 12 0f b7 52 3a 89 56 14 48 8b 40 28 48 8b 00 0f b7 40 58 48 [66303.926722] RSP: 0018:ffffad40472f39c8 EFLAGS: 00010246 [66303.926749] RAX: ffff98a8ada05828 RBX: ffff98a8c46dd060 RCX: ffffad40472f3b48 [66303.926781] RDX: 0000000000000000 RSI: ffff98a8c46dd068 RDI: ffff98a8b23c4000 [66303.926811] RBP: ffffad40472f3b48 R08: 00000000000337b0 R09: 0000000000000000 [66303.926843] R10: 0000000000000001 R11: 0000000000000100 R12: ffff98a8b23c4000 [66303.926874] R13: ffff98a8c46dd060 R14: 000000000000000f R15: ffffad40472f3a50 [66303.926906] FS: 00007f6397966740(0000) GS:ffff98b390900000(0000) knlGS:0000000000000000 [66303.926941] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [66303.926967] CR2: 0000000000000000 CR3: 000000011ac20002 CR4: 00000000007706e0 [66303.926999] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [66303.927029] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [66303.927060] PKRU: 55555554 [66303.927075] Call Trace: [66303.927094] <TASK> [66303.927111] ? __die+0x23/0x70 [66303.927140] ? page_fault_oops+0x171/0x4e0 [66303.927176] ? exc_page_fault+0x7f/0x180 [66303.927209] ? asm_exc_page_fault+0x26/0x30 [66303.927244] ? ice_get_ringparam+0x22/0x50 [ice] [66303.927433] rings_prepare_data+0x62/0x80 [66303.927469] ethnl_default_doit+0xe2/0x350 [66303.927501] genl_family_rcv_msg_doit.isra.0+0xe3/0x140 [66303.927538] genl_rcv_msg+0x1b1/0x2c0 [66303.927561] ? __pfx_ethnl_default_doit+0x10/0x10 [66303.927590] ? __pfx_genl_rcv_msg+0x10/0x10 [66303.927615] netlink_rcv_skb+0x58/0x110 [66303.927644] genl_rcv+0x28/0x40 [66303.927665] netlink_unicast+0x19e/0x290 [66303.927691] netlink_sendmsg+0x254/0x4d0 [66303.927717] sock_sendmsg+0x93/0xa0 [66303.927743] __sys_sendto+0x126/0x170 [66303.927780] __x64_sys_sendto+0x24/0x30 [66303.928593] do_syscall_64+0x5d/0x90 [66303.929370] ? __count_memcg_events+0x60/0xa0 [66303.930146] ? count_memcg_events.constprop.0+0x1a/0x30 [66303.930920] ? handle_mm_fault+0x9e/0x350 [66303.931688] ? do_user_addr_fault+0x258/0x740 [66303.932452] ? exc_page_fault+0x7f/0x180 [66303.933193] entry_SYSCALL_64_after_hwframe+0x72/0xdc 2025-12-24 not yet calculated CVE-2023-54037 https://git.kernel.org/stable/c/ca03b327224ed6be2d07f42ee6ee1cdd586cfd5b
https://git.kernel.org/stable/c/b3e7b3a6ee92ab927f750a6b19615ce88ece808f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link hci_connect_sco currently returns NULL when there is no link (i.e. when hci_conn_link() returns NULL). sco_connect() expects an ERR_PTR in case of any error (see line 266 in sco.c). Thus, hcon set as NULL passes through to sco_conn_add(), which tries to get hcon->hdev, resulting in dereferencing a NULL pointer as reported by syzkaller. The same issue exists for iso_connect_cis() calling hci_connect_cis(). Thus, make hci_connect_sco() and hci_connect_cis() return ERR_PTR instead of NULL. 2025-12-24 not yet calculated CVE-2023-54038 https://git.kernel.org/stable/c/357ab53c83a5322437fa434e9a9e3e0bafe6b383
https://git.kernel.org/stable/c/b4066eb04bb67e7ff66e5aaab0db4a753f37eaad
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access In the j1939_tp_tx_dat_new() function, an out-of-bounds memory access could occur during the memcpy() operation if the size of skb->cb is larger than the size of struct j1939_sk_buff_cb. This is because the memcpy() operation uses the size of skb->cb, leading to a read beyond the struct j1939_sk_buff_cb. Updated the memcpy() operation to use the size of struct j1939_sk_buff_cb instead of the size of skb->cb. This ensures that the memcpy() operation only reads the memory within the bounds of struct j1939_sk_buff_cb, preventing out-of-bounds memory access. Additionally, add a BUILD_BUG_ON() to check that the size of skb->cb is greater than or equal to the size of struct j1939_sk_buff_cb. This ensures that the skb->cb buffer is large enough to hold the j1939_sk_buff_cb structure. [mkl: rephrase commit message] 2025-12-24 not yet calculated CVE-2023-54039 https://git.kernel.org/stable/c/d2136f05690c272dfc9f9d6efcc51d5f53494b33
https://git.kernel.org/stable/c/70caa596d158a5d84b117f722d58f3ea503a5ba9
https://git.kernel.org/stable/c/4fe1d9b6231a68ffc91318f57fd8e4982f028cf7
https://git.kernel.org/stable/c/4c3fb22a6ec68258ee129a2e6b720f43dffc562f
https://git.kernel.org/stable/c/36befc9aed6202b4a9b906529aea13eacd7e34ff
https://git.kernel.org/stable/c/b45193cb4df556fe6251b285a5ce44046dd36b4a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ice: fix wrong fallback logic for FDIR When adding a FDIR filter, if ice_vc_fdir_set_irq_ctx returns failure, the inserted fdir entry will not be removed and if ice_vc_fdir_write_fltr returns failure, the fdir context info for irq handler will not be cleared which may lead to inconsistent or memory leak issue. This patch refines failure cases to resolve this issue. 2025-12-24 not yet calculated CVE-2023-54040 https://git.kernel.org/stable/c/391d28c0e38c0e5b11a4240a2b4976cf63e87f45
https://git.kernel.org/stable/c/aad3b871efe26f36f45f8b4649653b5d3fd9c35e
https://git.kernel.org/stable/c/cbfed5f114b5310f221979fc8190f55c6abc3400
https://git.kernel.org/stable/c/b4a01ace20f5c93c724abffc0a83ec84f514b98d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: io_uring: fix memory leak when removing provided buffers When removing provided buffers, io_buffer structs are not being disposed of, leading to a memory leak. They can't be freed individually, because they are allocated in page-sized groups. They need to be added to some free list instead, such as io_buffers_cache. All callers already hold the lock protecting it, apart from when destroying buffers, so had to extend the lock there. 2025-12-24 not yet calculated CVE-2023-54041 https://git.kernel.org/stable/c/ac48787f58d1068f4e06d627c1135784d64b4c72
https://git.kernel.org/stable/c/c117c15927772d1624c29c092b6bd3f47c7faa48
https://git.kernel.org/stable/c/b4a72c0589fdea6259720375426179888969d6a2
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: Fix VAS mm use after free The refcount on mm is dropped before the coprocessor is detached. 2025-12-24 not yet calculated CVE-2023-54042 https://git.kernel.org/stable/c/f7d92313002b2d543500cc417d8079aaed1fb0a8
https://git.kernel.org/stable/c/4e82f92c349ea603736ade1e814861c0182a55ad
https://git.kernel.org/stable/c/db8657fdd53c5e3069149d7f957cb60e63027bb2
https://git.kernel.org/stable/c/421cd1544480f2458042fe7f4913a2069c4d7251
https://git.kernel.org/stable/c/b4bda59b47879cce38a6ec5a01cd3cac702b5331
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: iommufd: Do not add the same hwpt to the ioas->hwpt_list twice The hwpt is added to the hwpt_list only during its creation, it is never added again. This hunk is some missed leftover from rework. Adding it twice will corrupt the linked list in some cases. It effects HWPT specific attachment, which is something the test suite cannot cover until we can create a legitimate struct device with a non-system iommu "driver" (ie we need the bus removed from the iommu code) 2025-12-24 not yet calculated CVE-2023-54043 https://git.kernel.org/stable/c/c44adefdcf472f946f0632f4e0ddcbf3e00b8516
https://git.kernel.org/stable/c/b4ff830eca097df51af10a9be29e8cc817327919
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: spmi: Add a check for remove callback when removing a SPMI driver When removing a SPMI driver, there can be a crash due to NULL pointer dereference if it does not have a remove callback defined. This is one such call trace observed when removing the QCOM SPMI PMIC driver: dump_backtrace.cfi_jt+0x0/0x8 dump_stack_lvl+0xd8/0x16c panic+0x188/0x498 __cfi_slowpath+0x0/0x214 __cfi_slowpath+0x1dc/0x214 spmi_drv_remove+0x16c/0x1e0 device_release_driver_internal+0x468/0x79c driver_detach+0x11c/0x1a0 bus_remove_driver+0xc4/0x124 driver_unregister+0x58/0x84 cleanup_module+0x1c/0xc24 [qcom_spmi_pmic] __do_sys_delete_module+0x3ec/0x53c __arm64_sys_delete_module+0x18/0x28 el0_svc_common+0xdc/0x294 el0_svc+0x38/0x9c el0_sync_handler+0x8c/0xf0 el0_sync+0x1b4/0x1c0 If a driver has all its resources allocated through devm_() APIs and does not need any other explicit cleanup, it would not require a remove callback to be defined. Hence, add a check for remove callback presence before calling it when removing a SPMI driver. 2025-12-24 not yet calculated CVE-2023-54044 https://git.kernel.org/stable/c/b95a69214daea4aab1c8bad96571d988a62e2c97
https://git.kernel.org/stable/c/699949219e35fe29fd42ccf8cd92c989c3d15109
https://git.kernel.org/stable/c/54dda732225555dc6d660e95793c54a0a44b612c
https://git.kernel.org/stable/c/c45ab3ab9c371c9ac22bbe1217e5abb2e55a3d4b
https://git.kernel.org/stable/c/ee0b6146317a98bfec848d7bde5586beb245a38f
https://git.kernel.org/stable/c/428cc252701d6864151f3a296ffc23e1e49a7408
https://git.kernel.org/stable/c/af763c29b9e7040fedd0077bca053b101438a3a4
https://git.kernel.org/stable/c/0f3ef30c1c05502f5de3b73b3715d5994845c1b4
https://git.kernel.org/stable/c/b56eef3e16d888883fefab47425036de80dd38fc
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: audit: fix possible soft lockup in __audit_inode_child() Tracefs or debugfs maybe cause hundreds to thousands of PATH records, too many PATH records maybe cause soft lockup. For example: 1. CONFIG_KASAN=y && CONFIG_PREEMPTION=n 2. auditctl -a exit,always -S open -k key 3. sysctl -w kernel.watchdog_thresh=5 4. mkdir /sys/kernel/debug/tracing/instances/test There may be a soft lockup as follows: watchdog: BUG: soft lockup - CPU#45 stuck for 7s! [mkdir:15498] Kernel panic - not syncing: softlockup: hung tasks Call trace: dump_backtrace+0x0/0x30c show_stack+0x20/0x30 dump_stack+0x11c/0x174 panic+0x27c/0x494 watchdog_timer_fn+0x2bc/0x390 __run_hrtimer+0x148/0x4fc __hrtimer_run_queues+0x154/0x210 hrtimer_interrupt+0x2c4/0x760 arch_timer_handler_phys+0x48/0x60 handle_percpu_devid_irq+0xe0/0x340 __handle_domain_irq+0xbc/0x130 gic_handle_irq+0x78/0x460 el1_irq+0xb8/0x140 __audit_inode_child+0x240/0x7bc tracefs_create_file+0x1b8/0x2a0 trace_create_file+0x18/0x50 event_create_dir+0x204/0x30c __trace_add_new_event+0xac/0x100 event_trace_add_tracer+0xa0/0x130 trace_array_create_dir+0x60/0x140 trace_array_create+0x1e0/0x370 instance_mkdir+0x90/0xd0 tracefs_syscall_mkdir+0x68/0xa0 vfs_mkdir+0x21c/0x34c do_mkdirat+0x1b4/0x1d4 __arm64_sys_mkdirat+0x4c/0x60 el0_svc_common.constprop.0+0xa8/0x240 do_el0_svc+0x8c/0xc0 el0_svc+0x20/0x30 el0_sync_handler+0xb0/0xb4 el0_sync+0x160/0x180 Therefore, we add cond_resched() to __audit_inode_child() to fix it. 2025-12-24 not yet calculated CVE-2023-54045 https://git.kernel.org/stable/c/d061e2bfc20f2914656385816e0d20566213c54c
https://git.kernel.org/stable/c/1640c7bd4eddec6c72f3a99cbb74e333a2ce9f5d
https://git.kernel.org/stable/c/f6364fa751d7486502c777f124a14d4d543fc5eb
https://git.kernel.org/stable/c/98ef243d5900d75a64539a2165745bffbb155d43
https://git.kernel.org/stable/c/0152e7758cc4e9f8bfba8dbea4438d8e488d6c08
https://git.kernel.org/stable/c/9ca08adb75fb40a8f742c371927ee73f9dc753bf
https://git.kernel.org/stable/c/8a40b491372966ba5426e138a53460985565d5a6
https://git.kernel.org/stable/c/8e76b944a7b9bddef190ffe2e29c9ae342ab91ed
https://git.kernel.org/stable/c/b59bc6e37237e37eadf50cd5de369e913f524463
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Handle EBUSY correctly As it is essiv only handles the special return value of EINPROGERSS, which means that in all other cases it will free data related to the request. However, as the caller of essiv may specify MAY_BACKLOG, we also need to expect EBUSY and treat it in the same way. Otherwise backlogged requests will trigger a use-after-free. 2025-12-24 not yet calculated CVE-2023-54046 https://git.kernel.org/stable/c/c61e7d182ee3f3f5ecf18a2964e303d49c539b52
https://git.kernel.org/stable/c/796e02cca30a67322161f0745e5ce994bbe75605
https://git.kernel.org/stable/c/840a1d3b77c1b062bd62b4733969a5b1efc274ce
https://git.kernel.org/stable/c/a006aa3eedb8bfd6fe317c3cfe9c86ffe76b2385
https://git.kernel.org/stable/c/69c67d451fc19d88e54f7d97e8e7c093e08357e1
https://git.kernel.org/stable/c/b5a772adf45a32c68bef28e60621f12617161556
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/rockchip: dw_hdmi: cleanup drm encoder during unbind This fixes a use-after-free crash during rmmod. The DRM encoder is embedded inside the larger rockchip_hdmi, which is allocated with the component. The component memory gets freed before the main drm device is destroyed. Fix it by running encoder cleanup before tearing down its container. [moved encoder cleanup above clk_disable, similar to bind-error-path] 2025-12-24 not yet calculated CVE-2023-54047 https://git.kernel.org/stable/c/110d4202522373d629d14597af9bac97eb58bd67
https://git.kernel.org/stable/c/218fe9b624545f4bcfb16cdb35ac3d60c8b0d8c7
https://git.kernel.org/stable/c/b5af48eedcb53491c02ded55d5991e03d6da6dbf
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Prevent handling any completions after qp destroy HW may generate completions that indicates QP is destroyed. Driver should not be scheduling any more completion handlers for this QP, after the QP is destroyed. Since CQs are active during the QP destroy, driver may still schedule completion handlers. This can cause a race where the destroy_cq and poll_cq running simultaneously. Snippet of kernel panic while doing bnxt_re driver load unload in loop. This indicates a poll after the CQ is freed.  [77786.481636] Call Trace: [77786.481640]  <TASK> [77786.481644]  bnxt_re_poll_cq+0x14a/0x620 [bnxt_re] [77786.481658]  ? kvm_clock_read+0x14/0x30 [77786.481693]  __ib_process_cq+0x57/0x190 [ib_core] [77786.481728]  ib_cq_poll_work+0x26/0x80 [ib_core] [77786.481761]  process_one_work+0x1e5/0x3f0 [77786.481768]  worker_thread+0x50/0x3a0 [77786.481785]  ? __pfx_worker_thread+0x10/0x10 [77786.481790]  kthread+0xe2/0x110 [77786.481794]  ? __pfx_kthread+0x10/0x10 [77786.481797]  ret_from_fork+0x2c/0x50 To avoid this, complete all completion handlers before returning the destroy QP. If free_cq is called soon after destroy_qp, IB stack will cancel the CQ work before invoking the destroy_cq verb and this will prevent any race mentioned. 2025-12-24 not yet calculated CVE-2023-54048 https://git.kernel.org/stable/c/b79a0e71d6e8692e0b6da05f8aaa7d69191cf7e7
https://git.kernel.org/stable/c/b8500538b8f5b2cd86b02754c8de83eaa7a2d6ba
https://git.kernel.org/stable/c/7faa6097694164380ed19600c7a7993d071270b9
https://git.kernel.org/stable/c/b5bbc6551297447d3cca55cf907079e206e9cd82
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: rpmsg: glink: Add check for kstrdup Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference. 2025-12-24 not yet calculated CVE-2023-54049 https://git.kernel.org/stable/c/5197498c902502127a47abda5359dd7f1d41946f
https://git.kernel.org/stable/c/13928a837e0f014dac0322dd9f8a67c486e7f232
https://git.kernel.org/stable/c/efa7f31669f04084ed5996ed467ba529f4c90467
https://git.kernel.org/stable/c/71ac2ffd7f80fdd350486f6645dc48456e55a59b
https://git.kernel.org/stable/c/abd740db896b3c588dced175af98b95852c1854b
https://git.kernel.org/stable/c/cae0787e408c30a575760a531ccb69a6b48bbfaf
https://git.kernel.org/stable/c/174cf8853857c190a3c4f1f1d2d06cfd095fe859
https://git.kernel.org/stable/c/e3734a9558afac91df3c655a6f2376b9d14933b7
https://git.kernel.org/stable/c/b5c9ee8296a3760760c7b5d2e305f91412adc795
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ubifs: Fix memleak when insert_old_idx() failed Following process will cause a memleak for copied up znode: dirty_cow_znode zn = copy_znode(c, znode); err = insert_old_idx(c, zbr->lnum, zbr->offs); if (unlikely(err)) return ERR_PTR(err); // No one refers to zn. Fetch a reproducer in [Link]. Function copy_znode() is split into 2 parts: resource allocation and znode replacement, insert_old_idx() is split in similar way, so resource cleanup could be done in error handling path without corrupting metadata(mem & disk). It's okay that old index inserting is put behind of add_idx_dirt(), old index is used in layout_leb_in_gaps(), so the two processes do not depend on each other. 2025-12-24 not yet calculated CVE-2023-54050 https://git.kernel.org/stable/c/cc29c7216d7f057eb0613b97dc38c7e1962a88d2
https://git.kernel.org/stable/c/6f2eee5457bc48b0426dedfd78cdbdea241a6edb
https://git.kernel.org/stable/c/66e9f2fb3e753f820bec2a98e8c6387029988320
https://git.kernel.org/stable/c/3ae75f82c33fa1b4ca2006b55c84f4ef4a428d4d
https://git.kernel.org/stable/c/ef9aac603659e9ffe7d69ae16e3f0fc0991a965b
https://git.kernel.org/stable/c/79079cebbeed624b9d01cfcf1e3254ae1a1f6e14
https://git.kernel.org/stable/c/a6da0ab9847779e05a7416c7a98148b549de69ef
https://git.kernel.org/stable/c/b5fda08ef213352ac2df7447611eb4d383cce929
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: do not allow gso_size to be set to GSO_BY_FRAGS One missing check in virtio_net_hdr_to_skb() allowed syzbot to crash kernels again [1] Do not allow gso_size to be set to GSO_BY_FRAGS (0xffff), because this magic value is used by the kernel. [1] general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 0 PID: 5039 Comm: syz-executor401 Not tainted 6.5.0-rc5-next-20230809-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 RIP: 0010:skb_segment+0x1a52/0x3ef0 net/core/skbuff.c:4500 Code: 00 00 00 e9 ab eb ff ff e8 6b 96 5d f9 48 8b 84 24 00 01 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e ea 21 00 00 48 8b 84 24 00 01 RSP: 0018:ffffc90003d3f1c8 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 000000000001fffe RCX: 0000000000000000 RDX: 000000000000000e RSI: ffffffff882a3115 RDI: 0000000000000070 RBP: ffffc90003d3f378 R08: 0000000000000005 R09: 000000000000ffff R10: 000000000000ffff R11: 5ee4a93e456187d6 R12: 000000000001ffc6 R13: dffffc0000000000 R14: 0000000000000008 R15: 000000000000ffff FS: 00005555563f2380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020020000 CR3: 000000001626d000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> udp6_ufo_fragment+0x9d2/0xd50 net/ipv6/udp_offload.c:109 ipv6_gso_segment+0x5c4/0x17b0 net/ipv6/ip6_offload.c:120 skb_mac_gso_segment+0x292/0x610 net/core/gso.c:53 __skb_gso_segment+0x339/0x710 net/core/gso.c:124 skb_gso_segment include/net/gso.h:83 [inline] validate_xmit_skb+0x3a5/0xf10 net/core/dev.c:3625 __dev_queue_xmit+0x8f0/0x3d60 net/core/dev.c:4329 dev_queue_xmit include/linux/netdevice.h:3082 [inline] packet_xmit+0x257/0x380 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3087 [inline] packet_sendmsg+0x24c7/0x5570 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:727 [inline] sock_sendmsg+0xd9/0x180 net/socket.c:750 ____sys_sendmsg+0x6ac/0x940 net/socket.c:2496 ___sys_sendmsg+0x135/0x1d0 net/socket.c:2550 __sys_sendmsg+0x117/0x1e0 net/socket.c:2579 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7ff27cdb34d9 2025-12-24 not yet calculated CVE-2023-54051 https://git.kernel.org/stable/c/a5f9e5804d239d288d983db36bbed45ed10729a0
https://git.kernel.org/stable/c/4c9bfadb4301daaceb6c575fa6ad3bc82c152e79
https://git.kernel.org/stable/c/210ff31342ade546d8d9d0ec4d3cf9cb50ae632d
https://git.kernel.org/stable/c/0a593e8a9d24360fbc469c5897d0791aa2f20ed3
https://git.kernel.org/stable/c/578371ce0d7f67ea1e65817c04478aaab0d36b68
https://git.kernel.org/stable/c/2e03a92b241102aaf490439aa1b00239f84f530f
https://git.kernel.org/stable/c/e3636862f5595b3d2f02650f7b21d39043a34f3e
https://git.kernel.org/stable/c/b616be6b97688f2f2bd7c4a47ab32f27f94fb2a9
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921: fix skb leak by txs missing in AMSDU txs may be dropped if the frame is aggregated in AMSDU. When the problem shows up, some SKBs would be hold in driver to cause network stopped temporarily. Even if the problem can be recovered by txs timeout handling, mt7921 still need to disable txs in AMSDU to avoid this issue. 2025-12-24 not yet calculated CVE-2023-54052 https://git.kernel.org/stable/c/1cd102aaedb277fbe81dd08cd9f5cae951de2bff
https://git.kernel.org/stable/c/e74778e91fedc3b2a0143264887bbb32508c5000
https://git.kernel.org/stable/c/bf5d3fad7219b8de7d3a9cb59f0ea5243b018f07
https://git.kernel.org/stable/c/b642f4c5f3de0a8f47808d32b1ebd9c427a42a66
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: pcie: fix possible NULL pointer dereference It is possible that iwl_pci_probe() will fail and free the trans, then afterwards iwl_pci_remove() will be called and crash by trying to access trans which is already freed, fix it. iwlwifi 0000:01:00.0: Detected crf-id 0xa5a5a5a2, cnv-id 0xa5a5a5a2 wfpm id 0xa5a5a5a2 iwlwifi 0000:01:00.0: Can't find a correct rfid for crf id 0x5a2 ... BUG: kernel NULL pointer dereference, address: 0000000000000028 ... RIP: 0010:iwl_pci_remove+0x12/0x30 [iwlwifi] pci_device_remove+0x3e/0xb0 device_release_driver_internal+0x103/0x1f0 driver_detach+0x4c/0x90 bus_remove_driver+0x5c/0xd0 driver_unregister+0x31/0x50 pci_unregister_driver+0x40/0x90 iwl_pci_unregister_driver+0x15/0x20 [iwlwifi] __exit_compat+0x9/0x98 [iwlwifi] __x64_sys_delete_module+0x147/0x260 2025-12-24 not yet calculated CVE-2023-54053 https://git.kernel.org/stable/c/f6f2d16c77f936041b8ac495fceabded4ec6c83c
https://git.kernel.org/stable/c/0fc0d287c1e7dcb39a3b9bb0f8679cd68c2156c7
https://git.kernel.org/stable/c/7545f21eee1356ec98581125c4dba9c4c0cc7397
https://git.kernel.org/stable/c/0f9a1bcb94016d3a3c455a77b01f6bb06e15f6eb
https://git.kernel.org/stable/c/dcd23aa6cc0ded7950b60ce1badb80b84045c6c0
https://git.kernel.org/stable/c/b655b9a9f8467684cfa8906713d33b71ea8c8f54
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix buffer overrun Klocwork warning: Buffer Overflow - Array Index Out of Bounds Driver uses fc_els_flogi to calculate size of buffer. The actual buffer is nested inside of fc_els_flogi which is smaller. Replace structure name to allow proper size calculation. 2025-12-24 not yet calculated CVE-2023-54054 https://git.kernel.org/stable/c/eecb8a491c824a9376155d26ec95b6d0054c059c
https://git.kernel.org/stable/c/89250e775dcc4482d8e970ed92ad2c9458b14a8a
https://git.kernel.org/stable/c/2dddbf8de128289a3fb7ae38d9bc4b2217205ec1
https://git.kernel.org/stable/c/d5e7c9cd56e987c8687859a0bf38fd86aa8f3cec
https://git.kernel.org/stable/c/b68710a8094fdffe8dd4f7a82c82649f479bb453
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix memory leak of PBLE objects On rmmod of irdma, the PBLE object memory is not being freed. PBLE object memory are not statically pre-allocated at function initialization time unlike other HMC objects. PBLEs objects and the Segment Descriptors (SD) for it can be dynamically allocated during scale up and SD's remain allocated till function deinitialization. Fix this leak by adding IRDMA_HMC_IW_PBLE to the iw_hmc_obj_types[] table and skip pbles in irdma_create_hmc_obj but not in irdma_del_hmc_objects(). 2025-12-24 not yet calculated CVE-2023-54055 https://git.kernel.org/stable/c/810250c9c6616fe131099c0e51c61f2110ed07bf
https://git.kernel.org/stable/c/ee02fa4a71bdb95a444124e5c11eaa22f1f44738
https://git.kernel.org/stable/c/adf58bd4018fbcd990c62e840afd2f178eefad60
https://git.kernel.org/stable/c/b69a6979dbaa2453675fe9c71bdc2497fedb11f9
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: kheaders: Use array declaration instead of char Under CONFIG_FORTIFY_SOURCE, memcpy() will check the size of destination and source buffers. Defining kernel_headers_data as "char" would trip this check. Since these addresses are treated as byte arrays, define them as arrays (as done everywhere else). This was seen with: $ cat /sys/kernel/kheaders.tar.xz >> /dev/null detected buffer overflow in memcpy kernel BUG at lib/string_helpers.c:1027! ... RIP: 0010:fortify_panic+0xf/0x20 [...] Call Trace: <TASK> ikheaders_read+0x45/0x50 [kheaders] kernfs_fop_read_iter+0x1a4/0x2f0 ... 2025-12-24 not yet calculated CVE-2023-54056 https://git.kernel.org/stable/c/719459877d58c8aced5845c1e5b98d8d87d09197
https://git.kernel.org/stable/c/fcd2da2e6bf2640a31a2a5b118b50dc3635c707b
https://git.kernel.org/stable/c/4a07d2d511e2703efd4387891d49e0326f1157f3
https://git.kernel.org/stable/c/b9f6845a492de20679b84bda6b08be347c5819da
https://git.kernel.org/stable/c/d6d1af6b8611801b585c53c0cc63626c8d339e96
https://git.kernel.org/stable/c/82d2e01b95c439fe55fab5e04fc83387c42d3a48
https://git.kernel.org/stable/c/b69edab47f1da8edd8e7bfdf8c70f51a2a5d89fb
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter The 'acpiid' buffer in the parse_ivrs_acpihid function may overflow, because the string specifier in the format string sscanf() has no width limitation. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE. 2025-12-24 not yet calculated CVE-2023-54057 https://git.kernel.org/stable/c/5e97dc748d13fad582136ba0c8cec215c7aeeb17
https://git.kernel.org/stable/c/f2a5ec7f7b28f9b9cd5fac232ff51019a7f7b9e9
https://git.kernel.org/stable/c/c513043e0afe6a8ba79d00af358655afabb576d2
https://git.kernel.org/stable/c/2ae19ac3ea82a5b87a81c10adbb497c9e58bdd60
https://git.kernel.org/stable/c/63cd11165e5e0ea2012254c764003eda1f9adb7d
https://git.kernel.org/stable/c/b6b26d86c61c441144c72f842f7469bb686e1211
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: firmware: arm_ffa: Check if ffa_driver remove is present before executing Currently ffa_drv->remove() is called unconditionally from ffa_device_remove(). Since the driver registration doesn't check for it and allows it to be registered without .remove callback, we need to check for the presence of it before executing it from ffa_device_remove() to above a NULL pointer dereference like the one below: | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 | Mem abort info: | ESR = 0x0000000086000004 | EC = 0x21: IABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x04: level 0 translation fault | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881cc8000 | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 | Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP | CPU: 3 PID: 130 Comm: rmmod Not tainted 6.3.0-rc7 #6 | Hardware name: FVP Base RevC (DT) | pstate: 63402809 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=-c) | pc : 0x0 | lr : ffa_device_remove+0x20/0x2c | Call trace: | 0x0 | device_release_driver_internal+0x16c/0x260 | driver_detach+0x90/0xd0 | bus_remove_driver+0xdc/0x11c | driver_unregister+0x30/0x54 | ffa_driver_unregister+0x14/0x20 | cleanup_module+0x18/0xeec | __arm64_sys_delete_module+0x234/0x378 | invoke_syscall+0x40/0x108 | el0_svc_common+0xb4/0xf0 | do_el0_svc+0x30/0xa4 | el0_svc+0x2c/0x7c | el0t_64_sync_handler+0x84/0xf0 | el0t_64_sync+0x190/0x194 2025-12-24 not yet calculated CVE-2023-54058 https://git.kernel.org/stable/c/6a26c62625c59b8dd7f52c518cb4f60a63470a0e
https://git.kernel.org/stable/c/ad73dc7263ea90302d6c7eeb7e9f7cbcfa0b0617
https://git.kernel.org/stable/c/48399c297c46b4c8e77ebcf071bb586a42d0ca4e
https://git.kernel.org/stable/c/b71b55248a580e9c9befc4ae060539f1f8e477da
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: soc: mediatek: mtk-svs: Enable the IRQ later If the system does not come from reset (like when is booted via kexec()), the peripheral might triger an IRQ before the data structures are initialised. [ 0.227710] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000f08 [ 0.227913] Call trace: [ 0.227918] svs_isr+0x8c/0x538 2025-12-24 not yet calculated CVE-2023-54059 https://git.kernel.org/stable/c/6b99ebd30d65ee5ab8e8dd1d378550911eff5e4f
https://git.kernel.org/stable/c/66ea96629bbccf1b483be506f3daff754069cdd3
https://git.kernel.org/stable/c/b74952aba6c3f47e7f2c5165abaeefa44c377140
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: iommufd: Set end correctly when doing batch carry Even though the test suite covers this it somehow became obscured that this wasn't working. The test iommufd_ioas.mock_domain.access_domain_destory would blow up rarely. end should be set to 1 because this just pushed an item, the carry, to the pfns list. Sometimes the test would blow up with: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP CPU: 5 PID: 584 Comm: iommufd Not tainted 6.5.0-rc1-dirty #1236 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:batch_unpin+0xa2/0x100 [iommufd] Code: 17 48 81 fe ff ff 07 00 77 70 48 8b 15 b7 be 97 e2 48 85 d2 74 14 48 8b 14 fa 48 85 d2 74 0b 40 0f b6 f6 48 c1 e6 04 48 01 f2 <48> 8b 3a 48 c1 e0 06 89 ca 48 89 de 48 83 e7 f0 48 01 c7 e8 96 dc RSP: 0018:ffffc90001677a58 EFLAGS: 00010246 RAX: 00007f7e2646f000 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 0000000000000000 RSI: 00000000fefc4c8d RDI: 0000000000fefc4c RBP: ffffc90001677a80 R08: 0000000000000048 R09: 0000000000000200 R10: 0000000000030b98 R11: ffffffff81f3bb40 R12: 0000000000000001 R13: ffff888101f75800 R14: ffffc90001677ad0 R15: 00000000000001fe FS: 00007f9323679740(0000) GS:ffff8881ba540000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000105ede003 CR4: 00000000003706a0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? show_regs+0x5c/0x70 ? __die+0x1f/0x60 ? page_fault_oops+0x15d/0x440 ? lock_release+0xbc/0x240 ? exc_page_fault+0x4a4/0x970 ? asm_exc_page_fault+0x27/0x30 ? batch_unpin+0xa2/0x100 [iommufd] ? batch_unpin+0xba/0x100 [iommufd] __iopt_area_unfill_domain+0x198/0x430 [iommufd] ? __mutex_lock+0x8c/0xb80 ? __mutex_lock+0x6aa/0xb80 ? xa_erase+0x28/0x30 ? iopt_table_remove_domain+0x162/0x320 [iommufd] ? lock_release+0xbc/0x240 iopt_area_unfill_domain+0xd/0x10 [iommufd] iopt_table_remove_domain+0x195/0x320 [iommufd] iommufd_hw_pagetable_destroy+0xb3/0x110 [iommufd] iommufd_object_destroy_user+0x8e/0xf0 [iommufd] iommufd_device_detach+0xc5/0x140 [iommufd] iommufd_selftest_destroy+0x1f/0x70 [iommufd] iommufd_object_destroy_user+0x8e/0xf0 [iommufd] iommufd_destroy+0x3a/0x50 [iommufd] iommufd_fops_ioctl+0xfb/0x170 [iommufd] __x64_sys_ioctl+0x40d/0x9a0 do_syscall_64+0x3c/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 2025-12-24 not yet calculated CVE-2023-54060 https://git.kernel.org/stable/c/176f36a376c417b58d19f79edfce20db9317eaa2
https://git.kernel.org/stable/c/b7c822fa6b7701b17e139f1c562fc24135880ed4
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: x86: fix clear_user_rep_good() exception handling annotation This code no longer exists in mainline, because it was removed in commit d2c95f9d6802 ("x86: don't use REP_GOOD or ERMS for user memory clearing") upstream. However, rather than backport the full range of x86 memory clearing and copying cleanups, fix the exception table annotation placement for the final 'rep movsb' in clear_user_rep_good(): rather than pointing at the actual instruction that did the user space access, it pointed to the register move just before it. That made sense from a code flow standpoint, but not from an actual usage standpoint: it means that if user access takes an exception, the exception handler won't actually find the instruction in the exception tables. As a result, rather than fixing it up and returning -EFAULT, it would then turn it into a kernel oops report instead, something like: BUG: unable to handle page fault for address: 0000000020081000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page ... RIP: 0010:clear_user_rep_good+0x1c/0x30 arch/x86/lib/clear_page_64.S:147 ... Call Trace: __clear_user arch/x86/include/asm/uaccess_64.h:103 [inline] clear_user arch/x86/include/asm/uaccess_64.h:124 [inline] iov_iter_zero+0x709/0x1290 lib/iov_iter.c:800 iomap_dio_hole_iter fs/iomap/direct-io.c:389 [inline] iomap_dio_iter fs/iomap/direct-io.c:440 [inline] __iomap_dio_rw+0xe3d/0x1cd0 fs/iomap/direct-io.c:601 iomap_dio_rw+0x40/0xa0 fs/iomap/direct-io.c:689 ext4_dio_read_iter fs/ext4/file.c:94 [inline] ext4_file_read_iter+0x4be/0x690 fs/ext4/file.c:145 call_read_iter include/linux/fs.h:2183 [inline] do_iter_readv_writev+0x2e0/0x3b0 fs/read_write.c:733 do_iter_read+0x2f2/0x750 fs/read_write.c:796 vfs_readv+0xe5/0x150 fs/read_write.c:916 do_preadv+0x1b6/0x270 fs/read_write.c:1008 __do_sys_preadv2 fs/read_write.c:1070 [inline] __se_sys_preadv2 fs/read_write.c:1061 [inline] __x64_sys_preadv2+0xef/0x150 fs/read_write.c:1061 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd which then looks like a filesystem bug rather than the incorrect exception annotation that it is. [ The alternative to this one-liner fix is to take the upstream series that cleans this all up: 68674f94ffc9 ("x86: don't use REP_GOOD or ERMS for small memory copies") 20f3337d350c ("x86: don't use REP_GOOD or ERMS for small memory clearing") adfcf4231b8c ("x86: don't use REP_GOOD or ERMS for user memory copies") * d2c95f9d6802 ("x86: don't use REP_GOOD or ERMS for user memory clearing") 3639a535587d ("x86: move stac/clac from user copy routines into callers") 577e6a7fd50d ("x86: inline the 'rep movs' in user copies for the FSRM case") 8c9b6a88b7e2 ("x86: improve on the non-rep 'clear_user' function") 427fda2c8a49 ("x86: improve on the non-rep 'copy_user' function") * e046fe5a36a9 ("x86: set FSRS automatically on AMD CPUs that have FSRM") e1f2750edc4a ("x86: remove 'zerorest' argument from __copy_user_nocache()") 034ff37d3407 ("x86: rewrite '__copy_user_nocache' function") with either the whole series or at a minimum the two marked commits being needed to fix this issue ] 2025-12-24 not yet calculated CVE-2023-54061 https://git.kernel.org/stable/c/b805d212c394f291f116b12c53401e7ba0c4d408
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ext4: fix invalid free tracking in ext4_xattr_move_to_block() In ext4_xattr_move_to_block(), the value of the extended attribute which we need to move to an external block may be allocated by kvmalloc() if the value is stored in an external inode. So at the end of the function the code tried to check if this was the case by testing entry->e_value_inum. However, at this point, the pointer to the xattr entry is no longer valid, because it was removed from the original location where it had been stored. So we could end up calling kvfree() on a pointer which was not allocated by kvmalloc(); or we could also potentially leak memory by not freeing the buffer when it should be freed. Fix this by storing whether it should be freed in a separate variable. 2025-12-24 not yet calculated CVE-2023-54062 https://git.kernel.org/stable/c/76887be2a96193cd11be818551b8934ecdb3123f
https://git.kernel.org/stable/c/f30f3391d089dc91aef91d08f4b04a6c0df2b067
https://git.kernel.org/stable/c/ba04d6af5ac440a6d5a2d35dc1d8e2cb0323550a
https://git.kernel.org/stable/c/1a8822343e67432b658145d2760a524c884da9d4
https://git.kernel.org/stable/c/8beaa3cb293a8f7bacf711cf52201d59859dbc40
https://git.kernel.org/stable/c/c5fa4eedddd1c8342ce533cb401c0e693e55b4e3
https://git.kernel.org/stable/c/a18670395e5f28acddeca037c5e4bd2ea961b70a
https://git.kernel.org/stable/c/b2fab1807d26acd1c6115b95b5eddd697d84751b
https://git.kernel.org/stable/c/b87c7cdf2bed4928b899e1ce91ef0d147017ba45
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix OOB read in indx_insert_into_buffer Syzbot reported a OOB read bug: BUG: KASAN: slab-out-of-bounds in indx_insert_into_buffer+0xaa3/0x13b0 fs/ntfs3/index.c:1755 Read of size 17168 at addr ffff8880255e06c0 by task syz-executor308/3630 Call Trace: <TASK> memmove+0x25/0x60 mm/kasan/shadow.c:54 indx_insert_into_buffer+0xaa3/0x13b0 fs/ntfs3/index.c:1755 indx_insert_entry+0x446/0x6b0 fs/ntfs3/index.c:1863 ntfs_create_inode+0x1d3f/0x35c0 fs/ntfs3/inode.c:1548 ntfs_create+0x3e/0x60 fs/ntfs3/namei.c:100 lookup_open fs/namei.c:3413 [inline] If the member struct INDEX_BUFFER *index of struct indx_node is incorrect, that is, the value of __le32 used is greater than the value of __le32 total in struct INDEX_HDR. Therefore, OOB read occurs when memmove is called in indx_insert_into_buffer(). Fix this by adding a check in hdr_find_e(). 2025-12-24 not yet calculated CVE-2023-54063 https://git.kernel.org/stable/c/cd7e1d67924081717c5c96ead758a1a77867689a
https://git.kernel.org/stable/c/17048287ac79abd33b275ac3b5738285d406481b
https://git.kernel.org/stable/c/a7e5dba10ba1402dd6c2f961a70320770865c4a5
https://git.kernel.org/stable/c/4bf3b564e27a518f158a83d5e1a50064ed6136a0
https://git.kernel.org/stable/c/b8c44949044e5f7f864525fdffe8e95135ce9ce5
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ipmi:ssif: Fix a memory leak when scanning for an adapter The adapter scan ssif_info_find() sets info->adapter_name if the adapter info came from SMBIOS, as it's not set in that case. However, this function can be called more than once, and it will leak the adapter name if it had already been set. So check for NULL before setting it. 2025-12-24 not yet calculated CVE-2023-54064 https://git.kernel.org/stable/c/de677f4379fa67f650e367c188a0f80bee9b6732
https://git.kernel.org/stable/c/13623b966bb6d36ba61646b69cd49cdac6e4978a
https://git.kernel.org/stable/c/3ad53071fe8547eb8d8813971844cc43246008ee
https://git.kernel.org/stable/c/74a1194cce60a90723d0fe148863c18931a31153
https://git.kernel.org/stable/c/7db16d2e791bf2ec3e0249f56b7ec81c35bba6e6
https://git.kernel.org/stable/c/b870caeb18041f856893066ded81c560db3d56cc
https://git.kernel.org/stable/c/b8d72e32e1453d37ee5c8a219f24e7eeadc471ef
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: dsa: realtek: fix out-of-bounds access The probe function sets priv->chip_data to (void *)priv + sizeof(*priv) with the expectation that priv has enough trailing space. However, only realtek-smi actually allocated this chip_data space. Do likewise in realtek-mdio to fix out-of-bounds accesses. These accesses likely went unnoticed so far, because of an (unused) buf[4096] member in struct realtek_priv, which caused kmalloc to round up the allocated buffer to a big enough size, so nothing of value was overwritten. With a different allocator (like in the barebox bootloader port of the driver) or with KASAN, the memory corruption becomes quickly apparent. 2025-12-24 not yet calculated CVE-2023-54065 https://git.kernel.org/stable/c/cc0f9bb99735d2b68fac68f37b585d615728ce5b
https://git.kernel.org/stable/c/fe668aa499b4b95425044ba11af9609db6ecf466
https://git.kernel.org/stable/c/b93eb564869321d0dffaf23fcc5c88112ed62466
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb-v2: gl861: Fix null-ptr-deref in gl861_i2c_master_xfer In gl861_i2c_master_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach gl861_i2c_master_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") 2025-12-24 not yet calculated CVE-2023-54066 https://git.kernel.org/stable/c/578b67614ae0e4fba3945b66a4c8f9ae77115bcb
https://git.kernel.org/stable/c/2a33fc57133d6f39d62285df6706aeb1714967f1
https://git.kernel.org/stable/c/dfcd3c010209927b9f45b860f046635dc32e32e1
https://git.kernel.org/stable/c/72af676551efe820e309a6c7681c2c4372f37376
https://git.kernel.org/stable/c/b97719a66970601cd3151a3e2020f4454a1c4ff6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race when deleting free space root from the dirty cow roots list When deleting the free space tree we are deleting the free space root from the list fs_info->dirty_cowonly_roots without taking the lock that protects it, which is struct btrfs_fs_info::trans_lock. This unsynchronized list manipulation may cause chaos if there's another concurrent manipulation of this list, such as when adding a root to it with ctree.c:add_root_to_dirty_list(). This can result in all sorts of weird failures caused by a race, such as the following crash: [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.279928] Code: 85 38 06 00 (...) [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206 [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000 [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070 [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600 [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48 [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000 [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0 [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [337571.282874] Call Trace: [337571.283101] <TASK> [337571.283327] ? __die_body+0x1b/0x60 [337571.283570] ? die_addr+0x39/0x60 [337571.283796] ? exc_general_protection+0x22e/0x430 [337571.284022] ? asm_exc_general_protection+0x22/0x30 [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs] [337571.284803] ? _raw_spin_unlock+0x15/0x30 [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs] [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs] [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs] [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410 [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs] [337571.286358] ? mod_objcg_state+0xd2/0x360 [337571.286577] ? refill_obj_stock+0xb0/0x160 [337571.286798] ? seq_release+0x25/0x30 [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0 [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0 [337571.287455] ? __x64_sys_ioctl+0x88/0xc0 [337571.287675] __x64_sys_ioctl+0x88/0xc0 [337571.287901] do_syscall_64+0x38/0x90 [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc [337571.288352] RIP: 0033:0x7f478aaffe9b So fix this by locking struct btrfs_fs_info::trans_lock before deleting the free space root from that list. 2025-12-24 not yet calculated CVE-2023-54067 https://git.kernel.org/stable/c/6f1c81886b0b56cb88b311e5d2f203625474d892
https://git.kernel.org/stable/c/8ce9139aea5e60a247bde5af804312f54975f443
https://git.kernel.org/stable/c/babebf023e661b90b1c78b2baa384fb03a226879
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: f2fs: compress: fix to call f2fs_wait_on_page_writeback() in f2fs_write_raw_pages() BUG_ON() will be triggered when writing files concurrently, because the same page is writtenback multiple times. 1597 void folio_end_writeback(struct folio *folio) 1598 { ...... 1618 if (!__folio_end_writeback(folio)) 1619 BUG(); ...... 1625 } kernel BUG at mm/filemap.c:1619! Call Trace: <TASK> f2fs_write_end_io+0x1a0/0x370 blk_update_request+0x6c/0x410 blk_mq_end_request+0x15/0x130 blk_complete_reqs+0x3c/0x50 __do_softirq+0xb8/0x29b ? sort_range+0x20/0x20 run_ksoftirqd+0x19/0x20 smpboot_thread_fn+0x10b/0x1d0 kthread+0xde/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 </TASK> Below is the concurrency scenario: [Process A] [Process B] [Process C] f2fs_write_raw_pages() - redirty_page_for_writepage() - unlock page() f2fs_do_write_data_page() - lock_page() - clear_page_dirty_for_io() - set_page_writeback() [1st writeback] ..... - unlock page() generic_perform_write() - f2fs_write_begin() - wait_for_stable_page() - f2fs_write_end() - set_page_dirty() - lock_page() - f2fs_do_write_data_page() - set_page_writeback() [2st writeback] This problem was introduced by the previous commit 7377e853967b ("f2fs: compress: fix potential deadlock of compress file"). All pagelocks were released in f2fs_write_raw_pages(), but whether the page was in the writeback state was ignored in the subsequent writing process. Let's fix it by waiting for the page to writeback before writing. 2025-12-24 not yet calculated CVE-2023-54068 https://git.kernel.org/stable/c/a8226a45b2a9ce83ba7a167a387a00fecc319e71
https://git.kernel.org/stable/c/169134da419cb8ffbe3b0743bc24573e16952ea9
https://git.kernel.org/stable/c/6604df2a9d07ba8f8fb1ac14046c2c83776faa4f
https://git.kernel.org/stable/c/9940877c4fe752923a53f0f7372f2f152b6eccf0
https://git.kernel.org/stable/c/ad31eed06c3b4d63b2d38322a271d4009aee4bb3
https://git.kernel.org/stable/c/babedcbac164cec970872b8097401ca913a80e61
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow When we calculate the end position of ext4_free_extent, this position may be exactly where ext4_lblk_t (i.e. uint) overflows. For example, if ac_g_ex.fe_logical is 4294965248 and ac_orig_goal_len is 2048, then the computed end is 0x100000000, which is 0. If ac->ac_o_ex.fe_logical is not the first case of adjusting the best extent, that is, new_bex_end > 0, the following BUG_ON will be triggered: ========================================================= kernel BUG at fs/ext4/mballoc.c:5116! invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 3 PID: 673 Comm: xfs_io Tainted: G E 6.5.0-rc1+ #279 RIP: 0010:ext4_mb_new_inode_pa+0xc5/0x430 Call Trace: <TASK> ext4_mb_use_best_found+0x203/0x2f0 ext4_mb_try_best_found+0x163/0x240 ext4_mb_regular_allocator+0x158/0x1550 ext4_mb_new_blocks+0x86a/0xe10 ext4_ext_map_blocks+0xb0c/0x13a0 ext4_map_blocks+0x2cd/0x8f0 ext4_iomap_begin+0x27b/0x400 iomap_iter+0x222/0x3d0 __iomap_dio_rw+0x243/0xcb0 iomap_dio_rw+0x16/0x80 ========================================================= A simple reproducer demonstrating the problem: mkfs.ext4 -F /dev/sda -b 4096 100M mount /dev/sda /tmp/test fallocate -l1M /tmp/test/tmp fallocate -l10M /tmp/test/file fallocate -i -o 1M -l16777203M /tmp/test/file fsstress -d /tmp/test -l 0 -n 100000 -p 8 & sleep 10 && killall -9 fsstress rm -f /tmp/test/tmp xfs_io -c "open -ad /tmp/test/file" -c "pwrite -S 0xff 0 8192" We simply refactor the logic for adjusting the best extent by adding a temporary ext4_free_extent ex and use extent_logical_end() to avoid overflow, which also simplifies the code. 2025-12-24 not yet calculated CVE-2023-54069 https://git.kernel.org/stable/c/83ecffd40c65844a73c2e93d7c841455786605ac
https://git.kernel.org/stable/c/58fe961c606c446f5612f6897827b1cac42c2e89
https://git.kernel.org/stable/c/f2c3a3aa6f11ad9878dbc3a067b0633e07b586c1
https://git.kernel.org/stable/c/fcefddf3a151b2c416b20120c06bb1ba9ad676fb
https://git.kernel.org/stable/c/b7e9ec38b6a0beb5a49cd1e76be0a9a07c218e90
https://git.kernel.org/stable/c/bc056e7163ac7db945366de219745cf94f32a3e6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: igb: clean up in all error paths when enabling SR-IOV After commit 50f303496d92 ("igb: Enable SR-IOV after reinit"), removing the igb module could hang or crash (depending on the machine) when the module has been loaded with the max_vfs parameter set to some value != 0. In case of one test machine with a dual port 82580, this hang occurred: [ 232.480687] igb 0000:41:00.1: removed PHC on enp65s0f1 [ 233.093257] igb 0000:41:00.1: IOV Disabled [ 233.329969] pcieport 0000:40:01.0: AER: Multiple Uncorrected (Non-Fatal) err0 [ 233.340302] igb 0000:41:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fata) [ 233.352248] igb 0000:41:00.0: device [8086:1516] error status/mask=00100000 [ 233.361088] igb 0000:41:00.0: [20] UnsupReq (First) [ 233.368183] igb 0000:41:00.0: AER: TLP Header: 40000001 0000040f cdbfc00c c [ 233.376846] igb 0000:41:00.1: PCIe Bus Error: severity=Uncorrected (Non-Fata) [ 233.388779] igb 0000:41:00.1: device [8086:1516] error status/mask=00100000 [ 233.397629] igb 0000:41:00.1: [20] UnsupReq (First) [ 233.404736] igb 0000:41:00.1: AER: TLP Header: 40000001 0000040f cdbfc00c c [ 233.538214] pci 0000:41:00.1: AER: can't recover (no error_detected callback) [ 233.538401] igb 0000:41:00.0: removed PHC on enp65s0f0 [ 233.546197] pcieport 0000:40:01.0: AER: device recovery failed [ 234.157244] igb 0000:41:00.0: IOV Disabled [ 371.619705] INFO: task irq/35-aerdrv:257 blocked for more than 122 seconds. [ 371.627489] Not tainted 6.4.0-dirty #2 [ 371.632257] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this. [ 371.641000] task:irq/35-aerdrv state:D stack:0 pid:257 ppid:2 f0 [ 371.650330] Call Trace: [ 371.653061] <TASK> [ 371.655407] __schedule+0x20e/0x660 [ 371.659313] schedule+0x5a/0xd0 [ 371.662824] schedule_preempt_disabled+0x11/0x20 [ 371.667983] __mutex_lock.constprop.0+0x372/0x6c0 [ 371.673237] ? __pfx_aer_root_reset+0x10/0x10 [ 371.678105] report_error_detected+0x25/0x1c0 [ 371.682974] ? __pfx_report_normal_detected+0x10/0x10 [ 371.688618] pci_walk_bus+0x72/0x90 [ 371.692519] pcie_do_recovery+0xb2/0x330 [ 371.696899] aer_process_err_devices+0x117/0x170 [ 371.702055] aer_isr+0x1c0/0x1e0 [ 371.705661] ? __set_cpus_allowed_ptr+0x54/0xa0 [ 371.710723] ? __pfx_irq_thread_fn+0x10/0x10 [ 371.715496] irq_thread_fn+0x20/0x60 [ 371.719491] irq_thread+0xe6/0x1b0 [ 371.723291] ? __pfx_irq_thread_dtor+0x10/0x10 [ 371.728255] ? __pfx_irq_thread+0x10/0x10 [ 371.732731] kthread+0xe2/0x110 [ 371.736243] ? __pfx_kthread+0x10/0x10 [ 371.740430] ret_from_fork+0x2c/0x50 [ 371.744428] </TASK> The reproducer was a simple script: #!/bin/sh for i in `seq 1 5`; do modprobe -rv igb modprobe -v igb max_vfs=1 sleep 1 modprobe -rv igb done It turned out that this could only be reproduce on 82580 (quad and dual-port), but not on 82576, i350 and i210. Further debugging showed that igb_enable_sriov()'s call to pci_enable_sriov() is failing, because dev->is_physfn is 0 on 82580. Prior to commit 50f303496d92 ("igb: Enable SR-IOV after reinit"), igb_enable_sriov() jumped into the "err_out" cleanup branch. After this commit it only returned the error code. So the cleanup didn't take place, and the incorrect VF setup in the igb_adapter structure fooled the igb driver into assuming that VFs have been set up where no VF actually existed. Fix this problem by cleaning up again if pci_enable_sriov() fails. 2025-12-24 not yet calculated CVE-2023-54070 https://git.kernel.org/stable/c/0e3ea7e82a06014b9baf1b84ba579c38cbff3558
https://git.kernel.org/stable/c/bc6ed2fa24b14e40e1005488bbe11268ce7108fa
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: use work to update rate to avoid RCU warning The ieee80211_ops::sta_rc_update must be atomic, because ieee80211_chan_bw_change() holds rcu_read lock while calling drv_sta_rc_update(), so create a work to do original things. Voluntary context switch within RCU read-side critical section! WARNING: CPU: 0 PID: 4621 at kernel/rcu/tree_plugin.h:318 rcu_note_context_switch+0x571/0x5d0 CPU: 0 PID: 4621 Comm: kworker/u16:2 Tainted: G W OE Workqueue: phy3 ieee80211_chswitch_work [mac80211] RIP: 0010:rcu_note_context_switch+0x571/0x5d0 Call Trace: <TASK> __schedule+0xb0/0x1460 ? __mod_timer+0x116/0x360 schedule+0x5a/0xc0 schedule_timeout+0x87/0x150 ? trace_raw_output_tick_stop+0x60/0x60 wait_for_completion_timeout+0x7b/0x140 usb_start_wait_urb+0x82/0x160 [usbcore usb_control_msg+0xe3/0x140 [usbcore rtw_usb_read+0x88/0xe0 [rtw_usb rtw_usb_read8+0xf/0x10 [rtw_usb rtw_fw_send_h2c_command+0xa0/0x170 [rtw_core rtw_fw_send_ra_info+0xc9/0xf0 [rtw_core drv_sta_rc_update+0x7c/0x160 [mac80211 ieee80211_chan_bw_change+0xfb/0x110 [mac80211 ieee80211_change_chanctx+0x38/0x130 [mac80211 ieee80211_vif_use_reserved_switch+0x34e/0x900 [mac80211 ieee80211_link_use_reserved_context+0x88/0xe0 [mac80211 ieee80211_chswitch_work+0x95/0x170 [mac80211 process_one_work+0x201/0x410 worker_thread+0x4a/0x3b0 ? process_one_work+0x410/0x410 kthread+0xe1/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 </TASK> 2025-12-24 not yet calculated CVE-2023-54071 https://git.kernel.org/stable/c/107677a8f43521e33e4a653e50fdf55ba622a4ce
https://git.kernel.org/stable/c/dd3af22323e79a2ffabed366db20aab83716fe6f
https://git.kernel.org/stable/c/bcafcb959a57a6890e900199690c5fc47da1a304
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix potential data race at PCM memory allocation helpers The PCM memory allocation helpers have a sanity check against too many buffer allocations. However, the check is performed without a proper lock and the allocation isn't serialized; this allows user to allocate more memories than predefined max size. Practically seen, this isn't really a big problem, as it's more or less some "soft limit" as a sanity check, and it's not possible to allocate unlimitedly. But it's still better to address this for more consistent behavior. The patch covers the size check in do_alloc_pages() with the card->memory_mutex, and increases the allocated size there for preventing the further overflow. When the actual allocation fails, the size is decreased accordingly. 2025-12-24 not yet calculated CVE-2023-54072 https://git.kernel.org/stable/c/7e1d1456c8db9949459c5a24e8845cfe92430b0f
https://git.kernel.org/stable/c/7e11c58b2620a22c67a5ae28d64ce383890ee9f4
https://git.kernel.org/stable/c/a0ab49e7a758b488b2090171a75d50735c0876f6
https://git.kernel.org/stable/c/3eb4e47a94e3f76521d7d344696db61e6a9619c7
https://git.kernel.org/stable/c/773ccad902f67583a58b5650a2f8d8daf2e76fac
https://git.kernel.org/stable/c/bd55842ed998a622ba6611fe59b3358c9f76773d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: tpm: Add !tpm_amd_is_rng_defective() to the hwrng_unregister() call site The following crash was reported: [ 1950.279393] list_del corruption, ffff99560d485790->next is NULL [ 1950.279400] ------------[ cut here ]------------ [ 1950.279401] kernel BUG at lib/list_debug.c:49! [ 1950.279405] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 1950.279407] CPU: 11 PID: 5886 Comm: modprobe Tainted: G O 6.2.8_1 #1 [ 1950.279409] Hardware name: Gigabyte Technology Co., Ltd. B550M AORUS PRO-P/B550M AORUS PRO-P, BIOS F15c 05/11/2022 [ 1950.279410] RIP: 0010:__list_del_entry_valid+0x59/0xc0 [ 1950.279415] Code: 48 8b 01 48 39 f8 75 5a 48 8b 72 08 48 39 c6 75 65 b8 01 00 00 00 c3 cc cc cc cc 48 89 fe 48 c7 c7 08 a8 13 9e e8 b7 0a bc ff <0f> 0b 48 89 fe 48 c7 c7 38 a8 13 9e e8 a6 0a bc ff 0f 0b 48 89 fe [ 1950.279416] RSP: 0018:ffffa96d05647e08 EFLAGS: 00010246 [ 1950.279418] RAX: 0000000000000033 RBX: ffff99560d485750 RCX: 0000000000000000 [ 1950.279419] RDX: 0000000000000000 RSI: ffffffff9e107c59 RDI: 00000000ffffffff [ 1950.279420] RBP: ffffffffc19c5168 R08: 0000000000000000 R09: ffffa96d05647cc8 [ 1950.279421] R10: 0000000000000003 R11: ffffffff9ea2a568 R12: 0000000000000000 [ 1950.279422] R13: ffff99560140a2e0 R14: ffff99560127d2e0 R15: 0000000000000000 [ 1950.279422] FS: 00007f67da795380(0000) GS:ffff995d1f0c0000(0000) knlGS:0000000000000000 [ 1950.279424] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1950.279424] CR2: 00007f67da7e65c0 CR3: 00000001feed2000 CR4: 0000000000750ee0 [ 1950.279426] PKRU: 55555554 [ 1950.279426] Call Trace: [ 1950.279428] <TASK> [ 1950.279430] hwrng_unregister+0x28/0xe0 [rng_core] [ 1950.279436] tpm_chip_unregister+0xd5/0xf0 [tpm] Add the forgotten !tpm_amd_is_rng_defective() invariant to the hwrng_unregister() call site inside tpm_chip_unregister(). 2025-12-24 not yet calculated CVE-2023-54073 https://git.kernel.org/stable/c/1408d27f25c7b73ece7545cb6434965eedc49ddb
https://git.kernel.org/stable/c/8da5ba044ea74105f3cfa182603b2f2d766fb22d
https://git.kernel.org/stable/c/0af0a989e747248e05640980661225e5b94cdb9e
https://git.kernel.org/stable/c/bd8621ca1510e6e802df9855bdc35a04a3cfa932
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Use correct encap attribute during invalidation With introduction of post action infrastructure most of the users of encap attribute had been modified in order to obtain the correct attribute by calling mlx5e_tc_get_encap_attr() helper instead of assuming encap action is always on default attribute. However, the cited commit didn't modify mlx5e_invalidate_encap() which prevents it from destroying correct modify header action which leads to a warning [0]. Fix the issue by using correct attribute. [0]: Feb 21 09:47:35 c-237-177-40-045 kernel: WARNING: CPU: 17 PID: 654 at drivers/net/ethernet/mellanox/mlx5/core/en_tc.c:684 mlx5e_tc_attach_mod_hdr+0x1cc/0x230 [mlx5_core] Feb 21 09:47:35 c-237-177-40-045 kernel: RIP: 0010:mlx5e_tc_attach_mod_hdr+0x1cc/0x230 [mlx5_core] Feb 21 09:47:35 c-237-177-40-045 kernel: Call Trace: Feb 21 09:47:35 c-237-177-40-045 kernel: <TASK> Feb 21 09:47:35 c-237-177-40-045 kernel: mlx5e_tc_fib_event_work+0x8e3/0x1f60 [mlx5_core] Feb 21 09:47:35 c-237-177-40-045 kernel: ? mlx5e_take_all_encap_flows+0xe0/0xe0 [mlx5_core] Feb 21 09:47:35 c-237-177-40-045 kernel: ? lock_downgrade+0x6d0/0x6d0 Feb 21 09:47:35 c-237-177-40-045 kernel: ? lockdep_hardirqs_on_prepare+0x273/0x3f0 Feb 21 09:47:35 c-237-177-40-045 kernel: ? lockdep_hardirqs_on_prepare+0x273/0x3f0 Feb 21 09:47:35 c-237-177-40-045 kernel: process_one_work+0x7c2/0x1310 Feb 21 09:47:35 c-237-177-40-045 kernel: ? lockdep_hardirqs_on_prepare+0x3f0/0x3f0 Feb 21 09:47:35 c-237-177-40-045 kernel: ? pwq_dec_nr_in_flight+0x230/0x230 Feb 21 09:47:35 c-237-177-40-045 kernel: ? rwlock_bug.part.0+0x90/0x90 Feb 21 09:47:35 c-237-177-40-045 kernel: worker_thread+0x59d/0xec0 Feb 21 09:47:35 c-237-177-40-045 kernel: ? __kthread_parkme+0xd9/0x1d0 2025-12-24 not yet calculated CVE-2023-54074 https://git.kernel.org/stable/c/00959a1bad58e4b6c14a2729f84d354255073609
https://git.kernel.org/stable/c/b8b4292fdd8818ab43b943b6717811651f51e39f
https://git.kernel.org/stable/c/be071cdb167fc3e25fe81922166b3d499d23e8ac
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: common: Fix refcount leak in parse_dai_link_info Add missing of_node_put()s before the returns to balance of_node_get()s and of_node_put()s, which may get unbalanced in case the for loop 'for_each_available_child_of_node' returns early. 2025-12-24 not yet calculated CVE-2023-54075 https://git.kernel.org/stable/c/3e40722d55805584dc04d8594d912820cafb2432
https://git.kernel.org/stable/c/beed115c2ce78f990222a29abed042582df4e87c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: smb: client: fix missed ses refcounting Use new cifs_smb_ses_inc_refcount() helper to get an active reference of @ses and @ses->dfs_root_ses (if set). This will prevent @ses->dfs_root_ses of being put in the next call to cifs_put_smb_ses() and thus potentially causing an use-after-free bug. 2025-12-24 not yet calculated CVE-2023-54076 https://git.kernel.org/stable/c/eb382196e6f6e05cfafdab797840e5a96c6e7bf0
https://git.kernel.org/stable/c/bf99f6be2d20146942bce6f9e90a0ceef12cbc1e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix memory leak if ntfs_read_mft failed Label ATTR_ROOT in ntfs_read_mft() sets is_root = true and ni->ni_flags |= NI_FLAG_DIR, then next attr will goto label ATTR_ALLOC and alloc ni->dir.alloc_run. However two states are not always consistent and can make memory leak. 1) attr_name in ATTR_ROOT does not fit the condition it will set is_root = true but NI_FLAG_DIR is not set. 2) next attr_name in ATTR_ALLOC fits the condition and alloc ni->dir.alloc_run 3) in cleanup function ni_clear(), when NI_FLAG_DIR is set, it frees ni->dir.alloc_run, otherwise it frees ni->file.run 4) because NI_FLAG_DIR is not set in this case, ni->dir.alloc_run is leaked as kmemleak reported: unreferenced object 0xffff888003bc5480 (size 64): backtrace: [<000000003d42e6b0>] __kmalloc_node+0x4e/0x1c0 [<00000000d8e19b8a>] kvmalloc_node+0x39/0x1f0 [<00000000fc3eb5b8>] run_add_entry+0x18a/0xa40 [ntfs3] [<0000000011c9f978>] run_unpack+0x75d/0x8e0 [ntfs3] [<00000000e7cf1819>] run_unpack_ex+0xbc/0x500 [ntfs3] [<00000000bbf0a43d>] ntfs_iget5+0xb25/0x2dd0 [ntfs3] [<00000000a6e50693>] ntfs_fill_super+0x218d/0x3580 [ntfs3] [<00000000b9170608>] get_tree_bdev+0x3fb/0x710 [<000000004833798a>] vfs_get_tree+0x8e/0x280 [<000000006e20b8e6>] path_mount+0xf3c/0x1930 [<000000007bf15a5f>] do_mount+0xf3/0x110 ... Fix this by always setting is_root and NI_FLAG_DIR together. 2025-12-24 not yet calculated CVE-2023-54077 https://git.kernel.org/stable/c/3030f2b9b3329db3948c1a145a5493ca6f617d50
https://git.kernel.org/stable/c/1bc6bb657dfb0ab3b94ef6d477ca241bf7b6ec06
https://git.kernel.org/stable/c/93bf79f989688852deade1550fb478b0a4d8daa8
https://git.kernel.org/stable/c/3bb0d3eb475f01744ce6d6e998dfbd80220852a1
https://git.kernel.org/stable/c/bfa434c60157c9793e9b12c9b68ade02aff9f803
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: max9286: Free control handler The control handler is leaked in some probe-time error paths, as well as in the remove path. Fix it. 2025-12-24 not yet calculated CVE-2023-54078 https://git.kernel.org/stable/c/9a3a907cf69f804eb41ece5c079720d1a6a15aa1
https://git.kernel.org/stable/c/1ad4b8c4552b4096dfc86531462dc1899f96af94
https://git.kernel.org/stable/c/1e9fc6c473210138eff3425a6136f0a9bf4eb0ae
https://git.kernel.org/stable/c/0f25f99dacc72bce7d4128f7a254b23f1a343cc7
https://git.kernel.org/stable/c/19f36204dbe28bf4ec0149e87e9996a56af4e654
https://git.kernel.org/stable/c/bfce6a12e5ba1edde95126aa06778027f16115d4
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: power: supply: bq27xxx: Fix poll_interval handling and races on remove Before this patch bq27xxx_battery_teardown() was setting poll_interval = 0 to avoid bq27xxx_battery_update() requeuing the delayed_work item. There are 2 problems with this: 1. If the driver is unbound through sysfs, rather then the module being rmmod-ed, this changes poll_interval unexpectedly 2. This is racy, after it being set poll_interval could be changed before bq27xxx_battery_update() checks it through /sys/module/bq27xxx_battery/parameters/poll_interval Fix this by added a removed attribute to struct bq27xxx_device_info and using that instead of setting poll_interval to 0. There also is another poll_interval related race on remove(), writing /sys/module/bq27xxx_battery/parameters/poll_interval will requeue the delayed_work item for all devices on the bq27xxx_battery_devices list and the device being removed was only removed from that list after cancelling the delayed_work item. Fix this by moving the removal from the bq27xxx_battery_devices list to before cancelling the delayed_work item. 2025-12-24 not yet calculated CVE-2023-54079 https://git.kernel.org/stable/c/4c9615474fb0a41cfad658d78db3c9ec70912969
https://git.kernel.org/stable/c/465d919151a1e8d40daf366b868914f59d073211
https://git.kernel.org/stable/c/0c5f4cec759679c290720fbcf6bb81768e21c95b
https://git.kernel.org/stable/c/e85757da9091998276ff21a13915ac25229cc232
https://git.kernel.org/stable/c/e98e5bebfcafc75a7b41192a607dfea5c1268afa
https://git.kernel.org/stable/c/d952a1eaafcc5f0351caad5dbe9b5b3300d1d529
https://git.kernel.org/stable/c/b12faeca0e819ea09051a705fef9df7ea7e9e18c
https://git.kernel.org/stable/c/c00bc80462afc7963f449d7f21d896d2f629cacc
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: skip splitting and logical rewriting on pre-alloc write When doing a relocation, there is a chance that at the time of btrfs_reloc_clone_csums(), there is no checksum for the corresponding region. In this case, btrfs_finish_ordered_zoned()'s sum points to an invalid item and so ordered_extent's logical is set to some invalid value. Then, btrfs_lookup_block_group() in btrfs_zone_finish_endio() failed to find a block group and will hit an assert or a null pointer dereference as following. This can be reprodcued by running btrfs/028 several times (e.g, 4 to 16 times) with a null_blk setup. The device's zone size and capacity is set to 32 MB and the storage size is set to 5 GB on my setup. KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f] CPU: 6 PID: 3105720 Comm: kworker/u16:13 Tainted: G W 6.5.0-rc6-kts+ #1 Hardware name: Supermicro Super Server/X10SRL-F, BIOS 2.0 12/17/2015 Workqueue: btrfs-endio-write btrfs_work_helper [btrfs] RIP: 0010:btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs] Code: 41 54 49 89 fc 55 48 89 f5 53 e8 57 7d fc ff 48 8d b8 88 00 00 00 48 89 c3 48 b8 00 00 00 00 00 > 3c 02 00 0f 85 02 01 00 00 f6 83 88 00 00 00 01 0f 84 a8 00 00 RSP: 0018:ffff88833cf87b08 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000011 RSI: 0000000000000004 RDI: 0000000000000088 RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed102877b827 R10: ffff888143bdc13b R11: ffff888125b1cbc0 R12: ffff888143bdc000 R13: 0000000000007000 R14: ffff888125b1cba8 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88881e500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f3ed85223d5 CR3: 00000001519b4005 CR4: 00000000001706e0 Call Trace: <TASK> ? die_addr+0x3c/0xa0 ? exc_general_protection+0x148/0x220 ? asm_exc_general_protection+0x22/0x30 ? btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs] ? btrfs_zone_finish_endio.part.0+0x19/0x160 [btrfs] btrfs_finish_one_ordered+0x7b8/0x1de0 [btrfs] ? rcu_is_watching+0x11/0xb0 ? lock_release+0x47a/0x620 ? btrfs_finish_ordered_zoned+0x59b/0x800 [btrfs] ? __pfx_btrfs_finish_one_ordered+0x10/0x10 [btrfs] ? btrfs_finish_ordered_zoned+0x358/0x800 [btrfs] ? __smp_call_single_queue+0x124/0x350 ? rcu_is_watching+0x11/0xb0 btrfs_work_helper+0x19f/0xc60 [btrfs] ? __pfx_try_to_wake_up+0x10/0x10 ? _raw_spin_unlock_irq+0x24/0x50 ? rcu_is_watching+0x11/0xb0 process_one_work+0x8c1/0x1430 ? __pfx_lock_acquire+0x10/0x10 ? __pfx_process_one_work+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 ? _raw_spin_lock_irq+0x52/0x60 worker_thread+0x100/0x12c0 ? __kthread_parkme+0xc1/0x1f0 ? __pfx_worker_thread+0x10/0x10 kthread+0x2ea/0x3c0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x30/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> On the zoned mode, writing to pre-allocated region means data relocation write. Such write always uses WRITE command so there is no need of splitting and rewriting logical address. Thus, we can just skip the function for the case. 2025-12-24 not yet calculated CVE-2023-54080 https://git.kernel.org/stable/c/d3cfa44164688a076e8b476cafb5df87d07cfa63
https://git.kernel.org/stable/c/c02d35d89b317994bd713ba82e160c5e7f22d9c8
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: xen: speed up grant-table reclaim When a grant entry is still in use by the remote domain, Linux must put it on a deferred list. Normally, this list is very short, because the PV network and block protocols expect the backend to unmap the grant first. However, Qubes OS's GUI protocol is subject to the constraints of the X Window System, and as such winds up with the frontend unmapping the window first. As a result, the list can grow very large, resulting in a massive memory leak and eventual VM freeze. To partially solve this problem, make the number of entries that the VM will attempt to free at each iteration tunable. The default is still 10, but it can be overridden via a module parameter. This is Cc: stable because (when combined with appropriate userspace changes) it fixes a severe performance and stability problem for Qubes OS users. 2025-12-24 not yet calculated CVE-2023-54081 https://git.kernel.org/stable/c/cd1a8952ff529adc210e62306849fd6f256608c0
https://git.kernel.org/stable/c/c76d96c555895ac602c1587b001e5cf656abc371
https://git.kernel.org/stable/c/c04e9894846c663f3278a414f34416e6e45bbe68
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix null-ptr-deref in unix_stream_sendpage(). Bing-Jhong Billy Jheng reported null-ptr-deref in unix_stream_sendpage() with detailed analysis and a nice repro. unix_stream_sendpage() tries to add data to the last skb in the peer's recv queue without locking the queue. If the peer's FD is passed to another socket and the socket's FD is passed to the peer, there is a loop between them. If we close both sockets without receiving FD, the sockets will be cleaned up by garbage collection. The garbage collection iterates such sockets and unlinks skb with FD from the socket's receive queue under the queue's lock. So, there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free. To avoid the issue, unix_stream_sendpage() must lock the peer's recv queue. Note the issue does not exist in 6.5+ thanks to the recent sendpage() refactoring. This patch is originally written by Linus Torvalds. BUG: unable to handle page fault for address: ffff988004dd6870 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 0 P4D 0 PREEMPT SMP PTI CPU: 4 PID: 297 Comm: garbage_uaf Not tainted 6.1.46 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:kmem_cache_alloc_node+0xa2/0x1e0 Code: c0 0f 84 32 01 00 00 41 83 fd ff 74 10 48 8b 00 48 c1 e8 3a 41 39 c5 0f 85 1c 01 00 00 41 8b 44 24 28 49 8b 3c 24 48 8d 4a 40 <49> 8b 1c 06 4c 89 f0 65 48 0f c7 0f 0f 94 c0 84 c0 74 a1 41 8b 44 RSP: 0018:ffffc9000079fac0 EFLAGS: 00000246 RAX: 0000000000000070 RBX: 0000000000000005 RCX: 000000000001a284 RDX: 000000000001a244 RSI: 0000000000400cc0 RDI: 000000000002eee0 RBP: 0000000000400cc0 R08: 0000000000400cc0 R09: 0000000000000003 R10: 0000000000000001 R11: 0000000000000000 R12: ffff888003970f00 R13: 00000000ffffffff R14: ffff988004dd6800 R15: 00000000000000e8 FS: 00007f174d6f3600(0000) GS:ffff88807db00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff988004dd6870 CR3: 00000000092be000 CR4: 00000000007506e0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x1a/0x1f ? page_fault_oops+0xa9/0x1e0 ? fixup_exception+0x1d/0x310 ? exc_page_fault+0xa8/0x150 ? asm_exc_page_fault+0x22/0x30 ? kmem_cache_alloc_node+0xa2/0x1e0 ? __alloc_skb+0x16c/0x1e0 __alloc_skb+0x16c/0x1e0 alloc_skb_with_frags+0x48/0x1e0 sock_alloc_send_pskb+0x234/0x270 unix_stream_sendmsg+0x1f5/0x690 sock_sendmsg+0x5d/0x60 ____sys_sendmsg+0x210/0x260 ___sys_sendmsg+0x83/0xd0 ? kmem_cache_alloc+0xc6/0x1c0 ? avc_disable+0x20/0x20 ? percpu_counter_add_batch+0x53/0xc0 ? alloc_empty_file+0x5d/0xb0 ? alloc_file+0x91/0x170 ? alloc_file_pseudo+0x94/0x100 ? __fget_light+0x9f/0x120 __sys_sendmsg+0x54/0xa0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x69/0xd3 RIP: 0033:0x7f174d639a7d Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 8a c1 f4 ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 08 e8 de c1 f4 ff 48 RSP: 002b:00007ffcb563ea50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f174d639a7d RDX: 0000000000000000 RSI: 00007ffcb563eab0 RDI: 0000000000000007 RBP: 00007ffcb563eb10 R08: 0000000000000000 R09: 00000000ffffffff R10: 00000000004040a0 R11: 0000000000000293 R12: 00007ffcb563ec28 R13: 0000000000401398 R14: 0000000000403e00 R15: 00007f174d72c000 </TASK> 2025-12-24 not yet calculated CVE-2023-54082 https://git.kernel.org/stable/c/c080cee930303124624fe64fc504f66c815ee6b9
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: phy: tegra: xusb: Clear the driver reference in usb-phy dev For the dual-role port, it will assign the phy dev to usb-phy dev and use the port dev driver as the dev driver of usb-phy. When we try to destroy the port dev, it will destroy its dev driver as well. But we did not remove the reference from usb-phy dev. This might cause the use-after-free issue in KASAN. 2025-12-24 not yet calculated CVE-2023-54083 https://git.kernel.org/stable/c/b6a107c52073496d2e5d2837915f59fb3103832f
https://git.kernel.org/stable/c/b84998a407a882991916b1a61d987c400d8a0ce6
https://git.kernel.org/stable/c/238edc04ddb9d272b38f5419bcd419ad3b92b91b
https://git.kernel.org/stable/c/82187460347ad58fd6b06d2883da73c3f2df9631
https://git.kernel.org/stable/c/c0c2fcb1325d0d4f3b322b5ee49385f8eca2560d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: firewire-digi00x: prevent potential use after free This code was supposed to return an error code if init_stream() failed, but it instead freed dg00x->rx_stream and returned success. This potentially leads to a use after free. 2025-12-24 not yet calculated CVE-2023-54084 https://git.kernel.org/stable/c/5009aead17f060753428e249eb0246eb1c2f8b86
https://git.kernel.org/stable/c/13c5fa1248bf06e95a25907c1be83948b8c44c50
https://git.kernel.org/stable/c/bbb5ac533ca6c4e2775a95388c9c0c610bb442b7
https://git.kernel.org/stable/c/ee1a221d947809c0308f27567c07a3ac93406057
https://git.kernel.org/stable/c/67148395efa2c1fb20e98fca359b20e7a6c81fe4
https://git.kernel.org/stable/c/c0e72058d5e21982e61a29de6b098f7c1f0db498
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mptcp: fix NULL pointer dereference on fastopen early fallback In case of early fallback to TCP, subflow_syn_recv_sock() deletes the subflow context before returning the newly allocated sock to the caller. The fastopen path does not cope with the above unconditionally dereferencing the subflow context. 2025-12-24 not yet calculated CVE-2023-54085 https://git.kernel.org/stable/c/95135835519b0ab931c39908b2c99e9fb3c9068b
https://git.kernel.org/stable/c/c0ff6f6da66a7791a32c0234388b1bdc00244917
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Add preempt_count_{sub,add} into btf id deny list The recursion check in __bpf_prog_enter* and __bpf_prog_exit* leave preempt_count_{sub,add} unprotected. When attaching trampoline to them we get panic as follows, [ 867.843050] BUG: TASK stack guard page was hit at 0000000009d325cf (stack is 0000000046a46a15..00000000537e7b28) [ 867.843064] stack guard page: 0000 [#1] PREEMPT SMP NOPTI [ 867.843067] CPU: 8 PID: 11009 Comm: trace Kdump: loaded Not tainted 6.2.0+ #4 [ 867.843100] Call Trace: [ 867.843101] <TASK> [ 867.843104] asm_exc_int3+0x3a/0x40 [ 867.843108] RIP: 0010:preempt_count_sub+0x1/0xa0 [ 867.843135] __bpf_prog_enter_recur+0x17/0x90 [ 867.843148] bpf_trampoline_6442468108_0+0x2e/0x1000 [ 867.843154] ? preempt_count_sub+0x1/0xa0 [ 867.843157] preempt_count_sub+0x5/0xa0 [ 867.843159] ? migrate_enable+0xac/0xf0 [ 867.843164] __bpf_prog_exit_recur+0x2d/0x40 [ 867.843168] bpf_trampoline_6442468108_0+0x55/0x1000 ... [ 867.843788] preempt_count_sub+0x5/0xa0 [ 867.843793] ? migrate_enable+0xac/0xf0 [ 867.843829] __bpf_prog_exit_recur+0x2d/0x40 [ 867.843837] BUG: IRQ stack guard page was hit at 0000000099bd8228 (stack is 00000000b23e2bc4..000000006d95af35) [ 867.843841] BUG: IRQ stack guard page was hit at 000000005ae07924 (stack is 00000000ffd69623..0000000014eb594c) [ 867.843843] BUG: IRQ stack guard page was hit at 00000000028320f0 (stack is 00000000034b6438..0000000078d1bcec) [ 867.843842] bpf_trampoline_6442468108_0+0x55/0x1000 ... That is because in __bpf_prog_exit_recur, the preempt_count_{sub,add} are called after prog->active is decreased. Fixing this by adding these two functions into btf ids deny list. 2025-12-24 not yet calculated CVE-2023-54086 https://git.kernel.org/stable/c/095018267c87b8bfbbb12eeb1c0ebf2359e1782c
https://git.kernel.org/stable/c/60039bf72f81638baa28652a11a68e9b0b7b5b2d
https://git.kernel.org/stable/c/b9168d41b83d182f34ba927ee822edaee18d5fc8
https://git.kernel.org/stable/c/c11bd046485d7bf1ca200db0e7d0bdc4bafdd395
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ubi: Fix possible null-ptr-deref in ubi_free_volume() It willl cause null-ptr-deref in the following case: uif_init() ubi_add_volume() cdev_add() -> if it fails, call kill_volumes() device_register() kill_volumes() -> if ubi_add_volume() fails call this function ubi_free_volume() cdev_del() device_unregister() -> trying to delete a not added device, it causes null-ptr-deref So in ubi_free_volume(), it delete devices whether they are added or not, it will causes null-ptr-deref. Handle the error case whlie calling ubi_add_volume() to fix this problem. If add volume fails, set the corresponding vol to null, so it can not be accessed in kill_volumes() and release the resource in ubi_add_volume() error path. 2025-12-24 not yet calculated CVE-2023-54087 https://git.kernel.org/stable/c/5558bcf1c58720ca6e9d6198d921cb3aa337f038
https://git.kernel.org/stable/c/45b2c5ca4d2edae70f19fdb086bd927840c4c309
https://git.kernel.org/stable/c/234c53e57424992e657e6f4acc00d3df0983176f
https://git.kernel.org/stable/c/fcbc795abe7897da4b5d2a6ab5010e36774b00c2
https://git.kernel.org/stable/c/5ec4c8aca5a221756a9007deadfea92795319fee
https://git.kernel.org/stable/c/2ea7195b195009ecf0046e55361f393ba96d02db
https://git.kernel.org/stable/c/9eccdb0760cbcb4427b5303a83a3007de998af51
https://git.kernel.org/stable/c/c15859bfd326c10230f09cb48a17f8a35f190342
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: hold queue_lock when removing blkg->q_node When blkg is removed from q->blkg_list from blkg_free_workfn(), queue_lock has to be held, otherwise, all kinds of bugs(list corruption, hard lockup, ..) can be triggered from blkg_destroy_all(). 2025-12-24 not yet calculated CVE-2023-54088 https://git.kernel.org/stable/c/b5dae1cd0d8368b4338430ff93403df67f0b8bcc
https://git.kernel.org/stable/c/083b58373463a6e5ee60ecb135269348f68ad7df
https://git.kernel.org/stable/c/cd4ffdf56791eec95af01f06bee1ec7665ca75c4
https://git.kernel.org/stable/c/c164c7bc9775be7bcc68754bb3431fce5823822e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: virtio_pmem: add the missing REQ_OP_WRITE for flush bio When doing mkfs.xfs on a pmem device, the following warning was ------------[ cut here ]------------ WARNING: CPU: 2 PID: 384 at block/blk-core.c:751 submit_bio_noacct Modules linked in: CPU: 2 PID: 384 Comm: mkfs.xfs Not tainted 6.4.0-rc7+ #154 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:submit_bio_noacct+0x340/0x520 ...... Call Trace: <TASK> ? submit_bio_noacct+0xd5/0x520 submit_bio+0x37/0x60 async_pmem_flush+0x79/0xa0 nvdimm_flush+0x17/0x40 pmem_submit_bio+0x370/0x390 __submit_bio+0xbc/0x190 submit_bio_noacct_nocheck+0x14d/0x370 submit_bio_noacct+0x1ef/0x520 submit_bio+0x55/0x60 submit_bio_wait+0x5a/0xc0 blkdev_issue_flush+0x44/0x60 The root cause is that submit_bio_noacct() needs bio_op() is either WRITE or ZONE_APPEND for flush bio and async_pmem_flush() doesn't assign REQ_OP_WRITE when allocating flush bio, so submit_bio_noacct just fail the flush bio. Simply fix it by adding the missing REQ_OP_WRITE for flush bio. And we could fix the flush order issue and do flush optimization later. 2025-12-24 not yet calculated CVE-2023-54089 https://git.kernel.org/stable/c/e39e870e1e683a71d3d2e63e661a5695f60931a7
https://git.kernel.org/stable/c/c7ab7e45ccef209809f8c2b00f497deec06b29c0
https://git.kernel.org/stable/c/c1dbd8a849183b9c12d257ad3043ecec50db50b3
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ixgbe: Fix panic during XDP_TX with > 64 CPUs Commit 4fe815850bdc ("ixgbe: let the xdpdrv work with more than 64 cpus") adds support to allow XDP programs to run on systems with more than 64 CPUs by locking the XDP TX rings and indexing them using cpu % 64 (IXGBE_MAX_XDP_QS). Upon trying this out patch on a system with more than 64 cores, the kernel paniced with an array-index-out-of-bounds at the return in ixgbe_determine_xdp_ring in ixgbe.h, which means ixgbe_determine_xdp_q_idx was just returning the cpu instead of cpu % IXGBE_MAX_XDP_QS. An example splat: ========================================================================== UBSAN: array-index-out-of-bounds in /var/lib/dkms/ixgbe/5.18.6+focal-1/build/src/ixgbe.h:1147:26 index 65 is out of range for type 'ixgbe_ring *[64]' ========================================================================== BUG: kernel NULL pointer dereference, address: 0000000000000058 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 65 PID: 408 Comm: ksoftirqd/65 Tainted: G IOE 5.15.0-48-generic #54~20.04.1-Ubuntu Hardware name: Dell Inc. PowerEdge R640/0W23H8, BIOS 2.5.4 01/13/2020 RIP: 0010:ixgbe_xmit_xdp_ring+0x1b/0x1c0 [ixgbe] Code: 3b 52 d4 cf e9 42 f2 ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 55 b9 00 00 00 00 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 08 <44> 0f b7 47 58 0f b7 47 5a 0f b7 57 54 44 0f b7 76 08 66 41 39 c0 RSP: 0018:ffffbc3fcd88fcb0 EFLAGS: 00010282 RAX: ffff92a253260980 RBX: ffffbc3fe68b00a0 RCX: 0000000000000000 RDX: ffff928b5f659000 RSI: ffff928b5f659000 RDI: 0000000000000000 RBP: ffffbc3fcd88fce0 R08: ffff92b9dfc20580 R09: 0000000000000001 R10: 3d3d3d3d3d3d3d3d R11: 3d3d3d3d3d3d3d3d R12: 0000000000000000 R13: ffff928b2f0fa8c0 R14: ffff928b9be20050 R15: 000000000000003c FS: 0000000000000000(0000) GS:ffff92b9dfc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000058 CR3: 000000011dd6a002 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ixgbe_poll+0x103e/0x1280 [ixgbe] ? sched_clock_cpu+0x12/0xe0 __napi_poll+0x30/0x160 net_rx_action+0x11c/0x270 __do_softirq+0xda/0x2ee run_ksoftirqd+0x2f/0x50 smpboot_thread_fn+0xb7/0x150 ? sort_range+0x30/0x30 kthread+0x127/0x150 ? set_kthread_struct+0x50/0x50 ret_from_fork+0x1f/0x30 </TASK> I think this is how it happens: Upon loading the first XDP program on a system with more than 64 CPUs, ixgbe_xdp_locking_key is incremented in ixgbe_xdp_setup. However, immediately after this, the rings are reconfigured by ixgbe_setup_tc. ixgbe_setup_tc calls ixgbe_clear_interrupt_scheme which calls ixgbe_free_q_vectors which calls ixgbe_free_q_vector in a loop. ixgbe_free_q_vector decrements ixgbe_xdp_locking_key once per call if it is non-zero. Commenting out the decrement in ixgbe_free_q_vector stopped my system from panicing. I suspect to make the original patch work, I would need to load an XDP program and then replace it in order to get ixgbe_xdp_locking_key back above 0 since ixgbe_setup_tc is only called when transitioning between XDP and non-XDP ring configurations, while ixgbe_xdp_locking_key is incremented every time ixgbe_xdp_setup is called. Also, ixgbe_setup_tc can be called via ethtool --set-channels, so this becomes another path to decrement ixgbe_xdp_locking_key to 0 on systems with more than 64 CPUs. Since ixgbe_xdp_locking_key only protects the XDP_TX path and is tied to the number of CPUs present, there is no reason to disable it upon unloading an XDP program. To avoid confusion, I have moved enabling ixgbe_xdp_locking_key into ixgbe_sw_init, which is part of the probe path. 2025-12-24 not yet calculated CVE-2023-54090 https://git.kernel.org/stable/c/1924450175349e64f8dfc3689efcb653dba0418e
https://git.kernel.org/stable/c/785b2b5b47b1aa4c31862948b312ea845401c5ec
https://git.kernel.org/stable/c/4cd43a19900d0b98c1ec4bb6984763369d2e19ec
https://git.kernel.org/stable/c/c23ae5091a8b3e50fe755257df020907e7c029bb
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/client: Fix memory leak in drm_client_target_cloned dmt_mode is allocated and never freed in this function. It was found with the ast driver, but most drivers using generic fbdev setup are probably affected. This fixes the following kmemleak report: backtrace: [<00000000b391296d>] drm_mode_duplicate+0x45/0x220 [drm] [<00000000e45bb5b3>] drm_client_target_cloned.constprop.0+0x27b/0x480 [drm] [<00000000ed2d3a37>] drm_client_modeset_probe+0x6bd/0xf50 [drm] [<0000000010e5cc9d>] __drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper] [<00000000909f82ca>] drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper] [<00000000063a69aa>] drm_client_register+0x169/0x240 [drm] [<00000000a8c61525>] ast_pci_probe+0x142/0x190 [ast] [<00000000987f19bb>] local_pci_probe+0xdc/0x180 [<000000004fca231b>] work_for_cpu_fn+0x4e/0xa0 [<0000000000b85301>] process_one_work+0x8b7/0x1540 [<000000003375b17c>] worker_thread+0x70a/0xed0 [<00000000b0d43cd9>] kthread+0x29f/0x340 [<000000008d770833>] ret_from_fork+0x1f/0x30 unreferenced object 0xff11000333089a00 (size 128): 2025-12-24 not yet calculated CVE-2023-54091 https://git.kernel.org/stable/c/d3009700f48602b557eade1f22c98b6bc20247e8
https://git.kernel.org/stable/c/a4b978249e8fa94956fce8b70a709f7797716f62
https://git.kernel.org/stable/c/52daf6ba2e0d201640cb1ce42049c5c4426b4d6e
https://git.kernel.org/stable/c/105275879a80503686a8108af2f5c579a1c5aef4
https://git.kernel.org/stable/c/a85e23a1ef63e45a18f0a30d7816fcb4a865ca95
https://git.kernel.org/stable/c/b5359d7a5087ac398fc429da6833133b4784c268
https://git.kernel.org/stable/c/4b596a6e2d2e0f9c14e4122506dd715f43fcd727
https://git.kernel.org/stable/c/c2a88e8bdf5f6239948d75283d0ae7e0c7945b03
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: KVM: s390: pv: fix index value of replaced ASCE The index field of the struct page corresponding to a guest ASCE should be 0. When replacing the ASCE in s390_replace_asce(), the index of the new ASCE should also be set to 0. Having the wrong index might lead to the wrong addresses being passed around when notifying pte invalidations, and eventually to validity intercepts (VM crash) if the prefix gets unmapped and the notifier gets called with the wrong address. 2025-12-24 not yet calculated CVE-2023-54092 https://git.kernel.org/stable/c/8e635da0e0d3cb45e32fa79b36218fb98281bc10
https://git.kernel.org/stable/c/49a2686adddebe1ae76b4d368383208656ef6606
https://git.kernel.org/stable/c/017f686bcb536ff23d49c143fdf9d1fd89a9a924
https://git.kernel.org/stable/c/f1c7a776338f2ac5e34da40e58fe9f33ea390a5e
https://git.kernel.org/stable/c/c2fceb59bbda16468bda82b002383bff59de89ab
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: anysee: fix null-ptr-deref in anysee_master_xfer In anysee_master_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach anysee_master_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") [hverkuil: add spaces around +] 2025-12-24 not yet calculated CVE-2023-54093 https://git.kernel.org/stable/c/73c0b224ceeba12dee2a7a8cbc147648da0b2e63
https://git.kernel.org/stable/c/e04affec2506ff5c12a18d78d7e694b3556a8982
https://git.kernel.org/stable/c/8dc5b370254abc10f0cb4141d90cecf7ce465472
https://git.kernel.org/stable/c/4a9763d2bc4a6d6fab42555b9c0b2eefa32585ac
https://git.kernel.org/stable/c/3dd5846a873938ec7b6d404ec27662942cd8f2ef
https://git.kernel.org/stable/c/14b94154a72388b57221a2a73795c0ea61a95373
https://git.kernel.org/stable/c/5975dbbb7ad0767eaabd15d2c37a739ac76acb00
https://git.kernel.org/stable/c/c30411266fd67ea3c02a05c157231654d5a3bdc9
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: prevent skb corruption on frag list segmentation Ian reported several skb corruptions triggered by rx-gro-list, collecting different oops alike: [ 62.624003] BUG: kernel NULL pointer dereference, address: 00000000000000c0 [ 62.631083] #PF: supervisor read access in kernel mode [ 62.636312] #PF: error_code(0x0000) - not-present page [ 62.641541] PGD 0 P4D 0 [ 62.644174] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 62.648629] CPU: 1 PID: 913 Comm: napi/eno2-79 Not tainted 6.4.0 #364 [ 62.655162] Hardware name: Supermicro Super Server/A2SDi-12C-HLN4F, BIOS 1.7a 10/13/2022 [ 62.663344] RIP: 0010:__udp_gso_segment (./include/linux/skbuff.h:2858 ./include/linux/udp.h:23 net/ipv4/udp_offload.c:228 net/ipv4/udp_offload.c:261 net/ipv4/udp_offload.c:277) [ 62.687193] RSP: 0018:ffffbd3a83b4f868 EFLAGS: 00010246 [ 62.692515] RAX: 00000000000000ce RBX: 0000000000000000 RCX: 0000000000000000 [ 62.699743] RDX: ffffa124def8a000 RSI: 0000000000000079 RDI: ffffa125952a14d4 [ 62.706970] RBP: ffffa124def8a000 R08: 0000000000000022 R09: 00002000001558c9 [ 62.714199] R10: 0000000000000000 R11: 00000000be554639 R12: 00000000000000e2 [ 62.721426] R13: ffffa125952a1400 R14: ffffa125952a1400 R15: 00002000001558c9 [ 62.728654] FS: 0000000000000000(0000) GS:ffffa127efa40000(0000) knlGS:0000000000000000 [ 62.736852] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 62.742702] CR2: 00000000000000c0 CR3: 00000001034b0000 CR4: 00000000003526e0 [ 62.749948] Call Trace: [ 62.752498] <TASK> [ 62.779267] inet_gso_segment (net/ipv4/af_inet.c:1398) [ 62.787605] skb_mac_gso_segment (net/core/gro.c:141) [ 62.791906] __skb_gso_segment (net/core/dev.c:3403 (discriminator 2)) [ 62.800492] validate_xmit_skb (./include/linux/netdevice.h:4862 net/core/dev.c:3659) [ 62.804695] validate_xmit_skb_list (net/core/dev.c:3710) [ 62.809158] sch_direct_xmit (net/sched/sch_generic.c:330) [ 62.813198] __dev_queue_xmit (net/core/dev.c:3805 net/core/dev.c:4210) net/netfilter/core.c:626) [ 62.821093] br_dev_queue_push_xmit (net/bridge/br_forward.c:55) [ 62.825652] maybe_deliver (net/bridge/br_forward.c:193) [ 62.829420] br_flood (net/bridge/br_forward.c:233) [ 62.832758] br_handle_frame_finish (net/bridge/br_input.c:215) [ 62.837403] br_handle_frame (net/bridge/br_input.c:298 net/bridge/br_input.c:416) [ 62.851417] __netif_receive_skb_core.constprop.0 (net/core/dev.c:5387) [ 62.866114] __netif_receive_skb_list_core (net/core/dev.c:5570) [ 62.871367] netif_receive_skb_list_internal (net/core/dev.c:5638 net/core/dev.c:5727) [ 62.876795] napi_complete_done (./include/linux/list.h:37 ./include/net/gro.h:434 ./include/net/gro.h:429 net/core/dev.c:6067) [ 62.881004] ixgbe_poll (drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:3191) [ 62.893534] __napi_poll (net/core/dev.c:6498) [ 62.897133] napi_threaded_poll (./include/linux/netpoll.h:89 net/core/dev.c:6640) [ 62.905276] kthread (kernel/kthread.c:379) [ 62.913435] ret_from_fork (arch/x86/entry/entry_64.S:314) [ 62.917119] </TASK> In the critical scenario, rx-gro-list GRO-ed packets are fed, via a bridge, both to the local input path and to an egress device (tun). The segmentation of such packets unsafely writes to the cloned skbs with shared heads. This change addresses the issue by uncloning as needed the to-be-segmented skbs. 2025-12-24 not yet calculated CVE-2023-54094 https://git.kernel.org/stable/c/bc3ab5d2ab69823f5cff89cf74ef78ffa0386c9a
https://git.kernel.org/stable/c/ea438eed94ac0fe69b93ac034738823c0e989a12
https://git.kernel.org/stable/c/1731234e8b60063eae858c77b55c7a88f5084353
https://git.kernel.org/stable/c/7a59f29961cf97b98b02acaadf5a0b1f8dde938c
https://git.kernel.org/stable/c/c329b261afe71197d9da83c1f18eb45a7e97e089
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: powerpc/iommu: Fix notifiers being shared by PCI and VIO buses fail_iommu_setup() registers the fail_iommu_bus_notifier struct to both PCI and VIO buses. struct notifier_block is a linked list node, so this causes any notifiers later registered to either bus type to also be registered to the other since they share the same node. This causes issues in (at least) the vgaarb code, which registers a notifier for PCI buses. pci_notify() ends up being called on a vio device, converted with to_pci_dev() even though it's not a PCI device, and finally makes a bad access in vga_arbiter_add_pci_device() as discovered with KASAN: BUG: KASAN: slab-out-of-bounds in vga_arbiter_add_pci_device+0x60/0xe00 Read of size 4 at addr c000000264c26fdc by task swapper/0/1 Call Trace: dump_stack_lvl+0x1bc/0x2b8 (unreliable) print_report+0x3f4/0xc60 kasan_report+0x244/0x698 __asan_load4+0xe8/0x250 vga_arbiter_add_pci_device+0x60/0xe00 pci_notify+0x88/0x444 notifier_call_chain+0x104/0x320 blocking_notifier_call_chain+0xa0/0x140 device_add+0xac8/0x1d30 device_register+0x58/0x80 vio_register_device_node+0x9ac/0xce0 vio_bus_scan_register_devices+0xc4/0x13c __machine_initcall_pseries_vio_device_init+0x94/0xf0 do_one_initcall+0x12c/0xaa8 kernel_init_freeable+0xa48/0xba8 kernel_init+0x64/0x400 ret_from_kernel_thread+0x5c/0x64 Fix this by creating separate notifier_block structs for each bus type. [mpe: Add #ifdef to fix CONFIG_IBMVIO=n build] 2025-12-24 not yet calculated CVE-2023-54095 https://git.kernel.org/stable/c/dc0d107e624ca96aef6dd8722eb33ba3a6d157b0
https://git.kernel.org/stable/c/075a4dcdbc9a5ea793cb8ec8b78a6c0b7636fd52
https://git.kernel.org/stable/c/65bf8a196ba25cf65a858b5bb8de80f0aad76691
https://git.kernel.org/stable/c/f08944e3c6962b00827de7263a9e20688e79ad84
https://git.kernel.org/stable/c/a9ddbfed53465bc7c411231db32a488066c0c1be
https://git.kernel.org/stable/c/f17d5efaafba3d5f02f0373f7c5f44711d676f3e
https://git.kernel.org/stable/c/c46af58588253e5e4063bb5ddc78cd12fdf9e55d
https://git.kernel.org/stable/c/6670c65bf863cd0d44ca24d4c10ef6755b8d9529
https://git.kernel.org/stable/c/c37b6908f7b2bd24dcaaf14a180e28c9132b9c58
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: soundwire: fix enumeration completion The soundwire subsystem uses two completion structures that allow drivers to wait for soundwire device to become enumerated on the bus and initialised by their drivers, respectively. The code implementing the signalling is currently broken as it does not signal all current and future waiters and also uses the wrong reinitialisation function, which can potentially lead to memory corruption if there are still waiters on the queue. Not signalling future waiters specifically breaks sound card probe deferrals as codec drivers can not tell that the soundwire device is already attached when being reprobed. Some codec runtime PM implementations suffer from similar problems as waiting for enumeration during resume can also timeout despite the device already having been enumerated. 2025-12-24 not yet calculated CVE-2023-54096 https://git.kernel.org/stable/c/48d1d0ce0782f995fda678508fdae35c5e9593f0
https://git.kernel.org/stable/c/a36b522767f3a72688893a472e80c9aa03e67eda
https://git.kernel.org/stable/c/e1d54962a63b6ec04ed0204a3ecca942fde3a6fe
https://git.kernel.org/stable/c/c5265691cd065464d795de5666dcfb89c26b9bc1
https://git.kernel.org/stable/c/c40d6b3249b11d60e09d81530588f56233d9aa44
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: regulator: stm32-pwr: fix of_iomap leak Smatch reports: drivers/regulator/stm32-pwr.c:166 stm32_pwr_regulator_probe() warn: 'base' from of_iomap() not released on lines: 151,166. In stm32_pwr_regulator_probe(), base is not released when devm_kzalloc() fails to allocate memory or devm_regulator_register() fails to register a new regulator device, which may cause a leak. To fix this issue, replace of_iomap() with devm_platform_ioremap_resource(). devm_platform_ioremap_resource() is a specialized function for platform devices. It allows 'base' to be automatically released whether the probe function succeeds or fails. Besides, use IS_ERR(base) instead of !base as the return value of devm_platform_ioremap_resource() can either be a pointer to the remapped memory or an ERR_PTR() encoded error code if the operation fails. 2025-12-24 not yet calculated CVE-2023-54097 https://git.kernel.org/stable/c/824683dbec234a01bd49a0589ee3323594a6f4cf
https://git.kernel.org/stable/c/dfce9bb3517a78507cf96f9b83948d0b81338afa
https://git.kernel.org/stable/c/ad6481f49fb2c703efa3a929643934f24b666d6a
https://git.kernel.org/stable/c/f25994f7a9ad53eb756bc4869497c3ebe281ad5e
https://git.kernel.org/stable/c/c091bb49b3233307c7af73dae888f0799752af3d
https://git.kernel.org/stable/c/0ad07e02be0d3f0d554653382ffe53ae4879378d
https://git.kernel.org/stable/c/c4a413e56d16a2ae84e6d8992f215c4dcc7fac20
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/i915/gvt: fix gvt debugfs destroy When gvt debug fs is destroyed, need to have a sane check if drm minor's debugfs root is still available or not, otherwise in case like device remove through unbinding, drm minor's debugfs directory has already been removed, then intel_gvt_debugfs_clean() would act upon dangling pointer like below oops. i915 0000:00:02.0: Direct firmware load for i915/gvt/vid_0x8086_did_0x1926_rid_0x0a.golden_hw_state failed with error -2 i915 0000:00:02.0: MDEV: Registered Console: switching to colour dummy device 80x25 i915 0000:00:02.0: MDEV: Unregistering BUG: kernel NULL pointer dereference, address: 00000000000000a0 PGD 0 P4D 0 Oops: 0002 [#1] PREEMPT SMP PTI CPU: 2 PID: 2486 Comm: gfx-unbind.sh Tainted: G I 6.1.0-rc8+ #15 Hardware name: Dell Inc. XPS 13 9350/0JXC1H, BIOS 1.13.0 02/10/2020 RIP: 0010:down_write+0x1f/0x90 Code: 1d ff ff 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 53 48 89 fb e8 62 c0 ff ff bf 01 00 00 00 e8 28 5e 31 ff 31 c0 ba 01 00 00 00 <f0> 48 0f b1 13 75 33 65 48 8b 04 25 c0 bd 01 00 48 89 43 08 bf 01 RSP: 0018:ffff9eb3036ffcc8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 00000000000000a0 RCX: ffffff8100000000 RDX: 0000000000000001 RSI: 0000000000000064 RDI: ffffffffa48787a8 RBP: ffff9eb3036ffd30 R08: ffffeb1fc45a0608 R09: ffffeb1fc45a05c0 R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000000 R13: ffff91acc33fa328 R14: ffff91acc033f080 R15: ffff91acced533e0 FS: 00007f6947bba740(0000) GS:ffff91ae36d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000a0 CR3: 00000001133a2002 CR4: 00000000003706e0 Call Trace: <TASK> simple_recursive_removal+0x9f/0x2a0 ? start_creating.part.0+0x120/0x120 ? _raw_spin_lock+0x13/0x40 debugfs_remove+0x40/0x60 intel_gvt_debugfs_clean+0x15/0x30 [kvmgt] intel_gvt_clean_device+0x49/0xe0 [kvmgt] intel_gvt_driver_remove+0x2f/0xb0 i915_driver_remove+0xa4/0xf0 i915_pci_remove+0x1a/0x30 pci_device_remove+0x33/0xa0 device_release_driver_internal+0x1b2/0x230 unbind_store+0xe0/0x110 kernfs_fop_write_iter+0x11b/0x1f0 vfs_write+0x203/0x3d0 ksys_write+0x63/0xe0 do_syscall_64+0x37/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f6947cb5190 Code: 40 00 48 8b 15 71 9c 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d 51 24 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89 RSP: 002b:00007ffcbac45a28 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f6947cb5190 RDX: 000000000000000d RSI: 0000555e35c866a0 RDI: 0000000000000001 RBP: 0000555e35c866a0 R08: 0000000000000002 R09: 0000555e358cb97c R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000001 R13: 000000000000000d R14: 0000000000000000 R15: 0000555e358cb8e0 </TASK> Modules linked in: kvmgt CR2: 00000000000000a0 ---[ end trace 0000000000000000 ]--- 2025-12-24 not yet calculated CVE-2023-54098 https://git.kernel.org/stable/c/bb7c7b2c89d2feb347b6f9bffc1c75987adb1048
https://git.kernel.org/stable/c/ae9a61511736cc71a99f01e8b7b90f6fb6128ed8
https://git.kernel.org/stable/c/b85c8536fda3d1ed07c6d87a661ffe18d6eb214b
https://git.kernel.org/stable/c/fe340500baf84b6531c9fc508b167525b9bf6446
https://git.kernel.org/stable/c/c4b850d1f448a901fbf4f7f36dec38c84009b489
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fs: Protect reconfiguration of sb read-write from racing writes The reconfigure / remount code takes a lot of effort to protect filesystem's reconfiguration code from racing writes on remounting read-only. However during remounting read-only filesystem to read-write mode userspace writes can start immediately once we clear SB_RDONLY flag. This is inconvenient for example for ext4 because we need to do some writes to the filesystem (such as preparation of quota files) before we can take userspace writes so we are clearing SB_RDONLY flag before we are fully ready to accept userpace writes and syzbot has found a way to exploit this [1]. Also as far as I'm reading the code the filesystem remount code was protected from racing writes in the legacy mount path by the mount's MNT_READONLY flag so this is relatively new problem. It is actually fairly easy to protect remount read-write from racing writes using sb->s_readonly_remount flag so let's just do that instead of having to workaround these races in the filesystem code. [1] https://lore.kernel.org/all/00000000000006a0df05f6667499@google.com/T/ 2025-12-24 not yet calculated CVE-2023-54099 https://git.kernel.org/stable/c/0336b42456e485fda1006b5b411e7372e20fbf03
https://git.kernel.org/stable/c/7e4e87ec56aa6d008c64eab31b340a7c452b26cc
https://git.kernel.org/stable/c/0ccfe21949bc9f706a86ee7351b74375c0745757
https://git.kernel.org/stable/c/295ef44a2abaf97d7a594b1d4c60d4be3738191f
https://git.kernel.org/stable/c/4abda85197ba5d695e6040d580b4b409ce0d3733
https://git.kernel.org/stable/c/c541dce86c537714b6761a79a969c1623dfa222b
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: qedi: Fix use after free bug in qedi_remove() In qedi_probe() we call __qedi_probe() which initializes &qedi->recovery_work with qedi_recovery_handler() and &qedi->board_disable_work with qedi_board_disable_work(). When qedi_schedule_recovery_handler() is called, schedule_delayed_work() will finally start the work. In qedi_remove(), which is called to remove the driver, the following sequence may be observed: Fix this by finishing the work before cleanup in qedi_remove(). CPU0 CPU1 |qedi_recovery_handler qedi_remove | __qedi_remove | iscsi_host_free | scsi_host_put | //free shost | |iscsi_host_for_each_session |//use qedi->shost Cancel recovery_work and board_disable_work in __qedi_remove(). 2025-12-24 not yet calculated CVE-2023-54100 https://git.kernel.org/stable/c/fa19c533ab19161298f0780bcc6523af88f6fd20
https://git.kernel.org/stable/c/5e756a59cee6a8a79b9059c5bdf0ecbf5bb8d151
https://git.kernel.org/stable/c/3738a230831e861503119ee2691c4a7dc56ed60a
https://git.kernel.org/stable/c/89f6023fc321c958a0fb11f143a6eb4544ae3940
https://git.kernel.org/stable/c/124027cd1a624ce0347adcd59241a9966a726b22
https://git.kernel.org/stable/c/c5749639f2d0a1f6cbe187d05f70c2e7c544d748
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: driver: soc: xilinx: use _safe loop iterator to avoid a use after free The hash_for_each_possible() loop dereferences "eve_data" to get the next item on the list. However the loop frees eve_data so it leads to a use after free. Use hash_for_each_possible_safe() instead. 2025-12-24 not yet calculated CVE-2023-54101 https://git.kernel.org/stable/c/49fca83f6f3f0cafe5bf5b43e8ee81cf73c2d5e0
https://git.kernel.org/stable/c/f16599e638073ef0b2828bb64f5e99138e9381b5
https://git.kernel.org/stable/c/256aace3a5d8c987183ba4832dffb36f48ea7d3b
https://git.kernel.org/stable/c/c58da0ba3e5c86e51e2c1557afaf6f71e00c4533
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow A static code analysis tool flagged the possibility of buffer overflow when using copy_from_user() for a debugfs entry. Currently, it is possible that copy_from_user() copies more bytes than what would fit in the mybuf char array. Add a min() restriction check between sizeof(mybuf) - 1 and nbytes passed from the userspace buffer to protect against buffer overflow. 2025-12-24 not yet calculated CVE-2023-54102 https://git.kernel.org/stable/c/644a9d5e22761a41d5005a26996a643da96de962
https://git.kernel.org/stable/c/e0e7faee3a7dd6f51350cda64997116a247eb045
https://git.kernel.org/stable/c/f91037487036e2d2f18d3c2481be6b9a366bde7f
https://git.kernel.org/stable/c/a9df88cb31dcbd72104ec5883f35cbc1fb587e47
https://git.kernel.org/stable/c/ad050f6cf681ebb850a9d4bc19474d3896476301
https://git.kernel.org/stable/c/c6087b82a9146826564a55c5ca0164cac40348f5
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: mtk-jpeg: Fix use after free bug due to uncanceled work In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. Then mtk_jpeg_dec_device_run and mtk_jpeg_enc_device_run may be called to start the work. If we remove the module which will call mtk_jpeg_remove to make cleanup, there may be a unfinished work. The possible sequence is as follows, which will cause a typical UAF bug. Fix it by canceling the work before cleanup in the mtk_jpeg_remove CPU0 CPU1 |mtk_jpeg_job_timeout_work mtk_jpeg_remove | v4l2_m2m_release | kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use 2025-12-24 not yet calculated CVE-2023-54103 https://git.kernel.org/stable/c/d346a2ef6b1ebb77d740890cfaf8478c5b286380
https://git.kernel.org/stable/c/d56dbfe750a8f96789cc86a911864f663e63bc5d
https://git.kernel.org/stable/c/715c0200b4809396998e562ce5cd0284e7314cc1
https://git.kernel.org/stable/c/8977d9924843823f46696d7d9432ea4b2499ed14
https://git.kernel.org/stable/c/2fc20f8bcc2b4d31c808a5320506c31aa2cf3834
https://git.kernel.org/stable/c/c677d7ae83141d390d1253abebafa49c962afb52
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: fsl_upm: Fix an off-by one test in fun_exec_op() 'op-cs' is copied in 'fun->mchip_number' which is used to access the 'mchip_offsets' and the 'rnb_gpio' arrays. These arrays have NAND_MAX_CHIPS elements, so the index must be below this limit. Fix the sanity check in order to avoid the NAND_MAX_CHIPS value. This would lead to out-of-bound accesses. 2025-12-24 not yet calculated CVE-2023-54104 https://git.kernel.org/stable/c/1f09d67d390647f83f8f9d26382b0daa43756e6f
https://git.kernel.org/stable/c/eb7a5e4d14c8659cb97db6863316280e15f67209
https://git.kernel.org/stable/c/f4b700c71802c81e6f9dce362ee7a0312c8377ba
https://git.kernel.org/stable/c/49e57caf967a969f6b955c88805f2d160910aa12
https://git.kernel.org/stable/c/c6abce60338aa2080973cd95be0aedad528bb41f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: can: isotp: check CAN address family in isotp_bind() Add missing check to block non-AF_CAN binds. Syzbot created some code which matched the right sockaddr struct size but used AF_XDP (0x2C) instead of AF_CAN (0x1D) in the address family field: bind$xdp(r2, &(0x7f0000000540)={0x2c, 0x0, r4, 0x0, r2}, 0x10) ^^^^ This has no funtional impact but the userspace should be notified about the wrong address family field content. 2025-12-24 not yet calculated CVE-2023-54105 https://git.kernel.org/stable/c/de3c02383aa678f6799402ac47fdd89cf4bfcaa9
https://git.kernel.org/stable/c/2fc6f337257f4f7c21ecff429241f7acaa6df4e8
https://git.kernel.org/stable/c/9427584c2f153d0677ef3bad6f44028c60d728c4
https://git.kernel.org/stable/c/dd4faace51e41a82a8c0770ee0cc26088f9d9d06
https://git.kernel.org/stable/c/c6adf659a8ba85913e16a571d5a9bcd17d3d1234
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/mlx5: fix potential memory leak in mlx5e_init_rep_rx The memory pointed to by the priv->rx_res pointer is not freed in the error path of mlx5e_init_rep_rx, which can lead to a memory leak. Fix by freeing the memory in the error path, thereby making the error path identical to mlx5e_cleanup_rep_rx(). 2025-12-24 not yet calculated CVE-2023-54106 https://git.kernel.org/stable/c/0582a3caaa3e2f7b80bcb113ad3c910eac15a63e
https://git.kernel.org/stable/c/c265d8c2e25546a6b7ee16d36f2bb79b6160c2c3
https://git.kernel.org/stable/c/c6cf0b6097bf1bf1b2a89b521e9ecd26b581a93a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: dropping parent refcount after pd_free_fn() is done Some cgroup policies will access parent pd through child pd even after pd_offline_fn() is done. If pd_free_fn() for parent is called before child, then UAF can be triggered. Hence it's better to guarantee the order of pd_free_fn(). Currently refcount of parent blkg is dropped in __blkg_release(), which is before pd_free_fn() is called in blkg_free_work_fn() while blkg_free_work_fn() is called asynchronously. This patch make sure pd_free_fn() called from removing cgroup is ordered by delaying dropping parent refcount after calling pd_free_fn() for child. BTW, pd_free_fn() will also be called from blkcg_deactivate_policy() from deleting device, and following patches will guarantee the order. 2025-12-24 not yet calculated CVE-2023-54107 https://git.kernel.org/stable/c/c7241babf0855d8a6180cd1743ff0ec34de40b4e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix DMA-API call trace on NVMe LS requests The following message and call trace was seen with debug kernels: DMA-API: qla2xxx 0000:41:00.0: device driver failed to check map error [device address=0x00000002a3ff38d8] [size=1024 bytes] [mapped as single] WARNING: CPU: 0 PID: 2930 at kernel/dma/debug.c:1017 check_unmap+0xf42/0x1990 Call Trace: debug_dma_unmap_page+0xc9/0x100 qla_nvme_ls_unmap+0x141/0x210 [qla2xxx] Remove DMA mapping from the driver altogether, as it is already done by FC layer. This prevents the warning. 2025-12-24 not yet calculated CVE-2023-54108 https://git.kernel.org/stable/c/3a564de3a299856f2cbd289649cea2e20d671a43
https://git.kernel.org/stable/c/e596253113b69b4018818260bd5da40c201bee73
https://git.kernel.org/stable/c/77302fb0e357da666d5249a6e91078feeef3dade
https://git.kernel.org/stable/c/3ee4f1991c54c6707aa9df47e51c02ea25bb63e3
https://git.kernel.org/stable/c/ad6af23593594402c826eefdf43ae174e5f0f202
https://git.kernel.org/stable/c/c75e6aef5039830cce5d4cf764dd204522f89e6b
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: rcar_fdp1: Fix refcount leak in probe and remove function rcar_fcp_get() take reference, which should be balanced with rcar_fcp_put(). Add missing rcar_fcp_put() in fdp1_remove and the error paths of fdp1_probe() to fix this. [hverkuil: resolve merge conflict, remove() is now void] 2025-12-24 not yet calculated CVE-2023-54109 https://git.kernel.org/stable/c/418a8f3140e07f33bbd5a81625d0ef46c0732cef
https://git.kernel.org/stable/c/9df630dafa1a59946d1da6f070d4cb64f14ea57c
https://git.kernel.org/stable/c/1acb982e3616e70128994fdecf2368a259c8a489
https://git.kernel.org/stable/c/2322b262d2205720518785c2706a3283725ba402
https://git.kernel.org/stable/c/45b7461d914c867ef21c74798da8c42d13d3a0df
https://git.kernel.org/stable/c/59c6addfaaaa09ff7654e4d8793cb16fd22a46d4
https://git.kernel.org/stable/c/48765ca7c6b71bf73a4cc8475a4bad9e2633cf61
https://git.kernel.org/stable/c/c766c90faf93897b77c9c5daa603cffab85ba907
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: usb: rndis_host: Secure rndis_query check against int overflow Variables off and len typed as uint32 in rndis_query function are controlled by incoming RNDIS response message thus their value may be manipulated. Setting off to a unexpectetly large value will cause the sum with len and 8 to overflow and pass the implemented validation step. Consequently the response pointer will be referring to a location past the expected buffer boundaries allowing information leakage e.g. via RNDIS_OID_802_3_PERMANENT_ADDRESS OID. 2025-12-24 not yet calculated CVE-2023-54110 https://git.kernel.org/stable/c/55782f6d63a5a3dd3b84c1e0627738fc5b146b4e
https://git.kernel.org/stable/c/02ffb4ecf0614c58e3d0e5bfbe99588c9ddc77c0
https://git.kernel.org/stable/c/ebe6d2fcf7835f98cdbb1bd5e0414be20c321578
https://git.kernel.org/stable/c/232ef345e5d76e5542f430a29658a85dbef07f0b
https://git.kernel.org/stable/c/11cd4ec6359d90b13ffb8f85a9df8637f0cf8d95
https://git.kernel.org/stable/c/39eadaf5611ddd064ad1c53da65c02d2b0fe22a4
https://git.kernel.org/stable/c/a713602807f32afc04add331410c77ef790ef77a
https://git.kernel.org/stable/c/c7dd13805f8b8fc1ce3b6d40f6aff47e66b72ad2
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups of_find_node_by_phandle() returns a node pointer with refcount incremented, We should use of_node_put() on it when not needed anymore. Add missing of_node_put() to avoid refcount leak. 2025-12-24 not yet calculated CVE-2023-54111 https://git.kernel.org/stable/c/aa017ab5716c9157c65fdce061c4a4a568af53a8
https://git.kernel.org/stable/c/5868013522297bf628eee4322d99d6d4de4f308e
https://git.kernel.org/stable/c/954a7a0011d94475f8ba5ceb77a5d11e01cf402f
https://git.kernel.org/stable/c/d562054a3a2eede3507a5461011ee82b671fcb88
https://git.kernel.org/stable/c/0f735f232ff59863e0b6ebac0849d637e215a9c2
https://git.kernel.org/stable/c/dbef00ef4b9b98d15183340396e5df0fa7a860d8
https://git.kernel.org/stable/c/3c40b34e3462aab12af3dba77d2e1602afc72e80
https://git.kernel.org/stable/c/c818ae563bf99457f02e8170aabd6b174f629f65
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: kcm: Fix memory leak in error path of kcm_sendmsg() syzbot reported a memory leak like below: BUG: memory leak unreferenced object 0xffff88810b088c00 (size 240): comm "syz-executor186", pid 5012, jiffies 4294943306 (age 13.680s) hex dump (first 32 bytes): 00 89 08 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff83e5d5ff>] __alloc_skb+0x1ef/0x230 net/core/skbuff.c:634 [<ffffffff84606e59>] alloc_skb include/linux/skbuff.h:1289 [inline] [<ffffffff84606e59>] kcm_sendmsg+0x269/0x1050 net/kcm/kcmsock.c:815 [<ffffffff83e479c6>] sock_sendmsg_nosec net/socket.c:725 [inline] [<ffffffff83e479c6>] sock_sendmsg+0x56/0xb0 net/socket.c:748 [<ffffffff83e47f55>] ____sys_sendmsg+0x365/0x470 net/socket.c:2494 [<ffffffff83e4c389>] ___sys_sendmsg+0xc9/0x130 net/socket.c:2548 [<ffffffff83e4c536>] __sys_sendmsg+0xa6/0x120 net/socket.c:2577 [<ffffffff84ad7bb8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<ffffffff84ad7bb8>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd In kcm_sendmsg(), kcm_tx_msg(head)->last_skb is used as a cursor to append newly allocated skbs to 'head'. If some bytes are copied, an error occurred, and jumped to out_error label, 'last_skb' is left unmodified. A later kcm_sendmsg() will use an obsoleted 'last_skb' reference, corrupting the 'head' frag_list and causing the leak. This patch fixes this issue by properly updating the last allocated skb in 'last_skb'. 2025-12-24 not yet calculated CVE-2023-54112 https://git.kernel.org/stable/c/8dc7eb757b1652b82725f32e0c89a1e9f6c0e13b
https://git.kernel.org/stable/c/5e5554389397e98fafb9efe395d8b4830dd5f042
https://git.kernel.org/stable/c/479c71cda14b3c3a6515773faa39055333eaa2b7
https://git.kernel.org/stable/c/33db24ad811b3576a0c2f8862506763f2be925b0
https://git.kernel.org/stable/c/97275339c34cfbccd65e87bc38fd910ae66c48ba
https://git.kernel.org/stable/c/16989de75497574b5fafd174c0c233d5a86858b7
https://git.kernel.org/stable/c/af8085e0fc3207ecbf8b9e7a635c790e36d058c6
https://git.kernel.org/stable/c/c821a88bd720b0046433173185fd841a100d44ad
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: rcu: dump vmalloc memory info safely Currently, for double invoke call_rcu(), will dump rcu_head objects memory info, if the objects is not allocated from the slab allocator, the vmalloc_dump_obj() will be invoke and the vmap_area_lock spinlock need to be held, since the call_rcu() can be invoked in interrupt context, therefore, there is a possibility of spinlock deadlock scenarios. And in Preempt-RT kernel, the rcutorture test also trigger the following lockdep warning: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0 preempt_count: 1, expected: 0 RCU nest depth: 1, expected: 1 3 locks held by swapper/0/1: #0: ffffffffb534ee80 (fullstop_mutex){+.+.}-{4:4}, at: torture_init_begin+0x24/0xa0 #1: ffffffffb5307940 (rcu_read_lock){....}-{1:3}, at: rcu_torture_init+0x1ec7/0x2370 #2: ffffffffb536af40 (vmap_area_lock){+.+.}-{3:3}, at: find_vmap_area+0x1f/0x70 irq event stamp: 565512 hardirqs last enabled at (565511): [<ffffffffb379b138>] __call_rcu_common+0x218/0x940 hardirqs last disabled at (565512): [<ffffffffb5804262>] rcu_torture_init+0x20b2/0x2370 softirqs last enabled at (399112): [<ffffffffb36b2586>] __local_bh_enable_ip+0x126/0x170 softirqs last disabled at (399106): [<ffffffffb43fef59>] inet_register_protosw+0x9/0x1d0 Preemption disabled at: [<ffffffffb58040c3>] rcu_torture_init+0x1f13/0x2370 CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.5.0-rc4-rt2-yocto-preempt-rt+ #15 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x68/0xb0 dump_stack+0x14/0x20 __might_resched+0x1aa/0x280 ? __pfx_rcu_torture_err_cb+0x10/0x10 rt_spin_lock+0x53/0x130 ? find_vmap_area+0x1f/0x70 find_vmap_area+0x1f/0x70 vmalloc_dump_obj+0x20/0x60 mem_dump_obj+0x22/0x90 __call_rcu_common+0x5bf/0x940 ? debug_smp_processor_id+0x1b/0x30 call_rcu_hurry+0x14/0x20 rcu_torture_init+0x1f82/0x2370 ? __pfx_rcu_torture_leak_cb+0x10/0x10 ? __pfx_rcu_torture_leak_cb+0x10/0x10 ? __pfx_rcu_torture_init+0x10/0x10 do_one_initcall+0x6c/0x300 ? debug_smp_processor_id+0x1b/0x30 kernel_init_freeable+0x2b9/0x540 ? __pfx_kernel_init+0x10/0x10 kernel_init+0x1f/0x150 ret_from_fork+0x40/0x50 ? __pfx_kernel_init+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> The previous patch fixes this by using the deadlock-safe best-effort version of find_vm_area. However, in case of failure print the fact that the pointer was a vmalloc pointer so that we print at least something. 2025-12-24 not yet calculated CVE-2023-54113 https://git.kernel.org/stable/c/0a22f9c17b1aa2a35b5eedee928f7841595b55cd
https://git.kernel.org/stable/c/3f7a4e88e40e38c0b16a4bcb599b7b1d8c81440d
https://git.kernel.org/stable/c/dddca4c46ec92f83449bc91dd199f46a89e066be
https://git.kernel.org/stable/c/8fb1601ec0a2c4c34fc2170af767e5c2a6400573
https://git.kernel.org/stable/c/c83ad36a18c02c0f51280b50272327807916987f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment() As the call trace shows, skb_panic was caused by wrong skb->mac_header in nsh_gso_segment(): invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1 RIP: 0010:skb_panic+0xda/0xe0 call Trace: skb_push+0x91/0xa0 nsh_gso_segment+0x4f3/0x570 skb_mac_gso_segment+0x19e/0x270 __skb_gso_segment+0x1e8/0x3c0 validate_xmit_skb+0x452/0x890 validate_xmit_skb_list+0x99/0xd0 sch_direct_xmit+0x294/0x7c0 __dev_queue_xmit+0x16f0/0x1d70 packet_xmit+0x185/0x210 packet_snd+0xc15/0x1170 packet_sendmsg+0x7b/0xa0 sock_sendmsg+0x14f/0x160 The root cause is: nsh_gso_segment() use skb->network_header - nhoff to reset mac_header in skb_gso_error_unwind() if inner-layer protocol gso fails. However, skb->network_header may be reset by inner-layer protocol gso function e.g. mpls_gso_segment. skb->mac_header reset by the inaccurate network_header will be larger than skb headroom. nsh_gso_segment nhoff = skb->network_header - skb->mac_header; __skb_pull(skb,nsh_len) skb_mac_gso_segment mpls_gso_segment skb_reset_network_header(skb);//skb->network_header+=nsh_len return -EINVAL; skb_gso_error_unwind skb_push(skb, nsh_len); skb->mac_header = skb->network_header - nhoff; // skb->mac_header > skb->headroom, cause skb_push panic Use correct mac_offset to restore mac_header and get rid of nhoff. 2025-12-24 not yet calculated CVE-2023-54114 https://git.kernel.org/stable/c/2f88c8d38ecf5ed0273f99a067246899ba499eb2
https://git.kernel.org/stable/c/d2309e0cb27b6871b273fbc1725e93be62570d86
https://git.kernel.org/stable/c/435855b0831b351cb72cb38369ee33122ce9574c
https://git.kernel.org/stable/c/02b20e0bc0c2628539e9e518dc342787c3332de2
https://git.kernel.org/stable/c/cdd8160dcda1fed2028a5f96575a84afc23aff7d
https://git.kernel.org/stable/c/6fbedf987b6b8ed54a50e2205d998eb2c8be72f9
https://git.kernel.org/stable/c/cb38e62922aa3991793344b5a5870e7291c74a44
https://git.kernel.org/stable/c/c83b49383b595be50647f0c764a48c78b5f3c4f8
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: pcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db() When nonstatic_release_resource_db() frees all resources associated with an PCMCIA socket, it forgets to free socket_data too, causing a memory leak observable with kmemleak: unreferenced object 0xc28d1000 (size 64): comm "systemd-udevd", pid 297, jiffies 4294898478 (age 194.484s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 f0 85 0e c3 00 00 00 00 ................ 00 00 00 00 0c 10 8d c2 00 00 00 00 00 00 00 00 ................ backtrace: [<ffda4245>] __kmem_cache_alloc_node+0x2d7/0x4a0 [<7e51f0c8>] kmalloc_trace+0x31/0xa4 [<d52b4ca0>] nonstatic_init+0x24/0x1a4 [pcmcia_rsrc] [<a2f13e08>] pcmcia_register_socket+0x200/0x35c [pcmcia_core] [<a728be1b>] yenta_probe+0x4d8/0xa70 [yenta_socket] [<c48fac39>] pci_device_probe+0x99/0x194 [<84b7c690>] really_probe+0x181/0x45c [<8060fe6e>] __driver_probe_device+0x75/0x1f4 [<b9b76f43>] driver_probe_device+0x28/0xac [<648b766f>] __driver_attach+0xeb/0x1e4 [<6e9659eb>] bus_for_each_dev+0x61/0xb4 [<25a669f3>] driver_attach+0x1e/0x28 [<d8671d6b>] bus_add_driver+0x102/0x20c [<df0d323c>] driver_register+0x5b/0x120 [<942cd8a4>] __pci_register_driver+0x44/0x4c [<e536027e>] __UNIQUE_ID___addressable_cleanup_module188+0x1c/0xfffff000 [iTCO_vendor_support] Fix this by freeing socket_data too. Tested on a Acer Travelmate 4002WLMi by manually binding/unbinding the yenta_cardbus driver (yenta_socket). 2025-12-24 not yet calculated CVE-2023-54115 https://git.kernel.org/stable/c/bde0b6da7bd893c37afaee3555cc3ac3be582313
https://git.kernel.org/stable/c/2d45e2be0be35a3d66863563ed2591ee18a6897e
https://git.kernel.org/stable/c/22100df1d57f04cf2370d5347b9ef547f481deea
https://git.kernel.org/stable/c/04bb8af40a7729c398ed4caea7e66cedd2881719
https://git.kernel.org/stable/c/97fd1c8e9c5aa833aab7e836760bc13103afa892
https://git.kernel.org/stable/c/e8a80cf06b4bb0396212289d651b384c949f09d0
https://git.kernel.org/stable/c/fd53a1f28faba2c4806c055e706a7721006291c1
https://git.kernel.org/stable/c/c85fd9422fe0f5d667305efb27f56d09eab120b0
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/fbdev-generic: prohibit potential out-of-bounds access The fbdev test of IGT may write after EOF, which lead to out-of-bound access for drm drivers with fbdev-generic. For example, run fbdev test on a x86+ast2400 platform, with 1680x1050 resolution, will cause the linux kernel hang with the following call trace: Oops: 0000 [#1] PREEMPT SMP PTI [IGT] fbdev: starting subtest eof Workqueue: events drm_fb_helper_damage_work [drm_kms_helper] [IGT] fbdev: starting subtest nullptr RIP: 0010:memcpy_erms+0xa/0x20 RSP: 0018:ffffa17d40167d98 EFLAGS: 00010246 RAX: ffffa17d4eb7fa80 RBX: ffffa17d40e0aa80 RCX: 00000000000014c0 RDX: 0000000000001a40 RSI: ffffa17d40e0b000 RDI: ffffa17d4eb80000 RBP: ffffa17d40167e20 R08: 0000000000000000 R09: ffff89522ecff8c0 R10: ffffa17d4e4c5000 R11: 0000000000000000 R12: ffffa17d4eb7fa80 R13: 0000000000001a40 R14: 000000000000041a R15: ffffa17d40167e30 FS: 0000000000000000(0000) GS:ffff895257380000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffa17d40e0b000 CR3: 00000001eaeca006 CR4: 00000000001706e0 Call Trace: <TASK> ? drm_fbdev_generic_helper_fb_dirty+0x207/0x330 [drm_kms_helper] drm_fb_helper_damage_work+0x8f/0x170 [drm_kms_helper] process_one_work+0x21f/0x430 worker_thread+0x4e/0x3c0 ? __pfx_worker_thread+0x10/0x10 kthread+0xf4/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 </TASK> CR2: ffffa17d40e0b000 ---[ end trace 0000000000000000 ]--- The is because damage rectangles computed by drm_fb_helper_memory_range_to_clip() function is not guaranteed to be bound in the screen's active display area. Possible reasons are: 1) Buffers are allocated in the granularity of page size, for mmap system call support. The shadow screen buffer consumed by fbdev emulation may also choosed be page size aligned. 2) The DIV_ROUND_UP() used in drm_fb_helper_memory_range_to_clip() will introduce off-by-one error. For example, on a 16KB page size system, in order to store a 1920x1080 XRGB framebuffer, we need allocate 507 pages. Unfortunately, the size 1920*1080*4 can not be divided exactly by 16KB. 1920 * 1080 * 4 = 8294400 bytes 506 * 16 * 1024 = 8290304 bytes 507 * 16 * 1024 = 8306688 bytes line_length = 1920*4 = 7680 bytes 507 * 16 * 1024 / 7680 = 1081.6 off / line_length = 507 * 16 * 1024 / 7680 = 1081 DIV_ROUND_UP(507 * 16 * 1024, 7680) will yeild 1082 memcpy_toio() typically issue the copy line by line, when copy the last line, out-of-bound access will be happen. Because: 1082 * line_length = 1082 * 7680 = 8309760, and 8309760 > 8306688 Note that userspace may still write to the invisiable area if a larger buffer than width x stride is exposed. But it is not a big issue as long as there still have memory resolve the access if not drafting so far. - Also limit the y1 (Daniel) - keep fix patch it to minimal (Daniel) - screen_size is page size aligned because of it need mmap (Thomas) - Adding fixes tag (Thomas) 2025-12-24 not yet calculated CVE-2023-54116 https://git.kernel.org/stable/c/efd2821b8abeccb6b51423002e2a62921481a26e
https://git.kernel.org/stable/c/251653fa974ea551a15d16cacfed7cde68cc7f87
https://git.kernel.org/stable/c/c8687694bb1f5c48134f152f8c5c2e53483eb99d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: s390/dcssblk: fix kernel crash with list_add corruption Commit fb08a1908cb1 ("dax: simplify the dax_device <-> gendisk association") introduced new logic for gendisk association, requiring drivers to explicitly call dax_add_host() and dax_remove_host(). For dcssblk driver, some dax_remove_host() calls were missing, e.g. in device remove path. The commit also broke error handling for out_dax case in device add path, resulting in an extra put_device() w/o the previous get_device() in that case. This lead to stale xarray entries after device add / remove cycles. In the case when a previously used struct gendisk pointer (xarray index) would be used again, because blk_alloc_disk() happened to return such a pointer, the xa_insert() in dax_add_host() would fail and go to out_dax, doing the extra put_device() in the error path. In combination with an already flawed error handling in dcssblk (device_register() cleanup), which needs to be addressed in a separate patch, this resulted in a missing device_del() / klist_del(), and eventually in the kernel crash with list_add corruption on a subsequent device_add() / klist_add(). Fix this by adding the missing dax_remove_host() calls, and also move the put_device() in the error path to restore the previous logic. 2025-12-24 not yet calculated CVE-2023-54117 https://git.kernel.org/stable/c/6489ec0107860345bc57dcde39e63dfb05ac5c11
https://git.kernel.org/stable/c/b7ad75c77349beb4983b9f27108d9b3f33ae1413
https://git.kernel.org/stable/c/b5c531a9a7d8e047c90c909f09cef06a9f8e62f4
https://git.kernel.org/stable/c/c8f40a0bccefd613748d080147469a4652d6e74c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: serial: sc16is7xx: setup GPIO controller later in probe The GPIO controller component of the sc16is7xx driver is setup too early, which can result in a race condition where another device tries to utilise the GPIO lines before the sc16is7xx device has finished initialising. This issue manifests itself as an Oops when the GPIO lines are configured: Unable to handle kernel read from unreadable memory at virtual address ... pc : sc16is7xx_gpio_direction_output+0x68/0x108 [sc16is7xx] lr : sc16is7xx_gpio_direction_output+0x4c/0x108 [sc16is7xx] ... Call trace: sc16is7xx_gpio_direction_output+0x68/0x108 [sc16is7xx] gpiod_direction_output_raw_commit+0x64/0x318 gpiod_direction_output+0xb0/0x170 create_gpio_led+0xec/0x198 gpio_led_probe+0x16c/0x4f0 platform_drv_probe+0x5c/0xb0 really_probe+0xe8/0x448 driver_probe_device+0xe8/0x138 __device_attach_driver+0x94/0x118 bus_for_each_drv+0x8c/0xe0 __device_attach+0x100/0x1b8 device_initial_probe+0x28/0x38 bus_probe_device+0xa4/0xb0 deferred_probe_work_func+0x90/0xe0 process_one_work+0x1c4/0x480 worker_thread+0x54/0x430 kthread+0x138/0x150 ret_from_fork+0x10/0x1c This patch moves the setup of the GPIO controller functions to later in the probe function, ensuring the sc16is7xx device has already finished initialising by the time other devices try to make use of the GPIO lines. The error handling has also been reordered to reflect the new initialisation order. 2025-12-24 not yet calculated CVE-2023-54118 https://git.kernel.org/stable/c/17b96b5c19bec791b433890549e44ca523dc82aa
https://git.kernel.org/stable/c/49b326ce8a686428d8cbb82ed74fc88ed3f95a51
https://git.kernel.org/stable/c/f57c2164d082a36d177ab7fbf54c18970df89c22
https://git.kernel.org/stable/c/b71ff206707855ce73c04794c76f7b678b2d4f72
https://git.kernel.org/stable/c/c8f71b49ee4d28930c4a6798d1969fa91dc4ef3e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: inotify: Avoid reporting event with invalid wd When inotify_freeing_mark() races with inotify_handle_inode_event() it can happen that inotify_handle_inode_event() sees that i_mark->wd got already reset to -1 and reports this value to userspace which can confuse the inotify listener. Avoid the problem by validating that wd is sensible (and pretend the mark got removed before the event got generated otherwise). 2025-12-24 not yet calculated CVE-2023-54119 https://git.kernel.org/stable/c/8fb33166aed888769ea63d6af49515893f8a1f14
https://git.kernel.org/stable/c/2d65c97777e5b4a845637800d5d7b648f5772106
https://git.kernel.org/stable/c/17ad86d8c12220de97e80d88b5b4c934a40e1812
https://git.kernel.org/stable/c/145f54ea336b06cf4f92eeee996f2ffca939ea43
https://git.kernel.org/stable/c/fb3294998489d39835006240e9c6e6b2ac62022e
https://git.kernel.org/stable/c/a48bacee05860c6089c3482bcdc80720b0ee5732
https://git.kernel.org/stable/c/c915d8f5918bea7c3962b09b8884ca128bfd9b0c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix race condition in hidp_session_thread There is a potential race condition in hidp_session_thread that may lead to use-after-free. For instance, the timer is active while hidp_del_timer is called in hidp_session_thread(). After hidp_session_put, then 'session' will be freed, causing kernel panic when hidp_idle_timeout is running. The solution is to use del_timer_sync instead of del_timer. Here is the call trace: ? hidp_session_probe+0x780/0x780 call_timer_fn+0x2d/0x1e0 __run_timers.part.0+0x569/0x940 hidp_session_probe+0x780/0x780 call_timer_fn+0x1e0/0x1e0 ktime_get+0x5c/0xf0 lapic_next_deadline+0x2c/0x40 clockevents_program_event+0x205/0x320 run_timer_softirq+0xa9/0x1b0 __do_softirq+0x1b9/0x641 __irq_exit_rcu+0xdc/0x190 irq_exit_rcu+0xe/0x20 sysvec_apic_timer_interrupt+0xa1/0xc0 2025-12-24 not yet calculated CVE-2023-54120 https://git.kernel.org/stable/c/152f47bd6b995e0e98c85672f6d19894bc287ef2
https://git.kernel.org/stable/c/5f3d214d19899183d4e0cce7552998262112e4ab
https://git.kernel.org/stable/c/8a99e6200c38b78a45dcd12a6bdc43fdf4dc36be
https://git.kernel.org/stable/c/f7ec5ca433ceead8d9d78fd2febff094f289441d
https://git.kernel.org/stable/c/0efb276d5848a3accc37c6f41b85e442c4768169
https://git.kernel.org/stable/c/f6719fd8f409fa1da8dc956e93822d25e1e8b360
https://git.kernel.org/stable/c/248af9feca062a4ca9c3f2ccf67056c8a5eb817f
https://git.kernel.org/stable/c/c95930abd687fcd1aa040dc4fe90dff947916460
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: fix incorrect splitting in btrfs_drop_extent_map_range In production we were seeing a variety of WARN_ON()'s in the extent_map code, specifically in btrfs_drop_extent_map_range() when we have to call add_extent_mapping() for our second split. Consider the following extent map layout PINNED [0 16K) [32K, 48K) and then we call btrfs_drop_extent_map_range for [0, 36K), with skip_pinned == true. The initial loop will have start = 0 end = 36K len = 36K we will find the [0, 16k) extent, but since we are pinned we will skip it, which has this code start = em_end; if (end != (u64)-1) len = start + len - em_end; em_end here is 16K, so now the values are start = 16K len = 16K + 36K - 16K = 36K len should instead be 20K. This is a problem when we find the next extent at [32K, 48K), we need to split this extent to leave [36K, 48k), however the code for the split looks like this split->start = start + len; split->len = em_end - (start + len); In this case we have em_end = 48K split->start = 16K + 36K // this should be 16K + 20K split->len = 48K - (16K + 36K) // this overflows as 16K + 36K is 52K and now we have an invalid extent_map in the tree that potentially overlaps other entries in the extent map. Even in the non-overlapping case we will have split->start set improperly, which will cause problems with any block related calculations. We don't actually need len in this loop, we can simply use end as our end point, and only adjust start up when we find a pinned extent we need to skip. Adjust the logic to do this, which keeps us from inserting an invalid extent map. We only skip_pinned in the relocation case, so this is relatively rare, except in the case where you are running relocation a lot, which can happen with auto relocation on. 2025-12-24 not yet calculated CVE-2023-54121 https://git.kernel.org/stable/c/9f68e2105dd96cf0fafffffafb2337fbd0fbae1f
https://git.kernel.org/stable/c/b43a4c99d878cf5e59040e45c96bb0a8358bfb3b
https://git.kernel.org/stable/c/c962098ca4af146f2625ed64399926a098752c9c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Add check for cstate As kzalloc may fail and return NULL pointer, it should be better to check cstate in order to avoid the NULL pointer dereference in __drm_atomic_helper_crtc_reset. Patchwork: https://patchwork.freedesktop.org/patch/514163/ 2025-12-24 not yet calculated CVE-2023-54122 https://git.kernel.org/stable/c/a6afb8293ec0932f4ed0b7aecfc0ccc00f44dc2b
https://git.kernel.org/stable/c/31f2f8de0ea7387cde18a24f94ba5e0b886b9842
https://git.kernel.org/stable/c/d4ba50614cb3f0686bbdb505af685d78e75861dc
https://git.kernel.org/stable/c/42442d42c57b9fbc35cb5ef72c7e5347c5f7d082
https://git.kernel.org/stable/c/a52e5a002d18bffabff66f6f59a74f8e9aac5afe
https://git.kernel.org/stable/c/c96988b7d99327bb08bd9efd29a203b22cd88ace
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix memleak for 'conf->bio_split' In the error path of raid10_run(), 'conf' need be freed, however, 'conf->bio_split' is missed and memory will be leaked. Since there are 3 places to free 'conf', factor out a helper to fix the problem. 2025-12-24 not yet calculated CVE-2023-54123 https://git.kernel.org/stable/c/133008af833b4f2e021d2c294c29c70364a3f0ba
https://git.kernel.org/stable/c/b6460f68c1cc95a80d089af402be501619f228e4
https://git.kernel.org/stable/c/6361b0592b46c465ac926c1f3105d66c30d9658b
https://git.kernel.org/stable/c/7f673fa34c0e3f95ee951a1bbf61791164871d2e
https://git.kernel.org/stable/c/b21019a220d9cac08819bb6c63000de9ee61eb9e
https://git.kernel.org/stable/c/5cba3e26c073b535e4e3b825ea481fb29c53943b
https://git.kernel.org/stable/c/e2fec8d95353a48634b085011626ba3ec8ab8b1c
https://git.kernel.org/stable/c/c9ac2acde53f5385de185bccf6aaa91cf9ac1541
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to drop all dirty pages during umount() if cp_error is set xfstest generic/361 reports a bug as below: f2fs_bug_on(sbi, sbi->fsync_node_num); kernel BUG at fs/f2fs/super.c:1627! RIP: 0010:f2fs_put_super+0x3a8/0x3b0 Call Trace: generic_shutdown_super+0x8c/0x1b0 kill_block_super+0x2b/0x60 kill_f2fs_super+0x87/0x110 deactivate_locked_super+0x39/0x80 deactivate_super+0x46/0x50 cleanup_mnt+0x109/0x170 __cleanup_mnt+0x16/0x20 task_work_run+0x65/0xa0 exit_to_user_mode_prepare+0x175/0x190 syscall_exit_to_user_mode+0x25/0x50 do_syscall_64+0x4c/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc During umount(), if cp_error is set, f2fs_wait_on_all_pages() should not stop waiting all F2FS_WB_CP_DATA pages to be writebacked, otherwise, fsync_node_num can be non-zero after f2fs_wait_on_all_pages() causing this bug. In this case, to avoid deadloop in f2fs_wait_on_all_pages(), it needs to drop all dirty pages rather than redirtying them. 2025-12-24 not yet calculated CVE-2023-54124 https://git.kernel.org/stable/c/92575f05a32dafb16348bfa5e62478118a9be069
https://git.kernel.org/stable/c/4ceedc2f8bdffb82e40b7d1bb912304f8e157cb1
https://git.kernel.org/stable/c/ad87bd313f70b51e48019d5ce2d02d73152356b3
https://git.kernel.org/stable/c/d8f4ad5f3979dbd8e6251259562f12472717883a
https://git.kernel.org/stable/c/7741ddc882a0c806a6508ba8203c55a779db7a21
https://git.kernel.org/stable/c/82c3d6e9db41cbd3af1d4f90bdb441740b5fad10
https://git.kernel.org/stable/c/c9b3649a934d131151111354bcbb638076f03a30
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Return error for inconsistent extended attributes ntfs_read_ea is called when we want to read extended attributes. There are some sanity checks for the validity of the EAs. However, it fails to return a proper error code for the inconsistent attributes, which might lead to unpredicted memory accesses after return. [ 138.916927] BUG: KASAN: use-after-free in ntfs_set_ea+0x453/0xbf0 [ 138.923876] Write of size 4 at addr ffff88800205cfac by task poc/199 [ 138.931132] [ 138.933016] CPU: 0 PID: 199 Comm: poc Not tainted 6.2.0-rc1+ #4 [ 138.938070] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 138.947327] Call Trace: [ 138.949557] <TASK> [ 138.951539] dump_stack_lvl+0x4d/0x67 [ 138.956834] print_report+0x16f/0x4a6 [ 138.960798] ? ntfs_set_ea+0x453/0xbf0 [ 138.964437] ? kasan_complete_mode_report_info+0x7d/0x200 [ 138.969793] ? ntfs_set_ea+0x453/0xbf0 [ 138.973523] kasan_report+0xb8/0x140 [ 138.976740] ? ntfs_set_ea+0x453/0xbf0 [ 138.980578] __asan_store4+0x76/0xa0 [ 138.984669] ntfs_set_ea+0x453/0xbf0 [ 138.988115] ? __pfx_ntfs_set_ea+0x10/0x10 [ 138.993390] ? kernel_text_address+0xd3/0xe0 [ 138.998270] ? __kernel_text_address+0x16/0x50 [ 139.002121] ? unwind_get_return_address+0x3e/0x60 [ 139.005659] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 139.010177] ? arch_stack_walk+0xa2/0x100 [ 139.013657] ? filter_irq_stacks+0x27/0x80 [ 139.017018] ntfs_setxattr+0x405/0x440 [ 139.022151] ? __pfx_ntfs_setxattr+0x10/0x10 [ 139.026569] ? kvmalloc_node+0x2d/0x120 [ 139.030329] ? kasan_save_stack+0x41/0x60 [ 139.033883] ? kasan_save_stack+0x2a/0x60 [ 139.037338] ? kasan_set_track+0x29/0x40 [ 139.040163] ? kasan_save_alloc_info+0x1f/0x30 [ 139.043588] ? __kasan_kmalloc+0x8b/0xa0 [ 139.047255] ? __kmalloc_node+0x68/0x150 [ 139.051264] ? kvmalloc_node+0x2d/0x120 [ 139.055301] ? vmemdup_user+0x2b/0xa0 [ 139.058584] __vfs_setxattr+0x121/0x170 [ 139.062617] ? __pfx___vfs_setxattr+0x10/0x10 [ 139.066282] __vfs_setxattr_noperm+0x97/0x300 [ 139.070061] __vfs_setxattr_locked+0x145/0x170 [ 139.073580] vfs_setxattr+0x137/0x2a0 [ 139.076641] ? __pfx_vfs_setxattr+0x10/0x10 [ 139.080223] ? __kasan_check_write+0x18/0x20 [ 139.084234] do_setxattr+0xce/0x150 [ 139.087768] setxattr+0x126/0x140 [ 139.091250] ? __pfx_setxattr+0x10/0x10 [ 139.094948] ? __virt_addr_valid+0xcb/0x140 [ 139.097838] ? __call_rcu_common.constprop.0+0x1c7/0x330 [ 139.102688] ? debug_smp_processor_id+0x1b/0x30 [ 139.105985] ? kasan_quarantine_put+0x5b/0x190 [ 139.109980] ? putname+0x84/0xa0 [ 139.113886] ? __kasan_slab_free+0x11e/0x1b0 [ 139.117961] ? putname+0x84/0xa0 [ 139.121316] ? preempt_count_sub+0x1c/0xd0 [ 139.124427] ? __mnt_want_write+0xae/0x100 [ 139.127836] ? mnt_want_write+0x8f/0x150 [ 139.130954] path_setxattr+0x164/0x180 [ 139.133998] ? __pfx_path_setxattr+0x10/0x10 [ 139.137853] ? __pfx_ksys_pwrite64+0x10/0x10 [ 139.141299] ? debug_smp_processor_id+0x1b/0x30 [ 139.145714] ? fpregs_assert_state_consistent+0x6b/0x80 [ 139.150796] __x64_sys_setxattr+0x71/0x90 [ 139.155407] do_syscall_64+0x3f/0x90 [ 139.159035] entry_SYSCALL_64_after_hwframe+0x72/0xdc [ 139.163843] RIP: 0033:0x7f108cae4469 [ 139.166481] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088 [ 139.183764] RSP: 002b:00007fff87588388 EFLAGS: 00000286 ORIG_RAX: 00000000000000bc [ 139.190657] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f108cae4469 [ 139.196586] RDX: 00007fff875883b0 RSI: 00007fff875883d1 RDI: 00007fff875883b6 [ 139.201716] RBP: 00007fff8758c530 R08: 0000000000000001 R09: 00007fff8758c618 [ 139.207940] R10: 0000000000000006 R11: 0000000000000286 R12: 00000000004004c0 [ 139.214007] R13: 00007fff8758c610 R14: 0000000000000000 R15 ---truncated--- 2025-12-24 not yet calculated CVE-2023-54125 https://git.kernel.org/stable/c/1474098b590a426d90f27bb992f17c326e0b60c1
https://git.kernel.org/stable/c/c9db0ff04649aa0b45f497183c957fe260f229f6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: crypto: safexcel - Cleanup ring IRQ workqueues on load failure A failure loading the safexcel driver results in the following warning on boot, because the IRQ affinity has not been correctly cleaned up. Ensure we clean up the affinity and workqueues on a failure to load the driver. crypto-safexcel: probe of f2800000.crypto failed with error -2 ------------[ cut here ]------------ WARNING: CPU: 1 PID: 232 at kernel/irq/manage.c:1913 free_irq+0x300/0x340 Modules linked in: hwmon mdio_i2c crypto_safexcel(+) md5 sha256_generic libsha256 authenc libdes omap_rng rng_core nft_masq nft_nat nft_chain_nat nf_nat nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables libcrc32c nfnetlink fuse autofs4 CPU: 1 PID: 232 Comm: systemd-udevd Tainted: G W 6.1.6-00002-g9d4898824677 #3 Hardware name: MikroTik RB5009 (DT) pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : free_irq+0x300/0x340 lr : free_irq+0x2e0/0x340 sp : ffff800008fa3890 x29: ffff800008fa3890 x28: 0000000000000000 x27: 0000000000000000 x26: ffff8000008e6dc0 x25: ffff000009034cac x24: ffff000009034d50 x23: 0000000000000000 x22: 000000000000004a x21: ffff0000093e0d80 x20: ffff000009034c00 x19: ffff00000615fc00 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 000075f5c1584c5e x14: 0000000000000017 x13: 0000000000000000 x12: 0000000000000040 x11: ffff000000579b60 x10: ffff000000579b62 x9 : ffff800008bbe370 x8 : ffff000000579dd0 x7 : 0000000000000000 x6 : ffff000000579e18 x5 : ffff000000579da8 x4 : ffff800008ca0000 x3 : ffff800008ca0188 x2 : 0000000013033204 x1 : ffff000009034c00 x0 : ffff8000087eadf0 Call trace: free_irq+0x300/0x340 devm_irq_release+0x14/0x20 devres_release_all+0xa0/0x100 device_unbind_cleanup+0x14/0x60 really_probe+0x198/0x2d4 __driver_probe_device+0x74/0xdc driver_probe_device+0x3c/0x110 __driver_attach+0x8c/0x190 bus_for_each_dev+0x6c/0xc0 driver_attach+0x20/0x30 bus_add_driver+0x148/0x1fc driver_register+0x74/0x120 __platform_driver_register+0x24/0x30 safexcel_init+0x48/0x1000 [crypto_safexcel] do_one_initcall+0x4c/0x1b0 do_init_module+0x44/0x1cc load_module+0x1724/0x1be4 __do_sys_finit_module+0xbc/0x110 __arm64_sys_finit_module+0x1c/0x24 invoke_syscall+0x44/0x110 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x20/0x80 el0_svc+0x14/0x4c el0t_64_sync_handler+0xb0/0xb4 el0t_64_sync+0x148/0x14c ---[ end trace 0000000000000000 ]--- 2025-12-24 not yet calculated CVE-2023-54126 https://git.kernel.org/stable/c/4f4de392f4926820ec1fd3573a016c704a68893d
https://git.kernel.org/stable/c/0a89d4a075524cf1f865cfdbb9cf38ab8e3e5409
https://git.kernel.org/stable/c/09e177d6f7edd0873a63f51abe914902ec0f4400
https://git.kernel.org/stable/c/4d9d2fd86766ee3ec077c011aa482e85b6c9595c
https://git.kernel.org/stable/c/162f9daf0c22480f88b24fd46d16abae46c10fce
https://git.kernel.org/stable/c/ab573af2655ba509e2a167897de9b5585c2ca44d
https://git.kernel.org/stable/c/ca25c00ccbc5f942c63897ed23584cfc66e8ec81
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount() Syzkaller reported the following issue: ================================================================== BUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline] BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800 Free of addr ffff888086408000 by task syz-executor.4/12750 [...] Call Trace: <TASK> [...] kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482 ____kasan_slab_free+0xfb/0x120 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 slab_free mm/slub.c:3787 [inline] __kmem_cache_free+0x71/0x110 mm/slub.c:3800 dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87 jfs_put_super+0x86/0x190 fs/jfs/super.c:194 generic_shutdown_super+0x130/0x310 fs/super.c:492 kill_block_super+0x79/0xd0 fs/super.c:1386 deactivate_locked_super+0xa7/0xf0 fs/super.c:332 cleanup_mnt+0x494/0x520 fs/namespace.c:1291 task_work_run+0x243/0x300 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171 exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] </TASK> Allocated by task 13352: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:371 [inline] __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380 kmalloc include/linux/slab.h:580 [inline] dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164 jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121 jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556 mount_bdev+0x26c/0x3a0 fs/super.c:1359 legacy_get_tree+0xea/0x180 fs/fs_context.c:610 vfs_get_tree+0x88/0x270 fs/super.c:1489 do_new_mount+0x289/0xad0 fs/namespace.c:3145 do_mount fs/namespace.c:3488 [inline] __do_sys_mount fs/namespace.c:3697 [inline] __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 13352: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 slab_free mm/slub.c:3787 [inline] __kmem_cache_free+0x71/0x110 mm/slub.c:3800 dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247 jfs_remount+0x3db/0x710 fs/jfs/super.c:454 reconfigure_super+0x3bc/0x7b0 fs/super.c:935 vfs_fsconfig_locked fs/fsopen.c:254 [inline] __do_sys_fsconfig fs/fsopen.c:439 [inline] __se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] JFS_SBI(ipbmap->i_sb)->bmap wasn't set to NULL after kfree() in dbUnmount(). Syzkaller uses faultinject to reproduce this KASAN double-free warning. The issue is triggered if either diMount() or dbMount() fail in jfs_remount(), since diUnmount() or dbUnmount() already happened in such a case - they will do double-free on next execution: jfs_umount or jfs_remount. Tested on both upstream and jfs-next by syzkaller. 2025-12-24 not yet calculated CVE-2023-54127 https://git.kernel.org/stable/c/798c5f6f98bc9045593d4b3a65c32f05d97bd0e6
https://git.kernel.org/stable/c/aef6507e85475e30831c30405d785c7ed976ea4a
https://git.kernel.org/stable/c/b12ccbfdf6539ef0157868f69fcae0b7f7a072b3
https://git.kernel.org/stable/c/6f8b34458948ffca2fe90cd8c614e3fa2ebe0b27
https://git.kernel.org/stable/c/aa5b019a3e0f7f54f4e5370c1af827f6b00fd26b
https://git.kernel.org/stable/c/2f7a36448f51d08d3a83f1514abcca4b680bcd3c
https://git.kernel.org/stable/c/f71c4bb3ec08dfcbd201350a6a0a914c4e6a9e3f
https://git.kernel.org/stable/c/cade5397e5461295f3cb87880534b6a07cafa427
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fs: drop peer group ids under namespace lock When cleaning up peer group ids in the failure path we need to make sure to hold on to the namespace lock. Otherwise another thread might just turn the mount from a shared into a non-shared mount concurrently. 2025-12-24 not yet calculated CVE-2023-54128 https://git.kernel.org/stable/c/0af8fae81d8b7f1beddc17c5d4cfa43235134648
https://git.kernel.org/stable/c/ddca03d97daa7b07b60c52e3d3060762732c6666
https://git.kernel.org/stable/c/65c324d3f35c05e37afec39ac80743583fdcc96c
https://git.kernel.org/stable/c/cb2239c198ad9fbd5aced22cf93e45562da781eb
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: octeontx2-af: Add validation for lmac type Upon physical link change, firmware reports to the kernel about the change along with the details like speed, lmac_type_id, etc. Kernel derives lmac_type based on lmac_type_id received from firmware. In a few scenarios, firmware returns an invalid lmac_type_id, which is resulting in below kernel panic. This patch adds the missing validation of the lmac_type_id field. Internal error: Oops: 96000005 [#1] PREEMPT SMP [ 35.321595] Modules linked in: [ 35.328982] CPU: 0 PID: 31 Comm: kworker/0:1 Not tainted 5.4.210-g2e3169d8e1bc-dirty #17 [ 35.337014] Hardware name: Marvell CN103XX board (DT) [ 35.344297] Workqueue: events work_for_cpu_fn [ 35.352730] pstate: 40400089 (nZcv daIf +PAN -UAO) [ 35.360267] pc : strncpy+0x10/0x30 [ 35.366595] lr : cgx_link_change_handler+0x90/0x180 2025-12-24 not yet calculated CVE-2023-54129 https://git.kernel.org/stable/c/83a7f27c5b94e43f29f8216a32790751139aa61e
https://git.kernel.org/stable/c/afd7660c766c4d317feae004e5cd829390bbc4b0
https://git.kernel.org/stable/c/5c0268b141ad612b6fca13d3a66cfda111716dbb
https://git.kernel.org/stable/c/cb5edce271764524b88b1a6866b3e626686d9a33
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling Commit 55d1cbbbb29e ("hfs/hfsplus: use WARN_ON for sanity check") fixed a build warning by turning a comment into a WARN_ON(), but it turns out that syzbot then complains because it can trigger said warning with a corrupted hfs image. The warning actually does warn about a bad situation, but we are much better off just handling it as the error it is. So rather than warn about us doing bad things, stop doing the bad things and return -EIO. While at it, also fix a memory leak that was introduced by an earlier fix for a similar syzbot warning situation, and add a check for one case that historically wasn't handled at all (ie neither comment nor subsequent WARN_ON). 2025-12-24 not yet calculated CVE-2023-54130 https://git.kernel.org/stable/c/cc2164ada548addfa8ee215196661c3afe0c5154
https://git.kernel.org/stable/c/82725be426bce0a425cc5e26fbad61ffd29cff03
https://git.kernel.org/stable/c/da23752d9660ba7a8ca6c5768fd8776f67f59ee7
https://git.kernel.org/stable/c/be01f35efa876eb81cebab2cb0add068b7280ef4
https://git.kernel.org/stable/c/f10defb0be6ac42fb6a97b45920d32da6bd6fde8
https://git.kernel.org/stable/c/90e019006644dad35862cb4aa270f561b0732066
https://git.kernel.org/stable/c/45917be9f0af339a45b4619f31c902d37b8aed59
https://git.kernel.org/stable/c/cb7a95af78d29442b8294683eca4897544b8ef46
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: rt2x00: Fix memory leak when handling surveys When removing a rt2x00 device, its associated channel surveys are not freed, causing a memory leak observable with kmemleak: unreferenced object 0xffff9620f0881a00 (size 512): comm "systemd-udevd", pid 2290, jiffies 4294906974 (age 33.768s) hex dump (first 32 bytes): 70 44 12 00 00 00 00 00 92 8a 00 00 00 00 00 00 pD.............. 00 00 00 00 00 00 00 00 ab 87 01 00 00 00 00 00 ................ backtrace: [<ffffffffb0ed858b>] __kmalloc+0x4b/0x130 [<ffffffffc1b0f29b>] rt2800_probe_hw+0xc2b/0x1380 [rt2800lib] [<ffffffffc1a9496e>] rt2800usb_probe_hw+0xe/0x60 [rt2800usb] [<ffffffffc1ae491a>] rt2x00lib_probe_dev+0x21a/0x7d0 [rt2x00lib] [<ffffffffc1b3b83e>] rt2x00usb_probe+0x1be/0x980 [rt2x00usb] [<ffffffffc05981e2>] usb_probe_interface+0xe2/0x310 [usbcore] [<ffffffffb13be2d5>] really_probe+0x1a5/0x410 [<ffffffffb13be5c8>] __driver_probe_device+0x78/0x180 [<ffffffffb13be6fe>] driver_probe_device+0x1e/0x90 [<ffffffffb13be972>] __driver_attach+0xd2/0x1c0 [<ffffffffb13bbc57>] bus_for_each_dev+0x77/0xd0 [<ffffffffb13bd2a2>] bus_add_driver+0x112/0x210 [<ffffffffb13bfc6c>] driver_register+0x5c/0x120 [<ffffffffc0596ae8>] usb_register_driver+0x88/0x150 [usbcore] [<ffffffffb0c011c4>] do_one_initcall+0x44/0x220 [<ffffffffb0d6134c>] do_init_module+0x4c/0x220 Fix this by freeing the channel surveys on device removal. Tested with a RT3070 based USB wireless adapter. 2025-12-24 not yet calculated CVE-2023-54131 https://git.kernel.org/stable/c/eb77c0c0a17c53d83b5fe8e46490fb0a7ed9e6af
https://git.kernel.org/stable/c/bea3f8aa999318bdffa2d17753e492f76904f0ce
https://git.kernel.org/stable/c/494064ffd60d044c097d514917c40913d1affbca
https://git.kernel.org/stable/c/0354bce76ed1d775904acdb4cc0bf88c5b9b5b9f
https://git.kernel.org/stable/c/cbef9a83c51dfcb07f77cfa6ac26f53a1ea86f49
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: erofs: stop parsing non-compact HEAD index if clusterofs is invalid Syzbot generated a crafted image [1] with a non-compact HEAD index of clusterofs 33024 while valid numbers should be 0 ~ lclustersize-1, which causes the following unexpected behavior as below: BUG: unable to handle page fault for address: fffff52101a3fff9 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 23ffed067 P4D 23ffed067 PUD 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 4398 Comm: kworker/u5:1 Not tainted 6.3.0-rc6-syzkaller-g09a9639e56c0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 Workqueue: erofs_worker z_erofs_decompressqueue_work RIP: 0010:z_erofs_decompress_queue+0xb7e/0x2b40 ... Call Trace: <TASK> z_erofs_decompressqueue_work+0x99/0xe0 process_one_work+0x8f6/0x1170 worker_thread+0xa63/0x1210 kthread+0x270/0x300 ret_from_fork+0x1f/0x30 Note that normal images or images using compact indexes are not impacted. Let's fix this now. [1] https://lore.kernel.org/r/000000000000ec75b005ee97fbaa@google.com 2025-12-24 not yet calculated CVE-2023-54132 https://git.kernel.org/stable/c/880c79bdb002b9d5b6940e52c2ad3829c2178207
https://git.kernel.org/stable/c/7a4579cd6e4936de107c82499c3c9ee11b63401e
https://git.kernel.org/stable/c/060fecf1114ff9fcfe87953fe8c4fc5048777160
https://git.kernel.org/stable/c/7ee7a86e28ce9ead7112286c388df8d254c373c6
https://git.kernel.org/stable/c/f01b2894928affa3339d355608713cf3db8360b8
https://git.kernel.org/stable/c/96a845419b3722869f09883319de4d55c44d9aef
https://git.kernel.org/stable/c/cc4efd3dd2ac9f89143e5d881609747ecff04164
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: nfp: clean mc addresses in application firmware when closing port When moving devices from one namespace to another, mc addresses are cleaned in software while not removed from application firmware. Thus the mc addresses are remained and will cause resource leak. Now use `__dev_mc_unsync` to clean mc addresses when closing port. 2025-12-24 not yet calculated CVE-2023-54133 https://git.kernel.org/stable/c/c427221733d49fd1e1b79b4a86746acf3ef660e7
https://git.kernel.org/stable/c/cc7eab25b1cf3f9594fe61142d3523ce4d14a788
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: autofs: fix memory leak of waitqueues in autofs_catatonic_mode Syzkaller reports a memory leak: BUG: memory leak unreferenced object 0xffff88810b279e00 (size 96): comm "syz-executor399", pid 3631, jiffies 4294964921 (age 23.870s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 08 9e 27 0b 81 88 ff ff ..........'..... 08 9e 27 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ..'............. backtrace: [<ffffffff814cfc90>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046 [<ffffffff81bb75ca>] kmalloc include/linux/slab.h:576 [inline] [<ffffffff81bb75ca>] autofs_wait+0x3fa/0x9a0 fs/autofs/waitq.c:378 [<ffffffff81bb88a7>] autofs_do_expire_multi+0xa7/0x3e0 fs/autofs/expire.c:593 [<ffffffff81bb8c33>] autofs_expire_multi+0x53/0x80 fs/autofs/expire.c:619 [<ffffffff81bb6972>] autofs_root_ioctl_unlocked+0x322/0x3b0 fs/autofs/root.c:897 [<ffffffff81bb6a95>] autofs_root_ioctl+0x25/0x30 fs/autofs/root.c:910 [<ffffffff81602a9c>] vfs_ioctl fs/ioctl.c:51 [inline] [<ffffffff81602a9c>] __do_sys_ioctl fs/ioctl.c:870 [inline] [<ffffffff81602a9c>] __se_sys_ioctl fs/ioctl.c:856 [inline] [<ffffffff81602a9c>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:856 [<ffffffff84608225>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<ffffffff84608225>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 [<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd autofs_wait_queue structs should be freed if their wait_ctr becomes zero. Otherwise they will be lost. In this case an AUTOFS_IOC_EXPIRE_MULTI ioctl is done, then a new waitqueue struct is allocated in autofs_wait(), its initial wait_ctr equals 2. After that wait_event_killable() is interrupted (it returns -ERESTARTSYS), so that 'wq->name.name == NULL' condition may be not satisfied. Actually, this condition can be satisfied when autofs_wait_release() or autofs_catatonic_mode() is called and, what is also important, wait_ctr is decremented in those places. Upon the exit of autofs_wait(), wait_ctr is decremented to 1. Then the unmounting process begins: kill_sb calls autofs_catatonic_mode(), which should have freed the waitqueues, but it only decrements its usage counter to zero which is not a correct behaviour. edit:imk This description is of course not correct. The umount performed as a result of an expire is a umount of a mount that has been automounted, it's not the autofs mount itself. They happen independently, usually after everything mounted within the autofs file system has been expired away. If everything hasn't been expired away the automount daemon can still exit leaving mounts in place. But expires done in both cases will result in a notification that calls autofs_wait_release() with a result status. The problem case is the summary execution of of the automount daemon. In this case any waiting processes won't be woken up until either they are terminated or the mount is umounted. end edit: imk So in catatonic mode we should free waitqueues which counter becomes zero. edit: imk Initially I was concerned that the calling of autofs_wait_release() and autofs_catatonic_mode() was not mutually exclusive but that can't be the case (obviously) because the queue entry (or entries) is removed from the list when either of these two functions are called. Consequently the wait entry will be freed by only one of these functions or by the woken process in autofs_wait() depending on the order of the calls. end edit: imk 2025-12-24 not yet calculated CVE-2023-54134 https://git.kernel.org/stable/c/1985e8eae8627f02e3364690c5fed7af1c46be55
https://git.kernel.org/stable/c/976abbdc120a97049b9133e60fa7b29627d11de4
https://git.kernel.org/stable/c/6079dc77c6f32936e8a6766ee8334ae3c99f4504
https://git.kernel.org/stable/c/69ddafc7a7afd8401bab53eff5af813fa0d368a2
https://git.kernel.org/stable/c/71eeddcad7342292c19042c290c477697acaccab
https://git.kernel.org/stable/c/726deae613bc1b6096ad3b61cc1e63e33330fbc2
https://git.kernel.org/stable/c/696b625f3f85d80fca48c24d2948fbc451e74366
https://git.kernel.org/stable/c/ccbe77f7e45dfb4420f7f531b650c00c6e9c7507
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: maple_tree: fix potential out-of-bounds access in mas_wr_end_piv() Check the write offset end bounds before using it as the offset into the pivot array. This avoids a possible out-of-bounds access on the pivot array if the write extends to the last slot in the node, in which case the node maximum should be used as the end pivot. akpm: this doesn't affect any current callers, but new users of mapletree may encounter this problem if backported into earlier kernels, so let's fix it in -stable kernels in case of this. 2025-12-24 not yet calculated CVE-2023-54135 https://git.kernel.org/stable/c/4e2ad53ababeaac44d71162650984abfe783960c
https://git.kernel.org/stable/c/dc4751bd4aba01ccfc02f91adfeee0ba4cda405c
https://git.kernel.org/stable/c/f5fcf6555a2a4f32947d17b92b173837cc652891
https://git.kernel.org/stable/c/cd00dd2585c4158e81fdfac0bbcc0446afbad26d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: serial: sprd: Fix DMA buffer leak issue Release DMA buffer when _probe() returns failure to avoid memory leak. 2025-12-24 not yet calculated CVE-2023-54136 https://git.kernel.org/stable/c/c65be6ad55e5e45f8c4e40e1d8d7fe0e21b26e77
https://git.kernel.org/stable/c/9a26aaea6c212ea26bab159933dbfd3321a491f6
https://git.kernel.org/stable/c/f34508d934c4f2efb6a85787fc37f42184dabadf
https://git.kernel.org/stable/c/6d209ed70f9c388727995aaece1f930fe63d402b
https://git.kernel.org/stable/c/0237f913694d57bcd7e0e7ae6f255b648a1c42a7
https://git.kernel.org/stable/c/4ee715e54e255b1be65722f715fca939d5c2ca7a
https://git.kernel.org/stable/c/cd119fdc3ee1450fbf7f78862b5de44c42b6e47f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: vfio/type1: fix cap_migration information leak Fix an information leak where an uninitialized hole in struct vfio_iommu_type1_info_cap_migration on the stack is exposed to userspace. The definition of struct vfio_iommu_type1_info_cap_migration contains a hole as shown in this pahole(1) output: struct vfio_iommu_type1_info_cap_migration { struct vfio_info_cap_header header; /* 0 8 */ __u32 flags; /* 8 4 */ /* XXX 4 bytes hole, try to pack */ __u64 pgsize_bitmap; /* 16 8 */ __u64 max_dirty_bitmap_size; /* 24 8 */ /* size: 32, cachelines: 1, members: 4 */ /* sum members: 28, holes: 1, sum holes: 4 */ /* last cacheline: 32 bytes */ }; The cap_mig variable is filled in without initializing the hole: static int vfio_iommu_migration_build_caps(struct vfio_iommu *iommu, struct vfio_info_cap *caps) { struct vfio_iommu_type1_info_cap_migration cap_mig; cap_mig.header.id = VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION; cap_mig.header.version = 1; cap_mig.flags = 0; /* support minimum pgsize */ cap_mig.pgsize_bitmap = (size_t)1 << __ffs(iommu->pgsize_bitmap); cap_mig.max_dirty_bitmap_size = DIRTY_BITMAP_SIZE_MAX; return vfio_info_add_capability(caps, &cap_mig.header, sizeof(cap_mig)); } The structure is then copied to a temporary location on the heap. At this point it's already too late and ioctl(VFIO_IOMMU_GET_INFO) copies it to userspace later: int vfio_info_add_capability(struct vfio_info_cap *caps, struct vfio_info_cap_header *cap, size_t size) { struct vfio_info_cap_header *header; header = vfio_info_cap_add(caps, size, cap->id, cap->version); if (IS_ERR(header)) return PTR_ERR(header); memcpy(header + 1, cap + 1, size - sizeof(*header)); return 0; } This issue was found by code inspection. 2025-12-24 not yet calculated CVE-2023-54137 https://git.kernel.org/stable/c/ad83d83dd891244de0d07678b257dc976db7c132
https://git.kernel.org/stable/c/13fd667db999bffb557c5de7adb3c14f1713dd51
https://git.kernel.org/stable/c/f6f300ecc196d243c02adeb9ee0c62c677c24bfb
https://git.kernel.org/stable/c/cbac29a1caa49a34e131394e1f4d924a76d8b0c9
https://git.kernel.org/stable/c/1b5feb8497cdb5b9962db2700814bffbc030fb4a
https://git.kernel.org/stable/c/cd24e2a60af633f157d7e59c0a6dba64f131c0b1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/msm: fix NULL-deref on irq uninstall In case of early initialisation errors and on platforms that do not use the DPU controller, the deinitilisation code can be called with the kms pointer set to NULL. Patchwork: https://patchwork.freedesktop.org/patch/525104/ 2025-12-24 not yet calculated CVE-2023-54138 https://git.kernel.org/stable/c/e2d1cc82ad509c07a9ab0ab4bf88b6613fbf784b
https://git.kernel.org/stable/c/dd8ce825b165acf997689c5ffa45d6a7a1fc0260
https://git.kernel.org/stable/c/bafa985acff9b0ed53957beff33c18be08d6b9a6
https://git.kernel.org/stable/c/72092e34742e8b34accdadfa7bd9a13cf255a531
https://git.kernel.org/stable/c/cd459c005de3e2b855a8cc7768e633ce9d018e9f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: tracing/user_events: Ensure write index cannot be negative The write index indicates which event the data is for and accesses a per-file array. The index is passed by user processes during write() calls as the first 4 bytes. Ensure that it cannot be negative by returning -EINVAL to prevent out of bounds accesses. Update ftrace self-test to ensure this occurs properly. 2025-12-24 not yet calculated CVE-2023-54139 https://git.kernel.org/stable/c/0489c2b2c3104b89f078dbcec8c744dfc157d3e9
https://git.kernel.org/stable/c/4fe46b5adf18e3dc606e62c9e6a0413398a17572
https://git.kernel.org/stable/c/fa7f2f5d1739452280c22727c4384a52b72ab5de
https://git.kernel.org/stable/c/cd98c93286a30cc4588dfd02453bec63c2f4acf4
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse A syzbot stress test using a corrupted disk image reported that mark_buffer_dirty() called from __nilfs_mark_inode_dirty() or nilfs_palloc_commit_alloc_entry() may output a kernel warning, and can panic if the kernel is booted with panic_on_warn. This is because nilfs2 keeps buffer pointers in local structures for some metadata and reuses them, but such buffers may be forcibly discarded by nilfs_clear_dirty_page() in some critical situations. This issue is reported to appear after commit 28a65b49eb53 ("nilfs2: do not write dirty data after degenerating to read-only"), but the issue has potentially existed before. Fix this issue by checking the uptodate flag when attempting to reuse an internally held buffer, and reloading the metadata instead of reusing the buffer if the flag was lost. 2025-12-24 not yet calculated CVE-2023-54140 https://git.kernel.org/stable/c/473795610594f261e98920f0945550314df36f07
https://git.kernel.org/stable/c/d95e403588738c7ec38f52b9f490b15e7745d393
https://git.kernel.org/stable/c/99a73016a5e12a09586a96f998e91f9ea145cd00
https://git.kernel.org/stable/c/f1d637b63d8a27ac3386f186a694907f2717fc13
https://git.kernel.org/stable/c/b911bef132a06de01a745c6a24172d6db7216333
https://git.kernel.org/stable/c/4da07e958bfda2d69d83db105780e8916e3ac02e
https://git.kernel.org/stable/c/46c11be2dca295742a5508ea910a77f7733fb7f4
https://git.kernel.org/stable/c/b308b3eabc429649b5501d36290cea403fbd746c
https://git.kernel.org/stable/c/cdaac8e7e5a059f9b5e816cda257f08d0abffacd
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: Add missing hw_ops->get_ring_selector() for IPQ5018 During sending data after clients connected, hw_ops->get_ring_selector() will be called. But for IPQ5018, this member isn't set, and the following NULL pointer exception will be occurred: [ 38.840478] 8<--- cut here --- [ 38.840517] Unable to handle kernel NULL pointer dereference at virtual address 00000000 ... [ 38.923161] PC is at 0x0 [ 38.927930] LR is at ath11k_dp_tx+0x70/0x730 [ath11k] ... [ 39.063264] Process hostapd (pid: 1034, stack limit = 0x801ceb3d) [ 39.068994] Stack: (0x856a9a68 to 0x856aa000) ... [ 39.438467] [<7f323804>] (ath11k_dp_tx [ath11k]) from [<7f314e6c>] (ath11k_mac_op_tx+0x80/0x190 [ath11k]) [ 39.446607] [<7f314e6c>] (ath11k_mac_op_tx [ath11k]) from [<7f17dbe0>] (ieee80211_handle_wake_tx_queue+0x7c/0xc0 [mac80211]) [ 39.456162] [<7f17dbe0>] (ieee80211_handle_wake_tx_queue [mac80211]) from [<7f174450>] (ieee80211_probereq_get+0x584/0x704 [mac80211]) [ 39.467443] [<7f174450>] (ieee80211_probereq_get [mac80211]) from [<7f178c40>] (ieee80211_tx_prepare_skb+0x1f8/0x248 [mac80211]) [ 39.479334] [<7f178c40>] (ieee80211_tx_prepare_skb [mac80211]) from [<7f179e28>] (__ieee80211_subif_start_xmit+0x32c/0x3d4 [mac80211]) [ 39.491053] [<7f179e28>] (__ieee80211_subif_start_xmit [mac80211]) from [<7f17af08>] (ieee80211_tx_control_port+0x19c/0x288 [mac80211]) [ 39.502946] [<7f17af08>] (ieee80211_tx_control_port [mac80211]) from [<7f0fc704>] (nl80211_tx_control_port+0x174/0x1d4 [cfg80211]) [ 39.515017] [<7f0fc704>] (nl80211_tx_control_port [cfg80211]) from [<808ceac4>] (genl_rcv_msg+0x154/0x340) [ 39.526814] [<808ceac4>] (genl_rcv_msg) from [<808cdb74>] (netlink_rcv_skb+0xb8/0x11c) [ 39.536446] [<808cdb74>] (netlink_rcv_skb) from [<808ce1d0>] (genl_rcv+0x28/0x34) [ 39.544344] [<808ce1d0>] (genl_rcv) from [<808cd234>] (netlink_unicast+0x174/0x274) [ 39.551895] [<808cd234>] (netlink_unicast) from [<808cd510>] (netlink_sendmsg+0x1dc/0x440) [ 39.559362] [<808cd510>] (netlink_sendmsg) from [<808596e0>] (____sys_sendmsg+0x1a8/0x1fc) [ 39.567697] [<808596e0>] (____sys_sendmsg) from [<8085b1a8>] (___sys_sendmsg+0xa4/0xdc) [ 39.575941] [<8085b1a8>] (___sys_sendmsg) from [<8085b310>] (sys_sendmsg+0x44/0x74) [ 39.583841] [<8085b310>] (sys_sendmsg) from [<80300060>] (ret_fast_syscall+0x0/0x40) ... [ 39.620734] Code: bad PC value [ 39.625869] ---[ end trace 8aef983ad3cbc032 ]--- 2025-12-24 not yet calculated CVE-2023-54141 https://git.kernel.org/stable/c/d1992d72a359732f143cc962917104d193705da7
https://git.kernel.org/stable/c/c36289e3c5e83286974ef68c20c821fd5b63801c
https://git.kernel.org/stable/c/ce282d8de71f07f0056ea319541141152c65f552
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: gtp: Fix use-after-free in __gtp_encap_destroy(). syzkaller reported use-after-free in __gtp_encap_destroy(). [0] It shows the same process freed sk and touched it illegally. Commit e198987e7dd7 ("gtp: fix suspicious RCU usage") added lock_sock() and release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data, but release_sock() is called after sock_put() releases the last refcnt. [0]: BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline] BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 Write of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401 CPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:351 [inline] print_report+0xcc/0x620 mm/kasan/report.c:462 kasan_report+0xb2/0xe0 mm/kasan/report.c:572 check_region_inline mm/kasan/generic.c:181 [inline] kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] do_raw_spin_lock include/linux/spinlock.h:186 [inline] __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:355 [inline] release_sock+0x1f/0x1a0 net/core/sock.c:3526 gtp_encap_disable_sock drivers/net/gtp.c:651 [inline] gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664 gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728 unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841 rtnl_delete_link net/core/rtnetlink.c:3216 [inline] rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268 rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423 netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365 netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg+0x1b7/0x200 net/socket.c:747 ____sys_sendmsg+0x75a/0x990 net/socket.c:2493 ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547 __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7f1168b1fe5d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003 RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000 </TASK> Allocated by task 1483: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x ---truncated--- 2025-12-24 not yet calculated CVE-2023-54142 https://git.kernel.org/stable/c/d38039697184aacff1cf576e14ef583112fdefef
https://git.kernel.org/stable/c/e5aa6d829831a55a693dbaeb58f8d22ba7f2b3e6
https://git.kernel.org/stable/c/9c9662e2512b5e4ee7b03108802c5222e0fa77a4
https://git.kernel.org/stable/c/bccc7ace12e69dee4684a3bb4b69737972e570d6
https://git.kernel.org/stable/c/ebd6d2077a083329110695a996c00e8ca94bc640
https://git.kernel.org/stable/c/17d6b6354f0025b7c10a56da783fd0cbb3819c5d
https://git.kernel.org/stable/c/dae6095bdb24f537b4798ffd9201515b97bac94e
https://git.kernel.org/stable/c/58fa341327fdb4bdf92597fd8796a9abc8d20ea3
https://git.kernel.org/stable/c/ce3aee7114c575fab32a5e9e939d4bbb3dcca79f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: fix resource leaks in vdec_msg_queue_init() If we encounter any error in the vdec_msg_queue_init() then we need to set "msg_queue->wdma_addr.size = 0;". Normally, this is done inside the vdec_msg_queue_deinit() function. However, if the first call to allocate &msg_queue->wdma_addr fails, then the vdec_msg_queue_deinit() function is a no-op. For that situation, just set the size to zero explicitly and return. There were two other error paths which did not clean up before returning. Change those error paths to goto mem_alloc_err. 2025-12-24 not yet calculated CVE-2023-54143 https://git.kernel.org/stable/c/858322c409e0aba8f70810d23f35c482744f007c
https://git.kernel.org/stable/c/b7dbc27301f560c3b915235c53383155b3512083
https://git.kernel.org/stable/c/451dc187cadd47771e5d9434fe220fad7be84057
https://git.kernel.org/stable/c/cf10b0bb503c974ba049d6f888b21178be20a962
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix kernel warning during topology setup This patch fixes the following kernel warning seen during driver load by correctly initializing the p2plink attr before creating the sysfs file: [ +0.002865] ------------[ cut here ]------------ [ +0.002327] kobject: '(null)' (0000000056260cfb): is not initialized, yet kobject_put() is being called. [ +0.004780] WARNING: CPU: 32 PID: 1006 at lib/kobject.c:718 kobject_put+0xaa/0x1c0 [ +0.001361] Call Trace: [ +0.001234] <TASK> [ +0.001067] kfd_remove_sysfs_node_entry+0x24a/0x2d0 [amdgpu] [ +0.003147] kfd_topology_update_sysfs+0x3d/0x750 [amdgpu] [ +0.002890] kfd_topology_add_device+0xbd7/0xc70 [amdgpu] [ +0.002844] ? lock_release+0x13c/0x2e0 [ +0.001936] ? smu_cmn_send_smc_msg_with_param+0x1e8/0x2d0 [amdgpu] [ +0.003313] ? amdgpu_dpm_get_mclk+0x54/0x60 [amdgpu] [ +0.002703] kgd2kfd_device_init.cold+0x39f/0x4ed [amdgpu] [ +0.002930] amdgpu_amdkfd_device_init+0x13d/0x1f0 [amdgpu] [ +0.002944] amdgpu_device_init.cold+0x1464/0x17b4 [amdgpu] [ +0.002970] ? pci_bus_read_config_word+0x43/0x80 [ +0.002380] amdgpu_driver_load_kms+0x15/0x100 [amdgpu] [ +0.002744] amdgpu_pci_probe+0x147/0x370 [amdgpu] [ +0.002522] local_pci_probe+0x40/0x80 [ +0.001896] work_for_cpu_fn+0x10/0x20 [ +0.001892] process_one_work+0x26e/0x5a0 [ +0.002029] worker_thread+0x1fd/0x3e0 [ +0.001890] ? process_one_work+0x5a0/0x5a0 [ +0.002115] kthread+0xea/0x110 [ +0.001618] ? kthread_complete_and_exit+0x20/0x20 [ +0.002422] ret_from_fork+0x1f/0x30 [ +0.001808] </TASK> [ +0.001103] irq event stamp: 59837 [ +0.001718] hardirqs last enabled at (59849): [<ffffffffb30fab12>] __up_console_sem+0x52/0x60 [ +0.004414] hardirqs last disabled at (59860): [<ffffffffb30faaf7>] __up_console_sem+0x37/0x60 [ +0.004414] softirqs last enabled at (59654): [<ffffffffb307d9c7>] irq_exit_rcu+0xd7/0x130 [ +0.004205] softirqs last disabled at (59649): [<ffffffffb307d9c7>] irq_exit_rcu+0xd7/0x130 [ +0.004203] ---[ end trace 0000000000000000 ]--- 2025-12-24 not yet calculated CVE-2023-54144 https://git.kernel.org/stable/c/2d5a6742a242091292cc0a2b607be701a45d0c4e
https://git.kernel.org/stable/c/306888b1246bf44e703b6f1ccc746c2746c1a981
https://git.kernel.org/stable/c/cf97eb7e47d4671084c7e114c5d88a3d0540ecbd
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bpf: drop unnecessary user-triggerable WARN_ONCE in verifierl log It's trivial for user to trigger "verifier log line truncated" warning, as verifier has a fixed-sized buffer of 1024 bytes (as of now), and there are at least two pieces of user-provided information that can be output through this buffer, and both can be arbitrarily sized by user: - BTF names; - BTF.ext source code lines strings. Verifier log buffer should be properly sized for typical verifier state output. But it's sort-of expected that this buffer won't be long enough in some circumstances. So let's drop the check. In any case code will work correctly, at worst truncating a part of a single line output. 2025-12-24 not yet calculated CVE-2023-54145 https://git.kernel.org/stable/c/40c88c429a598006f91ad7a2b89856cd50b3a008
https://git.kernel.org/stable/c/926a175026fed5d534f587ea4ec3ec49265cd3c5
https://git.kernel.org/stable/c/cff36398bd4c7d322d424433db437f3c3391c491
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: x86/kexec: Fix double-free of elf header buffer After b3e34a47f989 ("x86/kexec: fix memory leak of elf header buffer"), freeing image->elf_headers in the error path of crash_load_segments() is not needed because kimage_file_post_load_cleanup() will take care of that later. And not clearing it could result in a double-free. Drop the superfluous vfree() call at the error path of crash_load_segments(). 2025-12-24 not yet calculated CVE-2023-54146 https://git.kernel.org/stable/c/4c71a552b97fb4f46eb300224434fe56fcf4f254
https://git.kernel.org/stable/c/554a880a1fff46dd5a355dec21cd77d542a0ddf2
https://git.kernel.org/stable/c/fbdbf8ac333d3d47c0d9ea81d7d445654431d100
https://git.kernel.org/stable/c/5bd3c7abeb69fb4133418b846a1c6dc11313d6f0
https://git.kernel.org/stable/c/d00dd2f2645dca04cf399d8fc692f3f69b6dd996
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: media: platform: mtk-mdp3: Add missing check and free for ida_alloc Add the check for the return value of the ida_alloc in order to avoid NULL pointer dereference. Moreover, free allocated "ctx->id" if mdp_m2m_open fails later in order to avoid memory leak. 2025-12-24 not yet calculated CVE-2023-54147 https://git.kernel.org/stable/c/51fc1880e47421ee7b192372e8e86b7bbba40776
https://git.kernel.org/stable/c/4c173a65a2b1cc0556c3f6f0bab82e4fdb449522
https://git.kernel.org/stable/c/22b72cad501fb75500cc60af4d92de3066fb6fc2
https://git.kernel.org/stable/c/d00f592250782538cda87745607695b0fe27dcd4
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Move representor neigh cleanup to profile cleanup_tx For IP tunnel encapsulation in ECMP (Equal-Cost Multipath) mode, as the flow is duplicated to the peer eswitch, the related neighbour information on the peer uplink representor is created as well. In the cited commit, eswitch devcom unpair is moved to uplink unload API, specifically the profile->cleanup_tx. If there is a encap rule offloaded in ECMP mode, when one eswitch does unpair (because of unloading the driver, for instance), and the peer rule from the peer eswitch is going to be deleted, the use-after-free error is triggered while accessing neigh info, as it is already cleaned up in uplink's profile->disable, which is before its profile->cleanup_tx. To fix this issue, move the neigh cleanup to profile's cleanup_tx callback, and after mlx5e_cleanup_uplink_rep_tx is called. The neigh init is moved to init_tx for symmeter. [ 2453.376299] BUG: KASAN: slab-use-after-free in mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] [ 2453.379125] Read of size 4 at addr ffff888127af9008 by task modprobe/2496 [ 2453.381542] CPU: 7 PID: 2496 Comm: modprobe Tainted: G B 6.4.0-rc7+ #15 [ 2453.383386] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 2453.384335] Call Trace: [ 2453.384625] <TASK> [ 2453.384891] dump_stack_lvl+0x33/0x50 [ 2453.385285] print_report+0xc2/0x610 [ 2453.385667] ? __virt_addr_valid+0xb1/0x130 [ 2453.386091] ? mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] [ 2453.386757] kasan_report+0xae/0xe0 [ 2453.387123] ? mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] [ 2453.387798] mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] [ 2453.388465] mlx5e_rep_encap_entry_detach+0xa6/0xe0 [mlx5_core] [ 2453.389111] mlx5e_encap_dealloc+0xa7/0x100 [mlx5_core] [ 2453.389706] mlx5e_tc_tun_encap_dests_unset+0x61/0xb0 [mlx5_core] [ 2453.390361] mlx5_free_flow_attr_actions+0x11e/0x340 [mlx5_core] [ 2453.391015] ? complete_all+0x43/0xd0 [ 2453.391398] ? free_flow_post_acts+0x38/0x120 [mlx5_core] [ 2453.392004] mlx5e_tc_del_fdb_flow+0x4ae/0x690 [mlx5_core] [ 2453.392618] mlx5e_tc_del_fdb_peers_flow+0x308/0x370 [mlx5_core] [ 2453.393276] mlx5e_tc_clean_fdb_peer_flows+0xf5/0x140 [mlx5_core] [ 2453.393925] mlx5_esw_offloads_unpair+0x86/0x540 [mlx5_core] [ 2453.394546] ? mlx5_esw_offloads_set_ns_peer.isra.0+0x180/0x180 [mlx5_core] [ 2453.395268] ? down_write+0xaa/0x100 [ 2453.395652] mlx5_esw_offloads_devcom_event+0x203/0x530 [mlx5_core] [ 2453.396317] mlx5_devcom_send_event+0xbb/0x190 [mlx5_core] [ 2453.396917] mlx5_esw_offloads_devcom_cleanup+0xb0/0xd0 [mlx5_core] [ 2453.397582] mlx5e_tc_esw_cleanup+0x42/0x120 [mlx5_core] [ 2453.398182] mlx5e_rep_tc_cleanup+0x15/0x30 [mlx5_core] [ 2453.398768] mlx5e_cleanup_rep_tx+0x6c/0x80 [mlx5_core] [ 2453.399367] mlx5e_detach_netdev+0xee/0x120 [mlx5_core] [ 2453.399957] mlx5e_netdev_change_profile+0x84/0x170 [mlx5_core] [ 2453.400598] mlx5e_vport_rep_unload+0xe0/0xf0 [mlx5_core] [ 2453.403781] mlx5_eswitch_unregister_vport_reps+0x15e/0x190 [mlx5_core] [ 2453.404479] ? mlx5_eswitch_register_vport_reps+0x200/0x200 [mlx5_core] [ 2453.405170] ? up_write+0x39/0x60 [ 2453.405529] ? kernfs_remove_by_name_ns+0xb7/0xe0 [ 2453.405985] auxiliary_bus_remove+0x2e/0x40 [ 2453.406405] device_release_driver_internal+0x243/0x2d0 [ 2453.406900] ? kobject_put+0x42/0x2d0 [ 2453.407284] bus_remove_device+0x128/0x1d0 [ 2453.407687] device_del+0x240/0x550 [ 2453.408053] ? waiting_for_supplier_show+0xe0/0xe0 [ 2453.408511] ? kobject_put+0xfa/0x2d0 [ 2453.408889] ? __kmem_cache_free+0x14d/0x280 [ 2453.409310] mlx5_rescan_drivers_locked.part.0+0xcd/0x2b0 [mlx5_core] [ 2453.409973] mlx5_unregister_device+0x40/0x50 [mlx5_core] [ 2453.410561] mlx5_uninit_one+0x3d/0x110 [mlx5_core] [ 2453.411111] remove_one+0x89/0x130 [mlx5_core] [ 24 ---truncated--- 2025-12-24 not yet calculated CVE-2023-54148 https://git.kernel.org/stable/c/d628ba98eb1637acce44001e04c718d8dbb1f7ce
https://git.kernel.org/stable/c/36697c592cd0809e626df01b3644c23ac522a4d0
https://git.kernel.org/stable/c/d03b6e6f31820b84f7449cca022047f36c42bc3f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: dsa: avoid suspicious RCU usage for synced VLAN-aware MAC addresses When using the felix driver (the only one which supports UC filtering and MC filtering) as a DSA master for a random other DSA switch, one can see the following stack trace when the downstream switch ports join a VLAN-aware bridge: ============================= WARNING: suspicious RCU usage ----------------------------- net/8021q/vlan_core.c:238 suspicious rcu_dereference_protected() usage! stack backtrace: Workqueue: dsa_ordered dsa_slave_switchdev_event_work Call trace: lockdep_rcu_suspicious+0x170/0x210 vlan_for_each+0x8c/0x188 dsa_slave_sync_uc+0x128/0x178 __hw_addr_sync_dev+0x138/0x158 dsa_slave_set_rx_mode+0x58/0x70 __dev_set_rx_mode+0x88/0xa8 dev_uc_add+0x74/0xa0 dsa_port_bridge_host_fdb_add+0xec/0x180 dsa_slave_switchdev_event_work+0x7c/0x1c8 process_one_work+0x290/0x568 What it's saying is that vlan_for_each() expects rtnl_lock() context and it's not getting it, when it's called from the DSA master's ndo_set_rx_mode(). The caller of that - dsa_slave_set_rx_mode() - is the slave DSA interface's dsa_port_bridge_host_fdb_add() which comes from the deferred dsa_slave_switchdev_event_work(). We went to great lengths to avoid the rtnl_lock() context in that call path in commit 0faf890fc519 ("net: dsa: drop rtnl_lock from dsa_slave_switchdev_event_work"), and calling rtnl_lock() is simply not an option due to the possibility of deadlocking when calling dsa_flush_workqueue() from the call paths that do hold rtnl_lock() - basically all of them. So, when the DSA master calls vlan_for_each() from its ndo_set_rx_mode(), the state of the 8021q driver on this device is really not protected from concurrent access by anything. Looking at net/8021q/, I don't think that vlan_info->vid_list was particularly designed with RCU traversal in mind, so introducing an RCU read-side form of vlan_for_each() - vlan_for_each_rcu() - won't be so easy, and it also wouldn't be exactly what we need anyway. In general I believe that the solution isn't in net/8021q/ anyway; vlan_for_each() is not cut out for this task. DSA doesn't need rtnl_lock() to be held per se - since it's not a netdev state change that we're blocking, but rather, just concurrent additions/removals to a VLAN list. We don't even need sleepable context - the callback of vlan_for_each() just schedules deferred work. The proposed escape is to remove the dependency on vlan_for_each() and to open-code a non-sleepable, rtnl-free alternative to that, based on copies of the VLAN list modified from .ndo_vlan_rx_add_vid() and .ndo_vlan_rx_kill_vid(). 2025-12-24 not yet calculated CVE-2023-54149 https://git.kernel.org/stable/c/3948c69b3837fec2ee5a90fbc911c343199be0ac
https://git.kernel.org/stable/c/3f9e79f31e51b7d5bf95c617540deb6cf2816a3f
https://git.kernel.org/stable/c/d06f925f13976ab82167c93467c70a337a0a3cda
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/amd: Fix an out of bounds error in BIOS parser The array is hardcoded to 8 in atomfirmware.h, but firmware provides a bigger one sometimes. Deferencing the larger array causes an out of bounds error. commit 4fc1ba4aa589 ("drm/amd/display: fix array index out of bound error in bios parser") fixed some of this, but there are two other cases not covered by it. Fix those as well. 2025-12-24 not yet calculated CVE-2023-54150 https://git.kernel.org/stable/c/b8e7589f50b709b647b642531599e70707faf70c
https://git.kernel.org/stable/c/66acfe798cd08b36cfbb65a30fab3159811304a7
https://git.kernel.org/stable/c/5675ecd2e0b00a4318ba1db1a1234e7d45b13d6b
https://git.kernel.org/stable/c/dea2dbec716c38a0b73b6ad01d91e2b120cc5f1e
https://git.kernel.org/stable/c/d116db180decec1b21bba31d2ff495ac4d8e1b83
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: f2fs: Fix system crash due to lack of free space in LFS When f2fs tries to checkpoint during foreground gc in LFS mode, system crash occurs due to lack of free space if the amount of dirty node and dentry pages generated by data migration exceeds free space. The reproduction sequence is as follows. - 20GiB capacity block device (null_blk) - format and mount with LFS mode - create a file and write 20,000MiB - 4k random write on full range of the file RIP: 0010:new_curseg+0x48a/0x510 [f2fs] Code: 55 e7 f5 89 c0 48 0f af c3 48 8b 5d c0 48 c1 e8 20 83 c0 01 89 43 6c 48 83 c4 28 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc <0f> 0b f0 41 80 4f 48 04 45 85 f6 0f 84 ba fd ff ff e9 ef fe ff ff RSP: 0018:ffff977bc397b218 EFLAGS: 00010246 RAX: 00000000000027b9 RBX: 0000000000000000 RCX: 00000000000027c0 RDX: 0000000000000000 RSI: 00000000000027b9 RDI: ffff8c25ab4e74f8 RBP: ffff977bc397b268 R08: 00000000000027b9 R09: ffff8c29e4a34b40 R10: 0000000000000001 R11: ffff977bc397b0d8 R12: 0000000000000000 R13: ffff8c25b4dd81a0 R14: 0000000000000000 R15: ffff8c2f667f9000 FS: 0000000000000000(0000) GS:ffff8c344ec80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000c00055d000 CR3: 0000000e30810003 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> allocate_segment_by_default+0x9c/0x110 [f2fs] f2fs_allocate_data_block+0x243/0xa30 [f2fs] ? __mod_lruvec_page_state+0xa0/0x150 do_write_page+0x80/0x160 [f2fs] f2fs_do_write_node_page+0x32/0x50 [f2fs] __write_node_page+0x339/0x730 [f2fs] f2fs_sync_node_pages+0x5a6/0x780 [f2fs] block_operations+0x257/0x340 [f2fs] f2fs_write_checkpoint+0x102/0x1050 [f2fs] f2fs_gc+0x27c/0x630 [f2fs] ? folio_mark_dirty+0x36/0x70 f2fs_balance_fs+0x16f/0x180 [f2fs] This patch adds checking whether free sections are enough before checkpoint during gc. [Jaegeuk Kim: code clean-up] 2025-12-24 not yet calculated CVE-2023-54151 https://git.kernel.org/stable/c/f4631d295ae3fff9e240ab78dc17f4b83d14f7bc
https://git.kernel.org/stable/c/ce71c61d661cfac3f097af928995abfcebd2b8c5
https://git.kernel.org/stable/c/d11cef14f8146f3babd286c2cc8ca09c166295e2
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: can: j1939: prevent deadlock by moving j1939_sk_errqueue() This commit addresses a deadlock situation that can occur in certain scenarios, such as when running data TP/ETP transfer and subscribing to the error queue while receiving a net down event. The deadlock involves locks in the following order: 3 j1939_session_list_lock -> active_session_list_lock j1939_session_activate ... j1939_sk_queue_activate_next -> sk_session_queue_lock ... j1939_xtp_rx_eoma_one 2 j1939_sk_queue_drop_all -> sk_session_queue_lock ... j1939_sk_netdev_event_netdown -> j1939_socks_lock j1939_netdev_notify 1 j1939_sk_errqueue -> j1939_socks_lock __j1939_session_cancel -> active_session_list_lock j1939_tp_rxtimer CPU0 CPU1 ---- ---- lock(&priv->active_session_list_lock); lock(&jsk->sk_session_queue_lock); lock(&priv->active_session_list_lock); lock(&priv->j1939_socks_lock); The solution implemented in this commit is to move the j1939_sk_errqueue() call out of the active_session_list_lock context, thus preventing the deadlock situation. 2025-12-24 not yet calculated CVE-2023-54152 https://git.kernel.org/stable/c/8a581b71cf686b4cd1a85c9c2dfc2fb88382c3b4
https://git.kernel.org/stable/c/ace6aa2ab5ba5869563ca689bbd912100514ae7b
https://git.kernel.org/stable/c/f09ce9d765de1f064ce3919f57c6beb061744784
https://git.kernel.org/stable/c/d1366b283d94ac4537a4b3a1e8668da4df7ce7e9
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ext4: turn quotas off if mount failed after enabling quotas Yi found during a review of the patch "ext4: don't BUG on inconsistent journal feature" that when ext4_mark_recovery_complete() returns an error value, the error handling path does not turn off the enabled quotas, which triggers the following kmemleak: ================================================================ unreferenced object 0xffff8cf68678e7c0 (size 64): comm "mount", pid 746, jiffies 4294871231 (age 11.540s) hex dump (first 32 bytes): 00 90 ef 82 f6 8c ff ff 00 00 00 00 41 01 00 00 ............A... c7 00 00 00 bd 00 00 00 0a 00 00 00 48 00 00 00 ............H... backtrace: [<00000000c561ef24>] __kmem_cache_alloc_node+0x4d4/0x880 [<00000000d4e621d7>] kmalloc_trace+0x39/0x140 [<00000000837eee74>] v2_read_file_info+0x18a/0x3a0 [<0000000088f6c877>] dquot_load_quota_sb+0x2ed/0x770 [<00000000340a4782>] dquot_load_quota_inode+0xc6/0x1c0 [<0000000089a18bd5>] ext4_enable_quotas+0x17e/0x3a0 [ext4] [<000000003a0268fa>] __ext4_fill_super+0x3448/0x3910 [ext4] [<00000000b0f2a8a8>] ext4_fill_super+0x13d/0x340 [ext4] [<000000004a9489c4>] get_tree_bdev+0x1dc/0x370 [<000000006e723bf1>] ext4_get_tree+0x1d/0x30 [ext4] [<00000000c7cb663d>] vfs_get_tree+0x31/0x160 [<00000000320e1bed>] do_new_mount+0x1d5/0x480 [<00000000c074654c>] path_mount+0x22e/0xbe0 [<0000000003e97a8e>] do_mount+0x95/0xc0 [<000000002f3d3736>] __x64_sys_mount+0xc4/0x160 [<0000000027d2140c>] do_syscall_64+0x3f/0x90 ================================================================ To solve this problem, we add a "failed_mount10" tag, and call ext4_quota_off_umount() in this tag to release the enabled qoutas. 2025-12-24 not yet calculated CVE-2023-54153 https://git.kernel.org/stable/c/c327b83c59ee938792a0300df646efac39c7d6a7
https://git.kernel.org/stable/c/deef86fa3005cbb61ae8aa5729324c09b3f4ba73
https://git.kernel.org/stable/c/77c3ca1108eb4a26db4f256c42b271a430cebc7d
https://git.kernel.org/stable/c/d13f99632748462c32fc95d729f5e754bab06064
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: target: core: Fix target_cmd_counter leak The target_cmd_counter struct allocated via target_alloc_cmd_counter() is never freed, resulting in leaks across various transport types, e.g.: unreferenced object 0xffff88801f920120 (size 96): comm "sh", pid 102, jiffies 4294892535 (age 713.412s) hex dump (first 32 bytes): 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 38 01 92 1f 80 88 ff ff ........8....... backtrace: [<00000000e58a6252>] kmalloc_trace+0x11/0x20 [<0000000043af4b2f>] target_alloc_cmd_counter+0x17/0x90 [target_core_mod] [<000000007da2dfa7>] target_setup_session+0x2d/0x140 [target_core_mod] [<0000000068feef86>] tcm_loop_tpg_nexus_store+0x19b/0x350 [tcm_loop] [<000000006a80e021>] configfs_write_iter+0xb1/0x120 [<00000000e9f4d860>] vfs_write+0x2e4/0x3c0 [<000000008143433b>] ksys_write+0x80/0xb0 [<00000000a7df29b2>] do_syscall_64+0x42/0x90 [<0000000053f45fb8>] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Free the structure alongside the corresponding iscsit_conn / se_sess parent. 2025-12-24 not yet calculated CVE-2023-54154 https://git.kernel.org/stable/c/1cd41d1669bcbc5052afa897f85608a62ff3fb30
https://git.kernel.org/stable/c/f84639c5ac5f4f95b3992da1af4ff382ebf2e819
https://git.kernel.org/stable/c/d14e3e553e05cb763964c991fe6acb0a6a1c6f9c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail() Syzkaller reported the following issue: ======================================= Too BIG xdp->frame_sz = 131072 WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121 ____bpf_xdp_adjust_tail net/core/filter.c:4121 [inline] WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121 bpf_xdp_adjust_tail+0x466/0xa10 net/core/filter.c:4103 ... Call Trace: <TASK> bpf_prog_4add87e5301a4105+0x1a/0x1c __bpf_prog_run include/linux/filter.h:600 [inline] bpf_prog_run_xdp include/linux/filter.h:775 [inline] bpf_prog_run_generic_xdp+0x57e/0x11e0 net/core/dev.c:4721 netif_receive_generic_xdp net/core/dev.c:4807 [inline] do_xdp_generic+0x35c/0x770 net/core/dev.c:4866 tun_get_user+0x2340/0x3ca0 drivers/net/tun.c:1919 tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2043 call_write_iter include/linux/fs.h:1871 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x650/0xe40 fs/read_write.c:584 ksys_write+0x12f/0x250 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd xdp->frame_sz > PAGE_SIZE check was introduced in commit c8741e2bfe87 ("xdp: Allow bpf_xdp_adjust_tail() to grow packet size"). But Jesper Dangaard Brouer <jbrouer@redhat.com> noted that after introducing the xdp_init_buff() which all XDP driver use - it's safe to remove this check. The original intend was to catch cases where XDP drivers have not been updated to use xdp.frame_sz, but that is not longer a concern (since xdp_init_buff). Running the initial syzkaller repro it was discovered that the contiguous physical memory allocation is used for both xdp paths in tun_get_user(), e.g. tun_build_skb() and tun_alloc_skb(). It was also stated by Jesper Dangaard Brouer <jbrouer@redhat.com> that XDP can work on higher order pages, as long as this is contiguous physical memory (e.g. a page). 2025-12-24 not yet calculated CVE-2023-54155 https://git.kernel.org/stable/c/a09c258cfa77d3ba0a7acc555c73eb6b005c4bd8
https://git.kernel.org/stable/c/20acffcdc2b74fb7dcc4e299f7aca173df89d911
https://git.kernel.org/stable/c/d9252d67ed2f921c230bba449ee051b5c32e4841
https://git.kernel.org/stable/c/d14eea09edf427fa36bd446f4a3271f99164202f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: sfc: fix crash when reading stats while NIC is resetting efx_net_stats() (.ndo_get_stats64) can be called during an ethtool selftest, during which time nic_data->mc_stats is NULL as the NIC has been fini'd. In this case do not attempt to fetch the latest stats from the hardware, else we will crash on a NULL dereference: BUG: kernel NULL pointer dereference, address: 0000000000000038 RIP efx_nic_update_stats abridged calltrace: efx_ef10_update_stats_pf efx_net_stats dev_get_stats dev_seq_printf_stats Skipping the read is safe, we will simply give out stale stats. To ensure that the free in efx_ef10_fini_nic() does not race against efx_ef10_update_stats_pf(), which could cause a TOCTTOU bug, take the efx->stats_lock in fini_nic (it is already held across update_stats). 2025-12-24 not yet calculated CVE-2023-54156 https://git.kernel.org/stable/c/cb1aa7cc562cab6a87ea33574c8c65f2d2fd7aeb
https://git.kernel.org/stable/c/91f4ef204e731565afdc6c2a7fcf509a3fd6fd67
https://git.kernel.org/stable/c/446f5567934331923d0aec4ce045e4ecb0174aae
https://git.kernel.org/stable/c/470152d76b3ed107d172ea46acc4bfa941f20b4b
https://git.kernel.org/stable/c/aba32b4c58112960c0c708703ca6b44dc8944082
https://git.kernel.org/stable/c/d1b355438b8325a486f087e506d412c4e852f37b
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF of alloc->vma in race with munmap() [ cmllamas: clean forward port from commit 015ac18be7de ("binder: fix UAF of alloc->vma in race with munmap()") in 5.10 stable. It is needed in mainline after the revert of commit a43cfc87caaf ("android: binder: stop saving a pointer to the VMA") as pointed out by Liam. The commit log and tags have been tweaked to reflect this. ] In commit 720c24192404 ("ANDROID: binder: change down_write to down_read") binder assumed the mmap read lock is sufficient to protect alloc->vma inside binder_update_page_range(). This used to be accurate until commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap"), which now downgrades the mmap_lock after detaching the vma from the rbtree in munmap(). Then it proceeds to teardown and free the vma with only the read lock held. This means that accesses to alloc->vma in binder_update_page_range() now will race with vm_area_free() in munmap() and can cause a UAF as shown in the following KASAN trace: ================================================================== BUG: KASAN: use-after-free in vm_insert_page+0x7c/0x1f0 Read of size 8 at addr ffff16204ad00600 by task server/558 CPU: 3 PID: 558 Comm: server Not tainted 5.10.150-00001-gdc8dcf942daa #1 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x0/0x2a0 show_stack+0x18/0x2c dump_stack+0xf8/0x164 print_address_description.constprop.0+0x9c/0x538 kasan_report+0x120/0x200 __asan_load8+0xa0/0xc4 vm_insert_page+0x7c/0x1f0 binder_update_page_range+0x278/0x50c binder_alloc_new_buf+0x3f0/0xba0 binder_transaction+0x64c/0x3040 binder_thread_write+0x924/0x2020 binder_ioctl+0x1610/0x2e5c __arm64_sys_ioctl+0xd4/0x120 el0_svc_common.constprop.0+0xac/0x270 do_el0_svc+0x38/0xa0 el0_svc+0x1c/0x2c el0_sync_handler+0xe8/0x114 el0_sync+0x180/0x1c0 Allocated by task 559: kasan_save_stack+0x38/0x6c __kasan_kmalloc.constprop.0+0xe4/0xf0 kasan_slab_alloc+0x18/0x2c kmem_cache_alloc+0x1b0/0x2d0 vm_area_alloc+0x28/0x94 mmap_region+0x378/0x920 do_mmap+0x3f0/0x600 vm_mmap_pgoff+0x150/0x17c ksys_mmap_pgoff+0x284/0x2dc __arm64_sys_mmap+0x84/0xa4 el0_svc_common.constprop.0+0xac/0x270 do_el0_svc+0x38/0xa0 el0_svc+0x1c/0x2c el0_sync_handler+0xe8/0x114 el0_sync+0x180/0x1c0 Freed by task 560: kasan_save_stack+0x38/0x6c kasan_set_track+0x28/0x40 kasan_set_free_info+0x24/0x4c __kasan_slab_free+0x100/0x164 kasan_slab_free+0x14/0x20 kmem_cache_free+0xc4/0x34c vm_area_free+0x1c/0x2c remove_vma+0x7c/0x94 __do_munmap+0x358/0x710 __vm_munmap+0xbc/0x130 __arm64_sys_munmap+0x4c/0x64 el0_svc_common.constprop.0+0xac/0x270 do_el0_svc+0x38/0xa0 el0_svc+0x1c/0x2c el0_sync_handler+0xe8/0x114 el0_sync+0x180/0x1c0 [...] ================================================================== To prevent the race above, revert back to taking the mmap write lock inside binder_update_page_range(). One might expect an increase of mmap lock contention. However, binder already serializes these calls via top level alloc->mutex. Also, there was no performance impact shown when running the binder benchmark tests. 2025-12-24 not yet calculated CVE-2023-54157 https://git.kernel.org/stable/c/1bb8a65190d45cd5c7dbc85e29b9102110cd6be6
https://git.kernel.org/stable/c/931ea1ed31be939c1efdbc49bc66d2a45684f9b4
https://git.kernel.org/stable/c/ca0cc0a9c6e56c699e2acbb93d8024523021f3c3
https://git.kernel.org/stable/c/d1d8875c8c13517f6fd1ff8d4d3e1ac366a17e07
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: don't free qgroup space unless specified Boris noticed in his simple quotas testing that he was getting a leak with Sweet Tea's change to subvol create that stopped doing a transaction commit. This was just a side effect of that change. In the delayed inode code we have an optimization that will free extra reservations if we think we can pack a dir item into an already modified leaf. Previously this wouldn't be triggered in the subvolume create case because we'd commit the transaction, it was still possible but much harder to trigger. It could actually be triggered if we did a mkdir && subvol create with qgroups enabled. This occurs because in btrfs_insert_delayed_dir_index(), which gets called when we're adding the dir item, we do the following: btrfs_block_rsv_release(fs_info, trans->block_rsv, bytes, NULL); if we're able to skip reserving space. The problem here is that trans->block_rsv points at the temporary block rsv for the subvolume create, which has qgroup reservations in the block rsv. This is a problem because btrfs_block_rsv_release() will do the following: if (block_rsv->qgroup_rsv_reserved >= block_rsv->qgroup_rsv_size) { qgroup_to_release = block_rsv->qgroup_rsv_reserved - block_rsv->qgroup_rsv_size; block_rsv->qgroup_rsv_reserved = block_rsv->qgroup_rsv_size; } The temporary block rsv just has ->qgroup_rsv_reserved set, ->qgroup_rsv_size == 0. The optimization in btrfs_insert_delayed_dir_index() sets ->qgroup_rsv_reserved = 0. Then later on when we call btrfs_subvolume_release_metadata() which has btrfs_block_rsv_release(fs_info, rsv, (u64)-1, &qgroup_to_release); btrfs_qgroup_convert_reserved_meta(root, qgroup_to_release); qgroup_to_release is set to 0, and we do not convert the reserved metadata space. The problem here is that the block rsv code has been unconditionally messing with ->qgroup_rsv_reserved, because the main place this is used is delalloc, and any time we call btrfs_block_rsv_release() we do it with qgroup_to_release set, and thus do the proper accounting. The subvolume code is the only other code that uses the qgroup reservation stuff, but it's intermingled with the above optimization, and thus was getting its reservation freed out from underneath it and thus leaking the reserved space. The solution is to simply not mess with the qgroup reservations if we don't have qgroup_to_release set. This works with the existing code as anything that messes with the delalloc reservations always have qgroup_to_release set. This fixes the leak that Boris was observing. 2025-12-24 not yet calculated CVE-2023-54158 https://git.kernel.org/stable/c/1e05bf5e80bb1161b7294c9ce5292b26232ab853
https://git.kernel.org/stable/c/148b16cd30b202999ec5b534e3e5d8ab4b766f21
https://git.kernel.org/stable/c/f264be24146bee2d652010a18ae2517df5856261
https://git.kernel.org/stable/c/15e877e5923ec6d6caa5e447dcc4b79a8ff7cc53
https://git.kernel.org/stable/c/04ff6bd0317735791ef3e443c7c89f3c0dda548d
https://git.kernel.org/stable/c/478bd15f46b6e3aae78aac4f3788697f1546eea6
https://git.kernel.org/stable/c/d246331b78cbef86237f9c22389205bc9b4e1cc1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: usb: mtu3: fix kernel panic at qmu transfer done irq handler When handle qmu transfer irq, it will unlock @mtu->lock before give back request, if another thread handle disconnect event at the same time, and try to disable ep, it may lock @mtu->lock and free qmu ring, then qmu irq hanlder may get a NULL gpd, avoid the KE by checking gpd's value before handling it. e.g. qmu done irq on cpu0 thread running on cpu1 qmu_done_tx() handle gpd [0] mtu3_requ_complete() mtu3_gadget_ep_disable() unlock @mtu->lock give back request lock @mtu->lock mtu3_ep_disable() mtu3_gpd_ring_free() unlock @mtu->lock lock @mtu->lock get next gpd [1] [1]: goto [0] to handle next gpd, and next gpd may be NULL. 2025-12-24 not yet calculated CVE-2023-54159 https://git.kernel.org/stable/c/26ca30516b2c49dd04c134cbdf122311c538df98
https://git.kernel.org/stable/c/012936502a9cb7b0604e85bb961eb15e2bb40dd9
https://git.kernel.org/stable/c/ee53a7a88027cea765c68f3b00a50b8f58d6f786
https://git.kernel.org/stable/c/f26273428657ef4ca74740e578ae45a3be492f6f
https://git.kernel.org/stable/c/b636aff94a67be46582d4321d11743f1a10cc2c1
https://git.kernel.org/stable/c/3a7d4959560a2ee493ef222e3b63d359365f41ec
https://git.kernel.org/stable/c/d28f4091ea7ec3510fd6a3c6d433234e7a2bef14
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: firmware: arm_sdei: Fix sleep from invalid context BUG Running a preempt-rt (v6.2-rc3-rt1) based kernel on an Ampere Altra triggers: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46 in_atomic(): 0, irqs_disabled(): 128, non_block: 0, pid: 24, name: cpuhp/0 preempt_count: 0, expected: 0 RCU nest depth: 0, expected: 0 3 locks held by cpuhp/0/24: #0: ffffda30217c70d0 (cpu_hotplug_lock){++++}-{0:0}, at: cpuhp_thread_fun+0x5c/0x248 #1: ffffda30217c7120 (cpuhp_state-up){+.+.}-{0:0}, at: cpuhp_thread_fun+0x5c/0x248 #2: ffffda3021c711f0 (sdei_list_lock){....}-{3:3}, at: sdei_cpuhp_up+0x3c/0x130 irq event stamp: 36 hardirqs last enabled at (35): [<ffffda301e85b7bc>] finish_task_switch+0xb4/0x2b0 hardirqs last disabled at (36): [<ffffda301e812fec>] cpuhp_thread_fun+0x21c/0x248 softirqs last enabled at (0): [<ffffda301e80b184>] copy_process+0x63c/0x1ac0 softirqs last disabled at (0): [<0000000000000000>] 0x0 CPU: 0 PID: 24 Comm: cpuhp/0 Not tainted 5.19.0-rc3-rt5-[...] Hardware name: WIWYNN Mt.Jade Server [...] Call trace: dump_backtrace+0x114/0x120 show_stack+0x20/0x70 dump_stack_lvl+0x9c/0xd8 dump_stack+0x18/0x34 __might_resched+0x188/0x228 rt_spin_lock+0x70/0x120 sdei_cpuhp_up+0x3c/0x130 cpuhp_invoke_callback+0x250/0xf08 cpuhp_thread_fun+0x120/0x248 smpboot_thread_fn+0x280/0x320 kthread+0x130/0x140 ret_from_fork+0x10/0x20 sdei_cpuhp_up() is called in the STARTING hotplug section, which runs with interrupts disabled. Use a CPUHP_AP_ONLINE_DYN entry instead to execute the cpuhp cb later, with preemption enabled. SDEI originally got its own cpuhp slot to allow interacting with perf. It got superseded by pNMI and this early slot is not relevant anymore. [1] Some SDEI calls (e.g. SDEI_1_0_FN_SDEI_PE_MASK) take actions on the calling CPU. It is checked that preemption is disabled for them. _ONLINE cpuhp cb are executed in the 'per CPU hotplug thread'. Preemption is enabled in those threads, but their cpumask is limited to 1 CPU. Move 'WARN_ON_ONCE(preemptible())' statements so that SDEI cpuhp cb don't trigger them. Also add a check for the SDEI_1_0_FN_SDEI_PRIVATE_RESET SDEI call which acts on the calling CPU. [1]: https://lore.kernel.org/all/5813b8c5-ae3e-87fd-fccc-94c9cd08816d@arm.com/ 2025-12-24 not yet calculated CVE-2023-54160 https://git.kernel.org/stable/c/59842a9ba27d5390ae5bf3233a92cad3a26d495c
https://git.kernel.org/stable/c/48ac727ea4a3577eb1b4e24f807ba532c47930f9
https://git.kernel.org/stable/c/7d8f5ccc826b39e05ff252b1fccd808c7a0725e0
https://git.kernel.org/stable/c/66caf22787714c925e755719c293aaf3cb0b873b
https://git.kernel.org/stable/c/a8267bc8de736cae927165191b52fbc20d101dd1
https://git.kernel.org/stable/c/18d5ea5b746120a3972e6c347ad9428228445327
https://git.kernel.org/stable/c/d2c48b2387eb89e0bf2a2e06e30987cf410acad4
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix null-ptr-deref in unix_stream_sendpage(). Bing-Jhong Billy Jheng reported null-ptr-deref in unix_stream_sendpage() with detailed analysis and a nice repro. unix_stream_sendpage() tries to add data to the last skb in the peer's recv queue without locking the queue. If the peer's FD is passed to another socket and the socket's FD is passed to the peer, there is a loop between them. If we close both sockets without receiving FD, the sockets will be cleaned up by garbage collection. The garbage collection iterates such sockets and unlinks skb with FD from the socket's receive queue under the queue's lock. So, there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free. To avoid the issue, unix_stream_sendpage() must lock the peer's recv queue. Note the issue does not exist in 6.5+ thanks to the recent sendpage() refactoring. This patch is originally written by Linus Torvalds. BUG: unable to handle page fault for address: ffff988004dd6870 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 0 P4D 0 PREEMPT SMP PTI CPU: 4 PID: 297 Comm: garbage_uaf Not tainted 6.1.46 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:kmem_cache_alloc_node+0xa2/0x1e0 Code: c0 0f 84 32 01 00 00 41 83 fd ff 74 10 48 8b 00 48 c1 e8 3a 41 39 c5 0f 85 1c 01 00 00 41 8b 44 24 28 49 8b 3c 24 48 8d 4a 40 <49> 8b 1c 06 4c 89 f0 65 48 0f c7 0f 0f 94 c0 84 c0 74 a1 41 8b 44 RSP: 0018:ffffc9000079fac0 EFLAGS: 00000246 RAX: 0000000000000070 RBX: 0000000000000005 RCX: 000000000001a284 RDX: 000000000001a244 RSI: 0000000000400cc0 RDI: 000000000002eee0 RBP: 0000000000400cc0 R08: 0000000000400cc0 R09: 0000000000000003 R10: 0000000000000001 R11: 0000000000000000 R12: ffff888003970f00 R13: 00000000ffffffff R14: ffff988004dd6800 R15: 00000000000000e8 FS: 00007f174d6f3600(0000) GS:ffff88807db00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff988004dd6870 CR3: 00000000092be000 CR4: 00000000007506e0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x1a/0x1f ? page_fault_oops+0xa9/0x1e0 ? fixup_exception+0x1d/0x310 ? exc_page_fault+0xa8/0x150 ? asm_exc_page_fault+0x22/0x30 ? kmem_cache_alloc_node+0xa2/0x1e0 ? __alloc_skb+0x16c/0x1e0 __alloc_skb+0x16c/0x1e0 alloc_skb_with_frags+0x48/0x1e0 sock_alloc_send_pskb+0x234/0x270 unix_stream_sendmsg+0x1f5/0x690 sock_sendmsg+0x5d/0x60 ____sys_sendmsg+0x210/0x260 ___sys_sendmsg+0x83/0xd0 ? kmem_cache_alloc+0xc6/0x1c0 ? avc_disable+0x20/0x20 ? percpu_counter_add_batch+0x53/0xc0 ? alloc_empty_file+0x5d/0xb0 ? alloc_file+0x91/0x170 ? alloc_file_pseudo+0x94/0x100 ? __fget_light+0x9f/0x120 __sys_sendmsg+0x54/0xa0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x69/0xd3 RIP: 0033:0x7f174d639a7d Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 8a c1 f4 ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 08 e8 de c1 f4 ff 48 RSP: 002b:00007ffcb563ea50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f174d639a7d RDX: 0000000000000000 RSI: 00007ffcb563eab0 RDI: 0000000000000007 RBP: 00007ffcb563eb10 R08: 0000000000000000 R09: 00000000ffffffff R10: 00000000004040a0 R11: 0000000000000293 R12: 00007ffcb563ec28 R13: 0000000000401398 R14: 0000000000403e00 R15: 00007f174d72c000 </TASK> 2025-12-24 not yet calculated CVE-2023-54161 https://git.kernel.org/stable/c/d39fc9b94dc0719afa4bc8e58341a5eb41febef3
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/xe/guc: Fix stack_depot usage Add missing stack_depot_init() call when CONFIG_DRM_XE_DEBUG_GUC is enabled to fix the following call stack: [] BUG: kernel NULL pointer dereference, address: 0000000000000000 [] Workqueue: drm_sched_run_job_work [gpu_sched] [] RIP: 0010:stack_depot_save_flags+0x172/0x870 [] Call Trace: [] <TASK> [] fast_req_track+0x58/0xb0 [xe] (cherry picked from commit 64fdf496a6929a0a194387d2bb5efaf5da2b542f) 2025-12-22 not yet calculated CVE-2025-68326 https://git.kernel.org/stable/c/1966838d1c82149cbf4a652322d26a6e5aae9c4e
https://git.kernel.org/stable/c/0e234632e39bd21dd28ffc9ba3ae8eec4deb949c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: Fix synchronous external abort on unbind A synchronous external abort occurs on the Renesas RZ/G3S SoC if unbind is executed after the configuration sequence described above: modprobe usb_f_ecm modprobe libcomposite modprobe configfs cd /sys/kernel/config/usb_gadget mkdir -p g1 cd g1 echo "0x1d6b" > idVendor echo "0x0104" > idProduct mkdir -p strings/0x409 echo "0123456789" > strings/0x409/serialnumber echo "Renesas." > strings/0x409/manufacturer echo "Ethernet Gadget" > strings/0x409/product mkdir -p functions/ecm.usb0 mkdir -p configs/c.1 mkdir -p configs/c.1/strings/0x409 echo "ECM" > configs/c.1/strings/0x409/configuration if [ ! -L configs/c.1/ecm.usb0 ]; then ln -s functions/ecm.usb0 configs/c.1 fi echo 11e20000.usb > UDC echo 11e20000.usb > /sys/bus/platform/drivers/renesas_usbhs/unbind The displayed trace is as follows: Internal error: synchronous external abort: 0000000096000010 [#1] SMP CPU: 0 UID: 0 PID: 188 Comm: sh Tainted: G M 6.17.0-rc7-next-20250922-00010-g41050493b2bd #55 PREEMPT Tainted: [M]=MACHINE_CHECK Hardware name: Renesas SMARC EVK version 2 based on r9a08g045s33 (DT) pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] lr : usbhsg_update_pullup+0x3c/0x68 [renesas_usbhs] sp : ffff8000838b3920 x29: ffff8000838b3920 x28: ffff00000d585780 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: ffff00000c3e3810 x23: ffff00000d5e5c80 x22: ffff00000d5e5d40 x21: 0000000000000000 x20: 0000000000000000 x19: ffff00000d5e5c80 x18: 0000000000000020 x17: 2e30303230316531 x16: 312d7968703a7968 x15: 3d454d414e5f4344 x14: 000000000000002c x13: 0000000000000000 x12: 0000000000000000 x11: ffff00000f358f38 x10: ffff00000f358db0 x9 : ffff00000b41f418 x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d x5 : 8080808000000000 x4 : 000000004b5ccb9d x3 : 0000000000000000 x2 : 0000000000000000 x1 : ffff800083790000 x0 : ffff00000d5e5c80 Call trace: usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] (P) usbhsg_pullup+0x4c/0x7c [renesas_usbhs] usb_gadget_disconnect_locked+0x48/0xd4 gadget_unbind_driver+0x44/0x114 device_remove+0x4c/0x80 device_release_driver_internal+0x1c8/0x224 device_release_driver+0x18/0x24 bus_remove_device+0xcc/0x10c device_del+0x14c/0x404 usb_del_gadget+0x88/0xc0 usb_del_gadget_udc+0x18/0x30 usbhs_mod_gadget_remove+0x24/0x44 [renesas_usbhs] usbhs_mod_remove+0x20/0x30 [renesas_usbhs] usbhs_remove+0x98/0xdc [renesas_usbhs] platform_remove+0x20/0x30 device_remove+0x4c/0x80 device_release_driver_internal+0x1c8/0x224 device_driver_detach+0x18/0x24 unbind_store+0xb4/0xb8 drv_attr_store+0x24/0x38 sysfs_kf_write+0x7c/0x94 kernfs_fop_write_iter+0x128/0x1b8 vfs_write+0x2ac/0x350 ksys_write+0x68/0xfc __arm64_sys_write+0x1c/0x28 invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xf0 el0t_64_sync_handler+0xa0/0xe4 el0t_64_sync+0x198/0x19c Code: 7100003f 1a9f07e1 531c6c22 f9400001 (79400021) ---[ end trace 0000000000000000 ]--- note: sh[188] exited with irqs disabled note: sh[188] exited with preempt_count 1 The issue occurs because usbhs_sys_function_pullup(), which accesses the IP registers, is executed after the USBHS clocks have been disabled. The problem is reproducible on the Renesas RZ/G3S SoC starting with the addition of module stop in the clock enable/disable APIs. With module stop functionality enabled, a bus error is expected if a master accesses a module whose clock has been stopped and module stop activated. Disable the IP clocks at the end of remove. 2025-12-22 not yet calculated CVE-2025-68327 https://git.kernel.org/stable/c/fd1a7bf3a8cac13f6d2d52d8c7570ba41621db9a
https://git.kernel.org/stable/c/cd5e86e34c66a831b5cb9b720ad411a006962cc8
https://git.kernel.org/stable/c/230b1bc1310edcd5c1b71dcd6b77ccba43139cb5
https://git.kernel.org/stable/c/9d86bc8b188a77c8d6f7252280ec2bd24ad6fbc1
https://git.kernel.org/stable/c/26838f147aeaa8f820ff799d72815fba5e209bd9
https://git.kernel.org/stable/c/aa658a6d5ac21c7cde54c6d015f2d4daff32e02d
https://git.kernel.org/stable/c/eb9ac779830b2235847b72cb15cf07c7e3333c5e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: firmware: stratix10-svc: fix bug in saving controller data Fix the incorrect usage of platform_set_drvdata and dev_set_drvdata. They both are of the same data and overrides each other. This resulted in the rmmod of the svc driver to fail and throw a kernel panic for kthread_stop and fifo free. 2025-12-22 not yet calculated CVE-2025-68328 https://git.kernel.org/stable/c/9d0a330abd9e49bcebf6307aac185081bde49a43
https://git.kernel.org/stable/c/354fb03002da0970d337f0d3edbeb46cc4fa6f41
https://git.kernel.org/stable/c/b359df793f609b1efce31dadfe6883ec73852619
https://git.kernel.org/stable/c/71796c91ee8e33faf4434a9e210b5063c28ea907
https://git.kernel.org/stable/c/60ab1851614e6007344042b66da6e31d1cc26cb3
https://git.kernel.org/stable/c/bd226fa02ed6db6fce0fae010802f0950fd14fb9
https://git.kernel.org/stable/c/d0fcf70c680e4d1669fcb3a8632f41400b9a73c2
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs When a VMA is split (e.g., by partial munmap or MAP_FIXED), the kernel calls vm_ops->close on each portion. For trace buffer mappings, this results in ring_buffer_unmap() being called multiple times while ring_buffer_map() was only called once. This causes ring_buffer_unmap() to return -ENODEV on subsequent calls because user_mapped is already 0, triggering a WARN_ON. Trace buffer mappings cannot support partial mappings because the ring buffer structure requires the complete buffer including the meta page. Fix this by adding a may_split callback that returns -EINVAL to prevent VMA splits entirely. 2025-12-22 not yet calculated CVE-2025-68329 https://git.kernel.org/stable/c/922fdd0b755a84f9933b3ca195f60092b6bb88ee
https://git.kernel.org/stable/c/45053c12c45f0fb8ef6ab95118dd928d2fec0255
https://git.kernel.org/stable/c/b042fdf18e89a347177a49e795d8e5184778b5b6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: iio: accel: bmc150: Fix irq assumption regression The code in bmc150-accel-core.c unconditionally calls bmc150_accel_set_interrupt() in the iio_buffer_setup_ops, such as on the runtime PM resume path giving a kernel splat like this if the device has no interrupts: Unable to handle kernel NULL pointer dereference at virtual address 00000001 when read PC is at bmc150_accel_set_interrupt+0x98/0x194 LR is at __pm_runtime_resume+0x5c/0x64 (...) Call trace: bmc150_accel_set_interrupt from bmc150_accel_buffer_postenable+0x40/0x108 bmc150_accel_buffer_postenable from __iio_update_buffers+0xbe0/0xcbc __iio_update_buffers from enable_store+0x84/0xc8 enable_store from kernfs_fop_write_iter+0x154/0x1b4 This bug seems to have been in the driver since the beginning, but it only manifests recently, I do not know why. Store the IRQ number in the state struct, as this is a common pattern in other drivers, then use this to determine if we have IRQ support or not. 2025-12-22 not yet calculated CVE-2025-68330 https://git.kernel.org/stable/c/aad9d048a3211c48ec02efa405bf462856feb862
https://git.kernel.org/stable/c/c891f504bb66604c822e7985e093cf39b97fdeb0
https://git.kernel.org/stable/c/cdd4a9e98004bd7c7488311951fa6dbae38b2b80
https://git.kernel.org/stable/c/65ad4ed983fd9ee0259d86391d6a53f78203918c
https://git.kernel.org/stable/c/93eaa5ddc5fc4f50ac396afad8ce261102ebd4f3
https://git.kernel.org/stable/c/3aa385a9c75c09b59dcab2ff76423439d23673ab
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer When a UAS device is unplugged during data transfer, there is a probability of a system panic occurring. The root cause is an access to an invalid memory address during URB callback handling. Specifically, this happens when the dma_direct_unmap_sg() function is called within the usb_hcd_unmap_urb_for_dma() interface, but the sg->dma_address field is 0 and the sg data structure has already been freed. The SCSI driver sends transfer commands by invoking uas_queuecommand_lck() in uas.c, using the uas_submit_urbs() function to submit requests to USB. Within the uas_submit_urbs() implementation, three URBs (sense_urb, data_urb, and cmd_urb) are sequentially submitted. Device removal may occur at any point during uas_submit_urbs execution, which may result in URB submission failure. However, some URBs might have been successfully submitted before the failure, and uas_submit_urbs will return the -ENODEV error code in this case. The current error handling directly calls scsi_done(). In the SCSI driver, this eventually triggers scsi_complete() to invoke scsi_end_request() for releasing the sgtable. The successfully submitted URBs, when being unlinked to giveback, call usb_hcd_unmap_urb_for_dma() in hcd.c, leading to exceptions during sg unmapping operations since the sg data structure has already been freed. This patch modifies the error condition check in the uas_submit_urbs() function. When a UAS device is removed but one or more URBs have already been successfully submitted to USB, it avoids immediately invoking scsi_done() and save the cmnd to devinfo->cmnd array. If the successfully submitted URBs is completed before devinfo->resetting being set, then the scsi_done() function will be called within uas_try_complete() after all pending URB operations are finalized. Otherwise, the scsi_done() function will be called within uas_zap_pending(), which is executed after usb_kill_anchored_urbs(). The error handling only takes effect when uas_queuecommand_lck() calls uas_submit_urbs() and returns the error value -ENODEV . In this case, the device is disconnected, and the flow proceeds to uas_disconnect(), where uas_zap_pending() is invoked to call uas_try_complete(). 2025-12-22 not yet calculated CVE-2025-68331 https://git.kernel.org/stable/c/6289fc489e94c9beb6be2b502ccc263663733d72
https://git.kernel.org/stable/c/66ac05e7b0d6bbd1bee9fcf729e20fd4cce86d17
https://git.kernel.org/stable/c/75f8e2643085db4f7e136fc6b368eb114dd80a64
https://git.kernel.org/stable/c/e3a55221f4de080cb7a91ba10f01c4f708603f8d
https://git.kernel.org/stable/c/2b90a8131c83f6f2be69397d2b7d14d217d95d2f
https://git.kernel.org/stable/c/426edbfc88b22601ea34a441a469092e7b301c52
https://git.kernel.org/stable/c/26d56a9fcb2014b99e654127960aa0a48a391e3c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: comedi: c6xdigio: Fix invalid PNP driver unregistration The Comedi low-level driver "c6xdigio" seems to be for a parallel port connected device. When the Comedi core calls the driver's Comedi "attach" handler `c6xdigio_attach()` to configure a Comedi to use this driver, it tries to enable the parallel port PNP resources by registering a PNP driver with `pnp_register_driver()`, but ignores the return value. (The `struct pnp_driver` it uses has only the `name` and `id_table` members filled in.) The driver's Comedi "detach" handler `c6xdigio_detach()` unconditionally unregisters the PNP driver with `pnp_unregister_driver()`. It is possible for `c6xdigio_attach()` to return an error before it calls `pnp_register_driver()` and it is possible for the call to `pnp_register_driver()` to return an error (that is ignored). In both cases, the driver should not be calling `pnp_unregister_driver()` as it does in `c6xdigio_detach()`. (Note that `c6xdigio_detach()` will be called by the Comedi core if `c6xdigio_attach()` returns an error, or if the Comedi core decides to detach the Comedi device from the driver for some other reason.) The unconditional call to `pnp_unregister_driver()` without a previous successful call to `pnp_register_driver()` will cause `driver_unregister()` to issue a warning "Unexpected driver unregister!". This was detected by Syzbot [1]. Also, the PNP driver registration and unregistration should be done at module init and exit time, respectively, not when attaching or detaching Comedi devices to the driver. (There might be more than one Comedi device being attached to the driver, although that is unlikely.) Change the driver to do the PNP driver registration at module init time, and the unregistration at module exit time. Since `c6xdigio_detach()` now only calls `comedi_legacy_detach()`, remove the function and change the Comedi driver "detach" handler to `comedi_legacy_detach`. ------------------------------------------- [1] Syzbot sample crash report: Unexpected driver unregister! WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline] WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270 Modules linked in: CPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 RIP: 0010:driver_unregister drivers/base/driver.c:273 [inline] RIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270 Code: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 <0f> 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41 RSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8 RDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660 R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000 FS: 000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0 Call Trace: <TASK> comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207 comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215 comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011 do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872 comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_sys ---truncated--- 2025-12-22 not yet calculated CVE-2025-68332 https://git.kernel.org/stable/c/9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072
https://git.kernel.org/stable/c/698149d797d0178162f394c55d4ed52aa0e0b7f6
https://git.kernel.org/stable/c/888f7e2847bcb9df8257e656e1e837828942c53b
https://git.kernel.org/stable/c/72262330f7b3ad2130e800cecf02adcce3c32c77
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix possible deadlock in the deferred_irq_workfn() For PREEMPT_RT=y kernels, the deferred_irq_workfn() is executed in the per-cpu irq_work/* task context and not disable-irq, if the rq returned by container_of() is current CPU's rq, the following scenarios may occur: lock(&rq->__lock); <Interrupt> lock(&rq->__lock); This commit use IRQ_WORK_INIT_HARD() to replace init_irq_work() to initialize rq->scx.deferred_irq_work, make the deferred_irq_workfn() is always invoked in hard-irq context. 2025-12-22 not yet calculated CVE-2025-68333 https://git.kernel.org/stable/c/600b4379b9a7ba41340d652211fb29699da4c629
https://git.kernel.org/stable/c/a257e974210320ede524f340ffe16bf4bf0dda1e
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: platform/x86/amd/pmc: Add support for Van Gogh SoC The ROG Xbox Ally (non-X) SoC features a similar architecture to the Steam Deck. While the Steam Deck supports S3 (s2idle causes a crash), this support was dropped by the Xbox Ally which only S0ix suspend. Since the handler is missing here, this causes the device to not suspend and the AMD GPU driver to crash while trying to resume afterwards due to a power hang. 2025-12-22 not yet calculated CVE-2025-68334 https://git.kernel.org/stable/c/9654c56b111cd1415aca7e77f0c63c109453c409
https://git.kernel.org/stable/c/db4a3f0fbedb0398f77b9047e8b8bb2b49f355bb
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from the fact that in case of early device detach via pcl818_detach(), subdevice dev->read_subdev may not have initialized its pointer to &struct comedi_async as intended. Thus, any such dereferencing of &s->async->cmd will lead to general protection fault and kernel crash. Mitigate this problem by removing a call to pcl818_ai_cancel() from pcl818_detach() altogether. This way, if the subdevice setups its support for async commands, everything async-related will be handled via subdevice's own ->cancel() function in comedi_device_detach_locked() even before pcl818_detach(). If no support for asynchronous commands is provided, there is no need to cancel anything either. [1] Syzbot crash: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] CPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762 ... Call Trace: <TASK> pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115 comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207 do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline] comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] ... 2025-12-22 not yet calculated CVE-2025-68335 https://git.kernel.org/stable/c/5caa40e7c6a43e08e3574f990865127705c22861
https://git.kernel.org/stable/c/d948c53dec36dafe182631457597c49c1f1df5ea
https://git.kernel.org/stable/c/877adccfacb32687b90714a27cfb09f444fdfa16
https://git.kernel.org/stable/c/a51f025b5038abd3d22eed2ede4cd46793d89565
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: locking/spinlock/debug: Fix data-race in do_raw_write_lock KCSAN reports: BUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock write (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1: do_raw_write_lock+0x120/0x204 _raw_write_lock_irq do_exit call_usermodehelper_exec_async ret_from_fork read to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0: do_raw_write_lock+0x88/0x204 _raw_write_lock_irq do_exit call_usermodehelper_exec_async ret_from_fork value changed: 0xffffffff -> 0x00000001 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111 Commit 1a365e822372 ("locking/spinlock/debug: Fix various data races") has adressed most of these races, but seems to be not consistent/not complete. >From do_raw_write_lock() only debug_write_lock_after() part has been converted to WRITE_ONCE(), but not debug_write_lock_before() part. Do it now. 2025-12-22 not yet calculated CVE-2025-68336 https://git.kernel.org/stable/c/b163a5e8c703201c905d6ec7920ed79d167e8442
https://git.kernel.org/stable/c/16b3590c0e1e615757dade098c8fbc0d4f040c76
https://git.kernel.org/stable/c/396a9270a7b90886be501611b13aa636f2e8c703
https://git.kernel.org/stable/c/c14ecb555c3ee80eeb030a4e46d00e679537f03a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted There's issue when file system corrupted: ------------[ cut here ]------------ kernel BUG at fs/jbd2/transaction.c:1289! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next RIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0 RSP: 0018:ffff888117aafa30 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534 RDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010 RBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028 R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000 R13: ffff88812c432000 R14: ffff88812c608000 R15: ffff888120bfc000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f91d6970c99 CR3: 00000001159c4000 CR4: 00000000000006f0 Call Trace: <TASK> __ext4_journal_get_create_access+0x42/0x170 ext4_getblk+0x319/0x6f0 ext4_bread+0x11/0x100 ext4_append+0x1e6/0x4a0 ext4_init_new_dir+0x145/0x1d0 ext4_mkdir+0x326/0x920 vfs_mkdir+0x45c/0x740 do_mkdirat+0x234/0x2f0 __x64_sys_mkdir+0xd6/0x120 do_syscall_64+0x5f/0xfa0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The above issue occurs with us in errors=continue mode when accompanied by storage failures. There have been many inconsistencies in the file system data. In the case of file system data inconsistency, for example, if the block bitmap of a referenced block is not set, it can lead to the situation where a block being committed is allocated and used again. As a result, the following condition will not be satisfied then trigger BUG_ON. Of course, it is entirely possible to construct a problematic image that can trigger this BUG_ON through specific operations. In fact, I have constructed such an image and easily reproduced this issue. Therefore, J_ASSERT() holds true only under ideal conditions, but it may not necessarily be satisfied in exceptional scenarios. Using J_ASSERT() directly in abnormal situations would cause the system to crash, which is clearly not what we want. So here we directly trigger a JBD abort instead of immediately invoking BUG_ON. 2025-12-22 not yet calculated CVE-2025-68337 https://git.kernel.org/stable/c/a2a7f854d154a3e9232fec80782dad951655f52f
https://git.kernel.org/stable/c/bf34c72337e40c4670cceeb79b353356933a254b
https://git.kernel.org/stable/c/aa1703f3f706ea0867fb1991dcac709c9ec94cfb
https://git.kernel.org/stable/c/986835bf4d11032bba4ab8414d18fce038c61bb4
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: dsa: microchip: Don't free uninitialized ksz_irq If something goes wrong at setup, ksz_irq_free() can be called on uninitialized ksz_irq (for example when ksz_ptp_irq_setup() fails). It leads to freeing uninitialized IRQ numbers and/or domains. Use dsa_switch_for_each_user_port_continue_reverse() in the error path to iterate only over the fully initialized ports. 2025-12-23 not yet calculated CVE-2025-68338 https://git.kernel.org/stable/c/9428654c827fa8d38b898135d26d39ee2d544246
https://git.kernel.org/stable/c/32abbcf4379a0f851d7eb9d4389e7bf5c64bf6c0
https://git.kernel.org/stable/c/25b62cc5b22c45face094ae3e8717258e46d1d19
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: atm/fore200e: Fix possible data race in fore200e_open() Protect access to fore200e->available_cell_rate with rate_mtx lock in the error handling path of fore200e_open() to prevent a data race. The field fore200e->available_cell_rate is a shared resource used to track available bandwidth. It is concurrently accessed by fore200e_open(), fore200e_close(), and fore200e_change_qos(). In fore200e_open(), the lock rate_mtx is correctly held when subtracting vcc->qos.txtp.max_pcr from available_cell_rate to reserve bandwidth. However, if the subsequent call to fore200e_activate_vcin() fails, the function restores the reserved bandwidth by adding back to available_cell_rate without holding the lock. This introduces a race condition because available_cell_rate is a global device resource shared across all VCCs. If the error path in fore200e_open() executes concurrently with operations like fore200e_close() or fore200e_change_qos() on other VCCs, a read-modify-write race occurs. Specifically, the error path reads the rate without the lock. If another CPU acquires the lock and modifies the rate (e.g., releasing bandwidth in fore200e_close()) between this read and the subsequent write, the error path will overwrite the concurrent update with a stale value. This results in incorrect bandwidth accounting. 2025-12-23 not yet calculated CVE-2025-68339 https://git.kernel.org/stable/c/1b60f42a639999c37da7f1fbfa1ad29cf4cbdd2d
https://git.kernel.org/stable/c/bd1415efbab507b9b995918105eef953013449dd
https://git.kernel.org/stable/c/ed34c70d88e2b8b9bc6c3ede88751186d6c6d5d1
https://git.kernel.org/stable/c/9917ba597cf95f307778e495f71ff25a5064d167
https://git.kernel.org/stable/c/667ac868823224374f819500adc5baa2889c7bc5
https://git.kernel.org/stable/c/6610361458e7eb6502dd3182f586f91fcc218039
https://git.kernel.org/stable/c/82fca3d8a4a34667f01ec2351a607135249c9cff
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: team: Move team device type change at the end of team_port_add Attempting to add a port device that is already up will expectedly fail, but not before modifying the team device header_ops. In the case of the syzbot reproducer the gre0 device is already in state UP when it attempts to add it as a port device of team0, this fails but before that header_ops->create of team0 is changed from eth_header to ipgre_header in the call to team_dev_type_check_change. Later when we end up in ipgre_header() struct ip_tunnel* points to nonsense as the private data of the device still holds a struct team. Example sequence of iproute2 commands to reproduce the hang/BUG(): ip link add dev team0 type team ip link add dev gre0 type gre ip link set dev gre0 up ip link set dev gre0 master team0 ip link set dev team0 up ping -I team0 1.1.1.1 Move team_dev_type_check_change down where all other checks have passed as it changes the dev type with no way to restore it in case one of the checks that follow it fail. Also make sure to preserve the origial mtu assignment: - If port_dev is not the same type as dev, dev takes mtu from port_dev - If port_dev is the same type as dev, port_dev takes mtu from dev This is done by adding a conditional before the call to dev_set_mtu to prevent it from assigning port_dev->mtu = dev->mtu and instead letting team_dev_type_check_change assign dev->mtu = port_dev->mtu. The conditional is needed because the patch moves the call to team_dev_type_check_change past dev_set_mtu. Testing: - team device driver in-tree selftests - Add/remove various devices as slaves of team device - syzbot 2025-12-23 not yet calculated CVE-2025-68340 https://git.kernel.org/stable/c/4040b5e8963982a00aa821300cb746efc9f2947e
https://git.kernel.org/stable/c/e3eed4f038214494af62c7d2d64749e5108ce6ca
https://git.kernel.org/stable/c/0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: veth: reduce XDP no_direct return section to fix race As explain in commit fa349e396e48 ("veth: Fix race with AF_XDP exposing old or uninitialized descriptors") for veth there is a chance after napi_complete_done() that another CPU can manage start another NAPI instance running veth_pool(). For NAPI this is correctly handled as the napi_schedule_prep() check will prevent multiple instances from getting scheduled, but for the remaining code in veth_pool() this can run concurrent with the newly started NAPI instance. The problem/race is that xdp_clear_return_frame_no_direct() isn't designed to be nested. Prior to commit 401cb7dae813 ("net: Reference bpf_redirect_info via task_struct on PREEMPT_RT.") the temporary BPF net context bpf_redirect_info was stored per CPU, where this wasn't an issue. Since this commit the BPF context is stored in 'current' task_struct. When running veth in threaded-NAPI mode, then the kthread becomes the storage area. Now a race exists between two concurrent veth_pool() function calls one exiting NAPI and one running new NAPI, both using the same BPF net context. Race is when another CPU gets within the xdp_set_return_frame_no_direct() section before exiting veth_pool() calls the clear-function xdp_clear_return_frame_no_direct(). 2025-12-23 not yet calculated CVE-2025-68341 https://git.kernel.org/stable/c/c1ceabcb347d1b0f7e70a7384ec7eff3847b7628
https://git.kernel.org/stable/c/d0bd018ad72a8a598ae709588934135017f8af52
https://git.kernel.org/stable/c/a14602fcae17a3f1cb8a8521bedf31728f9e7e39
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data The URB received in gs_usb_receive_bulk_callback() contains a struct gs_host_frame. The length of the data after the header depends on the gs_host_frame hf::flags and the active device features (e.g. time stamping). Introduce a new function gs_usb_get_minimum_length() and check that we have at least received the required amount of data before accessing it. Only copy the data to that skb that has actually been received. [mkl: rename gs_usb_get_minimum_length() -> +gs_usb_get_minimum_rx_length()] 2025-12-23 not yet calculated CVE-2025-68342 https://git.kernel.org/stable/c/4ffac725154cf6a253f5e6aa0c8946232b6a0af5
https://git.kernel.org/stable/c/ad55004a3cb5b41ef78aa6c09e7bc5a489ba652b
https://git.kernel.org/stable/c/fb0c7c77a7ae3a2c3404b7d0173b8739a754b513
https://git.kernel.org/stable/c/395d988f93861101ec89d0dd9e3b876ae9392a5b
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header The driver expects to receive a struct gs_host_frame in gs_usb_receive_bulk_callback(). Use struct_group to describe the header of the struct gs_host_frame and check that we have at least received the header before accessing any members of it. To resubmit the URB, do not dereference the pointer chain "dev->parent->hf_size_rx" but use "parent->hf_size_rx" instead. Since "urb->context" contains "parent", it is always defined, while "dev" is not defined if the URB it too short. 2025-12-23 not yet calculated CVE-2025-68343 https://git.kernel.org/stable/c/18cbce43363c9f84b90a92d57df341155eee0697
https://git.kernel.org/stable/c/3433680b759646efcacc64fe36aa2e51ae34b8f0
https://git.kernel.org/stable/c/616eee3e895b8ca0028163fcb1dce5e3e9dea322
https://git.kernel.org/stable/c/f31693dc3a584c0ad3937e857b59dbc1a7ed2b87
https://git.kernel.org/stable/c/6fe9f3279f7d2518439a7962c5870c6e9ecbadcf
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: wavefront: Fix integer overflow in sample size validation The wavefront_send_sample() function has an integer overflow issue when validating sample size. The header->size field is u32 but gets cast to int for comparison with dev->freemem Fix by using unsigned comparison to avoid integer overflow. 2025-12-24 not yet calculated CVE-2025-68344 https://git.kernel.org/stable/c/5588b7c86effffa9bb55383a38800649d7b40778
https://git.kernel.org/stable/c/bca11de0a277b8baeb7d006f93b543c907b6e782
https://git.kernel.org/stable/c/1823e08f76c68b9e1d26f6d5ef831b96f61a62a0
https://git.kernel.org/stable/c/0c4a13ba88594fd4a27292853e736c6b4349823d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi() The acpi_get_first_physical_node() function can return NULL, in which case the get_device() function also returns NULL, but this value is then dereferenced without checking,so add a check to prevent a crash. Found by Linux Verification Center (linuxtesting.org) with SVACE. 2025-12-24 not yet calculated CVE-2025-68345 https://git.kernel.org/stable/c/c28946b7409b7b68fb0481ec738c8b04578b11c6
https://git.kernel.org/stable/c/343fa9800cf9870ec681e21f0a6f2157b74ae520
https://git.kernel.org/stable/c/c34b04cc6178f33c08331568c7fd25c5b9a39f66
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: dice: fix buffer overflow in detect_stream_formats() The function detect_stream_formats() reads the stream_count value directly from a FireWire device without validating it. This can lead to out-of-bounds writes when a malicious device provides a stream_count value greater than MAX_STREAMS. Fix by applying the same validation to both TX and RX stream counts in detect_stream_formats(). 2025-12-24 not yet calculated CVE-2025-68346 https://git.kernel.org/stable/c/c0a1fe1902ad23e6d48e0f68be1258ccf7a163e6
https://git.kernel.org/stable/c/932aa1e80b022419cf9710e970739b7a8794f27c
https://git.kernel.org/stable/c/1e1b3207a53e50d5a66289fffc1f7d52cd9c50f9
https://git.kernel.org/stable/c/324f3e03e8a85931ce0880654e3c3eb38b0f0bba
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events The DSP event handling code in hwdep_read() could write more bytes to the user buffer than requested, when a user provides a buffer smaller than the event header size (8 bytes). Fix by using min_t() to clamp the copy size, This ensures we never copy more than the user requested. 2025-12-24 not yet calculated CVE-2025-68347 https://git.kernel.org/stable/c/6275fd726d53a8ec724f20201cf3bd862711e17b
https://git.kernel.org/stable/c/161291bac551821bba98eb4ea84c82338578d1b0
https://git.kernel.org/stable/c/cdda0d06f8650e33255f79839f188bbece44117c
https://git.kernel.org/stable/c/210d77cca3d0494ed30a5c628b20c1d95fa04fb1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: block: fix memory leak in __blkdev_issue_zero_pages Move the fatal signal check before bio_alloc() to prevent a memory leak when BLKDEV_ZERO_KILLABLE is set and a fatal signal is pending. Previously, the bio was allocated before checking for a fatal signal. If a signal was pending, the code would break out of the loop without freeing or chaining the just-allocated bio, causing a memory leak. This matches the pattern already used in __blkdev_issue_write_zeroes() where the signal check precedes the allocation. 2025-12-24 not yet calculated CVE-2025-68348 https://git.kernel.org/stable/c/453e4b0c84d0db1454ff0adf655d91179e6fca3a
https://git.kernel.org/stable/c/7957635c679e8a01147163a3a4a1f16e1210fa03
https://git.kernel.org/stable/c/7193407bc4457212fa38ec3aff9c640e63a8dbef
https://git.kernel.org/stable/c/f7e3f852a42d7cd8f1af2c330d9d153e30c8adcf
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid Fixes a crash when layout is null during this call stack: write_inode -> nfs4_write_inode -> pnfs_layoutcommit_inode pnfs_set_layoutcommit relies on the lseg refcount to keep the layout around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt to reference a null layout. 2025-12-24 not yet calculated CVE-2025-68349 https://git.kernel.org/stable/c/59947dff0fb7c19c09ce6dccbcd253fd542b6c25
https://git.kernel.org/stable/c/ca2e7fdad7c683b64821c94a58b9b68733214dad
https://git.kernel.org/stable/c/38694f9aae00459ab443a7dc8b3949a6b33b560a
https://git.kernel.org/stable/c/e0f8058f2cb56de0b7572f51cd563ca5debce746
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: exfat: fix divide-by-zero in exfat_allocate_bitmap The variable max_ra_count can be 0 in exfat_allocate_bitmap(), which causes a divide-by-zero error in the subsequent modulo operation (i % max_ra_count), leading to a system crash. When max_ra_count is 0, it means that readahead is not used. This patch load the bitmap without readahead. 2025-12-24 not yet calculated CVE-2025-68350 https://git.kernel.org/stable/c/88fc3dd6e631b3e2975f898c6c2b6bc6f7058b44
https://git.kernel.org/stable/c/d70a5804c563b5e34825353ba9927509df709651
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: exfat: fix refcount leak in exfat_find Fix refcount leaks in `exfat_find` related to `exfat_get_dentry_set`. Function `exfat_get_dentry_set` would increase the reference counter of `es->bh` on success. Therefore, `exfat_put_dentry_set` must be called after `exfat_get_dentry_set` to ensure refcount consistency. This patch relocate two checks to avoid possible leaks. 2025-12-24 not yet calculated CVE-2025-68351 https://git.kernel.org/stable/c/d009ff8959d28d2a33aeb96a5f7e7161c421d78f
https://git.kernel.org/stable/c/9aee8de970f18c2aaaa348e3de86c38e2d956c1d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: spi: ch341: fix out-of-bounds memory access in ch341_transfer_one Discovered by Atuin - Automated Vulnerability Discovery Engine. The 'len' variable is calculated as 'min(32, trans->len + 1)', which includes the 1-byte command header. When copying data from 'trans->tx_buf' to 'ch341->tx_buf + 1', using 'len' as the length is incorrect because: 1. It causes an out-of-bounds read from 'trans->tx_buf' (which has size 'trans->len', i.e., 'len - 1' in this context). 2. It can cause an out-of-bounds write to 'ch341->tx_buf' if 'len' is CH341_PACKET_LENGTH (32). Writing 32 bytes to ch341->tx_buf + 1 overflows the buffer. Fix this by copying 'len - 1' bytes. 2025-12-24 not yet calculated CVE-2025-68352 https://git.kernel.org/stable/c/cad6c0fd6f3c0e76a1f75df4bce3b08a13f08974
https://git.kernel.org/stable/c/ea1e43966cd03098fcd5f0d72e6c2901d45fa08d
https://git.kernel.org/stable/c/81841da1f30f66a850cc8796d99ba330aad9d696
https://git.kernel.org/stable/c/545d1287e40a55242f6ab68bcc1ba3b74088b1bc
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: net: vxlan: prevent NULL deref in vxlan_xmit_one Neither sock4 nor sock6 pointers are guaranteed to be non-NULL in vxlan_xmit_one, e.g. if the iface is brought down. This can lead to the following NULL dereference: BUG: kernel NULL pointer dereference, address: 0000000000000010 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:vxlan_xmit_one+0xbb3/0x1580 Call Trace: vxlan_xmit+0x429/0x610 dev_hard_start_xmit+0x55/0xa0 __dev_queue_xmit+0x6d0/0x7f0 ip_finish_output2+0x24b/0x590 ip_output+0x63/0x110 Mentioned commits changed the code path in vxlan_xmit_one and as a side effect the sock4/6 pointer validity checks in vxlan(6)_get_route were lost. Fix this by adding back checks. Since both commits being fixed were released in the same version (v6.7) and are strongly related, bundle the fixes in a single commit. 2025-12-24 not yet calculated CVE-2025-68353 https://git.kernel.org/stable/c/4ac26aafdc8c7271414e2e7c0b2cb266a26591bc
https://git.kernel.org/stable/c/1f73a56f986005f0bc64ed23873930e2ee4f5911
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex regulator_supply_alias_list was accessed without any locking in regulator_supply_alias(), regulator_register_supply_alias(), and regulator_unregister_supply_alias(). Concurrent registration, unregistration and lookups can race, leading to: 1 use-after-free if an alias entry is removed while being read, 2 duplicate entries when two threads register the same alias, 3 inconsistent alias mappings observed by consumers. Protect all traversals, insertions and deletions on regulator_supply_alias_list with the existing regulator_list_mutex. 2025-12-24 not yet calculated CVE-2025-68354 https://git.kernel.org/stable/c/a9864d42ebcdd394ebb864643b961b36e7b515be
https://git.kernel.org/stable/c/431a1d44ad4866362cc28fc1cc4ca93d84989239
https://git.kernel.org/stable/c/64099b5c0aeb70bc7cd5556eb7f59c5b4a5010bf
https://git.kernel.org/stable/c/0cc15a10c3b4ab14cd71b779fd5c9ca0cb2bc30d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Fix exclusive map memory leak When excl_prog_hash is 0 and excl_prog_hash_size is non-zero, the map also needs to be freed. Otherwise, the map memory will not be reclaimed, just like the memory leak problem reported by syzbot [1]. syzbot reported: BUG: memory leak backtrace (crc 7b9fb9b4): map_create+0x322/0x11e0 kernel/bpf/syscall.c:1512 __sys_bpf+0x3556/0x3610 kernel/bpf/syscall.c:6131 2025-12-24 not yet calculated CVE-2025-68355 https://git.kernel.org/stable/c/f0022551745d72fc0e7bc8601234d690dee2178d
https://git.kernel.org/stable/c/688b745401ab16e2e1a3b504863f0a45fd345638
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: gfs2: Prevent recursive memory reclaim Function new_inode() returns a new inode with inode->i_mapping->gfp_mask set to GFP_HIGHUSER_MOVABLE. This value includes the __GFP_FS flag, so allocations in that address space can recurse into filesystem memory reclaim. We don't want that to happen because it can consume a significant amount of stack memory. Worse than that is that it can also deadlock: for example, in several places, gfs2_unstuff_dinode() is called inside filesystem transactions. This calls filemap_grab_folio(), which can allocate a new folio, which can trigger memory reclaim. If memory reclaim recurses into the filesystem and starts another transaction, a deadlock will ensue. To fix these kinds of problems, prevent memory reclaim from recursing into filesystem code by making sure that the gfp_mask of inode address spaces doesn't include __GFP_FS. The "meta" and resource group address spaces were already using GFP_NOFS as their gfp_mask (which doesn't include __GFP_FS). The default value of GFP_HIGHUSER_MOVABLE is less restrictive than GFP_NOFS, though. To avoid being overly limiting, use the default value and only knock off the __GFP_FS flag. I'm not sure if this will actually make a difference, but it also shouldn't hurt. This patch is loosely based on commit ad22c7a043c2 ("xfs: prevent stack overflows from page cache allocation"). Fixes xfstest generic/273. 2025-12-24 not yet calculated CVE-2025-68356 https://git.kernel.org/stable/c/edb2b255618621dc83d0ec23150e16b2c697077f
https://git.kernel.org/stable/c/9c0960ed112398bdb6c60ccf6e6b583bc59acede
https://git.kernel.org/stable/c/49e7347f4644d031306d56cb4d51e467cbdcbc69
https://git.kernel.org/stable/c/2c5f4a53476e3cab70adc77b38942c066bd2c17c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: iomap: allocate s_dio_done_wq for async reads as well Since commit 222f2c7c6d14 ("iomap: always run error completions in user context"), read error completions are deferred to s_dio_done_wq. This means the workqueue also needs to be allocated for async reads. 2025-12-24 not yet calculated CVE-2025-68357 https://git.kernel.org/stable/c/c67775cf0da2407f113c1229e350758f4dca0f51
https://git.kernel.org/stable/c/7fd8720dff2d9c70cf5a1a13b7513af01952ec02
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: fix racy bitfield write in btrfs_clear_space_info_full() From the memory-barriers.txt document regarding memory barrier ordering guarantees: (*) These guarantees do not apply to bitfields, because compilers often generate code to modify these using non-atomic read-modify-write sequences. Do not attempt to use bitfields to synchronize parallel algorithms. (*) Even in cases where bitfields are protected by locks, all fields in a given bitfield must be protected by one lock. If two fields in a given bitfield are protected by different locks, the compiler's non-atomic read-modify-write sequences can cause an update to one field to corrupt the value of an adjacent field. btrfs_space_info has a bitfield sharing an underlying word consisting of the fields full, chunk_alloc, and flush: struct btrfs_space_info { struct btrfs_fs_info * fs_info; /* 0 8 */ struct btrfs_space_info * parent; /* 8 8 */ ... int clamp; /* 172 4 */ unsigned int full:1; /* 176: 0 4 */ unsigned int chunk_alloc:1; /* 176: 1 4 */ unsigned int flush:1; /* 176: 2 4 */ ... Therefore, to be safe from parallel read-modify-writes losing a write to one of the bitfield members protected by a lock, all writes to all the bitfields must use the lock. They almost universally do, except for btrfs_clear_space_info_full() which iterates over the space_infos and writes out found->full = 0 without a lock. Imagine that we have one thread completing a transaction in which we finished deleting a block_group and are thus calling btrfs_clear_space_info_full() while simultaneously the data reclaim ticket infrastructure is running do_async_reclaim_data_space(): T1 T2 btrfs_commit_transaction btrfs_clear_space_info_full data_sinfo->full = 0 READ: full:0, chunk_alloc:0, flush:1 do_async_reclaim_data_space(data_sinfo) spin_lock(&space_info->lock); if(list_empty(tickets)) space_info->flush = 0; READ: full: 0, chunk_alloc:0, flush:1 MOD/WRITE: full: 0, chunk_alloc:0, flush:0 spin_unlock(&space_info->lock); return; MOD/WRITE: full:0, chunk_alloc:0, flush:1 and now data_sinfo->flush is 1 but the reclaim worker has exited. This breaks the invariant that flush is 0 iff there is no work queued or running. Once this invariant is violated, future allocations that go into __reserve_bytes() will add tickets to space_info->tickets but will see space_info->flush is set to 1 and not queue the work. After this, they will block forever on the resulting ticket, as it is now impossible to kick the worker again. I also confirmed by looking at the assembly of the affected kernel that it is doing RMW operations. For example, to set the flush (3rd) bit to 0, the assembly is: andb $0xfb,0x60(%rbx) and similarly for setting the full (1st) bit to 0: andb $0xfe,-0x20(%rax) So I think this is really a bug on practical systems. I have observed a number of systems in this exact state, but am currently unable to reproduce it. Rather than leaving this footgun lying around for the future, take advantage of the fact that there is room in the struct anyway, and that it is already quite large and simply change the three bitfield members to bools. This avoids writes to space_info->full having any effect on ---truncated--- 2025-12-24 not yet calculated CVE-2025-68358 https://git.kernel.org/stable/c/6f442808a86eef847ee10afa9e6459494ed85bb3
https://git.kernel.org/stable/c/742b90eaf394f0018352c0e10dc89763b2dd5267
https://git.kernel.org/stable/c/38e818718c5e04961eea0fa8feff3f100ce40408
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free of qgroup record after failure to add delayed ref head In the previous code it was possible to incur into a double kfree() scenario when calling add_delayed_ref_head(). This could happen if the record was reported to already exist in the btrfs_qgroup_trace_extent_nolock() call, but then there was an error later on add_delayed_ref_head(). In this case, since add_delayed_ref_head() returned an error, the caller went to free the record. Since add_delayed_ref_head() couldn't set this kfree'd pointer to NULL, then kfree() would have acted on a non-NULL 'record' object which was pointing to memory already freed by the callee. The problem comes from the fact that the responsibility to kfree the object is on both the caller and the callee at the same time. Hence, the fix for this is to shift the ownership of the 'qrecord' object out of the add_delayed_ref_head(). That is, we will never attempt to kfree() the given object inside of this function, and will expect the caller to act on the 'qrecord' object on its own. The only exception where the 'qrecord' object cannot be kfree'd is if it was inserted into the tracing logic, for which we already have the 'qrecord_inserted_ret' boolean to account for this. Hence, the caller has to kfree the object only if add_delayed_ref_head() reports not to have inserted it on the tracing logic. As a side-effect of the above, we must guarantee that 'qrecord_inserted_ret' is properly initialized at the start of the function, not at the end, and then set when an actual insert happens. This way we avoid 'qrecord_inserted_ret' having an invalid value on an early exit. The documentation from the add_delayed_ref_head() has also been updated to reflect on the exact ownership of the 'qrecord' object. 2025-12-24 not yet calculated CVE-2025-68359 https://git.kernel.org/stable/c/7617680769e3119dfb3b43a2b7c287ce2242211c
https://git.kernel.org/stable/c/364685c4c2d9c9f4408d95451bcf42fdeebc3ebb
https://git.kernel.org/stable/c/725e46298876a2cc1f1c3fb22ba69d29102c3ddf
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: wed: use proper wed reference in mt76 wed driver callabacks MT7996 driver can use both wed and wed_hif2 devices to offload traffic from/to the wireless NIC. In the current codebase we assume to always use the primary wed device in wed callbacks resulting in the following crash if the hw runs wed_hif2 (e.g. 6GHz link). [ 297.455876] Unable to handle kernel read from unreadable memory at virtual address 000000000000080a [ 297.464928] Mem abort info: [ 297.467722] ESR = 0x0000000096000005 [ 297.471461] EC = 0x25: DABT (current EL), IL = 32 bits [ 297.476766] SET = 0, FnV = 0 [ 297.479809] EA = 0, S1PTW = 0 [ 297.482940] FSC = 0x05: level 1 translation fault [ 297.487809] Data abort info: [ 297.490679] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 297.496156] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 297.501196] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 297.506500] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000107480000 [ 297.512927] [000000000000080a] pgd=08000001097fb003, p4d=08000001097fb003, pud=08000001097fb003, pmd=0000000000000000 [ 297.523532] Internal error: Oops: 0000000096000005 [#1] SMP [ 297.715393] CPU: 2 UID: 0 PID: 45 Comm: kworker/u16:2 Tainted: G O 6.12.50 #0 [ 297.723908] Tainted: [O]=OOT_MODULE [ 297.727384] Hardware name: Banana Pi BPI-R4 (2x SFP+) (DT) [ 297.732857] Workqueue: nf_ft_offload_del nf_flow_rule_route_ipv6 [nf_flow_table] [ 297.740254] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 297.747205] pc : mt76_wed_offload_disable+0x64/0xa0 [mt76] [ 297.752688] lr : mtk_wed_flow_remove+0x58/0x80 [ 297.757126] sp : ffffffc080fe3ae0 [ 297.760430] x29: ffffffc080fe3ae0 x28: ffffffc080fe3be0 x27: 00000000deadbef7 [ 297.767557] x26: ffffff80c5ebca00 x25: 0000000000000001 x24: ffffff80c85f4c00 [ 297.774683] x23: ffffff80c1875b78 x22: ffffffc080d42cd0 x21: ffffffc080660018 [ 297.781809] x20: ffffff80c6a076d0 x19: ffffff80c6a043c8 x18: 0000000000000000 [ 297.788935] x17: 0000000000000000 x16: 0000000000000001 x15: 0000000000000000 [ 297.796060] x14: 0000000000000019 x13: ffffff80c0ad8ec0 x12: 00000000fa83b2da [ 297.803185] x11: ffffff80c02700c0 x10: ffffff80c0ad8ec0 x9 : ffffff81fef96200 [ 297.810311] x8 : ffffff80c02700c0 x7 : ffffff80c02700d0 x6 : 0000000000000002 [ 297.817435] x5 : 0000000000000400 x4 : 0000000000000000 x3 : 0000000000000000 [ 297.824561] x2 : 0000000000000001 x1 : 0000000000000800 x0 : ffffff80c6a063c8 [ 297.831686] Call trace: [ 297.834123] mt76_wed_offload_disable+0x64/0xa0 [mt76] [ 297.839254] mtk_wed_flow_remove+0x58/0x80 [ 297.843342] mtk_flow_offload_cmd+0x434/0x574 [ 297.847689] mtk_wed_setup_tc_block_cb+0x30/0x40 [ 297.852295] nf_flow_offload_ipv6_hook+0x7f4/0x964 [nf_flow_table] [ 297.858466] nf_flow_rule_route_ipv6+0x438/0x4a4 [nf_flow_table] [ 297.864463] process_one_work+0x174/0x300 [ 297.868465] worker_thread+0x278/0x430 [ 297.872204] kthread+0xd8/0xdc [ 297.875251] ret_from_fork+0x10/0x20 [ 297.878820] Code: 928b5ae0 8b000273 91400a60 f943fa61 (79401421) [ 297.884901] ---[ end trace 0000000000000000 ]--- Fix the issue detecting the proper wed reference to use running wed callabacks. 2025-12-24 not yet calculated CVE-2025-68360 https://git.kernel.org/stable/c/ab94ecb997fd1bbc501a0116c7aad51556b67c86
https://git.kernel.org/stable/c/d582d0e988d696698c94edf097062bb987ae592c
https://git.kernel.org/stable/c/385aab8fccd7a8746b9f1a17f3c1e38498a14bc7
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: erofs: limit the level of fs stacking for file-backed mounts Otherwise, it could cause potential kernel stack overflow (e.g., EROFS mounting itself). 2025-12-24 not yet calculated CVE-2025-68361 https://git.kernel.org/stable/c/34447aeedbaea8f9aad3da5b07030a1c0e124639
https://git.kernel.org/stable/c/b4911825348a494e894e6ccfcf88d99e9425f129
https://git.kernel.org/stable/c/620472e6b303c4dbcc7ecf1aba1cda4f3523e4a4
https://git.kernel.org/stable/c/d53cd891f0e4311889349fff3a784dc552f814b9
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb() The rtl8187_rx_cb() calculates the rx descriptor header address by subtracting its size from the skb tail pointer. However, it does not validate if the received packet (skb->len from urb->actual_length) is large enough to contain this header. If a truncated packet is received, this will lead to a buffer underflow, reading memory before the start of the skb data area, and causing a kernel panic. Add length checks for both rtl8187 and rtl8187b descriptor headers before attempting to access them, dropping the packet cleanly if the check fails. 2025-12-24 not yet calculated CVE-2025-68362 https://git.kernel.org/stable/c/4758770a673c60d8f615809304d72e1432fa6355
https://git.kernel.org/stable/c/638d4148e166d114a4cd7becaae992ce1a815ed8
https://git.kernel.org/stable/c/5ebf0fe7eaef9f6173a4c6ea77c5353e21645d15
https://git.kernel.org/stable/c/b647d2574e4583c2e3b0ab35568f60c88e910840
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Check skb->transport_header is set in bpf_skb_check_mtu The bpf_skb_check_mtu helper needs to use skb->transport_header when the BPF_MTU_CHK_SEGS flag is used: bpf_skb_check_mtu(skb, ifindex, &mtu_len, 0, BPF_MTU_CHK_SEGS) The transport_header is not always set. There is a WARN_ON_ONCE report when CONFIG_DEBUG_NET is enabled + skb->gso_size is set + bpf_prog_test_run is used: WARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071 skb_gso_validate_network_len bpf_skb_check_mtu bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch bpf_test_run bpf_prog_test_run_skb For a normal ingress skb (not test_run), skb_reset_transport_header is performed but there is plan to avoid setting it as described in commit 2170a1f09148 ("net: no longer reset transport_header in __netif_receive_skb_core()"). This patch fixes the bpf helper by checking skb_transport_header_was_set(). The check is done just before skb->transport_header is used, to avoid breaking the existing bpf prog. The WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next. 2025-12-24 not yet calculated CVE-2025-68363 https://git.kernel.org/stable/c/30ce906557a21adef4cba5901c8e995dc18263a9
https://git.kernel.org/stable/c/1c30e4afc5507f0069cc09bd561e510e4d97fbf7
https://git.kernel.org/stable/c/942268e2726ac7f16e3ec49dbfbbbe7cf5af9da5
https://git.kernel.org/stable/c/d946f3c98328171fa50ddb908593cf833587f725
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent() In '__ocfs2_move_extent()', relax 'BUG()' to 'ocfs2_error()' just to avoid crashing the whole kernel due to a filesystem corruption. 2025-12-24 not yet calculated CVE-2025-68364 https://git.kernel.org/stable/c/e5c2503696ec2e0dc7b2aee902dc859ccde39ddf
https://git.kernel.org/stable/c/7abbe41d22a06aae00fd46d29f59dd40a01e988f
https://git.kernel.org/stable/c/e5c52c320577cd405b251943ef77842dc6f303bf
https://git.kernel.org/stable/c/8a7d58845fae061c62b50bc5eeb9bae4a1dedc3d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Initialize allocated memory before use KMSAN reports: Multiple uninitialized values detected: - KMSAN: uninit-value in ntfs_read_hdr (3) - KMSAN: uninit-value in bcmp (3) Memory is allocated by __getname(), which is a wrapper for kmem_cache_alloc(). This memory is used before being properly cleared. Change kmem_cache_alloc() to kmem_cache_zalloc() to properly allocate and clear memory before use. 2025-12-24 not yet calculated CVE-2025-68365 https://git.kernel.org/stable/c/192e8ce302f14ac66259231dd10cede19858d742
https://git.kernel.org/stable/c/a8a3ca23bbd9d849308a7921a049330dc6c91398
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: nbd: defer config unlock in nbd_genl_connect There is one use-after-free warning when running NBD_CMD_CONNECT and NBD_CLEAR_SOCK: nbd_genl_connect nbd_alloc_and_init_config // config_refs=1 nbd_start_device // config_refs=2 set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3 recv_work done // config_refs=2 NBD_CLEAR_SOCK // config_refs=1 close nbd // config_refs=0 refcount_inc -> uaf ------------[ cut here ]------------ refcount_t: addition on 0; use-after-free. WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290 nbd_genl_connect+0x16d0/0x1ab0 genl_family_rcv_msg_doit+0x1f3/0x310 genl_rcv_msg+0x44a/0x790 The issue can be easily reproduced by adding a small delay before refcount_inc(&nbd->config_refs) in nbd_genl_connect(): mutex_unlock(&nbd->config_lock); if (!ret) { set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags); + printk("before sleep\n"); + mdelay(5 * 1000); + printk("after sleep\n"); refcount_inc(&nbd->config_refs); nbd_connect_reply(info, nbd->index); } 2025-12-24 not yet calculated CVE-2025-68366 https://git.kernel.org/stable/c/c9b99c948b4fb014812afe7b5ccf2db121d22e46
https://git.kernel.org/stable/c/9a38306643874566d20f7aba7dff9e6f657b51a9
https://git.kernel.org/stable/c/c9e805f6a35d1dd189a9345595a5c20e87611942
https://git.kernel.org/stable/c/1649714b930f9ea6233ce0810ba885999da3b5d4
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse The following warning appears when running syzkaller, and this issue also exists in the mainline code. ------------[ cut here ]------------ list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100. WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130 Modules linked in: CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__list_add_valid_or_report+0xf7/0x130 RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817 RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001 RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100 R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48 FS: 00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 80000000 Call Trace: <TASK> input_register_handler+0xb3/0x210 mac_hid_start_emulation+0x1c5/0x290 mac_hid_toggle_emumouse+0x20a/0x240 proc_sys_call_handler+0x4c2/0x6e0 new_sync_write+0x1b1/0x2d0 vfs_write+0x709/0x950 ksys_write+0x12a/0x250 do_syscall_64+0x5a/0x110 entry_SYSCALL_64_after_hwframe+0x78/0xe2 The WARNING occurs when two processes concurrently write to the mac-hid emulation sysctl, causing a race condition in mac_hid_toggle_emumouse(). Both processes read old_val=0, then both try to register the input handler, leading to a double list_add of the same handler. CPU0 CPU1 ------------------------- ------------------------- vfs_write() //write 1 vfs_write() //write 1 proc_sys_write() proc_sys_write() mac_hid_toggle_emumouse() mac_hid_toggle_emumouse() old_val = *valp // old_val=0 old_val = *valp // old_val=0 mutex_lock_killable() proc_dointvec() // *valp=1 mac_hid_start_emulation() input_register_handler() mutex_unlock() mutex_lock_killable() proc_dointvec() mac_hid_start_emulation() input_register_handler() //Trigger Warning mutex_unlock() Fix this by moving the old_val read inside the mutex lock region. 2025-12-24 not yet calculated CVE-2025-68367 https://git.kernel.org/stable/c/230621ffdb361d15cd3ef92d8b4fa8d314f4fad4
https://git.kernel.org/stable/c/388391dd1cc567fcf0b372b63d414c119d23e911
https://git.kernel.org/stable/c/48a7d427eb65922b3f17fbe00e2bbc7cb9eac381
https://git.kernel.org/stable/c/1e4b207ffe54cf33a4b7a2912c4110f89c73bf3f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: md: init bioset in mddev_init IO operations may be needed before md_run(), such as updating metadata after writing sysfs. Without bioset, this triggers a NULL pointer dereference as below: BUG: kernel NULL pointer dereference, address: 0000000000000020 Call Trace: md_update_sb+0x658/0xe00 new_level_store+0xc5/0x120 md_attr_store+0xc9/0x1e0 sysfs_kf_write+0x6f/0xa0 kernfs_fop_write_iter+0x141/0x2a0 vfs_write+0x1fc/0x5a0 ksys_write+0x79/0x180 __x64_sys_write+0x1d/0x30 x64_sys_call+0x2818/0x2880 do_syscall_64+0xa9/0x580 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Reproducer ``` mdadm -CR /dev/md0 -l1 -n2 /dev/sd[cd] echo inactive > /sys/block/md0/md/array_state echo 10 > /sys/block/md0/md/new_level ``` mddev_init() can only be called once per mddev, no need to test if bioset has been initialized anymore. 2025-12-24 not yet calculated CVE-2025-68368 https://git.kernel.org/stable/c/9d37fe37dfa0833a8768740f0575e0ffd793cb4a
https://git.kernel.org/stable/c/381a3ce1c0ffed647c9b913e142b099c7e9d5afc
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ntfs3: init run lock for extend inode After setting the inode mode of $Extend to a regular file, executing the truncate system call will enter the do_truncate() routine, causing the run_lock uninitialized error reported by syzbot. Prior to patch 4e8011ffec79, if the inode mode of $Extend was not set to a regular file, the do_truncate() routine would not be entered. Add the run_lock initialization when loading $Extend. syzbot reported: INFO: trying to register non-static key. Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 assign_lock_key+0x133/0x150 kernel/locking/lockdep.c:984 register_lock_class+0x105/0x320 kernel/locking/lockdep.c:1299 __lock_acquire+0x99/0xd20 kernel/locking/lockdep.c:5112 lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868 down_write+0x96/0x1f0 kernel/locking/rwsem.c:1590 ntfs_set_size+0x140/0x200 fs/ntfs3/inode.c:860 ntfs_extend+0x1d9/0x970 fs/ntfs3/file.c:387 ntfs_setattr+0x2e8/0xbe0 fs/ntfs3/file.c:808 2025-12-24 not yet calculated CVE-2025-68369 https://git.kernel.org/stable/c/6e17555728bc469d484c59db4a0abc65c19bc315
https://git.kernel.org/stable/c/19164d8228317f3f1fe2662a9ba587cfe3b2d29e
https://git.kernel.org/stable/c/ab5e8ebeee1caa4fcf8be7d8d62c0a7165469076
https://git.kernel.org/stable/c/be99c62ac7e7af514e4b13f83c891a3cccefaa48
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: coresight: tmc: add the handle of the event to the path The handle is essential for retrieving the AUX_EVENT of each CPU and is required in perf mode. It has been added to the coresight_path so that dependent devices can access it from the path when needed. The existing bug can be reproduced with: perf record -e cs_etm//k -C 0-9 dd if=/dev/zero of=/dev/null Showing an oops as follows: Unable to handle kernel paging request at virtual address 000f6e84934ed19e Call trace: tmc_etr_get_buffer+0x30/0x80 [coresight_tmc] (P) catu_enable_hw+0xbc/0x3d0 [coresight_catu] catu_enable+0x70/0xe0 [coresight_catu] coresight_enable_path+0xb0/0x258 [coresight] 2025-12-24 not yet calculated CVE-2025-68370 https://git.kernel.org/stable/c/faa8f38f7ccb344ace2c1f364efc70e3a12d32f3
https://git.kernel.org/stable/c/d0c9effd82f2c19b92acd07d357fac5f392d549a
https://git.kernel.org/stable/c/aaa5abcc9d44d2c8484f779ab46d242d774cabcb
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: smartpqi: Fix device resources accessed after device removal Correct possible race conditions during device removal. Previously, a scheduled work item to reset a LUN could still execute after the device was removed, leading to use-after-free and other resource access issues. This race condition occurs because the abort handler may schedule a LUN reset concurrently with device removal via sdev_destroy(), leading to use-after-free and improper access to freed resources. - Check in the device reset handler if the device is still present in the controller's SCSI device list before running; if not, the reset is skipped. - Cancel any pending TMF work that has not started in sdev_destroy(). - Ensure device freeing in sdev_destroy() is done while holding the LUN reset mutex to avoid races with ongoing resets. 2025-12-24 not yet calculated CVE-2025-68371 https://git.kernel.org/stable/c/eccc02ba1747501d92bb2049e3ce378ba372f641
https://git.kernel.org/stable/c/4e1acf1b6dd6dd0495bda139daafd7a403ae2dc1
https://git.kernel.org/stable/c/1a5c5a2f88e839af5320216a02ffb075b668596a
https://git.kernel.org/stable/c/b518e86d1a70a88f6592a7c396cf1b93493d1aab
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: nbd: defer config put in recv_work There is one uaf issue in recv_work when running NBD_CLEAR_SOCK and NBD_CMD_RECONFIGURE: nbd_genl_connect // conf_ref=2 (connect and recv_work A) nbd_open // conf_ref=3 recv_work A done // conf_ref=2 NBD_CLEAR_SOCK // conf_ref=1 nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B) close nbd // conf_ref=1 recv_work B config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAF Or only running NBD_CLEAR_SOCK: nbd_genl_connect // conf_ref=2 nbd_open // conf_ref=3 NBD_CLEAR_SOCK // conf_ref=2 close nbd nbd_release config_put // conf_ref=1 recv_work config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAF Commit 87aac3a80af5 ("nbd: call nbd_config_put() before notifying the waiter") moved nbd_config_put() to run before waking up the waiter in recv_work, in order to ensure that nbd_start_device_ioctl() would not be woken up while nbd->task_recv was still uncleared. However, in nbd_start_device_ioctl(), after being woken up it explicitly calls flush_workqueue() to make sure all current works are finished. Therefore, there is no need to move the config put ahead of the wakeup. Move nbd_config_put() to the end of recv_work, so that the reference is held for the whole lifetime of the worker thread. This makes sure the config cannot be freed while recv_work is still running, even if clear + reconfigure interleave. In addition, we don't need to worry about recv_work dropping the last nbd_put (which causes deadlock): path A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=1 (trigger recv_work) open nbd // nbd_refs=2 NBD_CLEAR_SOCK close nbd nbd_release nbd_disconnect_and_put flush_workqueue // recv_work done nbd_config_put nbd_put // nbd_refs=1 nbd_put // nbd_refs=0 queue_work path B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=2 (trigger recv_work) open nbd // nbd_refs=3 NBD_CLEAR_SOCK // conf_refs=2 close nbd nbd_release nbd_config_put // conf_refs=1 nbd_put // nbd_refs=2 recv_work done // conf_refs=0, nbd_refs=1 rmmod // nbd_refs=0 Depends-on: e2daec488c57 ("nbd: Fix hungtask when nbd_config_put") 2025-12-24 not yet calculated CVE-2025-68372 https://git.kernel.org/stable/c/6b69593f72e1bfba6ca47ca8d9b619341fded7d6
https://git.kernel.org/stable/c/443a1721806b6ff6303b5229e9811d68172d622f
https://git.kernel.org/stable/c/742012f6bf29553fdc460bf646a58df3a7b43d01
https://git.kernel.org/stable/c/9517b82d8d422d426a988b213fdd45c6b417b86d
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: md: avoid repeated calls to del_gendisk There is a uaf problem which is found by case 23rdev-lifetime: Oops: general protection fault, probably for non-canonical address 0xdead000000000122 RIP: 0010:bdi_unregister+0x4b/0x170 Call Trace: <TASK> __del_gendisk+0x356/0x3e0 mddev_unlock+0x351/0x360 rdev_attr_store+0x217/0x280 kernfs_fop_write_iter+0x14a/0x210 vfs_write+0x29e/0x550 ksys_write+0x74/0xf0 do_syscall_64+0xbb/0x380 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff5250a177e The sequence is: 1. rdev remove path gets reconfig_mutex 2. rdev remove path release reconfig_mutex in mddev_unlock 3. md stop calls do_md_stop and sets MD_DELETED 4. rdev remove path calls del_gendisk because MD_DELETED is set 5. md stop path release reconfig_mutex and calls del_gendisk again So there is a race condition we should resolve. This patch adds a flag MD_DO_DELETE to avoid the race condition. 2025-12-24 not yet calculated CVE-2025-68373 https://git.kernel.org/stable/c/b4c5cf406062ad44cd178269571530c6435b2f3b
https://git.kernel.org/stable/c/f0fae1debeb9102398ddf2ef69b4f5d395afafed
https://git.kernel.org/stable/c/90e3bb44c0a86e245d8e5c6520206fa113acb1ee
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: md: fix rcu protection in md_wakeup_thread We attempted to use RCU to protect the pointer 'thread', but directly passed the value when calling md_wakeup_thread(). This means that the RCU pointer has been acquired before rcu_read_lock(), which renders rcu_read_lock() ineffective and could lead to a use-after-free. 2025-12-24 not yet calculated CVE-2025-68374 https://git.kernel.org/stable/c/21989cb5034c835b212385a2afadf279d8069da0
https://git.kernel.org/stable/c/a4bd1caf591faeae44cb10b6517e7dacb5139bda
https://git.kernel.org/stable/c/f98b191f78124405294481dea85f8a22a3eb0a59
https://git.kernel.org/stable/c/0dc76205549b4c25705e54345f211b9f66e018a0
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: perf/x86: Fix NULL event access and potential PEBS record loss When intel_pmu_drain_pebs_icl() is called to drain PEBS records, the perf_event_overflow() could be called to process the last PEBS record. While perf_event_overflow() could trigger the interrupt throttle and stop all events of the group, like what the below call-chain shows. perf_event_overflow() -> __perf_event_overflow() ->__perf_event_account_interrupt() -> perf_event_throttle_group() -> perf_event_throttle() -> event->pmu->stop() -> x86_pmu_stop() The side effect of stopping the events is that all corresponding event pointers in cpuc->events[] array are cleared to NULL. Assume there are two PEBS events (event a and event b) in a group. When intel_pmu_drain_pebs_icl() calls perf_event_overflow() to process the last PEBS record of PEBS event a, interrupt throttle is triggered and all pointers of event a and event b are cleared to NULL. Then intel_pmu_drain_pebs_icl() tries to process the last PEBS record of event b and encounters NULL pointer access. To avoid this issue, move cpuc->events[] clearing from x86_pmu_stop() to x86_pmu_del(). It's safe since cpuc->active_mask or cpuc->pebs_enabled is always checked before access the event pointer from cpuc->events[]. 2025-12-24 not yet calculated CVE-2025-68375 https://git.kernel.org/stable/c/cf69b99805c263117305ac6dffbc85aaf9259d32
https://git.kernel.org/stable/c/6b089028bff1f2ff9e0c62b8f1faca1a620e5d6e
https://git.kernel.org/stable/c/7e772a93eb61cb6265bdd1c5bde17d0f2718b452
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: coresight: ETR: Fix ETR buffer use-after-free issue When ETR is enabled as CS_MODE_SYSFS, if the buffer size is changed and enabled again, currently sysfs_buf will point to the newly allocated memory(buf_new) and free the old memory(buf_old). But the etr_buf that is being used by the ETR remains pointed to buf_old, not updated to buf_new. In this case, it will result in a memory use-after-free issue. Fix this by checking ETR's mode before updating and releasing buf_old, if the mode is CS_MODE_SYSFS, then skip updating and releasing it. 2025-12-24 not yet calculated CVE-2025-68376 https://git.kernel.org/stable/c/70acbc9c77686b7a521af6d7a543dcd9c324cf07
https://git.kernel.org/stable/c/cda077a19f5c8d6ec61e5b97deca203d95e3a422
https://git.kernel.org/stable/c/35501ac3c7d40a7bb9568c2f89d6b56beaf9bed3
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ns: initialize ns_list_node for initial namespaces Make sure that the list is always initialized for initial namespaces. 2025-12-24 not yet calculated CVE-2025-68377 https://git.kernel.org/stable/c/e31c902d785411eb4a246fba2e8a32aa59d33ce2
https://git.kernel.org/stable/c/3dd50c58664e2684bd610a57bf3ab713cbb0ea91
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stackmap overflow check in __bpf_get_stackid() Syzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid() when copying stack trace data. The issue occurs when the perf trace contains more stack entries than the stack map bucket can hold, leading to an out-of-bounds write in the bucket's data array. 2025-12-24 not yet calculated CVE-2025-68378 https://git.kernel.org/stable/c/d1f424a77b6bd27b361737ed73df49a0158f1590
https://git.kernel.org/stable/c/2a008f6de163279deffd488c1deab081bce5667c
https://git.kernel.org/stable/c/4669a8db976c8cbd5427fe9945f12c5fa5168ff3
https://git.kernel.org/stable/c/23f852daa4bab4d579110e034e4d513f7d490846
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix null deref on srq->rq.queue after resize failure A NULL pointer dereference can occur in rxe_srq_chk_attr() when ibv_modify_srq() is invoked twice in succession under certain error conditions. The first call may fail in rxe_queue_resize(), which leads rxe_srq_from_attr() to set srq->rq.queue = NULL. The second call then triggers a crash (null deref) when accessing srq->rq.queue->buf->index_mask. Call Trace: <TASK> rxe_modify_srq+0x170/0x480 [rdma_rxe] ? __pfx_rxe_modify_srq+0x10/0x10 [rdma_rxe] ? uverbs_try_lock_object+0x4f/0xa0 [ib_uverbs] ? rdma_lookup_get_uobject+0x1f0/0x380 [ib_uverbs] ib_uverbs_modify_srq+0x204/0x290 [ib_uverbs] ? __pfx_ib_uverbs_modify_srq+0x10/0x10 [ib_uverbs] ? tryinc_node_nr_active+0xe6/0x150 ? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs] ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2c0/0x470 [ib_uverbs] ? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs] ? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs] ib_uverbs_run_method+0x55a/0x6e0 [ib_uverbs] ? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs] ib_uverbs_cmd_verbs+0x54d/0x800 [ib_uverbs] ? __pfx_ib_uverbs_cmd_verbs+0x10/0x10 [ib_uverbs] ? __pfx___raw_spin_lock_irqsave+0x10/0x10 ? __pfx_do_vfs_ioctl+0x10/0x10 ? ioctl_has_perm.constprop.0.isra.0+0x2c7/0x4c0 ? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10 ib_uverbs_ioctl+0x13e/0x220 [ib_uverbs] ? __pfx_ib_uverbs_ioctl+0x10/0x10 [ib_uverbs] __x64_sys_ioctl+0x138/0x1c0 do_syscall_64+0x82/0x250 ? fdget_pos+0x58/0x4c0 ? ksys_write+0xf3/0x1c0 ? __pfx_ksys_write+0x10/0x10 ? do_syscall_64+0xc8/0x250 ? __pfx_vm_mmap_pgoff+0x10/0x10 ? fget+0x173/0x230 ? fput+0x2a/0x80 ? ksys_mmap_pgoff+0x224/0x4c0 ? do_syscall_64+0xc8/0x250 ? do_user_addr_fault+0x37b/0xfe0 ? clear_bhb_loop+0x50/0xa0 ? clear_bhb_loop+0x50/0xa0 ? clear_bhb_loop+0x50/0xa0 entry_SYSCALL_64_after_hwframe+0x76/0x7e 2025-12-24 not yet calculated CVE-2025-68379 https://git.kernel.org/stable/c/b8f6eeb87a76b6fb1f6381b0b2894568e1b784f7
https://git.kernel.org/stable/c/5dbeb421e137824aa9bd8358bdfc926a3965fc0d
https://git.kernel.org/stable/c/bc4c14a3863cc0e03698caec9a0cdabd779776ee
https://git.kernel.org/stable/c/503a5e4690ae14c18570141bc0dcf7501a8419b0
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix peer HE MCS assignment In ath11k_wmi_send_peer_assoc_cmd(), peer's transmit MCS is sent to firmware as receive MCS while peer's receive MCS sent as transmit MCS, which goes against firmwire's definition. While connecting to a misbehaved AP that advertises 0xffff (meaning not supported) for 160 MHz transmit MCS map, firmware crashes due to 0xffff is assigned to he_mcs->rx_mcs_set field. Ext Tag: HE Capabilities [...] Supported HE-MCS and NSS Set [...] Rx and Tx MCS Maps 160 MHz [...] Tx HE-MCS Map 160 MHz: 0xffff Swap the assignment to fix this issue. As the HE rate control mask is meant to limit our own transmit MCS, it needs to go via he_mcs->rx_mcs_set field. With the aforementioned swapping done, change is needed as well to apply it to the peer's receive MCS. Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 2025-12-24 not yet calculated CVE-2025-68380 https://git.kernel.org/stable/c/097c870b91817779e5a312c6539099a884b1fe2b
https://git.kernel.org/stable/c/381096a417b7019896e93e86f4c585c592bf98e2
https://git.kernel.org/stable/c/6b1a0da75932353f66e710976ca85a7131f647ff
https://git.kernel.org/stable/c/4a013ca2d490c73c40588d62712ffaa432046a04
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id Use check_add_overflow() to guard against potential integer overflows when adding the binary blob lengths and the size of an asymmetric_key_id structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a possible buffer overflow when copying data from potentially malicious X.509 certificate fields that can be arbitrarily large, such as ASN.1 INTEGER serial numbers, issuer names, etc. 2025-12-24 not yet calculated CVE-2025-68724 https://git.kernel.org/stable/c/c73be4f51eed98fa0c7c189db8f279e1c86bfbf7
https://git.kernel.org/stable/c/6af753ac5205115e6c310c8c4236c01b59a1c44f
https://git.kernel.org/stable/c/b7090a5c153105b9fd221a5a81459ee8cd5babd6
https://git.kernel.org/stable/c/df0845cf447ae1556c3440b8b155de0926cbaa56
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Do not let BPF test infra emit invalid GSO types to stack Yinhao et al. reported that their fuzzer tool was able to trigger a skb_warn_bad_offload() from netif_skb_features() -> gso_features_check(). When a BPF program - triggered via BPF test infra - pushes the packet to the loopback device via bpf_clone_redirect() then mentioned offload warning can be seen. GSO-related features are then rightfully disabled. We get into this situation due to convert___skb_to_skb() setting gso_segs and gso_size but not gso_type. Technically, it makes sense that this warning triggers since the GSO properties are malformed due to the gso_type. Potentially, the gso_type could be marked non-trustworthy through setting it at least to SKB_GSO_DODGY without any other specific assumptions, but that also feels wrong given we should not go further into the GSO engine in the first place. The checks were added in 121d57af308d ("gso: validate gso_type in GSO handlers") because there were malicious (syzbot) senders that combine a protocol with a non-matching gso_type. If we would want to drop such packets, gso_features_check() currently only returns feature flags via netif_skb_features(), so one location for potentially dropping such skbs could be validate_xmit_unreadable_skb(), but then otoh it would be an additional check in the fast-path for a very corner case. Given bpf_clone_redirect() is the only place where BPF test infra could emit such packets, lets reject them right there. 2025-12-24 not yet calculated CVE-2025-68725 https://git.kernel.org/stable/c/fbea4c63b5385588cb44ab21f91e55e33c719a54
https://git.kernel.org/stable/c/04a899573fb87273a656f178b5f920c505f68875
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: crypto: aead - Fix reqsize handling Commit afddce13ce81d ("crypto: api - Add reqsize to crypto_alg") introduced cra_reqsize field in crypto_alg struct to replace type specific reqsize fields. It looks like this was introduced specifically for ahash and acomp from the commit description as subsequent commits add necessary changes in these alg frameworks. However, this is being recommended for use in all crypto algs instead of setting reqsize using crypto_*_set_reqsize(). Using cra_reqsize in aead algorithms, hence, causes memory corruptions and crashes as the underlying functions in the algorithm framework have not been updated to set the reqsize properly from cra_reqsize. [1] Add proper set_reqsize calls in the aead init function to properly initialize reqsize for these algorithms in the framework. [1]: https://gist.github.com/Pratham-T/24247446f1faf4b7843e4014d5089f6b 2025-12-24 not yet calculated CVE-2025-68726 https://git.kernel.org/stable/c/64377e66e187164bd6737112d07257f5f0feb681
https://git.kernel.org/stable/c/12b413f5460c393d1151a37f591140693eca0f84
https://git.kernel.org/stable/c/9b04d8f00569573796dd05397f5779135593eb24
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ntfs3: Fix uninit buffer allocated by __getname() Fix uninit errors caused after buffer allocation given to 'de'; by initializing the buffer with zeroes. The fix was found by using KMSAN. 2025-12-24 not yet calculated CVE-2025-68727 https://git.kernel.org/stable/c/4b1fd82848fdf0e01b3320815b261006c1722c3e
https://git.kernel.org/stable/c/d88d4b455b6794f48d7adad52593f1700c7bd50e
https://git.kernel.org/stable/c/b40a4eb4a0543d49686a6e693745009dac3b86a9
https://git.kernel.org/stable/c/9948dcb2f7b5a1bf8e8710eafaf6016e00be3ad6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ntfs3: fix uninit memory after failed mi_read in mi_format_new Fix a KMSAN un-init bug found by syzkaller. ntfs_get_bh() expects a buffer from sb_getblk(), that buffer may not be uptodate. We do not bring the buffer uptodate before setting it as uptodate. If the buffer were to not be uptodate, it could mean adding a buffer with un-init data to the mi record. Attempting to load that record will trigger KMSAN. Avoid this by setting the buffer as uptodate, if it's not already, by overwriting it. 2025-12-24 not yet calculated CVE-2025-68728 https://git.kernel.org/stable/c/7ce8f2028dfccb2161b905cf8ab85cdd9e93909c
https://git.kernel.org/stable/c/46f2a881e5a7311d41551edb3915e4d4e8802341
https://git.kernel.org/stable/c/81ffe9a265df3e41534726b852ab08792e3d374d
https://git.kernel.org/stable/c/73e6b9dacf72a1e7a4265eacca46f8f33e0997d6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix MSDU buffer types handling in RX error path Currently, packets received on the REO exception ring from unassociated peers are of MSDU buffer type, while the driver expects link descriptor type packets. These packets are not parsed further due to a return check on packet type in ath12k_hal_desc_reo_parse_err(), but the associated skb is not freed. This may lead to kernel crashes and buffer leaks. Hence to fix, update the RX error handler to explicitly drop MSDU buffer type packets received on the REO exception ring. This prevents further processing of invalid packets and ensures stability in the RX error handling path. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 2025-12-24 not yet calculated CVE-2025-68729 https://git.kernel.org/stable/c/5ff5a9d71cdc49c3400f30583a784ad0a17d01ec
https://git.kernel.org/stable/c/ab0554f51e5f2b9506e8a09e8accd02f00056729
https://git.kernel.org/stable/c/36f9edbb9d0fc36c865c74f3c1ad8e1261ad3981
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix page fault in ivpu_bo_unbind_all_bos_from_context() Don't add BO to the vdev->bo_list in ivpu_gem_create_object(). When failure happens inside drm_gem_shmem_create(), the BO is not fully created and ivpu_gem_bo_free() callback will not be called causing a deleted BO to be left on the list. 2025-12-24 not yet calculated CVE-2025-68730 https://git.kernel.org/stable/c/8172838a284c27190fa6782c2740a97020434750
https://git.kernel.org/stable/c/c9ef5ccd8bd9bcf598b6d3f77e7eb4dde7149aec
https://git.kernel.org/stable/c/8b694b405a84696f1d964f6da7cf9721e68c4714
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix an integer overflow in aie2_query_ctx_status_array() The unpublished smatch static checker reported a warning. drivers/accel/amdxdna/aie2_pci.c:904 aie2_query_ctx_status_array() warn: potential user controlled sizeof overflow 'args->num_element * args->element_size' '1-u32max(user) * 1-u32max(user)' Even this will not cause a real issue, it is better to put a reasonable limitation for element_size and num_element. Add condition to make sure the input element_size <= 4K and num_element <= 1K. 2025-12-24 not yet calculated CVE-2025-68731 https://git.kernel.org/stable/c/359653edd5374fbba28f93043554dcc494aee85f
https://git.kernel.org/stable/c/9e16c8bf9aebf629344cfd4cd5e3dc7d8c3f7d82
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: gpu: host1x: Fix race in syncpt alloc/free Fix race condition between host1x_syncpt_alloc() and host1x_syncpt_put() by using kref_put_mutex() instead of kref_put() + manual mutex locking. This ensures no thread can acquire the syncpt_mutex after the refcount drops to zero but before syncpt_release acquires it. This prevents races where syncpoints could be allocated while still being cleaned up from a previous release. Remove explicit mutex locking in syncpt_release as kref_put_mutex() handles this atomically. 2025-12-24 not yet calculated CVE-2025-68732 https://git.kernel.org/stable/c/4e6e07ce0197aecfb6c4a62862acc93b3efedeb7
https://git.kernel.org/stable/c/d138f73ffb0c57ded473c577719e6e551b7b1f27
https://git.kernel.org/stable/c/79197c6007f2afbfd7bcf5b9b80ccabf8483d774
https://git.kernel.org/stable/c/c7d393267c497502fa737607f435f05dfe6e3d9b
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: smack: fix bug: unprivileged task can create labels If an unprivileged task is allowed to relabel itself (/smack/relabel-self is not empty), it can freely create new labels by writing their names into own /proc/PID/attr/smack/current This occurs because do_setattr() imports the provided label in advance, before checking "relabel-self" list. This change ensures that the "relabel-self" list is checked before importing the label. 2025-12-24 not yet calculated CVE-2025-68733 https://git.kernel.org/stable/c/ac9fce2efabad37c338aac86fbe100f77a080e59
https://git.kernel.org/stable/c/64aa81250171b6bb6803e97ea7a5d73bfa061f6e
https://git.kernel.org/stable/c/60e8d49989410a7ade60f5dadfcd979c117d05c0
https://git.kernel.org/stable/c/c147e13ea7fe9f118f8c9ba5e96cbd644b00d6b3
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe() In hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when setup_instance() fails with an error code. Fix that by freeing the urb before freeing the hw structure. Also change the error paths to use the goto ladder style. Compile tested only. Issue found using a prototype static analysis tool. 2025-12-24 not yet calculated CVE-2025-68734 https://git.kernel.org/stable/c/475032fa2bb82ffb592c321885e917e39f47357f
https://git.kernel.org/stable/c/adb7577e23a431fc53aa1b6107733c0d751015fb
https://git.kernel.org/stable/c/b70c24827e11fdc71465f9207e974526fb457bb9
https://git.kernel.org/stable/c/3f7c72bc73c4e542fde14cce017549d8a0b61a3c
https://git.kernel.org/stable/c/03695541b3349bc40bf5d6563d44d6147fb20260
https://git.kernel.org/stable/c/6dce43433e0635e7b00346bc937b69ce48ea71bb
https://git.kernel.org/stable/c/ea7936304ed74ab7f965d17f942a173ce91a5ca8
https://git.kernel.org/stable/c/3f978e3f1570155a1327ffa25f60968bc7b9398f
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Prevent potential UAF in group creation This commit prevents the possibility of a use after free issue in the GROUP_CREATE ioctl function, which arose as pointer to the group is accessed in that ioctl function after storing it in the Xarray. A malicious userspace can second guess the handle of a group and try to call GROUP_DESTROY ioctl from another thread around the same time as GROUP_CREATE ioctl. To prevent the use after free exploit, this commit uses a mark on an entry of group pool Xarray which is added just before returning from the GROUP_CREATE ioctl function. The mark is checked for all ioctls that specify the group handle and so userspace won't be abe to delete a group that isn't marked yet. v2: Add R-bs and fixes tags 2025-12-24 not yet calculated CVE-2025-68735 https://git.kernel.org/stable/c/deb8b2491f6b9882ae02d7dc2651c7bf4f3b7e05
https://git.kernel.org/stable/c/c646ebff3fa571e7ea974235286fb9ed3edc260c
https://git.kernel.org/stable/c/eec7e23d848d2194dd8791fcd0f4a54d4378eecd
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: landlock: Fix handling of disconnected directories Disconnected files or directories can appear when they are visible and opened from a bind mount, but have been renamed or moved from the source of the bind mount in a way that makes them inaccessible from the mount point (i.e. out of scope). Previously, access rights tied to files or directories opened through a disconnected directory were collected by walking the related hierarchy down to the root of the filesystem, without taking into account the mount point because it couldn't be found. This could lead to inconsistent access results, potential access right widening, and hard-to-debug renames, especially since such paths cannot be printed. For a sandboxed task to create a disconnected directory, it needs to have write access (i.e. FS_MAKE_REG, FS_REMOVE_FILE, and FS_REFER) to the underlying source of the bind mount, and read access to the related mount point. Because a sandboxed task cannot acquire more access rights than those defined by its Landlock domain, this could lead to inconsistent access rights due to missing permissions that should be inherited from the mount point hierarchy, while inheriting permissions from the filesystem hierarchy hidden by this mount point instead. Landlock now handles files and directories opened from disconnected directories by taking into account the filesystem hierarchy when the mount point is not found in the hierarchy walk, and also always taking into account the mount point from which these disconnected directories were opened. This ensures that a rename is not allowed if it would widen access rights [1]. The rationale is that, even if disconnected hierarchies might not be visible or accessible to a sandboxed task, relying on the collected access rights from them improves the guarantee that access rights will not be widened during a rename because of the access right comparison between the source and the destination (see LANDLOCK_ACCESS_FS_REFER). It may look like this would grant more access on disconnected files and directories, but the security policies are always enforced for all the evaluated hierarchies. This new behavior should be less surprising to users and safer from an access control perspective. Remove a wrong WARN_ON_ONCE() canary in collect_domain_accesses() and fix the related comment. Because opened files have their access rights stored in the related file security properties, there is no impact for disconnected or unlinked files. 2025-12-24 not yet calculated CVE-2025-68736 https://git.kernel.org/stable/c/cadb28f8b3fd6908e3051e86158c65c3a8e1c907
https://git.kernel.org/stable/c/49c9e09d961025b22e61ef9ad56aa1c21b6ce2f1
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: arm64/pageattr: Propagate return value from __change_memory_common The rodata=on security measure requires that any code path which does vmalloc -> set_memory_ro/set_memory_rox must protect the linear map alias too. Therefore, if such a call fails, we must abort set_memory_* and caller must take appropriate action; currently we are suppressing the error, and there is a real chance of such an error arising post commit a166563e7ec3 ("arm64: mm: support large block mapping when rodata=full"). Therefore, propagate any error to the caller. 2025-12-24 not yet calculated CVE-2025-68737 https://git.kernel.org/stable/c/3e2fc1e57a5361633a4bf4222640c6bfe41ff8ea
https://git.kernel.org/stable/c/e5efd56fa157d2e7d789949d1d64eccbac18a897
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: fix null pointer deref in mt7996_conf_tx() If a link does not have an assigned channel yet, mt7996_vif_link returns NULL. We still need to store the updated queue settings in that case, and apply them later. Move the location of the queue params to within struct mt7996_vif_link. 2025-12-24 not yet calculated CVE-2025-68738 https://git.kernel.org/stable/c/96841352aaba7723c20afb3a5356746810ef8198
https://git.kernel.org/stable/c/b8f34c1c5c4f5130c20e3253c95ba1d844d402b9
https://git.kernel.org/stable/c/79277f8ad15ec5f255ed0e1427c7a8a3e94e7f52
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: hisi: Fix potential UAF in OPP handling Ensure all required data is acquired before calling dev_pm_opp_put(opp) to maintain correct resource acquisition and release order. 2025-12-24 not yet calculated CVE-2025-68739 https://git.kernel.org/stable/c/efb028b07f7b2d141b91c2fab5276b601f0d0dbe
https://git.kernel.org/stable/c/469b0b8ce08818f3e4f01d2fa8d0dadeab501e1f
https://git.kernel.org/stable/c/26dd44a40096468396b6438985d8e44e0743f64c
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: ima: Handle error code returned by ima_filter_rule_match() In ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to the rule being NULL, the function incorrectly skips the 'if (!rc)' check and sets 'result = true'. The LSM rule is considered a match, causing extra files to be measured by IMA. This issue can be reproduced in the following scenario: After unloading the SELinux policy module via 'semodule -d', if an IMA measurement is triggered before ima_lsm_rules is updated, in ima_match_rules(), the first call to ima_filter_rule_match() returns -ESTALE. This causes the code to enter the 'if (rc == -ESTALE && !rule_reinitialized)' block, perform ima_lsm_copy_rule() and retry. In ima_lsm_copy_rule(), since the SELinux module has been removed, the rule becomes NULL, and the second call to ima_filter_rule_match() returns -ENOENT. This bypasses the 'if (!rc)' check and results in a false match. Call trace: selinux_audit_rule_match+0x310/0x3b8 security_audit_rule_match+0x60/0xa0 ima_match_rules+0x2e4/0x4a0 ima_match_policy+0x9c/0x1e8 ima_get_action+0x48/0x60 process_measurement+0xf8/0xa98 ima_bprm_check+0x98/0xd8 security_bprm_check+0x5c/0x78 search_binary_handler+0x6c/0x318 exec_binprm+0x58/0x1b8 bprm_execve+0xb8/0x130 do_execveat_common.isra.0+0x1a8/0x258 __arm64_sys_execve+0x48/0x68 invoke_syscall+0x50/0x128 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x44/0x200 el0t_64_sync_handler+0x100/0x130 el0t_64_sync+0x3c8/0x3d0 Fix this by changing 'if (!rc)' to 'if (rc <= 0)' to ensure that error codes like -ENOENT do not bypass the check and accidentally result in a successful match. 2025-12-24 not yet calculated CVE-2025-68740 https://git.kernel.org/stable/c/c2238d487a640ae3511e1b6f4640ab27ce10d7f6
https://git.kernel.org/stable/c/de4431faf308d0c533cb386f5fa9af009bc86158
https://git.kernel.org/stable/c/32952c4f4d1b2deb30dce72ba109da808a9018e1
https://git.kernel.org/stable/c/738c9738e690f5cea24a3ad6fd2d9a323cf614f6
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix improper freeing of purex item In qla2xxx_process_purls_iocb(), an item is allocated via qla27xx_copy_multiple_pkt(), which internally calls qla24xx_alloc_purex_item(). The qla24xx_alloc_purex_item() function may return a pre-allocated item from a per-adapter pool for small allocations, instead of dynamically allocating memory with kzalloc(). An error handling path in qla2xxx_process_purls_iocb() incorrectly uses kfree() to release the item. If the item was from the pre-allocated pool, calling kfree() on it is a bug that can lead to memory corruption. Fix this by using the correct deallocation function, qla24xx_free_purex_item(), which properly handles both dynamically allocated and pre-allocated items. 2025-12-24 not yet calculated CVE-2025-68741 https://git.kernel.org/stable/c/8e9f0a0717ba31d5842721627ade1e62d7aec012
https://git.kernel.org/stable/c/cfe3e2f768d248fd3d965d561d0768a56dd0b9f8
https://git.kernel.org/stable/c/5fa1c8226b4532ad7011d295d3ab4ad45df105ae
https://git.kernel.org/stable/c/78b1a242fe612a755f2158fd206ee6bb577d18ca
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Fix invalid prog->stats access when update_effective_progs fails Syzkaller triggers an invalid memory access issue following fault injection in update_effective_progs. The issue can be described as follows: __cgroup_bpf_detach update_effective_progs compute_effective_progs bpf_prog_array_alloc <-- fault inject purge_effective_progs /* change to dummy_bpf_prog */ array->items[index] = &dummy_bpf_prog.prog ---softirq start--- __do_softirq ... __cgroup_bpf_run_filter_skb __bpf_prog_run_save_cb bpf_prog_run stats = this_cpu_ptr(prog->stats) /* invalid memory access */ flags = u64_stats_update_begin_irqsave(&stats->syncp) ---softirq end--- static_branch_dec(&cgroup_bpf_enabled_key[atype]) The reason is that fault injection caused update_effective_progs to fail and then changed the original prog into dummy_bpf_prog.prog in purge_effective_progs. Then a softirq came, and accessing the members of dummy_bpf_prog.prog in the softirq triggers invalid mem access. To fix it, skip updating stats when stats is NULL. 2025-12-24 not yet calculated CVE-2025-68742 https://git.kernel.org/stable/c/539137e3038ce6f953efd72110110f03c14c7d97
https://git.kernel.org/stable/c/56905bb70c8b88421709bb4e32fcba617aa37d41
https://git.kernel.org/stable/c/2579c356ccd35d06238b176e4b460978186d804b
https://git.kernel.org/stable/c/7dc211c1159d991db609bdf4b0fb9033c04adcbc
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: mshv: Fix create memory region overlap check The current check is incorrect; it only checks if the beginning or end of a region is within an existing region. This doesn't account for userspace specifying a region that begins before and ends after an existing region. Change the logic to a range intersection check against gfns and uaddrs for each region. Remove mshv_partition_region_by_uaddr() as it is no longer used. 2025-12-24 not yet calculated CVE-2025-68743 https://git.kernel.org/stable/c/2183924dd834e0703f87e17c17e689bcbf55d69d
https://git.kernel.org/stable/c/ab3e7a78d83a61d335458cfe2e4d17eba69ae73d
https://git.kernel.org/stable/c/ba9eb9b86d232854e983203dc2fb1ba18e316681
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Free special fields when update [lru_,]percpu_hash maps As [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missing calls to 'bpf_obj_free_fields()' in 'pcpu_copy_value()' could cause the memory referenced by BPF_KPTR_{REF,PERCPU} fields to be held until the map gets freed. Fix this by calling 'bpf_obj_free_fields()' after 'copy_map_value[,_long]()' in 'pcpu_copy_value()'. 2025-12-24 not yet calculated CVE-2025-68744 https://git.kernel.org/stable/c/3bf1378747e251571e0de15e7e0a6bf2919044e7
https://git.kernel.org/stable/c/96a5cb7072cabbac5c66ac9318242c3bdceebb68
https://git.kernel.org/stable/c/4a03d69cece145e4fb527464be29c3806aa3221e
https://git.kernel.org/stable/c/6af6e49a76c9af7d42eb923703e7648cb2bf401a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Clear cmds after chip reset Commit aefed3e5548f ("scsi: qla2xxx: target: Fix offline port handling and host reset handling") caused two problems: 1. Commands sent to FW, after chip reset got stuck and never freed as FW is not going to respond to them anymore. 2. BUG_ON(cmd->sg_mapped) in qlt_free_cmd(). Commit 26f9ce53817a ("scsi: qla2xxx: Fix missed DMA unmap for aborted commands") attempted to fix this, but introduced another bug under different circumstances when two different CPUs were racing to call qlt_unmap_sg() at the same time: BUG_ON(!valid_dma_direction(dir)) in dma_unmap_sg_attrs(). So revert "scsi: qla2xxx: Fix missed DMA unmap for aborted commands" and partially revert "scsi: qla2xxx: target: Fix offline port handling and host reset handling" at __qla2x00_abort_all_cmds. 2025-12-24 not yet calculated CVE-2025-68745 https://git.kernel.org/stable/c/5c1fb3fd05da3d55b8cbc42d7d660b313cbdc936
https://git.kernel.org/stable/c/d46c69a087aa3d1513f7a78f871b80251ea0c1ae
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Fix timeout handling When the CPU that the QSPI interrupt handler runs on (typically CPU 0) is excessively busy, it can lead to rare cases of the IRQ thread not running before the transfer timeout is reached. While handling the timeouts, any pending transfers are cleaned up and the message that they correspond to is marked as failed, which leaves the curr_xfer field pointing at stale memory. To avoid this, clear curr_xfer to NULL upon timeout and check for this condition when the IRQ thread is finally run. While at it, also make sure to clear interrupts on failure so that new interrupts can be run. A better, more involved, fix would move the interrupt clearing into a hard IRQ handler. Ideally we would also want to signal that the IRQ thread no longer needs to be run after the timeout is hit to avoid the extra check for a valid transfer. 2025-12-24 not yet calculated CVE-2025-68746 https://git.kernel.org/stable/c/551060efb156c50fe33799038ba8145418cfdeef
https://git.kernel.org/stable/c/bb0c58be84f907285af45657c1d4847b960a12bf
https://git.kernel.org/stable/c/01bbf25c767219b14c3235bfa85906b8d2cb8fbc
https://git.kernel.org/stable/c/b4e002d8a7cee3b1d70efad0e222567f92a73000
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Fix UAF on kernel BO VA nodes If the MMU is down, panthor_vm_unmap_range() might return an error. We expect the page table to be updated still, and if the MMU is blocked, the rest of the GPU should be blocked too, so no risk of accessing physical memory returned to the system (which the current code doesn't cover for anyway). Proceed with the rest of the cleanup instead of bailing out and leaving the va_node inserted in the drm_mm, which leads to UAF when other adjacent nodes are removed from the drm_mm tree. 2025-12-24 not yet calculated CVE-2025-68747 https://git.kernel.org/stable/c/5a0060ddfc1fcfdb0f7b4fa1b7b3b0c436151391
https://git.kernel.org/stable/c/1123eadb843588b361c96f53a771202b7953154f
https://git.kernel.org/stable/c/0612704b6f6ddf2ae223019c52148c5ac76cf70e
https://git.kernel.org/stable/c/98dd5143447af0ee33551776d8b2560c35d0bc4a
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Fix UAF race between device unplug and FW event processing The function panthor_fw_unplug() will free the FW memory sections. The problem is that there could still be pending FW events which are yet not handled at this point. process_fw_events_work() can in this case try to access said freed memory. Simply call disable_work_sync() to both drain and prevent future invocation of process_fw_events_work(). 2025-12-24 not yet calculated CVE-2025-68748 https://git.kernel.org/stable/c/31db188355a49337e3e8ec98b99377e482eab22c
https://git.kernel.org/stable/c/5e3ff56d4cb591daea70786d07dc21d06dc34108
https://git.kernel.org/stable/c/6c1da9ae2c123a9ffda5375e64cc81f9ed3cc04a
https://git.kernel.org/stable/c/7051f6ba968fa69918d72cc26de4d6cf7ea05b90
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix race condition when unbinding BOs Fix 'Memory manager not clean during takedown' warning that occurs when ivpu_gem_bo_free() removes the BO from the BOs list before it gets unmapped. Then file_priv_unbind() triggers a warning in drm_mm_takedown() during context teardown. Protect the unmapping sequence with bo_list_lock to ensure the BO is always fully unmapped when removed from the list. This ensures the BO is either fully unmapped at context teardown time or present on the list and unmapped by file_priv_unbind(). 2025-12-24 not yet calculated CVE-2025-68749 https://git.kernel.org/stable/c/fb16493ebd8f171bcf0772262619618a131f30f7
https://git.kernel.org/stable/c/d71333ffdd3707d84cfb95acfaf8ba892adc066b
https://git.kernel.org/stable/c/00812636df370bedf4e44a0c81b86ea96bca8628
 
Linux--Linux In the Linux kernel, the following vulnerability has been resolved: usb: potential integer overflow in usbg_make_tpg() The variable tpgt in usbg_make_tpg() is defined as unsigned long and is assigned to tpgt->tport_tpgt, which is defined as u16. This may cause an integer overflow when tpgt is greater than USHRT_MAX (65535). I haven't tried to trigger it myself, but it is possible to trigger it by calling usbg_make_tpg() with a large value for tpgt. I modified the type of tpgt to match tpgt->tport_tpgt and adjusted the relevant code accordingly. This patch is similar to commit 59c816c1f24d ("vhost/scsi: potential memory corruption"). 2025-12-24 not yet calculated CVE-2025-68750 https://git.kernel.org/stable/c/0861b9cb2ff519b7c5a3b1dd52a343e18c4efb24
https://git.kernel.org/stable/c/603a83e5fee38a950bfcfb2f36449311fa00a474
https://git.kernel.org/stable/c/6f77e344515b5258edb3988188311464209b1c7c
https://git.kernel.org/stable/c/6722e080b5b39ab7471386c73d0c1b39572f943c
https://git.kernel.org/stable/c/a33f507f36d5881f602dab581ab0f8d22b49762c
https://git.kernel.org/stable/c/358d5ba08f1609c34a054aed88c431844d09705a
https://git.kernel.org/stable/c/620a5e1e84a3a7004270703a118d33eeb1c0f368
https://git.kernel.org/stable/c/153874010354d050f62f8ae25cbb960c17633dc5
 
Liton Arefin--WP Adminify Missing Authorization vulnerability in Liton Arefin WP Adminify adminify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Adminify: from n/a through <= 4.0.6.1. 2025-12-24 not yet calculated CVE-2025-68592 https://vdp.patchstack.com/database/Wordpress/Plugin/adminify/vulnerability/wordpress-wp-adminify-plugin-4-0-6-1-broken-access-control-vulnerability-2?_s_id=cve
 
Liton Arefin--WP Adminify Missing Authorization vulnerability in Liton Arefin WP Adminify adminify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Adminify: from n/a through <= 4.0.6.1. 2025-12-24 not yet calculated CVE-2025-68593 https://vdp.patchstack.com/database/Wordpress/Plugin/adminify/vulnerability/wordpress-wp-adminify-plugin-4-0-6-1-broken-access-control-vulnerability?_s_id=cve
 
LiveComposer--Page Builder: Live Composer Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiveComposer Page Builder: Live Composer live-composer-page-builder allows Stored XSS. This issue affects Page Builder: Live Composer: from n/a through <= 2.0.5. 2025-12-24 not yet calculated CVE-2025-68598 https://vdp.patchstack.com/database/Wordpress/Plugin/live-composer-page-builder/vulnerability/wordpress-page-builder-live-composer-plugin-2-0-5-cross-site-scripting-xss-vulnerability?_s_id=cve
 
MariaDB--MariaDB MariaDB mariadb-dump Utility Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MariaDB. Interaction with the mariadb-dump utility is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of view names. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27000. 2025-12-23 not yet calculated CVE-2025-13699 ZDI-25-1025
vendor-provided URL
 
Marketing Fire--Editorial Calendar Missing Authorization vulnerability in Marketing Fire Editorial Calendar editorial-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Editorial Calendar: from n/a through <= 3.8.8. 2025-12-24 not yet calculated CVE-2025-68603 https://vdp.patchstack.com/database/Wordpress/Plugin/editorial-calendar/vulnerability/wordpress-editorial-calendar-plugin-3-8-8-broken-access-control-vulnerability?_s_id=cve
 
Mitchell Bennis--Simple File List Missing Authorization vulnerability in Mitchell Bennis Simple File List simple-file-list allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple File List: from n/a through <= 6.1.15. 2025-12-24 not yet calculated CVE-2025-68591 https://vdp.patchstack.com/database/Wordpress/Plugin/simple-file-list/vulnerability/wordpress-simple-file-list-plugin-6-1-15-broken-access-control-vulnerability?_s_id=cve
 
modeltheme--ModelTheme Addons for WPBakery and Elementor Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in modeltheme ModelTheme Addons for WPBakery and Elementor modeltheme-addons-for-wpbakery allows Stored XSS.This issue affects ModelTheme Addons for WPBakery and Elementor: from n/a through < 1.5.6. 2025-12-24 not yet calculated CVE-2025-68532 https://vdp.patchstack.com/database/Wordpress/Plugin/modeltheme-addons-for-wpbakery/vulnerability/wordpress-modeltheme-addons-for-wpbakery-and-elementor-plugin-1-5-6-cross-site-scripting-xss-vulnerability?_s_id=cve
 
MSP360--Free Backup MSP360 Free Backup Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MSP360 Free Backup. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. User interaction on the part of an administrator is needed additionally. The specific flaw exists within the restore functionality. By creating a junction, an attacker can abuse the service to create arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27245. 2025-12-23 not yet calculated CVE-2025-12838 ZDI-25-988
 
Frappe--Attachments module of Frappe Framework v15.89.0 An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file. 2025-12-22 not yet calculated CVE-2025-67289 http://erpnext.com
http://frappe.com
https://github.com/vuquyen03/CVE/blob/main/CVE-2025-67289/README.md
 
Blitz--Blitz Panel v1.17.0 An open redirect vulnerability in the login endpoint of Blitz Panel v1.17.0 allows attackers to redirect users to malicious domains via a crafted URL. This issue affects the next_url parameter in the login endpoint and could lead to phishing or token theft after successful authentication. 2025-12-24 not yet calculated CVE-2025-60935 https://github.com/ReturnFI/Blitz
https://gist.github.com/HEXER365/2e866b47d56585e1e59e7c16bf4b4db7
 
Cadmium--Cadmium CMS v.0.4.9 Cadmium CMS v.0.4.9 has a background arbitrary file upload vulnerability in /admin/content/filemanager/uploads. 2025-12-23 not yet calculated CVE-2025-51511 https://github.com/cadmium-org/cadmium-cms/issues/23
 
ClinCapture--ClinCapture EDC 3.0 and 2.2.3 Reflected cross-site scripting (XSS) vulnerability in ClinCapture EDC 3.0 and 2.2.3, allowing an unauthenticated remote attacker to execute JavaScript code in the context of the victim's browser. 2025-12-22 not yet calculated CVE-2025-65270 https://www.clincapture.com/
https://github.com/xh4vm/CVE-2025-65270
 
ClipBucket--ClipBucket 5.5.2 ClipBucket 5.5.2 is affected by an improper access control issue where the product is shipped or deployed with hardcoded default administrative credentials. An unauthenticated remote attacker can log in to the administrative panel using these default credentials, resulting in full administrative control of the application. 2025-12-22 not yet calculated CVE-2025-67418 http://clipbucket.com
https://medium.com/@arpit03sharma2003/cve-2025-67418-when-default-credentials-become-a-remote-root-button-03be5ee4b927
 
CloudLog--Cloudlog v2.6.15 Time-based blind SQL Injection vulnerability in Cloudlog v2.6.15 at the endpoint /index.php/logbookadvanced/search in the qsoresults parameter. 2025-12-26 not yet calculated CVE-2024-44065 https://github.com/magicbug/Cloudlog
https://github.com/jacopo1223/jacopo.github/tree/main/CVE-2024-44065
 
Cola--Cola Dnslog v1.3.2 Cola Dnslog v1.3.2 is vulnerable to Directory Traversal. When a DNS query for a TXT record is processed, the application concatenates the requested URL (or a portion of it) directly with a base path using os.path.join. This bypass allows directory traversal or absolute path injection, leading to the potential exposure of sensitive information. 2025-12-26 not yet calculated CVE-2025-57403 https://github.com/AbelChe/cola_dnslog/issues/29
https://gist.github.com/Captaince/99b728c792c72b2666c2400625702df0
 
Comtech--Comtech EF Data CDM-625 / CDM-625A Incorrect access control in Comtech EF Data CDM-625 / CDM-625A Advanced Satellite Modem with firmware v2.5.1 allows attackers to change the Administrator password and escalate privileges via sending a crafted POST request to /Forms/admin_access_1. 2025-12-26 not yet calculated CVE-2025-67015 https://www.comtechefdata.com/
https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-67015%20_%20Comtech%20EF%20Data%20CDM-625%20_%20CDM-625A%20Advanced%20_%20Broken%20Access%20Control
 
Croogo--Croogo CMS 4.0.7 A path traversal vulnerability in Croogo CMS 4.0.7 allows remote attackers to read arbitrary files via a specially crafted path in the 'edit-file' parameter. 2025-12-26 not yet calculated CVE-2024-42718 https://github.com/croogo/croogo
https://github.com/jacopo1223/jacopo.github/tree/main/CVE-2024-42718
 
--Delight Custom Firmware (CFW) for Nokia Symbian Belle devices on Nokia 808 (Delight v1.8), Nokia N8 (Delight v6.7), Nokia E7 (Delight v1.3), Nokia C7 (Delight v6.7), Nokia 700 (Delight v1.2), Nokia 701 (Delight v1.1), Nokia 603 (Delight v1.0), Nokia 500 (Delight v1.2), Nokia E6 (Delight v1.0), Nokia Oro (Delight v1.0), and Vertu Constellation T (Delight v1.0) An issue was discovered in the Delight Custom Firmware (CFW) for Nokia Symbian Belle devices on Nokia 808 (Delight v1.8), Nokia N8 (Delight v6.7), Nokia E7 (Delight v1.3), Nokia C7 (Delight v6.7), Nokia 700 (Delight v1.2), Nokia 701 (Delight v1.1), Nokia 603 (Delight v1.0), Nokia 500 (Delight v1.2), Nokia E6 (Delight v1.0), Nokia Oro (Delight v1.0), and Vertu Constellation T (Delight v1.0) allowing local attackers to inject startup scripts via crafted .txt files in the :\Data directory. 2025-12-26 not yet calculated CVE-2025-65885 https://www.symwld.com/delight/
https://gist.github.com/symbuzzer/3315e88adc2bba0b6cc66d192b49546d
 
--DEV Systemtechnik GmbH DEV 7113 RF over Fiber Distribution System 32-0078 H.01 Incorrect access control in DEV Systemtechnik GmbH DEV 7113 RF over Fiber Distribution System 32-0078 H.01 allows unauthenticated attackers to access an administrative endpoint. 2025-12-26 not yet calculated CVE-2025-67014 https://dev-systemtechnik.com
https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-67014%20_%20DEV%20Systemtechnik%20GmbH%20DEV%207113%20RF%20over%20_%20Broken%20Access%20Control
 
Eclipse--Eclipse Cyclone DDS before v0.10.5 Improper verification of the time certificate in Eclipse Cyclone DDS before v0.10.5 allows attackers to bypass certificate checks and execute commands with System privileges. 2025-12-23 not yet calculated CVE-2025-67109 http://eclipse.com
https://github.com/eclipse-cyclonedds/cyclonedds/blob/master/src/ddsrt/src/time/posix/time.c#L28
https://github.com/eclipse-cyclonedds/cyclonedds/blob/master/src/security/builtin_plugins/authentication/src/auth_utils.c#L84
https://gist.github.com/lkloliver/669e15bc7e6194133e4ee1026ce157e6
 
eProsima--eProsima Fast-DDS v3.3 An integer overflow in eProsima Fast-DDS v3.3 allows attackers to cause a Denial of Service (DoS) via a crafted input. 2025-12-23 not yet calculated CVE-2025-65865 http://eprosima.com
http://fast-dds.com
https://github.com/lkloliver/poc/blob/main/Detail.md
https://gist.github.com/lkloliver/7aa48cb9fc7a1dd74cb595212bb69d33
 
eProsima--eProsima Fast-DDS v3.3 eProsima Fast-DDS v3.3 was discovered to contain improper validation for ticket revocation, resulting in insecure communications and connections. 2025-12-23 not yet calculated CVE-2025-67108 http://eprosima.com
http://fast-dds.com
https://github.com/eProsima/Fast-DDS/blob/master/src/cpp/security/accesscontrol/Permissions.cpp#L263
https://gist.github.com/lkloliver/81b5d5a8328d712dbfd497bf11dbe913
 
--ETL Systems Ltd DEXTRA Series ' Digital L-Band Distribution System v1.8 The web management interface in ETL Systems Ltd DEXTRA Series ' Digital L-Band Distribution System v1.8 does not implement Cross-Site Request Forgery (CSRF) protection mechanisms (no tokens, no Origin/Referer validation) on critical configuration endpoints. 2025-12-26 not yet calculated CVE-2025-67013 https://www.etlsystems.com/
https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-67013%20_%20ETL%20Systems%20Ltd%20DEXTRA%20Series%20_%20CSRF
 
FluentCMS--FluentCMS 1.2.3. A cross-site scripting (XSS) vulnerability was identified in FluentCMS 1.2.3. After logging in as an admin and navigating to the "Add Page" function, the application fails to properly sanitize input in the <head> section, allowing remote attackers to inject arbitrary script tags. 2025-12-26 not yet calculated CVE-2025-67349 https://github.com/fluentcms/FluentCMS/issues/2403
https://github.com/eoniboogie/CVE_Disclosures/blob/main/CVE-2025-67349/CVE-2025-67349.md
 
FuguHub--FuguHub 8.1 A reflected cross-site scripting (XSS) vulnerability exists in FuguHub 8.1 when serving SVG files through the /fs/ file manager interface. FuguHub does not sanitize or restrict script execution inside SVG content. When a victim opens a crafted SVG containing an inline <script> element, the browser executes the attacker-controlled JavaScript. 2025-12-22 not yet calculated CVE-2025-65790 https://fuguhub.com/
https://github.com/hunterxxx/FuguHub-8.1-Reflected-SVG-XSS-CVE-2025-65790
 
GNU--GNU Unrtf v0.21.10 A stack overflow in the src/main.c component of GNU Unrtf v0.21.10 allows attackers to cause a Denial of Service (DoS) via injecting a crafted input into the filename parameter. 2025-12-23 not yet calculated CVE-2025-65410 https://www.gnu.org/software/unrtf/
https://lists.gnu.org/archive/html/bug-unrtf/2025-11/msg00001.html
https://savannah.gnu.org/projects/unrtf/
https://hg.savannah.gnu.org/hgweb/unrtf/rev/a5d3b025a8b1
 
--GT Edge AI Platform before v2.0.10 Insecure permissions in the /api/v1/agents API of GT Edge AI Platform before v2.0.10-dev allows unauthorized attackers to access sensitive information. 2025-12-22 not yet calculated CVE-2025-63662 https://github.com/p80n-sec/Vulnerability-Research/blob/main/Pending
https://gist.github.com/p80n-sec/48ce34c929e8b946f0ad25f76e7b8cef
 
--GT Edge AI Platform before v2.0.10 Incorrect access control in the /api/v1/conversations/*/files API of GT Edge AI Platform before v2.0.10 allows unauthorized attackers to access other users' uploaded files. 2025-12-22 not yet calculated CVE-2025-63663 https://github.com/p80n-sec/Vulnerability-Research/blob/main/Pending
https://gist.github.com/p80n-sec/f3ca933480157cb4e18c387d92f4d0c2
 
--GT Edge AI Platform before v2.0.10 Incorrect access control in the /api/v1/conversations/*/messages API of GT Edge AI Platform before v2.0.10-dev allows unauthorized attackers to access other users' message history with AI agents. 2025-12-22 not yet calculated CVE-2025-63664 https://github.com/p80n-sec/Vulnerability-Research/blob/main/Pending
https://gist.github.com/p80n-sec/0a0a71a2190d5e6f8083bf6069e7b5f2
 
--Home Assistant Core before v2025.8.0 Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability. 2025-12-23 not yet calculated CVE-2025-65713 https://github.com/home-assistant/core/pull/150046
https://gist.github.com/GenoWang/7359360285e0fe21a7a58d10ff71d032
 
--K7 Ultimate Security 17.0.2045. An issue was discovered in K7 Ultimate Security 17.0.2045. A Local Privilege Escalation (LPE) vulnerability in the K7 Ultimate Security antivirus can be exploited by a local unprivileged user on default installations of the product. Insecure access to a named pipe allows unprivileged users to edit any registry key, leading to a full compromise as SYSTEM. 2025-12-22 not yet calculated CVE-2025-67826 https://www.k7computing.com/
https://support.k7computing.com/index.php?/selfhelp/view-article/Advisory-issued-on-22nd-Dec-2025
 
--Keyfactor SignServer versions prior to 7.2. An error in the SignServer container startup logic was found in Keyfactor SignServer versions prior to 7.2. The Admin CLI command used to configure Certificate access to the initial startup of the container sets a property of "allowany" to allow any user with a valid and trusted client auth certificate to connect. Admins can then set more restricted access to specific certificates. A logic error caused this admin CLI command to be run on each restart of the container instead of only the first startup as intended resetting the configuration to "allowany". 2025-12-22 not yet calculated CVE-2025-26787 https://support.keyfactor.com/hc/en-us/articles/33997706776987-SignServer-security-advisory-Container-vulnerability-CVE-2025-26787-fixed-in-version-7-2
https://docs.keyfactor.com/signserver/latest/signserver-7-2-release-notes
 
Krishanmuraiji--krishanmuraiji SMS v.1.0 SQL injection vulnerability in krishanmuraiji SMS v.1.0, within the /studentms/admin/edit-class-detail.php via the editid GET parameter. An attacker can trigger controlled delays using SQL SLEEP() to infer database contents. Successful exploitation may lead to full database compromise, especially within an administrative module. 2025-12-26 not yet calculated CVE-2025-66947 https://github.com/kabir0104k/CVE-2025-66947/blob/main/README.md
 
libxmljs--libxmljs 1.0.11 A vulnerability exists in the libxmljs 1.0.11 when parsing a specially crafted XML document. Accessing the internal _ref property on entity_ref and entity_decl nodes causes a segmentation fault, potentially leading to a denial-of-service (DoS). 2025-12-26 not yet calculated CVE-2025-25341 https://github.com/libxmljs/libxmljs/issues/667
 
Linksys--Linksys E5600 V1.1.0.26 Linksys E5600 V1.1.0.26 is vulnerable to command injection in the runtime.macClone function via the mc.ip parameter. 2025-12-23 not yet calculated CVE-2025-29228 https://github.com/JZP018/Vuln/blob/main/linsys/E5600/CI_macClone_mc.ip/CI_macClone_mc.ip.md
 
Linksys--Linksys E5600 V1.1.0.26 linksys E5600 V1.1.0.26 is vulnerable to command injection in the function ddnsStatus. 2025-12-23 not yet calculated CVE-2025-29229 https://github.com/JZP018/Vuln/blob/main/linsys/E5600/CI_ddnsStatus/CI_ddnsStatus.md
 
n--LSC Smart Connect Indoor IP Camera 1.4.13 LSC Smart Connect Indoor IP Camera 1.4.13 contains a RCE vulnerability in start_app.sh. 2025-12-22 not yet calculated CVE-2025-65817 https://github.com/Istaarkk/CVE-2025-65817/blob/main/README.md
 
--Media module of Piranha CMS v12.1 A stored cross-site scripting (XSS) vulnerability in the Media module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name field. 2025-12-22 not yet calculated CVE-2025-67291 http://piranha.com
https://github.com/vuquyen03/CVE/tree/main/CVE-2025-67291
 
MynNET--MyNET up to v26.05 MyNET up to v26.05 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the src parameter. 2025-12-22 not yet calculated CVE-2024-25812 https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN
https://github.com/am0nt31r0/Common-Vulnerabilities-and-Exposures-CVE-/blob/main/MyNet.md
 
MyNET--MyNET up to v26.05 MyNET up to v26.05 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the msg parameter. 2025-12-22 not yet calculated CVE-2024-25814 https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN
https://github.com/am0nt31r0/Common-Vulnerabilities-and-Exposures-CVE-/blob/main/MyNet.md
 
MyNET--MyNET up to v26.06 Iframe injection vulnerability in airc.pt/solucoes-servicos.solucoes MyNET v.26.06 and before allows a remote attacker to execute arbitrary code via the src parameter. 2025-12-22 not yet calculated CVE-2024-27708 https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN
https://github.com/esquim0/Common_Vulnerabilities_and_Exposures_CVE/blob/main/2024/MyNet.md
 
MyNET--MyNET up to v26.08 MyNET up to v26.08 was discovered to contain a Reflected cross-site scripting (XSS) vulnerability via the msgtipo parameter. 2025-12-22 not yet calculated CVE-2024-35321 https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN
https://github.com/am0nt31r0/Common-Vulnerabilities-and-Exposures-CVE-/blob/main/MyNet.md
https://github.com/Manuel-arc/Common-Vulnerabilities-and-Exposures-CVE-/blob/main/MyNet.md
 
MyNET--MyNET up to v26.08 MyNET up to v26.08 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the ficheiro parameter. 2025-12-24 not yet calculated CVE-2024-35322 https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN
https://miguelsantareno.github.io/airc_exploit.txt
 
MyNET--MyNET up to v26.08 A reflected cross-site scripting (XSS) vulnerability in MyNET up to v26.08 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the parameter HTTP. 2025-12-24 not yet calculated CVE-2024-40317 https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN
https://miguelsantareno.github.io/airc_exploit.txt
 
MyNET--MyNET up to v26.08.316 MyNET up to v26.08.316 was discovered to contain an Unauthenticated SQL Injection vulnerability via the intmenu parameter. 2025-12-24 not yet calculated CVE-2024-39037 https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN
https://miguelsantareno.github.io/airc_exploit.txt
 
Netgear--Netgear EX8000 V1.0.0.126 Netgear EX8000 V1.0.0.126 is vulnerable to Command Injection via the iface parameter in the action_bandwidth function. 2025-12-23 not yet calculated CVE-2025-45493 https://github.com/JZP018/vuln03/blob/main/netgear/EX8000/cve-netgear_EX8000_CI_action_bandwidth.pdf
https://github.com/JZP018/vuln03/blob/main/netgear/EX8000/netgear_EX8000_CI_action_bandwidth.mp4
 
Netgear--Netgear EX8000 V1.0.0.126 Netgear EX8000 V1.0.0.126 was discovered to contain a command injection vulnerability via the switch_status function. 2025-12-23 not yet calculated CVE-2025-50526 https://github.com/JZP018/vuln03/blob/main/netgear/EX8000/cve-netgear_EX8000_CI_switch_status.pdf
https://github.com/JZP018/vuln03/blob/main/netgear/EX8000/netgear_EX8000_CI_switch_status.mp4
 
--Page Settings module of Piranha CMS v12.1 A stored cross-site scripting (XSS) vulnerability in the Page Settings module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Excerpt field. 2025-12-22 not yet calculated CVE-2025-67290 http://piranha.com
https://github.com/vuquyen03/CVE/tree/main/CVE-2025-67290
 
--PluXml CMS 5.8.22 Authenticated Remote Code Execution (RCE) in PluXml CMS 5.8.22 allows an attacker with administrator panel access to inject a malicious PHP webshell into a theme file (e.g., home.php). 2025-12-22 not yet calculated CVE-2025-67436 https://github.com/pluxml/PluXml
https://github.com/RajChowdhury240/CVE-2025-67435/
 
--PublicCMS V5.202506.b PublicCMS V5.202506.b is vulnerable to Cross Site Scripting (XSS) in the Content Search module. 2025-12-22 not yet calculated CVE-2025-65837 https://github.com/Hyperkopite/PublicCMS_Vulns/blob/main/XSS_1.md
https://github.com/sanluan/PublicCMS/issues/100
 
--RTPS protocol implementation of OpenDDS DDS before v3.33.0 An integer overflow in the RTPS protocol implementation of OpenDDS DDS before v3.33.0 allows attackers to cause a Denial of Service (DoS) via a crafted message. 2025-12-23 not yet calculated CVE-2025-67111 https://github.com/lkloliver/poc/blob/main/POC_OpenDDS.md
https://gist.github.com/lkloliver/fcc5da83b4cba137ce95177a9afc4126
 
RuoYi--RuoYi v.4.7.9 SQL Injection vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the createTable function in SqlUtil.java. 2025-12-23 not yet calculated CVE-2024-57521 https://gitee.com/y_project/RuoYi/commit/ddd858ca732618a472b10eaab2f8e4b45812ffc5
https://gitee.com/y_project/RuoYi/issues/IBC976
https://github.com/mrlihd/Ruoyi-4.7.9-SQL-Injection-PoC
https://github.com/mrlihd/CVE-2024-57521-SQL-Injection-PoC/blob/main/README.md
 
Schlix--Schlix CMS before v2.2.9-5 Schlix CMS before v2.2.9-5 is vulnerable to Cross Site Scripting (XSS). Due to lack of javascript sanitization in the login form, incorrect login attempts in logs are triggered as XSS in the admin panel. 2025-12-22 not yet calculated CVE-2025-67443 https://www.schlix.com/news/release/december-2025-errata-5-bug-fix-release.html#:~:text=Fixed%20XSS%20vulnerability%20bug%20when%20clicking%20New%20User%20%28thank%20you%20to%20Ak%C4%B1ner%20K%C4%B1sa%20who%20reported%20this%20security%20bug%20and%20provided%20reasonable%20time%20to%20fix%29
https://gist.github.com/akinerkisa/b22f4517a4011d049c5fc7fd3b29c9f2
 
Speedify--Speedify VPN up to v15.0.0 A command injection vulnerability in the me.connectify.SMJobBlessHelper XPC service of Speedify VPN up to v15.0.0 allows attackers to execute arbitrary commands with root-level privileges. 2025-12-23 not yet calculated CVE-2025-25364 https://connectify.me
https://speedify.com/
https://speedify.com/blog/news/speedify-macos-vpn-application-vulnerability/
 
TechStore--TechStore version 1.0. A reflected Cross-Site Scripting (XSS) vulnerability has been identified in TechStore version 1.0. The user_name endpoint reflects the id query parameter directly into the HTML response without output encoding or sanitization, allowing execution of arbitrary JavaScript code in a victim's browser. 2025-12-23 not yet calculated CVE-2025-66845 https://gist.github.com/MuratSevri/d78efed86ca5f82e8a6683ace5061319
 
Terra--Terra Informatica Software, Inc Sciter v.4.4.7.0 An issue in Terra Informatica Software, Inc Sciter v.4.4.7.0 allows a local attacker to obtain sensitive information via the adopt component of the Sciter video rendering function. 2025-12-26 not yet calculated CVE-2024-29720 https://github.com/sciter-sdk/rust-sciter/issues/143
 
Umbraco--Umbraco CMS v16.3.3 An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code via uploading a crafted PDF file. 2025-12-22 not yet calculated CVE-2025-67288 http://umbraco.com
https://github.com/vuquyen03/CVE/tree/main/CVE-2025-67288
 
Webmail--Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory. 2025-12-22 not yet calculated CVE-2025-68645 https://wiki.zimbra.com/wiki/Security_Center
https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
 
Xionmai--Xiongmai XM530 IP cameras on Firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 Authentication bypass vulnerability in Xiongmai XM530 IP cameras on Firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 allows unauthenticated remote attackers to access sensitive device information and live video streams. The ONVIF implementation fails to enforce authentication on 31 critical endpoints, enabling direct unauthorized video stream access. 2025-12-22 not yet calculated CVE-2025-65856 http://ip.com
http://hangzhou.com
https://luismirandaacebedo.github.io/CVE-2025-65856/
 
Xiongmai--Xiongmai XM530 IP cameras on firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06. An issue was discovered in Xiongmai XM530 IP cameras on firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06. The GetStreamUri exposes RTSP URIs containing hardcoded credentials enabling direct unauthorized video stream access. 2025-12-22 not yet calculated CVE-2025-65857 http://ip.com
http://hangzhou.com
https://luismirandaacebedo.github.io/CVE-2025-65857/
 
Yealink--Yealink T21P_E2 Phone 52.84.0.15 Yealink T21P_E2 Phone 52.84.0.15 is vulnerable to Directory Traversal. A remote normal privileged attacker can read arbitrary files via a crafted request result read function of the diagnostic component. 2025-12-26 not yet calculated CVE-2025-66737 http://yealink.com
https://drive.google.com/file/d/1MpxnCL4koKupqWWDmY3ljlybjIPD8ieD/view?usp=sharing
 
Yealink--Yealink T21P_E2 Phone 52.84.0.15 An issue in Yealink T21P_E2 Phone 52.84.0.15 allows a remote normal privileged attacker to execute arbitrary code via a crafted request the ping function of the diagnostic component. 2025-12-26 not yet calculated CVE-2025-66738 http://yealink.com
https://drive.google.com/file/d/13t5ywSPJMx4487njJcH3ZTNuc_k3h4ty/view?usp=sharing
 
youlai--youlai-boot V2.21.1 youlai-boot V2.21.1 is vulnerable to Incorrect Access Control. The getRoleForm function in SysRoleController.java does not perform permission checks, which may allow non-root users to directly access root roles. 2025-12-22 not yet calculated CVE-2025-66735 https://gitee.com/youlaiorg/youlai-boot/issues/ICH8FR
https://gitee.com/youlaiorg/youlai-boot/commit/9197065102f92264ded814a9d3e9f2a4ff0da121
https://gist.github.com/old6ma/dc9e6e4a693d12c1a35fd4e1d21d4743
 
youlai--youlai-boot V2.21.1 youlai-boot V2.21.1 is vulnerable to Incorrect Access Control. The importUsers function in SysUserController.java does not perform a permission check on the current user's identity, which may allow regular users to import user data into the database, resulting in an authorization bypass vulnerability. 2025-12-22 not yet calculated CVE-2025-66736 https://gitee.com/youlaiorg/youlai-boot/commit/9197065102f92264ded814a9d3e9f2a4ff0da121
https://gitee.com/youlaiorg/youlai-boot/issues/ICH8FV
https://gist.github.com/old6ma/be1d4a5373ee2de901ed4c8d81485046
 
Nawawi Jamili--Docket Cache Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nawawi Jamili Docket Cache docket-cache allows PHP Local File Inclusion.This issue affects Docket Cache: from n/a through <= 24.07.03. 2025-12-24 not yet calculated CVE-2025-68506 https://vdp.patchstack.com/database/Wordpress/Plugin/docket-cache/vulnerability/wordpress-docket-cache-plugin-24-07-03-local-file-inclusion-vulnerability?_s_id=cve
 
NSF Unidata--NetCDF-C NSF Unidata NetCDF-C Time Unit Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of time units. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27273. 2025-12-23 not yet calculated CVE-2025-14932 ZDI-25-1153
 
NSF Unidata--NetCDF-C NSF Unidata NetCDF-C NC Variable Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of NC variables. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27266. 2025-12-23 not yet calculated CVE-2025-14933 ZDI-25-1151
 
NSF Unidata--NetCDF-C NSF Unidata NetCDF-C Variable Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of variable names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27267. 2025-12-23 not yet calculated CVE-2025-14934 ZDI-25-1152
 
NSF Unidata--NetCDF-C NSF Unidata NetCDF-C Dimension Name Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of dimension names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27168. 2025-12-23 not yet calculated CVE-2025-14935 ZDI-25-1154
 
NSF Unidata--NetCDF-C NSF Unidata NetCDF-C Attribute Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of attribute names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27269. 2025-12-23 not yet calculated CVE-2025-14936 ZDI-25-1155
 
Open Design Alliance--ODA Drawings SDK - All Versions < 2026.12 A Use of Uninitialized Variable vulnerability exists in Open Design Alliance Drawings SDK static versions (mt) before 2026.12. Static object `COdaMfcAppApp theApp` may access `OdString::kEmpty` before its initialization. Due to undefined initialization order of static objects across translation units (Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in application crash on startup, causing denial of service. Due to undefined behavior,  memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios. 2025-12-22 not yet calculated CVE-2025-10021 https://www.opendesign.com/security-advisories
 
pavothemes--Bookory Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in pavothemes Bookory bookory allows PHP Local File Inclusion. This issue affects Bookory: from n/a through <= 2.2.7. 2025-12-24 not yet calculated CVE-2025-68530 https://vdp.patchstack.com/database/Wordpress/Theme/bookory/vulnerability/wordpress-bookory-theme-2-2-7-local-file-inclusion-vulnerability?_s_id=cve
 
pdfforge--PDF Architect pdfforge PDF Architect DOC File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of DOC files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27503. 2025-12-23 not yet calculated CVE-2025-14416 ZDI-25-1073
 
pdfforge--PDF Architect pdfforge PDF Architect Launch Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the implementation of the Launch action. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27501. 2025-12-23 not yet calculated CVE-2025-14417 ZDI-25-1074
 
pdfforge--PDF Architect pdfforge PDF Architect XLS File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of XLS files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27502. 2025-12-23 not yet calculated CVE-2025-14418 ZDI-25-1075
 
pdfforge--PDF Architect pdfforge PDF Architect PDF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27902. 2025-12-23 not yet calculated CVE-2025-14419 ZDI-25-1076
 
pdfforge--PDF Architect pdfforge PDF Architect CBZ File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CBZ files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27514. 2025-12-23 not yet calculated CVE-2025-14420 ZDI-25-1077
 
pdfforge--PDF Architect pdfforge PDF Architect PDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-27915. 2025-12-23 not yet calculated CVE-2025-14421 ZDI-25-1078
 
PDFsam--Enhanced PDFsam Enhanced App Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDFsam Enhanced. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of App objects. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27260. 2025-12-23 not yet calculated CVE-2025-14401 ZDI-25-1089
 
PDFsam--Enhanced PDFsam Enhanced DOC File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDFsam Enhanced. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of DOC files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27499. 2025-12-23 not yet calculated CVE-2025-14402 ZDI-25-1090
 
PDFsam--Enhanced PDFsam Enhanced Launch Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDFsam Enhanced. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the implementation of the Launch action. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27500. 2025-12-23 not yet calculated CVE-2025-14403 ZDI-25-1091
 
PDFsam--Enhanced PDFsam Enhanced XLS File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDFsam Enhanced. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of XLS files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27498. 2025-12-23 not yet calculated CVE-2025-14404 ZDI-25-1092
 
PDFsam--Enhanced PDFsam Enhanced Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows phyiscally-present attackers to escalate privileges on affected installations of PDFsam Enhanced. An attacker must first obtain the ability to mount a malicious drive onto the target system in order to exploit this vulnerability. The specific flaw exists within the configuration of OpenSSL. The product loads an OpenSSL configuration file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27867. 2025-12-23 not yet calculated CVE-2025-14405 ZDI-25-1093
 
PHP Group--PHP In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server. 2025-12-27 not yet calculated CVE-2025-14177 https://github.com/php/php-src/security/advisories/GHSA-3237-qqm7-mfv7
 
PHP Group--PHP In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server. 2025-12-27 not yet calculated CVE-2025-14180 https://github.com/php/php-src/security/advisories/GHSA-8xr5-qppj-gvwj
 
PickPlugins--Post Grid and Gutenberg Blocks Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Post Grid and Gutenberg Blocks post-grid allows Stored XSS. This issue affects Post Grid and Gutenberg Blocks: from n/a through <= 2.3.18. 2025-12-24 not yet calculated CVE-2025-68605 https://vdp.patchstack.com/database/Wordpress/Plugin/post-grid/vulnerability/wordpress-post-grid-and-gutenberg-blocks-plugin-2-3-18-cross-site-scripting-xss-vulnerability?_s_id=cve
 
pixelgrade--Category Icon Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pixelgrade Category Icon category-icon allows Stored XSS. This issue affects Category Icon: from n/a through <= 1.0.2. 2025-12-24 not yet calculated CVE-2025-68525 https://vdp.patchstack.com/database/Wordpress/Plugin/category-icon/vulnerability/wordpress-category-icon-plugin-1-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
pluginsware--Advanced Classifieds & Directory Pro Cross-Site Request Forgery (CSRF) vulnerability in pluginsware Advanced Classifieds & Directory Pro advanced-classifieds-and-directory-pro allows Cross Site Request Forgery.This issue affects Advanced Classifieds & Directory Pro: from n/a through <= 3.2.9. 2025-12-24 not yet calculated CVE-2025-68580 https://vdp.patchstack.com/database/Wordpress/Plugin/advanced-classifieds-and-directory-pro/vulnerability/wordpress-advanced-classifieds-directory-pro-plugin-3-2-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
RealDefense--SUPERAntiSpyware RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27657. 2025-12-23 not yet calculated CVE-2025-14488 ZDI-25-1167
 
RealDefense--SUPERAntiSpyware RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27658. 2025-12-23 not yet calculated CVE-2025-14489 ZDI-25-1165
 
RealDefense--SUPERAntiSpyware RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27659. 2025-12-23 not yet calculated CVE-2025-14490 ZDI-25-1166
 
RealDefense--SUPERAntiSpyware RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27660. 2025-12-23 not yet calculated CVE-2025-14491 ZDI-25-1164
 
RealDefense--SUPERAntiSpyware RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27668. 2025-12-23 not yet calculated CVE-2025-14492 ZDI-25-1172
 
RealDefense--SUPERAntiSpyware RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27675. 2025-12-23 not yet calculated CVE-2025-14493 ZDI-25-1170
 
RealDefense--SUPERAntiSpyware RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27676. 2025-12-23 not yet calculated CVE-2025-14494 ZDI-25-1163
 
RealDefense--SUPERAntiSpyware RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27677. 2025-12-23 not yet calculated CVE-2025-14495 ZDI-25-1169
 
RealDefense--SUPERAntiSpyware RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27678. 2025-12-23 not yet calculated CVE-2025-14496 ZDI-25-1171
 
RealDefense--SUPERAntiSpyware RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27680. 2025-12-23 not yet calculated CVE-2025-14497 ZDI-25-1168
 
Rhys Wynne--WP Email Capture Cross-Site Request Forgery (CSRF) vulnerability in Rhys Wynne WP Email Capture wp-email-capture allows Cross Site Request Forgery. This issue affects WP Email Capture: from n/a through <= 3.12.5. 2025-12-24 not yet calculated CVE-2025-68529 https://vdp.patchstack.com/database/Wordpress/Plugin/wp-email-capture/vulnerability/wordpress-wp-email-capture-plugin-3-12-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Rustaurius--Five Star Restaurant Reservations Cross-Site Request Forgery (CSRF) vulnerability in Rustaurius Five Star Restaurant Reservations restaurant-reservations allows Cross Site Request Forgery. This issue affects Five Star Restaurant Reservations: from n/a through <= 2.7.7. 2025-12-24 not yet calculated CVE-2025-68601 https://vdp.patchstack.com/database/Wordpress/Plugin/restaurant-reservations/vulnerability/wordpress-five-star-restaurant-reservations-plugin-2-7-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
SALESmanago--SALESmanago Missing Authorization vulnerability in SALESmanago SALESmanago salesmanago allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SALESmanago: from n/a through <= 3.9.0. 2025-12-24 not yet calculated CVE-2025-68571 https://vdp.patchstack.com/database/Wordpress/Plugin/salesmanago/vulnerability/wordpress-salesmanago-plugin-3-9-0-broken-access-control-vulnerability?_s_id=cve
 
Sante--PACS Server Sante PACS Server HTTP Content-Length Header Handling NULL Pointer Dereference Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Sante PACS Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HTTP Content-Length header. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-26770. 2025-12-23 not yet calculated CVE-2025-14501 ZDI-25-1104
 
Scott Paterson--Accept Donations with PayPal URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Scott Paterson Accept Donations with PayPal easy-paypal-donation allows Phishing. This issue affects Accept Donations with PayPal: from n/a through <= 1.5.1. 2025-12-24 not yet calculated CVE-2025-68602 https://vdp.patchstack.com/database/Wordpress/Plugin/easy-paypal-donation/vulnerability/wordpress-accept-donations-with-paypal-plugin-1-5-1-open-redirection-vulnerability?_s_id=cve
 
Senstar--Symphony Senstar Symphony FetchStoredLicense Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Senstar Symphony. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of FetchStoredLicense method. The issue results from the exposure of sensitive information. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-26908. 2025-12-23 not yet calculated CVE-2025-12491 ZDI-25-1060
 
Sharp Display Solutions, Ltd.--Media Player MP-01 Missing Authentication for Critical Function vulnerability in Sharp Display Solutions Media Player MP-01 All Verisons allows a attacker may access to the web interface of the affected product without authentication and change settings or perform other operations, and deliver content from the authoring software to the affected product without authentication. 2025-12-22 not yet calculated CVE-2025-12049 https://sharp-displays.jp.sharp/global/support/info/MP01-CVE-2025-12049.html
 
Sharp Display Solutions, Ltd.--NP-P502HL-2, NP-P502WL-2, NP-P502HLG-2, NP-P502WLG, NP-P502H, NP-P502W, NP-P452H, NP-P452W, NP-P502HG, NP-P502WG, NP-P452HG, NP-P452WG, NP-P502H+, NP-P502W+, NP-CR5450H, NP-CR5450W, NP-P502HL, NP-P502WL, NP-P502HLG, NP-P502WLG, NP-P502HL+, NP-P502WL+, NP-CR5450HL, NP-CR5450WL, NP-UM352W, NP-UM352WG, NP-UM352W+ Path Traversal vulnerability in Sharp Display Solutions projectors allows a attacker may access and read any files within the projector. 2025-12-22 not yet calculated CVE-2025-11540 https://sharp-displays.jp.sharp/global/support/info/PJ-CVE-2025-11540.html
 
Sharp Display Solutions, Ltd.--NP-P502HL-2, NP-P502WL-2, NP-P502HLG-2, NP-P502WLG, NP-P502H, NP-P502W, NP-P452H, NP-P452W, NP-P502HG, NP-P502WG, NP-P452HG, NP-P452WG, NP-P502H+, NP-P502W+, NP-CR5450H, NP-CR5450W, NP-P502HL, NP-P502WL, NP-P502HLG, NP-P502WLG, NP-P502HL+, NP-P502WL+, NP-CR5450HL, NP-CR5450WL, NP-UM352W, NP-UM352WG, NP-UM352W+ Stack-based Buffer Overflow vulnerability in Sharp Display Solutions projectors allows a attacker may execute arbitrary commands and programs. 2025-12-22 not yet calculated CVE-2025-11541 https://sharp-displays.jp.sharp/global/support/info/PJ-CVE-2025-11540.html
 
Sharp Display Solutions, Ltd.--NP-P502HL-2, NP-P502WL-2, NP-P502HLG-2, NP-P502WLG, NP-P502H, NP-P502W, NP-P452H, NP-P452W, NP-P502HG, NP-P502WG, NP-P452HG, NP-P452WG, NP-P502H+, NP-P502W+, NP-CR5450H, NP-CR5450W, NP-P502HL, NP-P502WL, NP-P502HLG, NP-P502WLG, NP-P502HL+, NP-P502WL+, NP-CR5450HL, NP-CR5450WL, NP-UM352W, NP-UM352WG, NP-UM352W+ Stack-based Buffer Overflow vulnerability in Sharp Display Solutions projectors allows a attacker may execute arbitrary commands and programs. 2025-12-22 not yet calculated CVE-2025-11542 https://sharp-displays.jp.sharp/global/support/info/PJ-CVE-2025-11540.html
 
Sharp Display Solutions, Ltd.--NP-P502HL-2, NP-P502WL-2, NP-P502HLG-2, NP-P502WLG, NP-P502H, NP-P502W, NP-P452H, NP-P452W, NP-P502HG, NP-P502WG, NP-P452HG, NP-P452WG, NP-P502H+, NP-P502W+, NP-CR5450H, NP-CR5450W, NP-P502HL, NP-P502WL, NP-P502HLG, NP-P502WLG, NP-P502HL+, NP-P502WL+, NP-CR5450HL, NP-CR5450WL, NP-UM352W, NP-UM352WG, NP-UM352W+ Improper Validation of Integrity Check Value vulnerability in Sharp Display Solutions projectors allows a attacker may create and run unauthorized firmware. 2025-12-22 not yet calculated CVE-2025-11543 https://sharp-displays.jp.sharp/global/support/info/PJ-CVE-2025-11540.html
 
Sharp Display Solutions, Ltd.--NP-P627UL, NP-P627ULG, NP-P627UL+, NP-P547UL, NP-P547ULG, NP-P607UL+, NP-CG6600UL, NP-H6271UL, NP-H5471UL, NP-P627ULH, NP-P547ULH, NP-PE455UL, NP-PE455ULG, NP-PE455WL, NP-PE455WLG, NP-PE505XLG, NP-CG6500XL, NP-CG6400UL, NP-CG6400WL, NP-CB4500XL, NP-CA4120X, NP-CA4160W, NP-CA4160X, NP-CA4200U, NP-CA4200W, NP-CA4202W, NP-CA4260X, NP-CA4300X, NP-CA4355X, NP-CD2100U, NP-CD2120X, NP-CD2300X, NP-CR2100X, NP-CR2170W, NP-CR2170X, NP-CR2200U, NP-CR2200W, NP-CR2280X, NP-CR2310X, NP-CR2350X, NP-MC302XG, NP-MC332WG, NP-MC342XG, NP-MC372X, NP-MC372XG, NP-MC382W, NP-MC382WG, NP-MC422XG, NP-ME342UG, NP-ME372W, NP-ME372WG, NP-ME382U, NP-ME382UG, NP-ME402X, NP-ME402XG, NP-P525UL, NP-P525ULG, NP-P525UL+, NP-P525WL, NP-P525WLG, NP-P525WL+, NP-P605UL, NP-P605ULG, NP-P605UL+, NP-CG6500UL, NP-CG6500WL, NP-CB4500UL, NP-CB4500WL, NP-P525ULH, NP-P525WLH, NP-P605ULH, NP-P554U, NP-P554UG, NP-P554U+, NP-P554W, NP-P554WG, NP-P554W+, NP-P474U, NP-P474UG, NP-P474W, NP-P474WG, NP-P604XG, NP-P604X+, NP-P603XG, NP-P523X+, NP-PE523XG, NP-PE523X+, NP-CF6600U, NP-CF6600W, NP-CF6700X, NP-CF6500X, NP-CB4600U, NP-P554UH, NP-P554WH, NP-P474UH, NP-P474WH, NP-P604XH, NP-P603XH, NP-PE523XH, NP-P502HL-2, NP-P502WL-2, NP-P502HLG-2, NP-P502WLG ,NP-ME401W, NP-ME361W, NP-ME331W, NP-ME301W, NP-ME401X, NP-ME361X, NP-ME331X, NP-ME301X, NP-ME401WG, NP-ME361WG, NP-ME331WG, NP-ME301WG, NP-ME401XG, NP-ME361XG, NP-ME331XG, NP-ME301XG, NP-CA4155W, NP-CA4350X, NP-CA4255X, NP-CA4155X, NP-CA4115X, NP-MC331WG, NP-MC421XG, NP-MC401XG, NP-MC371XG, NP-MC331XG, NP-MC301XG, NP-CK4155W, NP-CK4255X, NP-CK4155X, NP-CK4055X, NP-CM4150X, NP-CM4050X, NP-CK4155WG, NP-CK4255XG, NP-CK4155XG, NP-CR2165W, NP-CR2305X, NP-CR2275X, NP-CR2165X, NP-CR2155X, NP-CD2115X, NP-CD2105X, NP-CM4151X, NP-CR2276X, NP-CD2116X, NP-P502H, NP-P502W, NP-P452H, NP-P452W Improper Validation of Integrity Check Value vulnerability in Sharp Display Solutions projectors allows a attacker may create and run unauthorized firmware. 2025-12-22 not yet calculated CVE-2025-11544 https://sharp-displays.jp.sharp/global/support/info/PJ-CVE-2025-11544.html
 
Sharp Display Solutions, Ltd.--NP-PA1705UL-W, NP-PA1705UL-W+, NP-PA1705UL-B, NP-PA1705UL-B+, NP-PA1505UL-W, NP-PA1505UL-W+, NP-PA1505UL-B, NP-PA1505UL-B+, NP-PA1505UL-BJL NP-PV800UL-W, NP-PV800UL-W+, NP-PV800UL-B, NP-PV800UL-B+, NP-PV710UL-W, NP-PV710UL-W+, NP-PV710UL-B, NP-PV710UL-B+, NP-PV800UL-W1, NP-PV800UL-B1, NP-PV710UL-W1, NP-PV710UL-B1, NP-PV800UL-B1G, NP-PV710UL-B1G, NP-PV800UL-WH, NP-PV710UL-WH, NP-P627UL, NP-P627ULG, NP-P627UL+, NP-P547UL, NP-P547ULG, NP-P607UL+, NP-CG6600UL, NP-H6271UL, NP-H5471UL, NP-P627ULH, NP-P547ULH NP-PV710UL+ NP-PA1004UL-W, NP-PA1004UL-WG, NP-PA1004UL-W+, NP-PA1004UL-WH, NP-PA1004UL-B, NP-PA1004UL-BG, NP-PA1004UL-B+, NP-PA804UL-W, NP-PA804UL-WG, NP-PA804UL-W+, NP-PA804UL-WH, NP-PA804UL-B, NP-PA804UL-BG, NP-PA804UL-B+, NP-PA1004UL-BH, NP-PA804UL-BH, NP-PE455UL, NP-PE455ULG, NP-PE455WL, NP-PE455WLG, NP-PE505XLG, NP-CG6500XL, NP-CG6400UL, NP-CG6400WL, NP-CB4500XL, NP-CA4120X, NP-CA4160W, NP-CA4160X, NP-CA4200U, NP-CA4200W, NP-CA4202W, NP-CA4260X, NP-CA4300X, NP-CA4355X, NP-CD2100U, NP-CD2120X, NP-CD2300X, NP-CR2100X, NP-CR2170W, NP-CR2170X, NP-CR2200U, NP-CR2200W, NP-CR2280X, NP-CR2310X, NP-CR2350X, NP-MC302XG, NP-MC332WG, NP-MC342XG, NP-MC372X, NP-MC372XG, NP-MC382W, NP-MC382WG, NP-MC422XG, NP-ME342UG, NP-ME372W, NP-ME372WG, NP-ME382U, NP-ME382UG, NP-ME402X, NP-ME402XG NP-CU4300XD, NP-CU4200XD, NP-CU4200WD, NP-UM383WL, NP-UM383WLG, NP-CJ2200WD, NP-PH3501QL, NP-PH3501QL+, NP-PH2601QL, NP-PH2601QL+, NP-PH350Q40L, NP-PH260Q30L, NP-PX1005QL-W, NP-PX1005QL-B, NP-PX1005QL-B+, NP-P525UL, NP-P525ULG, NP-P525UL+, NP-P525WL, NP-P525WLG, NP-P525WL+, NP-P605UL, NP-P605ULG, NP-P605UL+ Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sharp Display Solutions projectors allows a attacker may improperly access the HTTP server and execute arbitrary actions. 2025-12-22 not yet calculated CVE-2025-11545 https://sharp-displays.jp.sharp/global/support/info/PJ-CVE-2025-11545.html
 
siyuan-note--siyuan SiYuan is self-hosted, open source personal knowledge management software. In versions 3.5.1 and prior, the SiYuan Note application utilizes a hardcoded cryptographic secret for its session store. This unsafe practice renders the session encryption ineffective. Since the sensitive AccessAuthCode is stored within the session cookie, an attacker who intercepts or obtains a user's encrypted session cookie (e.g., via session hijacking) can locally decrypt it using the public key. Once decrypted, the attacker can retrieve the AccessAuthCode in plain text and use it to authenticate or take over the session. 2025-12-27 not yet calculated CVE-2025-68948 https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f7ph-rc3w-qp28
 
Soda PDF--Desktop Soda PDF Desktop Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Soda PDF Desktop. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the configuration of OpenSSL. The product loads an OpenSSL configuration file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-25793. 2025-12-23 not yet calculated CVE-2025-14406 ZDI-25-1079
 
Soda PDF--Desktop Soda PDF Desktop PDF File Parsing Memory Corruption Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-27141. 2025-12-23 not yet calculated CVE-2025-14407 ZDI-25-1080
 
Soda PDF--Desktop Soda PDF Desktop PDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-27143. 2025-12-23 not yet calculated CVE-2025-14408 ZDI-25-1081
 
Soda PDF--Desktop Soda PDF Desktop PDF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27120. 2025-12-23 not yet calculated CVE-2025-14409 ZDI-25-1082
 
Soda PDF--Desktop Soda PDF Desktop PDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-27142. 2025-12-23 not yet calculated CVE-2025-14410 ZDI-25-1083
 
Soda PDF--Desktop Soda PDF Desktop PDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-27140. 2025-12-23 not yet calculated CVE-2025-14411 ZDI-25-1084
 
Soda PDF--Desktop Soda PDF Desktop XLS File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of XLS files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27495. 2025-12-23 not yet calculated CVE-2025-14412 ZDI-25-1085
 
Soda PDF--Desktop Soda PDF Desktop CBZ File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CBZ files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27509. 2025-12-23 not yet calculated CVE-2025-14413 ZDI-25-1086
 
Soda PDF--Desktop Soda PDF Desktop Word File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Word files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27496. 2025-12-23 not yet calculated CVE-2025-14414 ZDI-25-1087
 
Soda PDF--Desktop Soda PDF Desktop Launch Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the implementation of the Launch action. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27494. 2025-12-23 not yet calculated CVE-2025-14415 ZDI-25-1088
 
Spider Themes--BBP Core Missing Authorization vulnerability in Spider Themes BBP Core bbp-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BBP Core: from n/a through <= 1.4.1. 2025-12-24 not yet calculated CVE-2025-68572 https://vdp.patchstack.com/database/Wordpress/Plugin/bbp-core/vulnerability/wordpress-bbp-core-plugin-1-4-1-broken-access-control-vulnerability?_s_id=cve
 
Spiffy Plugins--Spiffy Calendar Missing Authorization vulnerability in Spiffy Plugins Spiffy Calendar spiffy-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spiffy Calendar: from n/a through <= 5.0.7. 2025-12-24 not yet calculated CVE-2025-68523 https://vdp.patchstack.com/database/Wordpress/Plugin/spiffy-calendar/vulnerability/wordpress-spiffy-calendar-plugin-5-0-7-broken-access-control-vulnerability?_s_id=cve
 
sunshinephotocart--Sunshine Photo Cart Missing Authorization vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sunshine Photo Cart: from n/a through <= 3.5.7.1. 2025-12-24 not yet calculated CVE-2025-68535 https://vdp.patchstack.com/database/Wordpress/Plugin/sunshine-photo-cart/vulnerability/wordpress-sunshine-photo-cart-plugin-3-5-7-1-broken-access-control-vulnerability?_s_id=cve
 
Syed Balkhi--User Feedback Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection. This issue affects User Feedback: from n/a through <= 1.10.1. 2025-12-24 not yet calculated CVE-2025-68496 https://vdp.patchstack.com/database/Wordpress/Plugin/userfeedback-lite/vulnerability/wordpress-user-feedback-plugin-1-10-1-sql-injection-vulnerability?_s_id=cve
 
Tencent--FaceDetection-DSFD Tencent FaceDetection-DSFD resnet Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent FaceDetection-DSFD. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the resnet endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27197. 2025-12-23 not yet calculated CVE-2025-13715 ZDI-25-1183
vendor-provided URL
 
Tencent--Hunyuan3D-1 Tencent Hunyuan3D-1 load_pretrained Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent Hunyuan3D-1. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the load_pretrained function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27191. 2025-12-23 not yet calculated CVE-2025-13713 ZDI-25-1027
vendor-provided URL
 
Tencent--HunyuanDiT Tencent HunyuanDiT model_resume Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent HunyuanDiT. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the model_resume function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27183. 2025-12-23 not yet calculated CVE-2025-13707 ZDI-25-1029
vendor-provided URL
 
Tencent--HunyuanDiT Tencent HunyuanDiT merge Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent HunyuanDiT. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the merge endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27190. 2025-12-23 not yet calculated CVE-2025-13712 ZDI-25-1028
vendor-provided URL
 
Tencent--HunyuanVideo Tencent HunyuanVideo load_vae Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent HunyuanVideo. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the load_vae function.The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27186. 2025-12-23 not yet calculated CVE-2025-13710 ZDI-25-1030
vendor-provided URL
 
Tencent--MedicalNet Tencent MedicalNet generate_model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent MedicalNet. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the generate_model function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27192. 2025-12-23 not yet calculated CVE-2025-13714 ZDI-25-1031
vendor-provided URL
 
Tencent--MimicMotion Tencent MimicMotion create_pipeline Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent MimicMotion. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the create_pipeline function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27208. 2025-12-23 not yet calculated CVE-2025-13716 ZDI-25-1032
vendor-provided URL
 
Tencent--NeuralNLP-NeuralClassifier Tencent NeuralNLP-NeuralClassifier _load_checkpoint Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent NeuralNLP-NeuralClassifier. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the _load_checkpoint function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27184. 2025-12-23 not yet calculated CVE-2025-13708 ZDI-25-1033
vendor-provided URL
 
Tencent--PatrickStar Tencent PatrickStar merge_checkpoint Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent PatrickStar. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the merge_checkpoint endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27182. 2025-12-23 not yet calculated CVE-2025-13706 ZDI-25-1034
vendor-provided URL
 
Tencent--TFace Tencent TFace restore_checkpoint Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent TFace. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the restore_checkpoint function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27185. 2025-12-23 not yet calculated CVE-2025-13709 ZDI-25-1036
vendor-provided URL
 
Tencent--TFace Tencent TFace eval Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent TFace. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the eval endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27187. 2025-12-23 not yet calculated CVE-2025-13711 ZDI-25-1035
vendor-provided URL
 
The Plugin Factory--Google AdSense for Responsive Design Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Plugin Factory Google AdSense for Responsive Design &#8211; GARD google-adsense-for-responsive-design-gard allows DOM-Based XSS.This issue affects Google AdSense for Responsive Design &#8211; GARD: from n/a through <= 2.23. 2025-12-24 not yet calculated CVE-2025-67632 https://vdp.patchstack.com/database/Wordpress/Plugin/google-adsense-for-responsive-design-gard/vulnerability/wordpress-google-adsense-for-responsive-design-gard-plugin-2-23-cross-site-scripting-xss-vulnerability?_s_id=cve
 
thembay--Fana Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana fana allows PHP Local File Inclusion. This issue affects Fana: from n/a through <= 1.1.35. 2025-12-24 not yet calculated CVE-2025-68540 https://vdp.patchstack.com/database/Wordpress/Theme/fana/vulnerability/wordpress-fana-theme-1-1-35-local-file-inclusion-vulnerability?_s_id=cve
 
thembay--Zota Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Zota zota allows PHP Local File Inclusion. This issue affects Zota: from n/a through <= 1.3.14. 2025-12-24 not yet calculated CVE-2025-68537 https://vdp.patchstack.com/database/Wordpress/Theme/zota/vulnerability/wordpress-zota-theme-1-3-14-local-file-inclusion-vulnerability?_s_id=cve
 
Tikweb Management--Fast User Switching Cross-Site Request Forgery (CSRF) vulnerability in Tikweb Management Fast User Switching fast-user-switching allows Cross Site Request Forgery. This issue affects Fast User Switching: from n/a through <= 1.4.10. 2025-12-24 not yet calculated CVE-2025-68583 https://vdp.patchstack.com/database/Wordpress/Plugin/fast-user-switching/vulnerability/wordpress-fast-user-switching-plugin-1-4-10-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
titopandub--Evergreen Post Tweeter Cross-Site Request Forgery (CSRF) vulnerability in titopandub Evergreen Post Tweeter evergreen-post-tweeter allows Stored XSS. This issue affects Evergreen Post Tweeter: from n/a through <= 1.8.9. 2025-12-24 not yet calculated CVE-2025-67622 https://vdp.patchstack.com/database/Wordpress/Plugin/evergreen-post-tweeter/vulnerability/wordpress-evergreen-post-tweeter-plugin-1-8-9-cross-site-request-forgery-csrf-to-stored-xss-vulnerability?_s_id=cve
 
tmtraderunner--Trade Runner Cross-Site Request Forgery (CSRF) vulnerability in tmtraderunner Trade Runner traderunner allows Cross Site Request Forgery. This issue affects Trade Runner: from n/a through <= 3.14. 2025-12-24 not yet calculated CVE-2025-67625 https://vdp.patchstack.com/database/Wordpress/Plugin/traderunner/vulnerability/wordpress-trade-runner-plugin-3-14-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
totalsoft--TS Poll Missing Authorization vulnerability in totalsoft TS Poll poll-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TS Poll: from n/a through <= 2.5.3. 2025-12-24 not yet calculated CVE-2025-68588 https://vdp.patchstack.com/database/Wordpress/Plugin/poll-wp/vulnerability/wordpress-ts-poll-plugin-2-5-3-broken-access-control-vulnerability?_s_id=cve
 
TouchOfTech--Draft Notify Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TouchOfTech Draft Notify draft-notify allows Stored XSS. This issue affects Draft Notify: from n/a through <= 1.5. 2025-12-24 not yet calculated CVE-2025-67627 https://vdp.patchstack.com/database/Wordpress/Plugin/draft-notify/vulnerability/wordpress-draft-notify-plugin-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve
 
TradingView--Desktop TradingView Desktop Electron Uncontrolled Search Path Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of TradingView Desktop. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the configuration of the Electron framework. The product loads a script file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-27395. 2025-12-23 not yet calculated CVE-2025-14498 ZDI-25-1070
 
Trustindex--Widgets for Social Photo Feed Missing Authorization vulnerability in Trustindex Widgets for Social Photo Feed social-photo-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Widgets for Social Photo Feed: from n/a through <= 1.7.7. 2025-12-24 not yet calculated CVE-2025-68595 https://vdp.patchstack.com/database/Wordpress/Plugin/social-photo-feed-widget/vulnerability/wordpress-widgets-for-social-photo-feed-plugin-1-7-7-broken-access-control-vulnerability?_s_id=cve
 
Unknown--Gravity Forms The Gravity Forms WordPress plugin before 2.9.23.1 does not properly prevent users from uploading dangerous files through its chunked upload functionality, allowing attackers to upload PHP files to affected sites and achieve Remote Code Execution, granted they can discover or enumerate the upload path. 2025-12-24 not yet calculated CVE-2025-13407 https://wpscan.com/vulnerability/e09908fb-f5ad-45ca-8698-c0d596fd39cc/
 
VIPRE--Advanced Security VIPRE Advanced Security Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of VIPRE Advanced Security for PC. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the product installer. The issue results from incorrect permissions on a folder. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27147. 2025-12-23 not yet calculated CVE-2025-13703 ZDI-25-1023
vendor-provided URL
 
Virusdie--Virusdie Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Virusdie Virusdie virusdie allows Retrieve Embedded Sensitive Data. This issue affects Virusdie: from n/a through <= 1.1.6. 2025-12-24 not yet calculated CVE-2025-68576 https://vdp.patchstack.com/database/Wordpress/Plugin/virusdie/vulnerability/wordpress-virusdie-plugin-1-1-6-sensitive-data-exposure-vulnerability?_s_id=cve
 
Virusdie--Virusdie Missing Authorization vulnerability in Virusdie Virusdie virusdie allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Virusdie: from n/a through <= 1.1.6. 2025-12-24 not yet calculated CVE-2025-68577 https://vdp.patchstack.com/database/Wordpress/Plugin/virusdie/vulnerability/wordpress-virusdie-plugin-1-1-6-broken-access-control-vulnerability?_s_id=cve
 
voidcoders--WPBakery Visual Composer WHMCS Elements Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in voidcoders WPBakery Visual Composer WHMCS Elements void-visual-whmcs-element allows DOM-Based XSS.This issue affects WPBakery Visual Composer WHMCS Elements: from n/a through <= 1.0.4.3. 2025-12-24 not yet calculated CVE-2025-68574 https://vdp.patchstack.com/database/Wordpress/Plugin/void-visual-whmcs-element/vulnerability/wordpress-wpbakery-visual-composer-whmcs-elements-plugin-1-0-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Wappointment team--Wappointment Missing Authorization vulnerability in Wappointment team Wappointment wappointment allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wappointment: from n/a through <=2.7.2. 2025-12-24 not yet calculated CVE-2025-68575 https://vdp.patchstack.com/database/Wordpress/Plugin/wappointment/vulnerability/wordpress-wappointment-plugin-2-7-2-broken-access-control-vulnerability?_s_id=cve
 
wb2osz--Dire Wolf wb2osz/direwolf (Dire Wolf) versions up to and including 1.8, prior to commit 694c954, contain a stack-based buffer overflow vulnerability in the function kiss_rec_byte() located in src/kiss_frame.c. When processing crafted KISS frames that reach the maximum allowed frame length (MAX_KISS_LEN), the function appends a terminating FEND byte without reserving sufficient space in the stack buffer. This results in an out-of-bounds write followed by an out-of-bounds read during the subsequent call to kiss_unwrap(), leading to stack memory corruption or application crashes. This vulnerability may allow remote unauthenticated attackers to trigger a denial-of-service condition. 2025-12-22 not yet calculated CVE-2025-34457 https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-010-direwolf-stack-buffer-overflow-kiss-frame.md
https://github.com/wb2osz/direwolf/issues/617
https://github.com/wb2osz/direwolf/commit/694c954
https://www.vulncheck.com/advisories/wb2osz-direwolf-stack-based-buffer-overflow-dos
 
wb2osz--Dire Wolf wb2osz/direwolf (Dire Wolf) versions up to and including 1.8, prior to commit 3658a87, contain a reachable assertion vulnerability in the APRS MIC-E decoder function aprs_mic_e() located in src/decode_aprs.c. When processing a specially crafted AX.25 frame containing a MIC-E message with an empty or truncated comment field, the application triggers an unhandled assertion checking for a non-empty comment. This assertion failure causes immediate process termination, allowing a remote, unauthenticated attacker to cause a denial of service by sending malformed APRS traffic. 2025-12-22 not yet calculated CVE-2025-34458 https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-010-direwolf-stack-buffer-overflow-kiss-frame.md
https://github.com/wb2osz/direwolf/issues/618
https://github.com/wb2osz/direwolf/commit/3658a87
https://www.vulncheck.com/advisories/wb2osz-direwolf-reachable-assertion-dos
 
webheadcoder--WH Tweaks Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webheadcoder WH Tweaks wh-tweaks allows Stored XSS. This issue affects WH Tweaks: from n/a through <= 1.0.2. 2025-12-24 not yet calculated CVE-2025-67630 https://vdp.patchstack.com/database/Wordpress/Plugin/wh-tweaks/vulnerability/wordpress-wh-tweaks-plugin-1-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve
 
WP Shuffle--Subscribe to Unlock Lite Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle Subscribe to Unlock Lite subscribe-to-unlock-lite allows PHP Local File Inclusion. This issue affects Subscribe to Unlock Lite: from n/a through <= 1.3.0. 2025-12-24 not yet calculated CVE-2025-68563 https://vdp.patchstack.com/database/Wordpress/Plugin/subscribe-to-unlock-lite/vulnerability/wordpress-subscribe-to-unlock-lite-plugin-1-3-0-local-file-inclusion-vulnerability?_s_id=cve
 
WP Socio--WP Telegram Widget and Join Link Missing Authorization vulnerability in WP Socio WP Telegram Widget and Join Link wptelegram-widget allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Telegram Widget and Join Link: from n/a through <= 2.2.11. 2025-12-24 not yet calculated CVE-2025-68589 https://vdp.patchstack.com/database/Wordpress/Plugin/wptelegram-widget/vulnerability/wordpress-wp-telegram-widget-and-join-link-plugin-2-2-11-broken-access-control-vulnerability?_s_id=cve
 
WP Swings--Membership For WooCommerce Authorization Bypass Through User-Controlled Key vulnerability in WP Swings Membership For WooCommerce membership-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Membership For WooCommerce: from n/a through <= 3.0.3. 2025-12-24 not yet calculated CVE-2025-67909 https://vdp.patchstack.com/database/Wordpress/Plugin/membership-for-woocommerce/vulnerability/wordpress-membership-for-woocommerce-plugin-3-0-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve
 
WPFactory--Free Shipping Bar: Amount Left for Free Shipping for WooCommerce Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Free Shipping Bar: Amount Left for Free Shipping for WooCommerce amount-left-free-shipping-woocommerce allows Stored XSS. This issue affects Free Shipping Bar: Amount Left for Free Shipping for WooCommerce: from n/a through <= 2.4.9. 2025-12-24 not yet calculated CVE-2025-68528 https://vdp.patchstack.com/database/Wordpress/Plugin/amount-left-free-shipping-woocommerce/vulnerability/wordpress-free-shipping-bar-amount-left-for-free-shipping-for-woocommerce-plugin-2-4-9-cross-site-scripting-xss-vulnerability?_s_id=cve
 
wphocus--My auctions allegro Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Stored XSS. This issue affects My auctions allegro: from n/a through <= 3.6.32. 2025-12-24 not yet calculated CVE-2025-68566 https://vdp.patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-32-cross-site-scripting-xss-vulnerability?_s_id=cve
 
wphocus--My auctions allegro Cross-Site Request Forgery (CSRF) vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Cross Site Request Forgery. This issue affects My auctions allegro: from n/a through <= 3.6.32. 2025-12-24 not yet calculated CVE-2025-68567 https://vdp.patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-32-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
wpstream--WpStream Missing Authorization vulnerability in wpstream WpStream wpstream allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpStream: from n/a through <= 4.9.5. 2025-12-24 not yet calculated CVE-2025-68521 https://vdp.patchstack.com/database/Wordpress/Plugin/wpstream/vulnerability/wordpress-wpstream-plugin-4-9-5-broken-access-control-vulnerability?_s_id=cve
 
wpstream--WpStream Missing Authorization vulnerability in wpstream WpStream wpstream allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpStream: from n/a through <= 4.9.5. 2025-12-24 not yet calculated CVE-2025-68522 https://vdp.patchstack.com/database/Wordpress/Plugin/wpstream/vulnerability/wordpress-wpstream-plugin-4-9-5-broken-access-control-vulnerability-2?_s_id=cve
 
WPXPO--PostX Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPXPO PostX ultimate-post allows Retrieve Embedded Sensitive Data. This issue affects PostX: from n/a through <= 5.0.3. 2025-12-24 not yet calculated CVE-2025-68606 https://vdp.patchstack.com/database/Wordpress/Plugin/ultimate-post/vulnerability/wordpress-postx-plugin-5-0-3-sensitive-data-exposure-vulnerability?_s_id=cve
 
Yannick Lefebvre--Link Library Server-Side Request Forgery (SSRF) vulnerability in Yannick Lefebvre Link Library link-library allows Server Side Request Forgery. This issue affects Link Library: from n/a through <= 7.8.4. 2025-12-24 not yet calculated CVE-2025-68600 https://vdp.patchstack.com/database/Wordpress/Plugin/link-library/vulnerability/wordpress-link-library-plugin-7-8-4-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
 
YITHEMES--YITH Slider for page builders Missing Authorization vulnerability in YITHEMES YITH Slider for page builders yith-slider-for-page-builders allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YITH Slider for page builders: from n/a through <= 1.0.11. 2025-12-24 not yet calculated CVE-2025-68581 https://vdp.patchstack.com/database/Wordpress/Plugin/yith-slider-for-page-builders/vulnerability/wordpress-yith-slider-for-page-builders-plugin-1-0-11-broken-access-control-vulnerability?_s_id=cve
 

Back to top


Posted on Thursday January 01, 1970


Posted on Thursday January 01, 1970


請即與我們聯絡: fix@hk-computer-repair.com

有用連結:

Google Inc.
Yahoo! HK

3ComAcerAMDCiscoEpsonESETFujitsuHPIBMIntelLenovoMcAfeeMicrosoftNVidiaSun MicrosystemSymantecTrend MicroTom's Hardware


Protected by Copyscape Duplicate Content Detection Software